Re: [Samba] dbtool --cross-ncs and undeletable errors..




On Tue, 22 Jan 2019 15:19:10 -0500 (EST)
"Vincent S. Cojot via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> On Tue, 22 Jan 2019, Rowland Penny via samba wrote:
> 
> > On Tue, 22 Jan 2019 14:20:21 -0500 (EST)
> > "Vincent S. Cojot via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> >
> >> 
> >> Hi All,
> >> 
> >> On my two-DC setup (dc00 and dc01 - used to be a 4-DC setup but 02
> >> and 03 are gone), I've noticed the following errors which I am
> >> unable to fix.. Any hints?
> >> 
> >> * Basic dbcheck is clean.
> >> 
> >> [root@dc00 ~]# samba-tool dbcheck
> >> Checking 327 objects
> >> Checked 327 objects (0 errors)
> >> 
> >> * Cross-NCS shows two errors related to a decommissioned DC (dc02)
> >> and cannot auto-fix this.. How do I fix those errors?
> >> 
> >> [root@dc00 ~]# samba-tool dbcheck --cross-ncs --fix --yes
> >> Checking 3574 objects
> >> ERROR: no target object found for GUID component for link
> >> fromServer in object 
> >> CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn 
> >> - <GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS 
> >> Settings\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn
> >> ERROR: target DN is deleted for fromServer in object 
> >> CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn 
> >> - <GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS 
> >> Settings\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn
> >> Target GUID points at deleted DN 
> >> '<GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS 
> >> Settings\\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn'
> >> Remove DN link? [YES]
> >> ERROR: Failed to remove deleted DN attribute fromServer : (65, 
> >> "objectclass_attrs: at least one mandatory attribute ('fromServer')
> >> on entry 
> >> 'CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn' 
> >> wasn't specified!")
> >> 
> >> 
> >> Thanks for any hints/pointers.
> >> 
> >> Vincent
> >> 
> >
> > This isn't an error, if you look very carefully at the 'link' you
> > will see 'DEL'. This means the record is a 'DELETED' record, you
> > cannot delete a 'DELETED' record ;-)
> >
> > If you wait for 180 days minus the number of days since you
> > decommissioned the DC, the record will just go away.
> >
> > Rowland
> 
> Hi Rowland,
> Thank you for your quick reply. Is there a way to force an expire on
> those things so I can get past those errors and only consider new
> errors as 'new'? It's been about 4-5 months since I removed those DCs
> but an ldbsearch shows more objects in need of purge (Computers that
> were removed, users too).
> If I wanted to clean this manually, I guess I could do the following
> (but I'm sure I'd -want- to do that):
> 
> export LDB_MODULES_PATH=/usr/lib64/samba/ldb
> ldbedit -e nano -H /var/lib/samba/private/sam.ldb --cross-ncs  \
> --show-deleted --show-deactivated-link --extended-dn
> (and then light a few candles, I guess)..
> 
> Is there a way to do that safely using RSAT?
> 
> Thanks,
> 
> Vincent
> 

These are 'Tombstone' records and can be ignored, they will go away of
their own accord, but if you want them to go away sooner, you are going
to have to change something in AD.

Run this as root on a DC:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb -s base -b
"CN=Directory Service,CN=Windows
NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com"

Alter it to match your ldap domain.

Amongst the output, there will be a line like this:

tombstoneLifetime: 180

Change the '180' to whatever number of days you want.
Close and save with 'Ctl-x'

Now wait the number of days you set.

Once your deleted records have gone away, I would repeat the process
and reset the attribute back to 180

Rowland
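The procedure above is interactive (ldbedit in an editor). The script below is an added example, not code from this thread or from the Samba project, that does the same tombstoneLifetime change non-interactively: it generates a reviewable LDIF `replace` and pipes it into ldbmodify, validates the value first so a typo never reaches the database, and can read the attribute back for a before/after check. The database path, the MIN_DAYS floor and the domain DN passed on the command line are assumptions of the example, not values from the thread. Two practitioner caveats: a tombstone is how other DCs learn about a deletion, so the lifetime must stay longer than any period a DC might be offline or unreachable, otherwise a DC that comes back late can re-introduce deleted objects (lingering objects); and if the lifetime is lowered, tombstones whose deletion date is already older than the new value become eligible at the next garbage-collection pass, so the reset back to 180 that Rowland mentions should not be forgotten. Recent samba-tool versions also carry `samba-tool domain tombstones expunge`, which expunges against a lifetime given on the command line without touching the attribute in AD; the `expunge` sub-command below wraps it, and `samba-tool domain tombstones expunge --help` on your version confirms the options.

```shell
#!/bin/sh
# Added example (not from the Samba list thread or the Samba project): drive
# the tombstoneLifetime change with ldbmodify + LDIF instead of interactive
# ldbedit, with a value check in front of it.
# Assumptions: SAM_DB path, MIN_DAYS floor and the domain base DN the caller
# passes are placeholders for this example, not values from the thread.

SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"
MIN_DAYS=2      # assumed safety floor; Windows documents 2 days as its minimum

# DN of the object carrying tombstoneLifetime, built from the domain base DN.
ds_dn() {
    printf 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,%s' "$1"
}

# Accept only a non-negative integer no smaller than MIN_DAYS.
check_days() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$MIN_DAYS" ]
}

# Emit the LDIF that replaces tombstoneLifetime; refuses a bad value so
# nothing reaches ldbmodify.
tombstone_ldif() {
    base_dn=$1
    days=$2
    check_days "$days" || {
        echo "refusing tombstoneLifetime=$days (min $MIN_DAYS days)" >&2
        return 1
    }
    printf 'dn: %s\nchangetype: modify\nreplace: tombstoneLifetime\ntombstoneLifetime: %s\n-\n' \
        "$(ds_dn "$base_dn")" "$days"
}

# Read the current value back (use before and after the change).
show_days() {
    ldbsearch -H "$SAM_DB" -s base -b "$(ds_dn "$1")" '(objectClass=*)' tombstoneLifetime
}

# Generate the LDIF and apply it (run as root on a DC).
set_days() {
    tombstone_ldif "$1" "$2" | ldbmodify -H "$SAM_DB"
}

# Alternative that leaves the attribute alone: expunge tombstones older than
# N days right now, on samba-tool versions that have this sub-command.
expunge_now() {
    check_days "$1" || return 1
    samba-tool domain tombstones expunge -H "$SAM_DB" --tombstone-lifetime="$1"
}

case "${1:-}" in
    show)    show_days "$2" ;;           # show DC=samdom,DC=example,DC=com
    set)     set_days "$2" "$3" ;;       # set  DC=samdom,DC=example,DC=com 30
    expunge) expunge_now "$2" ;;         # expunge 30
esac
```

Run `show` first, keep the printed value, `set` a shorter lifetime, and once the tombstones are gone `set` it back to the value you recorded (180 in a default install). ldbmodify and ldbsearch take the same `-H` database URL as the ldbedit command in the message above.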

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba