
Re: [Samba] Domain join issues - 4.9.0




On Tue, 20 Nov 2018 13:17:58 +0000
Jonathan Hunter via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> 
> Does anyone have experience of using ldbedit or similar, to remove the
> duplicates below? (Is that even the right way for me to go?) Can I
> perhaps query something using ldbsearch, to find the duplicates,
> before using ldbedit?
> 
> On Sun, 18 Nov 2018 at 21:37, Jonathan Hunter <jmhunter1@xxxxxxxxx>
> wrote:
> > [...]
> > In my database, as reported by the domain join command above, I have
> > five duplicates 'for index on servicePrincipalName', plus 107
> > duplicates for index on a custom LDAP attribute I am using. If
> > there's a correct way I can step through these one by one, and
> > remove the duplicates, I am happy to try...
> 
> I guess ldbedit does carry some level of risk with it, but I can't
> seem to add any DCs to my domain at the moment which is unfortunate as
> I had a hardware failure that I now can't recover from.
> 
> I note that this was last discussed on the list on 20 March 2018 at
> 03:14 (message ID
> <1113A703-649B-42D5-BDFC-2842767B31E5@xxxxxxxxxxxxxxxxxxxxxxxx>) but
> there was no conclusion to that thread other than a comment that
> 4.9.0pre1 seemed to resolve the issue. However, I am now using 4.9.2
> on one of my DCs and on the DC that is being newly joined, and I am
> still having the problem. (My two other DCs are still on 4.9.0)
> 
> For reference, this is the type of error I'm getting when joining my
> DC: ../lib/ldb/ldb_tdb/ldb_index.c:2352: duplicate attribute value in
> CN=somePC,OU=someOU,OU=Computers,OU=mysite,DC=mydomain,DC=org for
> index on servicePrincipalName, duplicate of objectGUID
> 00000000-1111-2222-3333-444444444444 in
> @INDEX:SERVICEPRINCIPALNAME:RESTRICTEDKRBHOST/SOMEPC
> 
> Cheers
> 
> Jonathan
> 

Try this to search for computers:

ldbsearch -k yes -P -H ldap://dc1 -b 'dc=samdom,dc=example,dc=com' \
    -s sub '(objectclass=computer)' servicePrincipalName > /tmp/computer.ldif

Replace 'dc1' with your DC short hostname and
'dc=samdom,dc=example,dc=com' with your LDAP info.

This actually raises an interesting question: when I run it, it lists
all my computers, but the only ones that have a
'RestrictedKrbHost/PC_NAME' SPN are Windows PCs; not one of my Unix
computers has such a line.

Rowland
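
Added example (not part of the message above and not Samba code): a Python script that parses the LDIF written by the ldbsearch command and reports servicePrincipalName values that occur more than once, with the DNs that carry them. It compares values case-insensitively on the assumption, taken from the upper-cased @INDEX key in the quoted error, that the index ignores case; the sample LDIF and the function names are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample in the shape ldbsearch writes (not real directory data).
SAMPLE = """# record 1
dn: CN=PC1,CN=Computers,DC=samdom,DC=example,DC=com
servicePrincipalName: RestrictedKrbHost/PC1

dn: CN=PC1-OLD,OU=Retired,DC=samdom,DC=example,DC=com
servicePrincipalName: RESTRICTEDKRBHOST/pc1

dn: CN=PC2,CN=Computers,DC=samdom,DC=example,DC=com
servicePrincipalName: RestrictedKrbHost/PC2.samdom.exam
 ple.com

# returned 3 records
"""

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) for each LDIF record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    rec = defaultdict(list)
    for line in lines + [""]:               # trailing "" flushes the last record
        if not line.strip():
            if "dn" in rec:
                yield rec["dn"][0], dict(rec)
            rec = defaultdict(list)
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>" form
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            rec[name.lower()].append(value.strip())

def find_duplicate_spns(text):
    """Return {UPPERCASED_SPN: sorted DNs} for SPN values that occur more than once."""
    owners = defaultdict(list)
    for dn, attrs in parse_ldif(text):
        for spn in attrs.get("serviceprincipalname", []):
            owners[spn.upper()].append(dn)  # assumption: index keys ignore case
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(SAMPLE).items():
        print(spn, *dns, sep="\n    ")
```

To check a real dump, pass the contents of /tmp/computer.ldif to find_duplicate_spns in place of SAMPLE.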
