On Mon, 2013-08-05 at 16:03 +1200, Andrew Bartlett wrote:
> On Fri, 2013-08-02 at 13:58 +1000, Alex Ferrara wrote:
> > I am having some trouble joining a new samba4 server as a DC. I am pretty 
> > sure this stems from trying to use OpenChange and subsequently removing it. 
> > The new samba4 machine is running 4.0.7 and the existing is running 4.0.1. 
> > I am a little hesitant to do an in-place upgrade of the last working DC, so 
> > I wanted a replica to fall back on in case things go bad.
> 
> > On the existing DC logs
> > 
> > [2013/08/02 13:53:04,  0] 
> > ../source4/rpc_server/drsuapi/getncchanges.c:220(get_nc_changes_build_object)
> >   ../source4/rpc_server/drsuapi/getncchanges.c:220: Failed to find 
> > attribute in schema for attrid 2786216 mentioned in replPropertyMetaData of 
> > CN=Recipient Update Service 
> > (DOMAIN)\0ADEL:cbf078d9-a0ff-4609-a05b-743816af619d,CN=Deleted 
> > Objects,CN=Configuration,DC=domain,DC=local
> 
> This is really interesting.  We are fighting with this in our automated
> testing, but we assumed it was due to runtime schema changes.  Presuming
> you have restarted Samba since the last schema change, this points to a
> more sinister issue.  
> 
> Can you take a clone of this server, and on an isolated network upgrade
> this to git master, and try to join another git master server to it? 
> 
> If that fails in the same way, we may wish to get a dump of this object
> (and potentially the database via a secure route) so we can investigate
> further. 
Can you show me the output of 'dbcheck --cross-ncs' with this patch?  

Please do this on a backup of the domain.

Don't run dbcheck --fix, because I know the test and fix are at least
partially bogus; I'm just curious to see what this turns up. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz

>From 172888cf867739bd69f17789c49a2e1710ffe478 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abart...@samba.org>
Date: Mon, 5 Aug 2013 19:13:15 +1200
Subject: [PATCH] dbcheck: FIXME Try and find replication metadata that does
 not match the sent objects

The issue with the test is that if an attribute is deleted, then it needs to be in the metadata, but not have any
values.  The important test should actually be that we can at least translate each metadata entry.

Andrew Bartlett
---
 python/samba/dbchecker.py |   52 +++++++++++++++++++++++++++++++++++++++------
 1 file changed, 46 insertions(+), 6 deletions(-)

diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index 8b175c2..0317824 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -606,6 +606,19 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                           "Failed to fix metadata for attribute %s" % attr):
             self.report("Fixed metadata for attribute %s" % attr)
 
+    def fix_extra_metadata(self, dn, attr):
+        '''remove replPropertyMetaData elements for a single attribute for a
+        object. This is used to fix extra replPropertyMetaData elements'''
+        res = self.samdb.search(base = dn, scope=ldb.SCOPE_BASE, attrs = [attr],
+                                controls = ["search_options:1:2", "show_recycled:1"])
+        msg = res[0]
+        nmsg = ldb.Message()
+        nmsg.dn = dn
+        nmsg[attr] = ldb.MessageElement([], ldb.FLAG_MOD_REPLACE, attr)
+        if self.do_modify(nmsg, ["relax:0", "provision:0", "show_recycled:1"],
+                          "Failed to remove extra metadata for not-existing attribute %s" % attr):
+            self.report("Removed extra metadata for attribute %s" % attr)
+
     def ace_get_effective_inherited_type(self, ace):
         if ace.flags & security.SEC_ACE_FLAG_INHERIT_ONLY:
             return None
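Review bot: `fix_extra_metadata` sends an empty `FLAG_MOD_REPLACE` for `attr` itself, which as written clears that attribute rather than editing the object's replPropertyMetaData, so the visible code does not establish the docstring's claim that it removes metadata elements. The search result is also unused: `res` and `msg = res[0]` feed nothing into `nmsg`, and `res[0]` would raise if the search returned no entry. Either drop both lines or use the result to confirm the attribute is really absent before modifying. The modify is sent with the `relax:0` and `provision:0` controls, which presumably bypass normal checks, so a comment stating why they are needed here would help the next maintainer judge the risk.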
@@ -900,6 +913,12 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
             if attrname == 'dn':
                 continue
 
+            flag = self.samdb_schema.get_systemFlags_from_lDAPDisplayName(attrname)
+            if (not flag & dsdb.DS_FLAG_ATTR_NOT_REPLICATED
+                and not flag & dsdb.DS_FLAG_ATTR_IS_CONSTRUCTED
+                and not self.samdb_schema.get_linkId_from_lDAPDisplayName(attrname)):
+                list_attrs_seen.append(str(attrname).lower())
+
             if str(attrname).lower() == 'replpropertymetadata':
                 list_attrs_from_md = self.process_metadata(obj[attrname])
                 got_repl_property_meta_data = True
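Review bot: Moving the `get_systemFlags_from_lDAPDisplayName(attrname)` lookup to the top of the loop means it now runs before the checks that used to precede it, including the `error_count += 1` / `continue` path visible as context in the next hunk. If that path is the one that rejects attribute names the schema does not know (the intervening code is outside the hunk, so this is inferred), the lookup is now called for such names, and an exception from it would abort the run instead of being counted as an error. I would either keep the lookup after that check and collect the names in a separate pass, or guard it and add a comment such as `# must run before the early continues so every replicated attribute is recorded`. The enclosing method starts and ends outside the hunk.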
@@ -956,12 +975,6 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                 error_count += 1
                 continue
 
-            flag = self.samdb_schema.get_systemFlags_from_lDAPDisplayName(attrname)
-            if (not flag & dsdb.DS_FLAG_ATTR_NOT_REPLICATED
-                and not flag & dsdb.DS_FLAG_ATTR_IS_CONSTRUCTED
-                and not self.samdb_schema.get_linkId_from_lDAPDisplayName(attrname)):
-                list_attrs_seen.append(str(attrname).lower())
-
             if syntax_oid in [ dsdb.DSDB_SYNTAX_BINARY_DN, dsdb.DSDB_SYNTAX_OR_NAME,
                                dsdb.DSDB_SYNTAX_STRING_DN, ldb.SYNTAX_DN ]:
                 # it's some form of DN, do specialised checking on those
@@ -1011,6 +1024,33 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                         continue
                     self.fix_metadata(dn, att)
 
+            for att in list_attrs_from_md:
+                if (att in attrs or '*' in attrs) and not att in list_attrs_seen:
+
+                    # We need to double-check here so we do not remove passwords, which are hidden from a * search
+                    res = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE,
+                                            controls=["extended_dn:1:1",
+                                                      "show_recycled:1",
+                                                      "show_deleted:1",
+                                                      "sd_flags:1:%d" % sd_flags,
+                                                      ],
+                                            attrs=[att])
+                    try:
+                        res[0][att]
+                        continue
+                    except KeyError:
+                        pass
+
+                    if show_dn:
+                        self.report("On object %s" % dn)
+                        show_dn = False
+                    error_count += 1
+                    self.report("ERROR: Attribute %s present in replication metadata but not in entry" % att)
+                    if not self.confirm_all("Remove extra replPropertyMetaData element '%s'" % att, 'fix_extra_metadata'):
+                        self.report("Not removing extra replPropertyMetaData element '%s'" % att)
+                        continue
+                    self.fix_extra_metadata(dn, att)
+
         if self.is_fsmo_role(dn):
             if "fSMORoleOwner" not in obj:
                 self.err_no_fsmoRoleOwner(obj)
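Review bot: The `except KeyError: pass` branch treats "not returned by this search" as "not present on the object", and the loop then offers `self.fix_extra_metadata(dn, att)`, which writes an empty replace for that attribute. If dbcheck runs over a connection that never returns secret attributes (presumably true for a remote LDAP URL; confirm), password attributes would be reported as extra metadata and accepting the fix could clear them. The commit message also says a deleted attribute legitimately keeps a metadata entry with no values, so this check should stay report-only until it can tell those cases apart: keep the `self.report("ERROR: ...")` line and drop the `confirm_all(..., 'fix_extra_metadata')` / `fix_extra_metadata` calls. `res[0]` also assumes the search returned an entry, and `not att in list_attrs_seen` reads better as `att not in list_attrs_seen`. The enclosing method starts before the hunk.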
-- 
1.7.10.4
