Bug 12297 - samba-tool dbcheck --fix does not fix problem with Deleted Accounts
Summary: samba-tool dbcheck --fix does not fix problem with Deleted Accounts
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.5.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: 12382 12385 12453
Blocks:
  Show dependency treegraph
 
Reported: 2016-09-29 14:27 UTC by Alisson
Modified: 2019-07-31 07:52 UTC (History)
4 users (show)

See Also:


Attachments
More helpful message (1.24 KB, patch)
2016-10-14 03:59 UTC, Garming Sam
no flags Details
Proposed WIP patch for master (1018 bytes, patch)
2016-10-18 19:11 UTC, Andrew Bartlett
abartlet: review-
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Alisson 2016-09-29 14:27:38 UTC
After upgrade samba 4.4.4 to 4.5, the dbcheck have been fixed almost all problems. The problem is when a user does not exists anymore. So on, if the user is deleted before upgrade, the dbcheck does not fix correctly the GUID.

The related command is:
[root@dc01 ~]# samba-tool dbcheck --fix
Checking 541 objects
ERROR: incorrect GUID component for member in object CN=fs_suporte,CN=Groups,DC=example,DC=com - <GUID=e2995b216e22994eb2ea9d0afb44399b>;<RMD_ADDTIME=130812597670000000>;<RMD_CHANGETIME=130812957120000000>;<RMD_FLAGS=1>;<RMD_INVOCID=e85471bb5ef02842a8f49fa380702a12>;<RMD_LOCAL_USN=4832>;<RMD_ORIGINATING_USN=4832>;<RMD_VERSION=1>;<SID=010500000000000515000000ba8d78dd5e73d766f6c109757c040000>;CN=Zabbix . Monitoração,CN=Users,DC=example,DC=com
unable to find object for DN CN=XXX,CN=Users,DC=example,DC=com - (No such Base DN: CN=XXX,CN=Users,DC=example,DC=com)
Not removing dangling forward link
ERROR: incorrect GUID component for member in object CN=SuporteN3,CN=Groups,DC=example,DC=com - <GUID=88b09fb6e1216248b4d51f16412ed9ec>;<RMD_ADDTIME=130548272320000000>;<RMD_CHANGETIME=130812956960000000>;<RMD_FLAGS=1>;<RMD_INVOCID=e85471bb5ef02842a8f49fa380702a12>;<RMD_LOCAL_USN=4831>;<RMD_ORIGINATING_USN=4831>;<RMD_VERSION=1>;<SID=010500000000000515000000ba8d78dd5e73d766f6c1097581040000>;CN=Igor . Cervo,CN=Users,DC=example,DC=com
unable to find object for DN CN=YYY,CN=Users,DC=example,DC=com - (No such Base DN: CN=YYY,CN=Users,DC=example,DC=com)
Not removing dangling forward link
ERROR: incorrect GUID component for member in object CN=SuporteN3,CN=Groups,DC=example,DC=com - <GUID=7f5a28ee742e2e48979113459862a552>;<RMD_ADDTIME=130548272320000000>;<RMD_CHANGETIME=130812956960000000>;<RMD_FLAGS=1>;<RMD_INVOCID=e85471bb5ef02842a8f49fa380702a12>;<RMD_LOCAL_USN=4831>;<RMD_ORIGINATING_USN=4831>;<RMD_VERSION=1>;<SID=010500000000000515000000ba8d78dd5e73d766f6c1097580040000>;CN=Marciano . Walter da Silva,CN=Users,DC=example,DC=com
unable to find object for DN CN=ZZZ,CN=Users,DC=example,DC=com - (No such Base DN: CN=ZZZ,CN=Users,DC=example,DC=com)
Not removing dangling forward link
Checked 541 objects (3 errors)
Comment 1 Alisson 2016-09-29 14:29:00 UTC
After upgrade samba 4.4.4 to 4.5, the dbcheck have been fixed almost all problems. The problem is when a user does not exists anymore. So on, if the user is deleted before upgrade, the dbcheck does not fix correctly the GUID.

