Bug 9532 - Samba 4 join error to Windows 2003 Active Directory: duplicate entry
Summary: Samba 4 join error to Windows 2003 Active Directory: duplicate entry
Status: NEW
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.0 beta4
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2013-01-02 20:31 UTC by Todd
Modified: 2013-01-27 13:58 UTC
Description Todd 2013-01-02 20:31:34 UTC
On Wed, 2012-11-28 at 14:52 -0800, todd kman wrote:
> Hi all,
> I am just experimenting with Samba 4.
> I have an Ubuntu Server 12.04 with Samba 4 compiled successfully. I have webmin installed as well.
> I am trying to connect the Ubuntu/Samba server to a web domain called CODOMAIN.
> CODOMAIN is administered by gis-server-2, a Microsoft Windows Server 2003 R2, Standard x64 Edition, Version 5.2 (Build 3790: Service Pack 2) (x64).
> Gis-server-2 is an Active Directory server and Exchange server. (Exchange Server 2007 Microsoft Corporation Version: 08.01.0436.000)
> If I were to guess, it looks like the Exchange server component is causing some problem.

As I said on IRC (but following up here so others might understand the
situation better, and so we can loop back to you about fixing this up)

In short, your other DCs have sent you the same value twice in a
multi-valued attribute.  This isn't valid LDAP, and we are being
stricter than Microsoft is, or we consider two values to be equivalent
when Microsoft considers them distinct. The issue is that we haven't
tested much with importing exchange-enabled domains so we just haven't
seen this before, and so we need to work out how to handle this
particular 'violation'.

Mostly, we have found that AD doesn't re-check schema syntax during
replication, so if somehow a duplicate does get into the system, it will
not cause replication to fail.  We are stricter, mostly due to the
layering of our databases.  We may have to turn that off.

Running this:
ldbsearch -Uadministrator -H ldap://ms-dc -s base -b "CN=owa (Default
Web  Site),CN=HTTP,CN=Protocols,CN=GIS-SERVER-2,CN=Servers,CN=Exchange
Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First

should give us more clues here, and help us solve this for the long
term.  Please file a bug with this info in the meantime, so we can track


Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team          http://samba.org
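The duplicate-value situation Andrew describes can be checked offline against an LDIF export of the suspect object. The script below is an added example written for this page, not Samba's or the reporter's code: it parses LDIF (folded lines and base64 values included) and flags any multi-valued attribute that carries the same value more than once, under either an exact or a case-insensitive comparison, since which of the two applies depends on the attribute's syntax in the schema. The sample entry and the attribute name exampleMultiValued are constructed.

```python
import base64
from collections import defaultdict

# Constructed sample (not from the bug report; attribute name hypothetical): one value three times.
SAMPLE_LDIF = """\
dn: CN=owa (Default Web Site),CN=HTTP,CN=Protocols,CN=SERVER,DC=example,DC=local
exampleMultiValued: Value-One
exampleMultiValued: value-one
exampleMultiValued:: VmFsdWUtT25l
exampleMultiValued: Value-Two
"""

def _build_entry(lines):
    """Turn one entry's unfolded LDIF lines into (dn, {attr: [values]})."""
    dn, attrs = None, defaultdict(list)
    for line in lines:
        name, _, value = line.partition(":")
        # 'attr:: <base64>' carries an encoded value; 'attr: <value>' a plain one
        value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name].append(value)
    return dn, dict(attrs)

def parse_ldif(text):
    """Parse LDIF text into a list of entries, unfolding continuation lines."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:    # folded line continues the previous one
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
        elif lines:                          # blank line terminates an entry
            entries.append(_build_entry(lines))
            lines = []
    return entries

def find_duplicate_values(entries, case_sensitive):
    """Return {(dn, attr): [values seen more than once]} under the chosen comparison."""
    key = (lambda v: v) if case_sensitive else str.lower
    dupes = {}
    for dn, attrs in entries:
        for attr, values in attrs.items():
            seen, repeated = set(), set()
            for k in map(key, values):
                (repeated if k in seen else seen).add(k)
            if repeated:
                dupes[(dn, attr)] = sorted(repeated)
    return dupes
```

On the sample, the case-insensitive pass reports one repeated value while the exact pass also reports one, but a different pair of lines is responsible; running both against a real export shows which comparison the offending DC was using.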
Comment 1 Todd 2013-01-02 22:45:05 UTC
I am unable to get the suggested command to run.
ldbsearch -Uadministrator -H ldap://ms-dc -s base -b "CN=owa companywebsite.local
Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First

It comes up with the error 
"search failed - Can't contact LDAP server"

Is the command I entered in the correct format?
Comment 2 Andrew Bartlett 2013-01-02 22:47:48 UTC
Change 'ms-dc' to the name or IP of your Microsoft DC.
Comment 3 Todd 2013-01-03 20:05:55 UTC
OK, I modified 'ms-dc' to the Microsoft server and ran it.
Now I get the following error when I run this:

"search error - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece"

Is this a bit of the chicken and the egg? When I try the bind it gives me an error, but to get information to help resolve the bind error I need to do a bind.

I feel a bit like a blind man exploring an unknown environment and blundering around.

Any suggestions about how to move forward and solve this would be appreciated.