Univention Bugzilla – Bug 33616
Tool for list and remove conflicted and deleted objects
Last modified: 2018-01-31 10:13:05 CET
A Samba tool would be helpful to list and delete all deleted and conflicted objects (*\0CNF:* and *\0DEL:*). With this tool it should be possible to run an interactive or non-interactive mode. All objects selected for deletion should be written to /var/univention-backup/samba4.
Would be VERY helpful at support work, at least.
Conflicts:
----------
(97_bug33616-samba-tool-drs-new-subcommand-conflicts.patch)

Added "samba-tool drs conflicts" to list and delete "\0ACNF" objects.

  --verbose          print ldif of conflict objects
  --delete           delete all conflict objects
  --dn=DN            delete only given dn/conflict (if found)
  --non-interactive  do not ask for deletion

-> samba-tool drs conflicts
Conflict: CN=test2\0ACNF:745998bf-3d6d-43a6-addf-984552e51f1b,DC=perf,DC=test

-> samba-tool drs conflicts --delete
Conflict: CN=test2\0ACNF:745998bf-3d6d-43a6-addf-984552e51f1b,DC=perf,DC=test
Delete object with dn CN=test2\0ACNF:745998bf-3d6d-43a6-addf-984552e51f1b,DC=perf,DC=test? [y/N/all/none]

Object without objectclass:
---------------------------
(97_bug33616-samba-tool-dbcheck-handle-missing-objectclass.patch)

We don't want to delete \0DEL objects (they may be needed for drs replication). But it turned out that all those objects that caused an error were indeed deleted objects, but without an objectclass. So I added a test for objects without objectclass in samba-tool dbcheck.

-> samba-tool dbcheck
Checking 1378 objects
ERROR: missing objectclass in object cn=pbackup\0ADEL:9929fb9c-556f-45f5-bc20-51583589b51a,CN=Deleted Objects,DC=perf,DC=test
Not deleting object with missing objectclass 'cn=pbackup\0ADEL:9929fb9c-556f-45f5-bc20-51583589b51a,CN=Deleted Objects,DC=perf,DC=test'
ERROR: missing objectclass in object CN=test8,DC=perf,DC=test
Not deleting object with missing objectclass 'CN=test8,DC=perf,DC=test'

Links to removed objects:
-------------------------
See http://sdb.univention.de/content/6/242/en/samba-4-_-deleted-objects.html
This is already repaired by dbcheck.

-> ldbsearch -H /var/lib/samba/private/sam.ldb objectclass=domain masteredBy
# record 1
dn: DC=perf,DC=test
masteredBy: CN=NTDS Settings,CN=PMASTER,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=perf,DC=test
masteredBy: cn=pbackup\0ADEL:9929fb9c-556f-45f5-bc20-51583589b51a,CN=Deleted O
 bjects,DC=perf,DC=test

-> samba-tool dbcheck --fix
Checking 1377 objects
ERROR: target DN is deleted for masteredBy in object DC=perf,DC=test - <GUID=9929fb9c-556f-45f5-bc20-51583589b51a>;cn=pbackup\0ADEL:9929fb9c-556f-45f5-bc20-51583589b51a,CN=Deleted Objects,DC=perf,DC=test
Target GUID points at deleted DN cn=pbackup\0ADEL:9929fb9c-556f-45f5-bc20-51583589b51a,CN=Deleted Objects,DC=perf,DC=test
Remove DN link? [y/N/all/none] y
Removed deleted DN on attribute masteredBy

ldbsearch --cross-ncs --show-deleted -H /var/lib/samba/private/sam.ldb | grep "\0ADEL"
masteredBy: CN=NTDS Settings\0ADEL:269337d0-8610-4613-a2a4-ecf1bd4ea78e,CN=BAC
 KUP\0ADEL:785f0de4-88b1-47bd-b4cd-69ab02e73f6c,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=domain,DC=test

-> ldbsearch -H /var/lib/samba/private/sam.ldb objectclass=domain masteredBy
# record 1
dn: DC=perf,DC=test
masteredBy: CN=NTDS Settings,CN=PMASTER,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=perf,DC=test

YAML: 2014-01-08-samba.yaml
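An added example, not part of the bug report or of Samba's code: a read-only Python sketch that unfolds ldbsearch LDIF output and reports every DN or DN-valued attribute carrying a \0ACNF: or \0ADEL: marker, including markers that an LDIF line fold has split. The sample input is constructed from the values shown in the comment above, and the function names are hypothetical.

```python
import re

# Mangled RDN marker: \0ACNF:<GUID> (name conflict) or \0ADEL:<GUID> (deleted
# object). "\0A" is the DN-string escape for the newline byte before CNF/DEL.
MARKER = re.compile(
    r"\\0A(CNF|DEL):([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})")

# Constructed sample modelled on the ldbsearch output in this report. The fold
# in record 2 is placed inside the GUID on purpose: a line-based grep for the
# full marker would miss it.
SAMPLE = r"""# record 1
dn: DC=perf,DC=test
masteredBy: CN=NTDS Settings,CN=PMASTER,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=perf,DC=test
masteredBy: cn=pbackup\0ADEL:9929fb9c-556f-45f5-bc20-51583589b51a,CN=Deleted O
 bjects,DC=perf,DC=test

# record 2
dn: CN=test2\0ACNF:745998bf-3d6d-43a6-addf-9845
 52e51f1b,DC=perf,DC=test
"""

def unfold(ldif_text):
    """Join LDIF continuation lines (one leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def find_mangled(ldif_text):
    """Return (record_dn, attribute, kind, guid, value) for each marker found."""
    hits, record_dn = [], None
    for line in unfold(ldif_text):
        if not line:                      # blank line ends the current record
            record_dn = None
            continue
        attr, sep, value = line.partition(": ")
        if line.startswith("#") or not sep:
            continue
        if attr.lower() == "dn":
            record_dn = value
        for kind, guid in MARKER.findall(value):
            hits.append((record_dn, attr, kind, guid, value))
    return hits

if __name__ == "__main__":
    for record_dn, attr, kind, guid, _ in find_mangled(SAMPLE):
        print(f"{kind} {guid} in {attr} of {record_dn}")
```
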
A) missing objectclass: I now have a script to somehow trigger samba DRS replication to create an object with missing objectclass. After doing this, the samba-tool dbcheck now reports about the broken object. If I choose to delete it, samba-tool dbcheck --fix turns the object into an \0ADEL: object below "CN=Deleted Objects", which might not be exactly what I want, since we still have an object with missing objectclass. If I run the --fix again, I can finally remove the \0ADEL: object as well. So, maybe we should purge this object out of existence directly?

B) conflicting objects: OK, "samba-tool drs conflicts" and --delete work. The --delete turns the object into an \0ADEL: object below "CN=Deleted Objects". I think this is ok in this case?
A) This is the upstream patch and should be enough for now.

B) Handling of name conflict objects has moved to "samba-tool dbcheck --check-for-conflicts".
Ok, both features work.
http://errata.univention.de/ucs/3.2/81.html