samba 4.7.0 replication errors


Samba - General mailing list
Hello,
we have 5 ADDCs. All of them were running sernet-samba 4.6.7.
I updated 4 of them to sernet-samba 4.7.0, one after the other, checked replication, everything seemed to be ok.
One day later a colleague wanted to delete a lot of users with a PowerShell script, and since then
replication doesn't work anymore. (I'm sure the script is not the problem, but it seems like it triggered something.)

All Samba servers with version 4.7.0 report errors with at least one other ADDC, like

DC=domain,DC=de
 Default-First-Site-Name\ISAMBA4-2 via RPC
   DSA object GUID: 5dc32731-e914-486d-96f1-ce065ff956bf
   Last attempt @ Fri Sep 29 10:37:24 2017 CEST failed, result 58 (WERR_BAD_NET_RESP)
   358 consecutive failure(s).
   Last success @ Thu Sep 28 10:18:16 2017 CEST


The command "samba-tool dbcheck --cross-ncs --fix --yes" reports hundreds of errors like

   ERROR: orphaned backlink attribute 'memberOf' ...

The dbcheck command says it fixed the problems, but when I run it again, a lot of the same errors come up again (I cannot say whether the same entries are affected).

The log.samba has a lot of entries like
   [2017/09/29 10:26:15.502219,  0] ../source4/dsdb/repl/drepl_out_helpers.c:959(dreplsrv_op_pull_source_apply_changes_trigger)
       Failed to commit objects: WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE


If I run the dbcheck on the last server with version 4.6.7, these errors don't appear.

How do I get the replication to work again?

Is the error "orphaned backlink attribute" the reason why replication doesn't work anymore?
And if so, do I have to fix all groups manually, as described for a similar problem in the post "Samba 4.7.0 replication issue: failed get spanning tree edges"?
(https://lists.samba.org/archive/samba/2017-September/211225.html)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: samba 4.7.0 replication errors

Samba - General mailing list
You can try the --fix option for the DB check, but it didn't work for
me.  If not and you have a lot of groups then you probably need to
improve my script to deal with the create, rename and delete group
operations.

Thanks,
Arthur

This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the Mediture Privacy Officer at [hidden email].



Re: samba 4.7.0 replication errors

Samba - General mailing list
Can you provide a bit more logs? At first glance, it doesn't seem quite
related to group memberships.


Cheers,

Garming


Re: samba 4.7.0 replication errors

Samba - General mailing list
On Mon, 2 Oct 2017 09:59:47 +1300
Garming Sam via samba <[hidden email]> wrote:

> Can you provide a bit more logs? At first glance, it doesn't seem
> quite related to group memberships.
>
>
> Cheers,
>
> Garming
>

Aren’t the orphaned backlinks an artefact of a previous fix ? I seem to
remember they have always been there, but the 'fix' just exposed them.

It might help if we could see the powershell script, just how were the
users deleted, the other question is: why was a powershell script used,
when it would have been easier to write a bash script around
'samba-tool user delete'

Rowland



Re: samba 4.7.0 replication errors

Samba - General mailing list
On Sun, 2017-10-01 at 22:27 +0100, Rowland Penny via samba wrote:

> On Mon, 2 Oct 2017 09:59:47 +1300
> Garming Sam via samba <[hidden email]> wrote:
>
> > Can you provide a bit more logs? At first glance, it doesn't seem
> > quite related to group memberships.
> >
> >
> > Cheers,
> >
> > Garming
> >
>
> Aren’t the orphaned backlinks an artefact of a previous fix ? I seem to
> remember they have always been there, but the 'fix' just exposed them.

Yes, dbcheck now sees these, since 4.5 I think.

> It might help if we could see the powershell script, just how were the
> users deleted, the other question is: why was a powershell script used,
> when it would have been easier to write a bash script around
> 'samba-tool user delete'

Both are likely to be getting to the same operation under the hood.  

In any case, the logs Garming requested are the key to making progress here.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: samba 4.7.0 replication errors

Samba - General mailing list
On Mon, 2017-10-02 at 09:59 +1300, Garming Sam via samba wrote:
> Can you provide a bit more logs? At first glance, it doesn't seem quite
> related to group memberships.
>

I agree, we need more logs here.  Turn up the log level and see what
the error causing that final error is.  

However, take care not to publish confidential details like staff names
and sensitive attributes like unicodePwd or supplementalCredentials to
a public mailing list.

Running 'samba-tool drs clone-dc-database' against one of the DCs would
be very instructive.  This does the same thing as a fresh join, but
without adding any DC objects.

The dbcheck errors you mention are interesting.  Backlinks are only
implicitly transferred over DRS replication, but if they are very wrong
perhaps the update of them failed.  What did the powershell script do?
Did it just delete users, or did it try to remove them from the group
first?

If replication broke only after user/group modification, then this may
be due to a latent DB issue, not detected after the initial upgrade
because nothing read or modified those DB entries.  Once they were
touched the issue became 'live'.

In particular, Samba 4.7.0 includes code to sort links like member
within an attribute.  The process to modify the group list after the
upgrade to sorted links might fail if the DB wasn't clean.

A downgrade to Samba 4.6 should be safe in the meantime, we haven't
changed the DB format and it is much less strict in this area (the
change was made to improve performance), however we would really like
to understand the issue more.

Thanks!

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
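
The caution above about posting staff names and attributes such as unicodePwd can be applied mechanically before ldbsearch output leaves the site. The following is an added example, not code from this thread or from Samba; the attribute sets beyond the two named in the message, the kept container names, and all sample values are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import re

# unicodePwd and supplementalCredentials are named in the thread; the other
# entries are further AD password attributes added for this example.
SECRET_ATTRS = {"unicodepwd", "supplementalcredentials", "ntpwdhistory",
                "lmpwdhistory", "dbcspwd"}
NAME_ATTRS = {"cn", "name", "samaccountname", "displayname", "givenname",
              "sn", "userprincipalname", "mail"}
KEEP_CN = {"deleted objects", "users", "computers", "builtin"}
ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")
# A CN value ends at a comma, the end of text, or a tombstone "DEL:" suffix.
CN_RE = re.compile(r"CN=((?:\\.|[^,\\\n])+?)(?=\\0ADEL:|\nDEL:|,|$)", re.I)

def pseudonym(name, key):
    """Keyed alias: the same name and key always give the same token."""
    mac = hmac.new(key, name.strip().lower().encode(), hashlib.sha256)
    return "id-" + mac.hexdigest()[:10]

def scrub_dns(text, key):
    """Alias CN values inside DNs; well-known containers stay readable."""
    def swap(m):
        name = m.group(1)
        return m.group(0) if name.lower() in KEEP_CN else "CN=" + pseudonym(name, key)
    return CN_RE.sub(swap, text)

def unfold(ldif):
    """Join LDIF continuation lines (one leading space) to their parent."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def redact_ldif(ldif, key):
    """Drop secret attributes and alias names in ldbsearch-style LDIF."""
    out = []
    for line in unfold(ldif):
        m = ATTR_RE.match(line)
        if not m:
            out.append(scrub_dns(line, key))
            continue
        attr, sep, value = m.groups()
        if attr.lower() in SECRET_ATTRS:
            out.append(f"{attr}: [REDACTED]")
            continue
        if sep == "::":  # base64, e.g. a tombstone DN with an embedded newline
            try:
                value = base64.b64decode(value, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                out.append(f"{attr}: [BINARY OMITTED]")
                continue
        if attr.lower() in NAME_ATTRS:
            value = pseudonym(value, key)
        else:
            value = scrub_dns(value, key)
        if "\n" in value or not value.isascii():
            value = base64.b64encode(value.encode()).decode()
            out.append(f"{attr}:: {value}")
        else:
            out.append(f"{attr}: {value}")
    return "\n".join(out)

# Constructed sample: a deleted user the way LDIF encodes its DN.
DEL_DN = ("CN=Jane Doe\nDEL:11111111-2222-3333-4444-555555555555,"
          "CN=Deleted Objects,DC=example,DC=com")
SAMPLE = "\n".join([
    "dn:: " + base64.b64encode(DEL_DN.encode()).decode(),
    "sAMAccountName: jdoe",
    "unicodePwd:: " + base64.b64encode(b"\x01\x02secret").decode(),
    "memberOf: CN=Staff,OU=Groups,", " DC=example,DC=com"])

if __name__ == "__main__":
    print(redact_ldif(SAMPLE, b"constructed-demo-key"))
```

Use a random key and keep it private so that aliases cannot be reversed by guessing names. Free-text attributes such as description are only DN-scrubbed, so read the output before posting it.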



Re: samba 4.7.0 replication errors

Samba - General mailing list
Hello list,

Maybe I saw the same error with backlinks. I am trying to use Samba 4.7.0 as an RODC and perform the join with the "domain-critical-only" option. The smb.conf is generated by Samba. After starting the joined Samba I got an error like this:

Failed to apply records: ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4218: Failed to remove backlink of memberOf when deleting CN=USER\0ADEL:a1f2a2cc-1179-4734-b753-c121ed02a34c,CN=Deleted Objects,DC=DOMAIN,DC=intern: dsdb_module_search_dn: did not find base dn CN=USERSGROUP\0ADEL:030d0be1-3ada-4b93-8371-927f20923116,CN=Deleted Objects,DC=DOMAIN,DC=intern (0 results): Operations error
Failed to commit objects: WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE

USER is a member of USERSGROUP. If I run ldbsearch and try to find USERGROUP, it is displayed. Replicating the single object with full-sync did not solve this issue. Only removing the USERGROUP object with ldbdel and rerunning replication with --local --full-sync --single-object solved this.

If I run samba-tool drs replication --local ... I load about 40000 objects (~50% of AD), but only 15000 are in the ldb (DC=DOMAIN,DC=intern). Then I see the error above and replication starts again, so I run into an endless replication loop.

Some other notes:

If I run dbcheck with --cross-ncs and --fix I get some other errors like this:

ERROR: missing backlink attribute 'memberOf' in CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern for link member in CN=PROJ,OU=otherou,DC=GROUPS,DC=DOMAIN,DC=intern
Fix missing backlink memberOf [YES]
Failed to fix missing backlink memberOf : (20, "attribute 'memberOf': value #17 on 'CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern' already exists")

I didn’t see it for the USER object, but for a lot of other objects.



Andrej
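
The "orphaned backlink" and "missing backlink" messages quoted in this thread refer to the pairing between a group's member values and the memberOf values on its members. The following is an added illustration of that pairing, not Samba's dbcheck code and not from any poster; it is a simplified model that keys objects by DN string, and every name in the sample directory is constructed.

```python
def norm(dn):
    """Compare DNs case-insensitively (a simplification: AD links use GUIDs)."""
    return dn.strip().lower()


def check_links(objects, forward="member", back="memberOf"):
    """Return sorted (kind, holder_dn, attribute, other_dn) findings."""
    db = {norm(dn): {attr: {norm(v) for v in vals} for attr, vals in attrs.items()}
          for dn, attrs in objects.items()}
    findings = []
    for dn, attrs in db.items():
        for target in attrs.get(forward, ()):
            if target not in db:
                # The link points at an object that is not in the database.
                findings.append(("dangling forward link", dn, forward, target))
            elif dn not in db[target].get(back, ()):
                # The group lists the member, but the member has no memberOf.
                findings.append(("missing backlink", target, back, dn))
        for source in attrs.get(back, ()):
            if source not in db or dn not in db[source].get(forward, ()):
                # memberOf names a group that does not list this object.
                findings.append(("orphaned backlink", dn, back, source))
    return sorted(findings)


# Constructed directory (hypothetical names) with one defect of each kind.
BASE = "DC=example,DC=com"
GROUP, OLD = f"CN=Proj,OU=Groups,{BASE}", f"CN=Old,OU=Groups,{BASE}"
ALICE, BOB, CAROL = (f"CN={n},CN=Users,{BASE}" for n in ("alice", "bob", "carol"))
SAMPLE = {
    GROUP: {"member": [ALICE, BOB]},
    OLD: {"member": [f"CN=dave,CN=Users,{BASE}"]},  # dave is not in the database
    ALICE: {"memberOf": [GROUP]},                   # consistent pair
    BOB: {},                                        # backlink missing
    CAROL: {"memberOf": [GROUP]},                   # group does not list carol
}

if __name__ == "__main__":
    for kind, holder, attr, other in check_links(SAMPLE):
        print(f"{kind}: '{attr}' on {holder} <-> {other}")
```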


Re: samba 4.7.0 replication errors

Samba - General mailing list
On Mon, 2017-10-16 at 13:07 +0000, Andrej Gessel via samba wrote:
> Hello list,
>
> Maybe I saw the same error with backlinks. I am trying to use Samba 4.7.0 as an RODC and perform the join with the "domain-critical-only" option. The smb.conf is generated by Samba. After starting the joined Samba I got an error like this:

Does it change if you don't use that option?

> Failed to apply records: ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4218: Failed to remove backlink of memberOf when deleting CN=USER\0ADEL:a1f2a2cc-1179-4734-b753-c121ed02a34c,CN=Deleted Objects,DC=DOMAIN,DC=intern: dsdb_module_search_dn: did not find base dn CN=USERSGROUP\0ADEL:030d0be1-3ada-4b93-8371-927f20923116,CN=Deleted Objects,DC=DOMAIN,DC=intern (0 results): Operations error
> Failed to commit objects: WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
>
> USER is a member of USERSGROUP. If I run ldbsearch and try to find USERGROUP, it is displayed. Replicating the single object with full-sync did not solve this issue. Only removing the USERGROUP object with ldbdel and rerunning replication with --local --full-sync --single-object solved this.
>
> If I run samba-tool drs replication --local ... I load about 40000 objects (~50% of AD), but only 15000 are in the ldb (DC=DOMAIN,DC=intern). Then I see the error above and replication starts again, so I run into an endless replication loop.
>
> Some other notes:
>
> If I run dbcheck with --cross-ncs and --fix I get some other errors like this:
>
> ERROR: missing backlink attribute 'memberOf' in
> CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern for link member in
> CN=PROJ,OU=otherou,DC=GROUPS,DC=DOMAIN,DC=intern
> Fix missing backlink memberOf [YES]
> Failed to fix missing backlink memberOf : (20, "attribute 'memberOf': value #17 on 'CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern' already exists")

Can you show me the memberOf values on that user?

    ldbsearch -s base -b CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern --reveal --extended-dn

Thanks,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: samba 4.7.0 replication errors

Samba - General mailing list
Hello Andrew,

I cannot run a complete domain join without this option, because of my hardware limitations. The join ends with "Committing SAM database" and a Python exception, because no more memory is available.

If I run ldbsearch with --extended-dn I get this error message:

search failed - Unsupported critical extension 1.2.840.113556.1.4.529

If I run ldbsearch without this option, no memberOf attribute but 2 member attributes were found. And note that it is not a user, it is a group.


Andrej


Re: samba 4.7.0 replication errors

Samba - General mailing list
I wasn't using the domain-critical-only setting when I had the backlink
issues.

Thanks,
Arthur
