
Re: [Samba] dbtool --cross-ncs and undeletable errors..





Hi all, Hi Rowland,

No such luck. I temporarily set the tombstonelifetime to just 1 day (I'll set it back to 180 days later) but the records still show up:

[root@dc00 ~]#  samba-tool dbcheck --cross-ncs --fix --yes
Checking 3572 objects
ERROR: no target object found for GUID component for link fromServer in object CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn - <GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS Settings\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn
ERROR: target DN is deleted for fromServer in object CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn - <GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS Settings\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn
Target GUID points at deleted DN '<GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS Settings\\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn'
Remove DN link? [YES]
ERROR: Failed to remove deleted DN attribute fromServer : (65, "objectclass_attrs: at least one mandatory attribute ('fromServer') on entry 'CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn' wasn't specified!")

Any ideas?

Vincent

On Tue, 22 Jan 2019, Rowland Penny via samba wrote:

On Tue, 22 Jan 2019 15:19:10 -0500 (EST)
"Vincent S. Cojot via samba" <samba@xxxxxxxxxxxxxxx> wrote:

On Tue, 22 Jan 2019, Rowland Penny via samba wrote:

> On Tue, 22 Jan 2019 14:20:21 -0500 (EST)
> "Vincent S. Cojot via samba" <samba@xxxxxxxxxxxxxxx> wrote:
>
>> Hi All,
>>
>> On my two-DC setup (dc00 and dc01 - Used to be a 4-DC setup but 02
>> and 03 are gone), I've noticed the following errors which I am
>> unable to fix.. Any hints?
>>
>> * Basic dbcheck is clean.
>>
>> [root@dc00 ~]# samba-tool dbcheck
>> Checking 327 objects
>> Checked 327 objects (0 errors)
>>
>> * Cross-NCS shows two errors related to a decommissioned DC (dc02)
>> and cannot auto-fix this.. How do I fix those errors?
>>
>> [root@dc00 ~]# samba-tool dbcheck --cross-ncs --fix --yes
>> Checking 3574 objects
>> ERROR: no target object found for GUID component for link fromServer in object CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn - <GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS Settings\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn
>> ERROR: target DN is deleted for fromServer in object CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn - <GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS Settings\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn
>> Target GUID points at deleted DN '<GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS Settings\\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn'
>> Remove DN link? [YES]
>> ERROR: Failed to remove deleted DN attribute fromServer : (65, "objectclass_attrs: at least one mandatory attribute ('fromServer') on entry 'CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn' wasn't specified!")
>>
>> Thanks for any hints/pointers.
>>
>> Vincent
>
> This isn't an error, if you look very carefully at the 'link' you
> will see 'DEL'. This means the record is a 'DELETED' record, you
> cannot delete a 'DELETED' record ;-)
>
> If you wait for 180 days minus the number of days since you
> decommissioned the DC, the record will just go away.
>
> Rowland

Hi Rowland,
Thank you for your quick reply. Is there a way to force an expire on
those things so I can get past those errors and only consider new
errors as 'new'? It's been about 4-5 months since I removed those DCs
but an ldbsearch shows more objects in need of purge (Computers that
were removed, users too).
If I wanted to clean this manually, I guess I could do the following
(but I'm sure I'd -want- to do that):

export LDB_MODULES_PATH=/usr/lib64/samba/ldb
ldbedit -e nano -H /var/lib/samba/private/sam.ldb --cross-ncs  \
--show-deleted --show-deactivated-link --extended-dn
(and then light a few candles, I guess)..

Is there a way to do that safely using RSAT?

Thanks,

Vincent


These are 'Tombstone' records and can be ignored, they will go away of
their own accord, but if you want them to go away sooner, you are going
to have to change something in AD.

Run this as root on a DC:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb -s base -b \
"CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com"

Alter it to match your ldap domain.

Amongst the output, there will be a line like this:

tombstoneLifetime: 180

Change the '180' to whatever number of days you want.
Close and save with 'Ctrl-x'

Now wait the number of days you set.

Once your deleted records have gone away, I would repeat the process
and reset the attribute back to 180

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