The related command is:
[root@dc01 ~]# samba-tool dbcheck --fix
Checking 541 objects
ERROR: incorrect GUID component for member in object CN=fs_suporte,CN=Groups,DC=example,DC=com - <GUID=e2995b216e22994eb2ea9d0afb44399b>;<RMD_ADDTIME=130812597670000000>;<RMD_CHANGETIME=130812957120000000>;<RMD_FLAGS=1>;<RMD_INVOCID=e85471bb5ef02842a8f49fa380702a12>;<RMD_LOCAL_USN=4832>;<RMD_ORIGINATING_USN=4832>;<RMD_VERSION=1>;<SID=010500000000000515000000ba8d78dd5e73d766f6c109757c040000>;CN=ZXXX,CN=Users,DC=example,DC=com
unable to find object for DN CN=XXX,CN=Users,DC=example,DC=com - (No such Base DN: CN=XXX,CN=Users,DC=example,DC=com)
Not removing dangling forward link
ERROR: incorrect GUID component for member in object CN=SuporteN3,CN=Groups,DC=example,DC=com - <GUID=88b09fb6e1216248b4d51f16412ed9ec>;<RMD_ADDTIME=130548272320000000>;<RMD_CHANGETIME=130812956960000000>;<RMD_FLAGS=1>;<RMD_INVOCID=e85471bb5ef02842a8f49fa380702a12>;<RMD_LOCAL_USN=4831>;<RMD_ORIGINATING_USN=4831>;<RMD_VERSION=1>;<SID=010500000000000515000000ba8d78dd5e73d766f6c1097581040000>;CN=YYY,CN=Users,DC=example,DC=com
unable to find object for DN CN=YYY,CN=Users,DC=example,DC=com - (No such Base DN: CN=YYY,CN=Users,DC=example,DC=com)
Not removing dangling forward link
ERROR: incorrect GUID component for member in object CN=SuporteN3,CN=Groups,DC=example,DC=com - <GUID=7f5a28ee742e2e48979113459862a552>;<RMD_ADDTIME=130548272320000000>;<RMD_CHANGETIME=130812956960000000>;<RMD_FLAGS=1>;<RMD_INVOCID=e85471bb5ef02842a8f49fa380702a12>;<RMD_LOCAL_USN=4831>;<RMD_ORIGINATING_USN=4831>;<RMD_VERSION=1>;<SID=010500000000000515000000ba8d78dd5e73d766f6c1097580040000>;CN=ZZZ,CN=Users,DC=example,DC=com
unable to find object for DN CN=ZZZ,CN=Users,DC=example,DC=com - (No such Base DN: CN=ZZZ,CN=Users,DC=example,DC=com)
Not removing dangling forward link
Checked 541 objects (3 errors)
Comment 2 (mail address dead) 2016-10-06 09:49:11 UTC
We have the same problem after upgrade to samba 4.5.

# samba-tool --version
4.5.0-SerNet-Ubuntu-4.trusty

Do you have any idea how to fix this manually while waiting for an upgrade? Our monitoring would love to have the list of errors empty ;)
Comment 3 Garming Sam 2016-10-14 03:59:11 UTC
Created attachment 12574 [details]
More helpful message
Comment 4 Garming Sam 2016-10-14 04:01:34 UTC
(In reply to tim.dittler from comment #2)
If you have a clone of the master repository of Samba, you can build it in the source directory and run bin/samba-tool domain tombstones expunge. Then the dbcheck should no longer issue any further complaints.

We're hoping to backport this soon. But before all that, can you please patch dbcheck and run it to confirm you see a new error message ('Try running "samba-tool domain tombstones expunge"')?
Comment 5 Alisson 2016-10-18 11:37:39 UTC
Besides the compilling, there is 3 errors yet...

Output of execution:
[root@dc01 samba-dev]# bin/samba-tool domain tombstones expunge
Deleting deleted linked attribute member to 0392e811-5c24-4565-82b0-6a13efe47dba, because vanish_links control is set
Deleting deleted linked attribute member to 0dd89e04-214c-4408-ba64-7024adc8a302, because vanish_links control is set
Deleting deleted linked attribute member to 3e5b1629-c73b-45ff-ab0b-fee81c12b11a, because vanish_links control is set
Deleting deleted linked attribute member to a00c6f5c-74d5-4452-b1c6-3f455c67f6eb, because vanish_links control is set
Deleting deleted linked attribute member to 2689ddae-050f-4cd6-8e03-2d0c809c4ae8, because vanish_links control is set
Deleting deleted linked attribute member to 533de2d0-2b4a-4e94-9087-9f5cd7399715, because vanish_links control is set
Deleting deleted linked attribute member to 2543aa4e-1bf9-4ca3-bdec-97eafcc84eaf, because vanish_links control is set
Deleting deleted linked attribute member to 0fbf6dcb-4221-4f36-90dd-2652ee5a5079, because vanish_links control is set
Deleting deleted linked attribute member to 136e6db2-b0d3-4860-ade3-683f5ce70c5f, because vanish_links control is set
Deleting deleted linked attribute member to 1a5f743c-592b-46d1-85f5-27fddf08afa9, because vanish_links control is set
Deleting deleted linked attribute member to 6356beac-ed43-4cba-bda6-6ff28ea79ef9, because vanish_links control is set
Deleting deleted linked attribute member to 638b50cb-c623-4074-9107-9ad9cf825338, because vanish_links control is set
Deleting deleted linked attribute member to 6c7c1b67-51e1-4e95-9b81-f0cfe1dded34, because vanish_links control is set
Deleting deleted linked attribute member to 7504ea32-554c-476f-a35a-f1793aa4ec0f, because vanish_links control is set
Deleting deleted linked attribute member to 7ec5d7ee-09a2-49f1-95fb-f05ef34e29a7, because vanish_links control is set
Deleting deleted linked attribute member to bc238a26-9404-46eb-ba2a-8fcf5b1e63ca, because vanish_links control is set
Deleting deleted linked attribute member to c7b7566d-78a6-46fa-bb5d-69c7ce551ec0, because vanish_links control is set
Deleting deleted linked attribute member to cd39d1b0-5184-4335-a42c-d8cb34adb4ec, because vanish_links control is set
Deleting deleted linked attribute member to da057ed9-c782-4fdf-b110-27b4a8dbc9db, because vanish_links control is set
Deleting deleted linked attribute member to dc06d2d6-07ca-416e-a624-56e88d2bd5f3, because vanish_links control is set
Deleting deleted linked attribute member to f1c3333f-b436-4466-94ed-4854f45812a4, because vanish_links control is set
Deleting deleted linked attribute member to 44a44af2-1691-4909-a39b-48fdbd62d106, because vanish_links control is set
Deleting deleted linked attribute member to 2689ddae-050f-4cd6-8e03-2d0c809c4ae8, because vanish_links control is set
Deleting deleted linked attribute member to 533de2d0-2b4a-4e94-9087-9f5cd7399715, because vanish_links control is set
Deleting deleted linked attribute member to a00c6f5c-74d5-4452-b1c6-3f455c67f6eb, because vanish_links control is set
Deleting deleted linked attribute member to afc03fb0-90a9-4ecd-9cea-68c19c805030, because vanish_links control is set
Deleting deleted linked attribute member to 55a4dc69-3f26-4d4d-b414-cdd37dfd70e3, because vanish_links control is set
Deleting deleted linked attribute member to 08a253fc-6382-4eb6-9a21-ee95ee9808ee, because vanish_links control is set
Deleting deleted linked attribute member to a00c6f5c-74d5-4452-b1c6-3f455c67f6eb, because vanish_links control is set
Deleting deleted linked attribute member to 4dde05fd-046b-4c26-983d-00897f65554a, because vanish_links control is set
Deleting deleted linked attribute member to 3e5b1629-c73b-45ff-ab0b-fee81c12b11a, because vanish_links control is set
Deleting deleted linked attribute member to 4faaf0b7-5267-4123-ac0b-9f532edec439, because vanish_links control is set
Deleting deleted linked attribute member to 93d9529d-ae48-4f8e-a82d-77c1b4939fe3, because vanish_links control is set
Deleting deleted linked attribute member to a00c6f5c-74d5-4452-b1c6-3f455c67f6eb, because vanish_links control is set
Deleting deleted linked attribute member to eaf52eec-46c1-42d0-9e78-8c481f54f24f, because vanish_links control is set
Deleting deleted linked attribute member to f6401de6-70b1-417f-b3f4-98112a90e8f6, because vanish_links control is set
Deleting deleted linked attribute member to 533de2d0-2b4a-4e94-9087-9f5cd7399715, because vanish_links control is set
Deleting deleted linked attribute member to 2543aa4e-1bf9-4ca3-bdec-97eafcc84eaf, because vanish_links control is set
Deleting deleted linked attribute member to 93d9529d-ae48-4f8e-a82d-77c1b4939fe3, because vanish_links control is set
Deleting deleted linked attribute member to 47a3b397-ca40-4d23-9df4-9c5bae42b37f, because vanish_links control is set
Removed 0 objects and 40 links successfully




