I did some research about the AD recycle-bin feature in Samba, and found out that objects are recycled much too fast if there is more than one DC in a domain. The domain level is 2008r2 and I have enabled the optional feature:

# source4/scripting/bin/enablerecyclebin /usr/local/samba/private/sam.ldb

After I've deleted a user, the object is moved into the Deleted Objects container with all its attributes, which is correct:

# ldbsearch -H ldap://localhost -U administrator --show-deleted --show-recycled cn=demo7\\0ADEL:*
Password for [SAMDOM\administrator]:
# record 1
dn: CN=demo7\0ADEL:7380e071-29db-45f2-bd46-81f89ad9ffa0,CN=Deleted Objects,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sn: demo
givenName: demo7
instanceType: 4
whenCreated: 20140125200751.0Z
displayName: demo7 demo
uSNCreated: 4083
objectGUID: 7380e071-29db-45f2-bd46-81f89ad9ffa0
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-3134998938-619743855-3616620706-1126
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: demo7
userPrincipalName: demo7@samdom.example.com
pwdLastSet: 130351540710000000
userAccountControl: 512
wWWHomePage: meine Webseite
isDeleted: TRUE
lastKnownParent: CN=Users,DC=samdom,DC=example,DC=com
msDS-LastKnownRDN: demo7
cn:: ZGVtbzcKREVMOjczODBlMDcxLTI5ZGItNDVmMi1iZDQ2LTgxZjg5YWQ5ZmZhMA==
name:: ZGVtbzcKREVMOjczODBlMDcxLTI5ZGItNDVmMi1iZDQ2LTgxZjg5YWQ5ZmZhMA==
whenChanged: 20140125200824.0Z
uSNChanged: 4089
distinguishedName: CN=demo7\0ADEL:7380e071-29db-45f2-bd46-81f89ad9ffa0,CN=Dele
 ted Objects,DC=samdom,DC=example,DC=com

But up to 10 minutes later, the same ldbsearch command returns far fewer attributes:

# ldbsearch -H ldap://localhost -U administrator --show-deleted --show-recycled cn=demo7\\0ADEL:*
Password for [SAMDOM\administrator]:
# record 1
dn: CN=demo7\0ADEL:7380e071-29db-45f2-bd46-81f89ad9ffa0,CN=Deleted Objects,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
instanceType: 4
whenCreated: 20140125200751.0Z
uSNCreated: 4083
objectGUID: 7380e071-29db-45f2-bd46-81f89ad9ffa0
objectSid: S-1-5-21-3134998938-619743855-3616620706-1126
sAMAccountName: demo7
userAccountControl: 512
isDeleted: TRUE
lastKnownParent: CN=Users,DC=samdom,DC=example,DC=com
msDS-LastKnownRDN: demo7
cn:: ZGVtbzcKREVMOjczODBlMDcxLTI5ZGItNDVmMi1iZDQ2LTgxZjg5YWQ5ZmZhMA==
name:: ZGVtbzcKREVMOjczODBlMDcxLTI5ZGItNDVmMi1iZDQ2LTgxZjg5YWQ5ZmZhMA==
whenChanged: 20140125200827.0Z
uSNChanged: 4090
isRecycled: TRUE
distinguishedName: CN=demo7\0ADEL:7380e071-29db-45f2-bd46-81f89ad9ffa0,CN=Dele
 ted Objects,DC=samdom,DC=example,DC=com

So in this short time the object got recycled (isRecycled: TRUE), and with that all additional attributes were removed. Before objects get recycled, the msDS-deletedObjectLifetime should be adhered to. According to the MS documentation http://technet.microsoft.com/en-us/library/dd392260%28v=ws.10%29.aspx msDS-deletedObjectLifetime is NULL by default, which means that it is the same as the tombstoneLifetime value (180 days).

The too-fast recycling problem seems to happen only if there are multiple DCs. In my test environment I have two DCs. If I demote one, the deleted objects aren't recycled any more. If that could be fixed, it would be great, as the AD recycle bin is a really great feature for admins.
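As an added example (not code from the report or from Samba), a small Python check over ldbsearch output like the listing above: it parses the LDIF (unfolding continuation lines and decoding the base64 cn:: value) and flags objects marked isRecycled: TRUE although they cannot yet have been tombstones for the deleted-object lifetime. The 180-day default and the embedded sample record are assumptions taken from this report.

```python
import base64
from datetime import datetime, timedelta

# NULL msDS-deletedObjectLifetime means tombstoneLifetime applies: 180 days by default.
DEFAULT_LIFETIME_DAYS = 180

# Constructed sample: the recycled demo7 object from the report as ldbsearch prints it,
# cut down to the attributes the check needs (folded DN and base64 cn kept on purpose).
SAMPLE_LDIF = r"""# record 1
whenCreated: 20140125200751.0Z
objectGUID: 7380e071-29db-45f2-bd46-81f89ad9ffa0
cn:: ZGVtbzcKREVMOjczODBlMDcxLTI5ZGItNDVmMi1iZDQ2LTgxZjg5YWQ5ZmZhMA==
whenChanged: 20140125200827.0Z
isRecycled: TRUE
distinguishedName: CN=demo7\0ADEL:7380e071-29db-45f2-bd46-81f89ad9ffa0,CN=Dele
 ted Objects,DC=samdom,DC=example,DC=com

# returned 1 records
"""

def parse_ldif(text):
    """ldbsearch LDIF -> list of {attr: [values]}; unfolds lines, decodes base64, skips '#'."""
    records = []
    for chunk in text.replace("\n ", "").split("\n\n"):   # unfold, then split records
        record = {}
        for line in chunk.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, sep, value = line.partition(":: " if ":: " in line else ": ")
            if sep == ":: ":                                # base64-encoded value
                value = base64.b64decode(value).decode("utf-8")
            record.setdefault(attr, []).append(value)
        if record:
            records.append(record)
    return records

def generalized_time(value):
    return datetime.strptime(value, "%Y%m%d%H%M%S.%fZ")   # e.g. 20140125200827.0Z

def prematurely_recycled(record, lifetime_days=DEFAULT_LIFETIME_DAYS):
    """The deletion time is not stored, but it is no earlier than whenCreated, so
    isRecycled: TRUE with whenChanged - whenCreated < lifetime proves it came too early."""
    if record.get("isRecycled", ["FALSE"])[0] != "TRUE":
        return False
    created = generalized_time(record["whenCreated"][0])
    changed = generalized_time(record["whenChanged"][0])
    return changed - created < timedelta(days=lifetime_days)

def find_premature(text, lifetime_days=DEFAULT_LIFETIME_DAYS):
    """objectGUIDs of recycled objects in the LDIF output that cannot have aged out."""
    return [r["objectGUID"][0] for r in parse_ldif(text) if prematurely_recycled(r, lifetime_days)]
```

A gap longer than the lifetime is inconclusive rather than a pass, since the object may have been deleted long after it was created.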
It really seems to have something to do with replication if you have multiple DCs. If I shut down Samba on one of my two DCs and delete a user, the attributes stay and the object is only deleted, not recycled. I've waited now for 15 minutes. Then I started Samba on the second DC again, and a short moment later the object was recycled.
The problem still exists in 4.5 RC2! If you have shut down all DCs except one, the deleted object stays in CN=Deleted Objects,DC=samdom,DC=example,DC=com. If at least two DCs are online, the object is gone directly after you delete it. I think this should be fixed if we say in the 4.5 release notes: "Samba now supports tombstone reanimation".
Does this only happen for objects that are themselves more than 180 days old, before deletion?
(In reply to Andrew Bartlett from comment #3)
> Does this only happen for objects that are themselves more than 180 days old,
> before deletion?

No. This happens for new objects as well:

[root@DC1 samba-4.5.0rc2]# samba-tool user create demoUser01 Passw0rd
User 'demoUser01' created successfully
[root@DC1 samba-4.5.0rc2]# samba-tool user delete demoUser01
Deleted user demoUser01

# ldbsearch -H ldap://localhost -U administrator --show-deleted cn=demoUser01\\0ADEL:*
Password for [SAMDOM\administrator]:
# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com

# returned 3 records
# 0 entries
# 3 referrals

If both DCs are online, sometimes, if I run the ldbsearch directly after the deletion, I can see the deleted object in CN=Deleted Objects,DC=samdom,DC=example,DC=com. However, it stays there only 1-2 seconds before it is gone.
The recycling bin has some real issues, as we've been finding out (such as a lack of any tests). The big issue with this, of course, is that once the recycling bin is turned on, Windows states that it can't be turned off (it can in Samba, but will probably break something), and there is no easy fix for anybody who turned it on. It will take some time to sort this out and we can't guarantee that it'll be done any time soon.

We've found a possible cause of this. When the recycling bin feature is enabled, it is only set as enabled on the local DC. The Active Directory docs state that it should be set as enabled on the Domain Naming Master. Other DCs then somehow get this information from it. This is simply unimplemented in Samba. As a result, the other DC doesn't think the recycling bin is enabled, causing some problems.