Samba 4.7.0 replication issue: failed get spanning tree edges

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Samba 4.7.0 replication issue: failed get spanning tree edges

Samba - General mailing list
[2017/09/28 03:46:51.256663,  1] ../source4/dsdb/kcc/kcc_topology.c:2730(kcctpl_get_spanning_tree_edges)
   ../source4/dsdb/kcc/kcc_topology.c:2730: failed to run Kruskal's algorithm: NT_STATUS_INVALID_PARAMETER
[2017/09/28 03:46:51.256953,  1] ../source4/dsdb/kcc/kcc_topology.c:3283(kcctpl_create_connections)
   ../source4/dsdb/kcc/kcc_topology.c:3283: failed get spanning tree edges: NT_STATUS_INVALID_PARAMETER

I also have objects out of sync that were in sync prior to updating.  
All DCs are running 4.7.0.  There are duplicate members in some groups
too.  When I try to remove all members from one of these affected groups
I get "The following Active Directory Domain Services error occurred:
The environment is incorrect."

Thanks,
Arthur

This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the Mediture Privacy Officer at [hidden email].


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Samba 4.7.0 replication issue: failed get spanning tree edges

Samba - General mailing list
I fixed this with the following process.

 1. Identify affected groups with "samba-tool dbcheck --cross-ncs",
    which reports errors like "ERROR: orphaned backlink attribute
    'memberOf'".
 2. Create new group
 3. Execute "perl ad_clone_group.pl 'Foobar_Group' ''New_Group" to copy
    members from broken group to new group: https://pastebin.com/6L8NZPRC
 4. Delete bad group
 5. Rename new group to name of bad group
 6. Expunge tombstone with "samba-tool domain tombstones expunge
    --tombstone-lifetime=0"
 7. Check with "samba-tool dbcheck --cross-ncs --fix" again

Thanks,
Arthur



This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the Mediture Privacy Officer at [hidden email].
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Samba 4.7.0 replication issue: failed get spanning tree edges

Samba - General mailing list
Did you check that these groups were actually consistent before you
upgraded (have you got a backup to look at the old groups)? The
consistency checking definitely got stricter in 4.7, but there may still
be a bug here.


Cheers,

Garming


On 29/09/17 10:02, Arthur Ramsey via samba wrote:

> I fixed this with the following process.
>
> 1. Identify affected groups with "samba-tool dbcheck --cross-ncs",
>    which reports errors like "ERROR: orphaned backlink attribute
>    'memberOf'".
> 2. Create new group
> 3. Execute "perl ad_clone_group.pl 'Foobar_Group' ''New_Group" to copy
>    members from broken group to new group: https://pastebin.com/6L8NZPRC
> 4. Delete bad group
> 5. Rename new group to name of bad group
> 6. Expunge tombstone with "samba-tool domain tombstones expunge
>    --tombstone-lifetime=0"
> 7. Check with "samba-tool dbcheck --cross-ncs --fix" again
>
> Thanks,
> Arthur
>
>
>
> This e-mail and any attachments may contain CONFIDENTIAL information,
> including PROTECTED HEALTH INFORMATION. If you are not the intended
> recipient, any use or disclosure of this information is STRICTLY
> PROHIBITED; you are requested to delete this e-mail and any
> attachments, notify the sender immediately, and notify the Mediture
> Privacy Officer at [hidden email].


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Samba 4.7.0 replication issue: failed get spanning tree edges

Samba - General mailing list
I think there were some conflicts between the DCs that got resolved
badly after the upgrade.  There were no orphaned backlinks though. I
looked at a backup of the ldb files to confirm.

Thanks,
Arthur

On 09/28/2017 04:21 PM, Garming Sam wrote:
> Did you check that these groups were actually consistent before you
> upgraded (have you got a backup to look at the old groups)? The
> consistency checking definitely got stricter in 4.7, but there may
> still be a bug here.
>
>
> Cheers,
>
> Garming

This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the Mediture Privacy Officer at [hidden email].


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Samba 4.7.0 replication issue: failed get spanning tree edges

Samba - General mailing list
Make sure you have a back of your LDB files before you do my procedure
or a dump of your SID and GIDs.

ldbsearch -H *.ldb '(objectClass=group)' | egrep 'dn:|gidNumber:|objectSid:'

Thanks,
Arthur

This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the Mediture Privacy Officer at [hidden email].


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba