Problem: Check local ad database for errors

Problem: Check local ad database for errors

If the fix button does not do the trick and you get a similar message like this, doing the fix on command line:

root@schul-repl2:~ # samba-tool dbcheck --cross-ncs --fix --yes
Checking 3881 objects
ERROR: incorrect DN SID component for member in object CN=Print Operators,CN=Builtin,DC=schein,DC=me - <GUID=46b5a4b9-55a2-4eb1-894d-5d3b1c6e37ab>;<RMD_ADDTIME=1336516656
10000000>;<RMD_CHANGETIME=133651665640000000>;<RMD_FLAGS=1>;<RMD_INVOCID=135de555-e3ca-4d52-a75a-c8a4dfb39b50>;<RMD_LOCAL_USN=4643>;<RMD_ORIGINATING_USN=4643>;<RMD_VERSIO
N=2>;<SID=S-1-5-21-2258795110-56359529-1961293181-1000>;CN=SCHUL-REPL2,OU=Domain Controllers,DC=schein,DC=me
Change DN to <GUID=46b5a4b9-55a2-4eb1-894d-5d3b1c6e37ab>;<SID=S-1-5-21-2258795110-56359529-1961293181-5018>;CN=SCHUL-REPL2,OU=Domain Controllers,DC=schein,DC=me? [YES]
Failed to fix incorrect DN SID on attribute member : (53, 'Attribute member already deleted for target GUID 46b5a4b9-55a2-4eb1-894d-5d3b1c6e37ab')
Checked 3881 objects (1 errors)

Solution

Be careful with this!

Step 1:

Create an ldif for the manual modification.
Take the member part from the error message, from samba-tool starting with the dn…member in object - <starting the member-part until the next line starts with "Change DN to>
You can do this like below with the cat command or vim /nano your favorite editor. Make sure you do not have a line break in the member string!
We delete the old member and add the right one doing the needed change manually. The change is shown in the samba-tool output. It is failing to the DN SID on this member atribute.
If we compare the SIDs from first member Part and the part after “Change DN to …” you see the missmatch in the RID, the last part of the SID, this has ti be changed and added. So take the same memberstring again and do the modification in the editor:

cat > changePrintOp.ldif
dn: CN=Print Operators,CN=Builtin,DC=schein,DC=me
changetype: modify   
delete: member
member: <GUID=46b5a4b9-55a2-4eb1-894d-5d3b1c6e37ab>;<RMD_ADDTIME=133651665610000000>;<RMD_CHANGETIME=133651665640000000>;<RMD_FLAGS=1>;<RMD_INVOCID=135de555-e3ca-4d52-a75a-c8a4dfb39b50>;<RMD_LOCAL_USN=4643>;<RMD_ORIGINATING_USN=4643>;<RMD_VERSION=2>;<SID=S-1-5-21-2258795110-56359529-1961293181-1000>;CN=SCHUL-REPL2,OU=Domain Controllers,DC=schein,DC=me
-
add: member
member: <GUID=46b5a4b9-55a2-4eb1-894d-5d3b1c6e37ab>;<RMD_ADDTIME=133651665610000000>;<RMD_CHANGETIME=133651665640000000>;<RMD_FLAGS=1>;<RMD_INVOCID=135de555-e3ca-4d52-a75a-c8a4dfb39b50>;<RMD_LOCAL_USN=4643>;<RMD_ORIGINATING_USN=4643>;<RMD_VERSION=2>;<SID=S-1-5-21-2258795110-56359529-1961293181-5018>;CN=SCHUL-REPL2,OU=Domain Controllers,DC=schein,DC=me
^C

The SID change ist <SID=S-1-5-21-2258795110-56359529-1961293181-1000> to <SID=S-1-5-21-2258795110-56359529-1961293181-5018>

Step 2:

Now we can try the modification on the “frontend” making sure, our ldif is correct. This will probably not work and you will get the Modify failed after processing 0 records message. This is why samba-tool cannot do it either. But for syntax check it is useful! Because if the syntax is okay, but it cannot be applied we need to go to the backend of samba.

root@schul-repl2:~ # ldbmodify -H /var/lib/samba/private/sam.ldb --extended-dn < changePrintOp.ldif
ERR: (Unwilling to perform) "Attribute member already deleted for target GUID 46b5a4b9-55a2-4eb1-894d-5d3b1c6e37ab" on DN CN=Print Operators,CN=Builtin,DC=schein,DC=me at block before line 7 
Modify failed after processing 0 records

Step 3:

Attention, now you are modifying the samba backend! No check or audit is done here. If you are not sure and do not have a backup, keep your fingers off!

Finally apply the modification after you checked and tested you ldif in Step 2!Step ¹

eval "$(ucr shell samba4/ldap/base)"
partition_backend="/var/lib/samba/private/sam.ldb.d/${samba4_ldap_base}.ldb"
ldbmodify -H "$partition_backend" < changePrintOp.ldif
1 Like
Mastodon