Univention Bugzilla – Bug 35443
AD Takeover vs. AD Recycle bin Feature
Last modified: 2014-10-22 16:07:31 CEST
The samba join to the AD domain fails if the Recycle bin Feature is activated in AD, at least if there is one "recycled" object:

2014-06-12 18:22:09,103 Failed to apply linked attribute change 'attribute 'isRecycled': invalid modify flags on 'CN=NTDS Settings\0ADEL:f9d73a10-4f32-4e97-9cfb-9190638ed948,CN=MASTER\0ADEL:8e34bb58-eac1-44cd-b681-e0bcd043 ed82,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=w2k12,DC=test': 0x0'
2014-06-12 18:22:09,103 dn: <GUID=f9d73a10-4f32-4e97-9cfb-9190638ed948>;CN=NTDS Settings\0ADEL:f9d73a10-4f32-4e97-9cfb-9190638ed948,CN=MASTER\0ADEL:8e34bb58-eac1-44cd-b681-e0bcd043 ed82,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=w2k12,DC=test

I found no way to delete this object in AD, but there is a script in the samba source tree, source4/scripting/bin/enablerecyclebin, to activate Recycle bin in Samba; maybe we have to run this during the takeover.

To activate this Feature in AD, see http://technet.microsoft.com/de-de/library/dd379481%28v=ws.10%29.aspx

Discussion about a similar problem: https://groups.google.com/forum/#!topic/linux.samba/8lipvkVhJxE
We need to test if this also happens with Windows 2008 (R2). If not, then this would be a duplicate of Bug 28913.
Ticket#2014061621000457

> For the recycle bin feature we found some information to delete/clean this:
> http://blogs.technet.com/b/ad/archive/2009/03/24/taking-out-the-trash.aspx
> [...]
> Performing the actions in the article (changing the tombstone lifetime
> to 3 days and forcing a garbage collection run) does indeed help to
> perform the AD takeover process.
>
> The only problem is that when the ad-takeover fails, for whatever
> reason, a new item is added into the AD recycle bin (being the
> Univention DC server), so you can only try again after 3 days (minimal
> tombstone value).
Created attachment 6054 [details] Fix for error in handling deleted entries in repl_meta_data LDB module
LS, I found (and fixed) the problem with performing an AD-takeover with items in the AD recyclebin. There was an error in creating an array with search parameters, which caused the Deleted items to not be detected. The included patch fixes the problems I had in my test-environment. After applying the patch, the ad-takeover was completed successfully.
Ok, the proposed patch will be in UCS 4.0-0 as it has been committed upstream: https://git.samba.org/?p=autobuild.flakey/.git;a=commitdiff;h=5b22222421c77c8c379c828c5da7e6c8c38cfb88 (discussed here https://bugzilla.samba.org/show_bug.cgi?id=10294). We still need to QA if the takeover succeeds.
Retagged for errata3.2-3
Samba has been rebuilt with the upstream 98_fix_join_with_recycle_bin.patch. Advisory:
OK - 3.2-3
OK - YAML
http://errata.univention.de/ucs/3.2/205.html
http://errata.univention.de/ucs/3.2/224.html