[root@dc01 samba-dev]# bin/samba-tool dbcheck --fix
Checking 565 objects
ERROR: incorrect GUID component for member in object CN=fs_suporte,CN=Groups,DC=example,DC=com - <GUID=e2995b216e22994eb2ea9d0afb44399b>;<RMD_ADDTIME=130812597670000000>;<RMD_CHANGETIME=130812957120000000>;<RMD_FLAGS=1>;<RMD_INVOCID=e85471bb5ef02842a8f49fa380702a12>;<RMD_LOCAL_USN=4832>;<RMD_ORIGINATING_USN=4832>;<RMD_VERSION=1>;<SID=010500000000000515000000ba8d78dd5e73d766f6c109757c040000>;CN=XXX,CN=Users,DC=example,DC=com
unable to find object for DN CN=XXX,CN=Users,DC=example,DC=com - (No such Base DN: CN=XXX,CN=Users,DC=example,DC=com)
Not removing dangling forward link
ERROR: incorrect GUID component for member in object CN=SuporteN3,CN=Groups,DC=example,DC=com - <GUID=88b09fb6e1216248b4d51f16412ed9ec>;<RMD_ADDTIME=130548272320000000>;<RMD_CHANGETIME=130812956960000000>;<RMD_FLAGS=1>;<RMD_INVOCID=e85471bb5ef02842a8f49fa380702a12>;<RMD_LOCAL_USN=4831>;<RMD_ORIGINATING_USN=4831>;<RMD_VERSION=1>;<SID=010500000000000515000000ba8d78dd5e73d766f6c1097581040000>;CN=YYY,CN=Users,DC=example,DC=com
unable to find object for DN CN=YYY,CN=Users,DC=example,DC=com - (No such Base DN: CN=YYY,CN=Users,DC=example,DC=com)
Not removing dangling forward link
ERROR: incorrect GUID component for member in object CN=SuporteN3,CN=Groups,DC=example,DC=com - <GUID=7f5a28ee742e2e48979113459862a552>;<RMD_ADDTIME=130548272320000000>;<RMD_CHANGETIME=130812956960000000>;<RMD_FLAGS=1>;<RMD_INVOCID=e85471bb5ef02842a8f49fa380702a12>;<RMD_LOCAL_USN=4831>;<RMD_ORIGINATING_USN=4831>;<RMD_VERSION=1>;<SID=010500000000000515000000ba8d78dd5e73d766f6c1097580040000>;CN=ZZZ,CN=Users,DC=example,DC=com
unable to find object for DN CN=ZZZ,CN=Users,DC=example,DC=com - (No such Base DN: CN=ZZZ,CN=Users,DC=example,DC=com)
Not removing dangling forward link
Checked 565 objects (3 errors)
Comment 6 Andrew Bartlett 2016-10-18 19:11:42 UTC
Created attachment 12590 [details]
Proposed WIP patch for master

This patch (really, this belongs on the referenced bug) might help.

I'm not entirely sure why it is needed, but knowing if it helps will help.

Please test.

Thanks,
Comment 7 Alisson 2016-10-19 15:33:38 UTC
This patch is about samba (DC) or samba-tool? Is need reinstall samba (make install)?
Comment 8 Andrew Bartlett 2016-10-20 09:08:43 UTC
(In reply to Alisson from comment #7)
This patch is to code used by both, but the test I was after just needs you to build and run 'bin/samba-tool domain tombstones expunge' from an in-tree build of master, after applying this.

No install will be required for this step.
Comment 9 Alisson 2016-10-21 11:10:39 UTC
(In reply to Andrew Bartlett from comment #8)

[root@dc01 samba-dev]# bin/samba-tool domain tombstones expunge
Removed 0 objects and 0 links successfully


But same errors.
Comment 10 Alisson 2016-10-21 11:37:59 UTC
(In reply to Andrew Bartlett from comment #8)

After patch in https://bugzilla.samba.org/show_bug.cgi?id=12385 applied work it.
Comment 11 Andrew Bartlett 2016-10-21 18:51:05 UTC
Comment on attachment 12590 [details]
Proposed WIP patch for master

Correct, this patch does nothing.  Please see the correct patch on bug 12385 and report back there.
Comment 12 Stefan Metzmacher 2019-07-31 07:52:41 UTC
(In reply to Andrew Bartlett from comment #11)

But 12385 got fixed in 4.6.0