Domain join issues - 4.9.0

Thanks Rowland.

On Tue, 20 Nov 2018 at 13:56, Rowland Penny via samba wrote:
> Jonathan Hunter via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > Does anyone have experience of using ldbedit or similar, to remove the
> > duplicates below? (Is that even the right way for me to go?) Can I
> > perhaps query something using ldbsearch, to find the duplicates,
> > before using ldbedit?

Interestingly, I decided to play it safe and create a backup first of
all, using the new samba 4.9.2 backup commands. But (probably as
expected), the online backup reported the exact same errors as a
domain join - i.e. "../lib/ldb/ldb_tdb/ldb_index.c:2352: duplicate
attribute value in XXX".. I am therefore not certain if this backup
would actually be useful for a restore, but it seems that 4.9.2 does
not yet contain support for an offline backup (it just has

> Try this to search for computers:
> ldbsearch -k yes -P -H ldap://dc1 -b 'dc=samdom,dc=example,dc=com' -s sub '(objectclass=computer)' servicePrincipalName > /tmp/computer.ldif

I ended up using the following variant instead (since I am logged in
with a local user and have no Kerberos tickets):
user@dc2:~ $ sudo ldbsearch -H /usr/local/samba/private/sam.ldb '(&(cn=laptop1)(objectclass=computer))' servicePrincipalName | less
(where laptop1 is the computer object that had led to the errors about
duplicate values)

The output of this is as follows:
# record 1
dn: CN=laptop1,OU=Laptops,OU=Computers,OU=MyOwnOU,DC=mydomain,DC=org
servicePrincipalName: HOST/LAPTOP1.mydomain.org
servicePrincipalName: RestrictedKrbHost/LAPTOP1.mydomain.org
servicePrincipalName: HOST/LAPTOP1
servicePrincipalName: RestrictedKrbHost/LAPTOP1
servicePrincipalName: TERMSRV/LAPTOP1.mydomain.org
servicePrincipalName: TERMSRV/LAPTOP1
servicePrincipalName: restrictedkrbhost/laptop1
servicePrincipalName: restrictedkrbhost/laptop1.mydomain.org
servicePrincipalName: termsrv/laptop1
servicePrincipalName: termsrv/laptop1.mydomain.org

Which leads me to think that I should be able to use ldbedit to remove
the duplicate entries.. I think... ? Something like this might work..
I just need to work out which entries I can safely delete..
(UPPERCASE? CamelCase? lowercase? etc.) I think if I leave one of
each, ignoring case, then things should mostly be OK.

I think that the following command should work:
user@dc2:~ $ sudo ldbedit -H /usr/local/samba/private/sam.ldb

Luckily for me, one of the affected computers (this laptop1 example)
is not actually in existence any longer, so I can use that as my first
test edit before moving onto some of the other duplicate entries which
are still in use..



"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
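As an added example (not part of this thread and not Samba's own tooling), the script below does offline what the post is working out by hand: it parses the LDIF that `ldbsearch ... servicePrincipalName` prints, groups servicePrincipalName values that differ only in letter case (the collision ldb's index reports as a "duplicate attribute value"), keeps the first occurrence of each group and lists the rest as redundant. The embedded sample is the laptop1 record quoted above. The parser only handles the LDIF subset ldbsearch emits, and the generated `changetype: modify` record is an assumed workflow for review before applying it with ldbmodify rather than editing interactively with ldbedit.

```python
"""Find servicePrincipalName values that collide case-insensitively.

Added example; not code from the mailing-list thread or from Samba.
"""
import re

# Sample input: the ldbsearch output quoted in the post (laptop1 record).
SAMPLE_LDIF = """\
# record 1
dn: CN=laptop1,OU=Laptops,OU=Computers,OU=MyOwnOU,DC=mydomain,DC=org
servicePrincipalName: HOST/LAPTOP1.mydomain.org
servicePrincipalName: RestrictedKrbHost/LAPTOP1.mydomain.org
servicePrincipalName: HOST/LAPTOP1
servicePrincipalName: RestrictedKrbHost/LAPTOP1
servicePrincipalName: TERMSRV/LAPTOP1.mydomain.org
servicePrincipalName: TERMSRV/LAPTOP1
servicePrincipalName: restrictedkrbhost/laptop1
servicePrincipalName: restrictedkrbhost/laptop1.mydomain.org
servicePrincipalName: termsrv/laptop1
servicePrincipalName: termsrv/laptop1.mydomain.org
"""


def parse_ldif(text):
    """Return a list of (dn, attrs); attrs maps attribute name -> list of values.

    Covers the subset ldbsearch prints: '#' comments, blank-line record
    separators, 'name: value' lines, and RFC 2849 continuation lines
    (a leading space), which are folded back onto the previous line.
    """
    text = re.sub(r"\n ", "", text)  # unfold continuation lines
    records, dn, attrs = [], None, {}
    for line in text.splitlines():
        if not line.strip():
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is not None:
        records.append((dn, attrs))
    return records


def find_case_duplicates(values):
    """Group values equal ignoring case: {kept: [redundant, ...]}.

    The first occurrence of each group is kept; in the sample that is the
    conventionally cased entry the Windows client wrote.
    """
    groups = {}
    for v in values:
        groups.setdefault(v.lower(), []).append(v)
    return {g[0]: g[1:] for g in groups.values() if len(g) > 1}


def report(ldif_text, attr="servicePrincipalName"):
    """Map each DN that has case-colliding values of `attr` to its groups."""
    result = {}
    for dn, attrs in parse_ldif(ldif_text):
        dups = find_case_duplicates(attrs.get(attr, []))
        if dups:
            result[dn] = dups
    return result


def ldif_delete_changes(ldif_text, attr="servicePrincipalName"):
    """Render the redundant values as LDIF modify/delete records.

    Assumed workflow: review this output, then feed it to ldbmodify.
    """
    out = []
    for dn, dups in report(ldif_text, attr).items():
        out += [f"dn: {dn}", "changetype: modify", f"delete: {attr}"]
        for redundant in dups.values():
            out += [f"{attr}: {v}" for v in redundant]
        out += ["-", ""]
    return "\n".join(out)


if __name__ == "__main__":
    for dn, dups in report(SAMPLE_LDIF).items():
        print(dn)
        for keep, redundant in dups.items():
            print(f"  keep {keep!r}; redundant: {redundant}")
    print(ldif_delete_changes(SAMPLE_LDIF))
```

Run it against a real `ldbsearch -H /usr/local/samba/private/sam.ldb '(objectclass=computer)' servicePrincipalName` dump (saved to a file and passed to `report`) to list every computer object with case-only SPN duplicates before touching anything with ldbedit; for the sample record it reports the four lowercase entries as redundant and leaves the HOST/ values, which have no case-variant twin, alone.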

