Delete Object from s4search

I renamed a computer on the domain, however it is not allowing me to login to the domain and saying the trust between the server and workstation cannot be established (something to that extent). After I disjoined/rejoined the computer (Win10 Pro), it says it was successful, but the error persists when trying to login. I disjoined again, deleted the object from ucs-ldap (UCS web browser console).

However, when I use univention-s4search cn=sav-961-editor the object remains with the legacy computer name in the sAMAccountName entry:

# record 1
dn: CN=SAV-961-EDITOR,OU=Sav-Comps,OU=Computers,OU=MyBusiness,DC=adventure,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: SAV-961-EDITOR
instanceType: 4
whenCreated: 20200205042217.0Z
whenChanged: 20200205042217.0Z
uSNCreated: 510035
uSNChanged: 510035
name: SAV-961-EDITOR
objectGUID: ca4a0bcf-c65c-41e8-af7f-007308ab0e82
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 515
objectSid: S-1-5-21-3027053013-3488521204-1596860519-3666
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: SAV-TIM-D001$
sAMAccountType: 805306369
operatingSystem: Windows 10 Pro
operatingSystemVersion: 10.0 (18362)
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=adventure,DC=local
isCriticalSystemObject: FALSE
distinguishedName: CN=SAV-961-EDITOR,OU=Sav-Comps,OU=Computers,OU=MyBusiness,D
 C=adventure,DC=local

# Referral
ref: ldap://adventure.local/CN=Configuration,DC=adventure,DC=local

# Referral
ref: ldap://adventure.local/DC=DomainDnsZones,DC=adventure,DC=local

# Referral
ref: ldap://adventure.local/DC=ForestDnsZones,DC=adventure,DC=local

# returned 4 records
# 1 entries
# 3 referrals

After some searching, I tried the univention-s4connector-list-rejected, which comes back clean. I’ve done univention-ldapsearch cn=sav-961-editor, which returns no results as expected. When the computer is joined to the domain, I get an entry for univention-ldapsearch and two entries for univention-s4search. One s4 result is correct, the other is the incorrect version posted.

My thought was to follow the process found here.

Solution

Remove the object directly from the Samba database with the ldbdel command:

root@dc-01:~# /etc/init.d/samba stop
root@dc-01:~# ldbdel -H /var/lib/samba/private/sam.ldb "cn=EU.MULTI.UCS,CN=Computers,dc=eu,dc=multi,dc=ucs"
root@dc-01:~# /etc/init.d/samba start

But I’m nervous about deleting objects from the samba database. How should I proceed in order to fix the issue of the computer being unable to login to the domain?

Deleting the computer account from both the OpenLDAP and the Samba LDAP (with ldbdel as shown above) and re-joining the computer afterwards is the process most likely to succeed quickly.
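Before running ldbdel, it is worth confirming that the object you are about to delete really is the stale one: in the univention-s4search output above, the tell-tale sign is a computer object whose sAMAccountName (old hostname, SAV-TIM-D001$) no longer matches its cn (new hostname). The script below is an added example, not code from the forum thread or from Univention: it reads univention-s4search LDIF from stdin, reports computer objects whose cn and sAMAccountName disagree, and prints the ldbdel command for each without executing it. The sam.ldb path is the one shown in the thread; the function names (find_stale_computers, ldbdel_command, stale_dns) and the embedded sample LDIF are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): spot stale computer objects in
# univention-s4search LDIF output and build the matching ldbdel command.
# Usage on a UCS DC:  univention-s4search cn=sav-961-editor | find_stale_computers
# The path below is the sam.ldb path quoted in the thread.
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"

# Read LDIF on stdin; print "dn|cn|sAMAccountName" for every objectClass
# computer record whose sAMAccountName (minus the trailing '$') differs
# from its cn, ignoring case. Folded LDIF lines (leading space) are
# re-joined; "::" base64 values are not decoded (none of the attributes
# we compare are base64-encoded in s4search output).
find_stale_computers() {
    awk '
        # Store the attribute just read (called once its folded lines are complete).
        function commit() {
            if (attr == "dn") dn = val
            else if (attr == "cn") cn = val
            else if (attr == "sAMAccountName") sam = val
            else if (attr == "objectClass" && val == "computer") comp = 1
            attr = ""; val = ""
        }
        # End of record: report it if it is a computer whose names disagree.
        function flush(    s) {
            commit()
            if (comp && dn != "" && sam != "") {
                s = sam; sub(/\$$/, "", s)
                if (toupper(s) != toupper(cn)) printf "%s|%s|%s\n", dn, cn, sam
            }
            dn = ""; cn = ""; sam = ""; comp = 0
        }
        /^ /  { val = val substr($0, 2); next }   # folded continuation line
        /^#/  { next }                            # "# record 1", "# Referral", ...
        /^$/  { flush(); next }                   # blank line separates records
        {
            commit()
            i = index($0, ":")
            attr = substr($0, 1, i - 1)
            val = substr($0, i + 1)
            sub(/^ +/, "", val)
        }
        END { flush() }
    '
}

# Print (do not run) the ldbdel invocation for one DN. Samba must be
# stopped while sam.ldb is modified directly, as the thread notes.
ldbdel_command() {
    printf 'ldbdel -H %s "%s"\n' "$SAM_LDB" "$1"
}

# Constructed sample modelled on the s4search output above: the freshly
# joined account, the stale one still carrying the old hostname, a user
# (ignored: not a computer), and a referral.
SAMPLE_LDIF='# record 1
dn: CN=SAV-961-EDITOR,CN=Computers,DC=adventure,DC=local
objectClass: top
objectClass: computer
cn: SAV-961-EDITOR
sAMAccountName: SAV-961-EDITOR$

# record 2
dn: CN=SAV-961-EDITOR,OU=Sav-Comps,OU=Computers,OU=MyBusiness,DC=adventure,DC=local
objectClass: top
objectClass: computer
cn: SAV-961-EDITOR
sAMAccountName: SAV-TIM-D001$
distinguishedName: CN=SAV-961-EDITOR,OU=Sav-Comps,OU=Computers,OU=MyBusiness,D
 C=adventure,DC=local

# record 3
dn: CN=Tim Example,CN=Users,DC=adventure,DC=local
objectClass: top
objectClass: user
cn: Tim Example
sAMAccountName: tim

# Referral
ref: ldap://adventure.local/CN=Configuration,DC=adventure,DC=local

# returned 4 records'

# DNs of stale computer objects in the sample, one per line.
stale_dns() {
    printf '%s\n' "$SAMPLE_LDIF" | find_stale_computers | cut -d'|' -f1
}

# Dry run: show the command(s) you would run with Samba stopped.
stale_dns | while IFS= read -r dn; do ldbdel_command "$dn"; done
```

On the real system, pipe univention-s4search output into find_stale_computers and check that exactly one DN comes back and that it is the OU/CN you expect before stopping Samba and running the printed ldbdel line; if the joined, correct account is listed as well, the problem is not a simple rename leftover and deleting is premature.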

So my suspicion was correct and I was on the right track. Thanks for the reply. I will try this later today.

Actually there’s a dedicated script for removing a computer object from the Samba LDAP: /usr/share/univention-samba4/scripts/purge_s4_computer.py

Give that one a try before reverting to ldbdel and use the latter only if the former fails to remove the object.

I saw that, but wasn't sure what its function was. I read some of the source code and googled around. Every use-case referred to removing DCs, so I wasn't sure if I should use it here.

Yeah, that’s its primary purpose (e.g. when removing a UCS DC Backup). For regular clients removing with ldbdel should suffice.
