Bug 43126 - samba-tool dbcheck --fix fails: "Attribute member already deleted for target GUID" (4.2)
samba-tool dbcheck --fix fails: "Attribute member already deleted for target ...
Status: NEW
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.2
Other Linux
: P5 normal (vote)
: ---
Assigned To: Samba maintainers
Depends on:
Blocks: 47618
  Show dependency treegraph
Reported: 2016-12-06 18:56 CET by Arvid Requate
Modified: 2018-08-20 17:59 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number: 2016120521000588
Bug group (optional):
Max CVSS v3 score:

use-DSDB_CONTROL_REPLMD_VANISH_LINKS-control-in-dbchecker-err_incorrect_dn_GUID.diff (676 bytes, patch)
2016-12-06 20:39 CET, Arvid Requate
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2016-12-06 18:56:16 CET
In two customer environments (one UCS@school and one plain UCS) we found the following error, which samba-tool dbcheck (from samba 4.5.1) cannot fix:

ERROR: incorrect GUID component for member in object CN=DC Slave Hosts,CN=Groups,DC=domain,DC=local - <GUID=7f95b5151561c24eaf99d804b6a4671a>;<RMD_ADDTIME=130936344750000000>;<RMD_CHANGETIME=131057144670000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c867a5c459679b67bfe60f35e1914597>;<RMD_LOCAL_USN=53251>;<RMD_ORIGINATING_USN=53251>;<RMD_VERSION=1>;<SID=010500000000000515000000123456789abcdefabcedef0000>;CN=FOO,OU=Domain Controllers,DC=domain,DC=local
Change DN to <GUID=7fc4721a-17F2-18a4-8ca4-123456789abc>;<SID=S-1-5-21-1234567890-123456789-123456789-abcde>;CN=FOO,OU=Domain Controllers,DC=domain,DC=local? [YES]
ERROR: Failed to fix incorrect GUID on attribute member : (53, 'Attribute member already deleted for target GUID 15b5957f-6115-4ec2-af99-d804b6a4671a')

Intense research of one of both cases didn't reveal where samba-tool dbcheck finds this GUID "15b5957f-6115-4ec2-af99-d804b6a4671a" that the final error message refers to. I also search the output of tdbdump for the binary NDR encoded value.

root@slave:~# univention-s4search "CN=FOO" objectguid
# record 1
dn: CN=FOO,OU=Domain Controllers,DC=domain,DC=local
objectGUID: 7fc4721a-17F2-18a4-8ca4-123456789abc

root@slave:~# python
>>> from samba.dcerpc import misc
>>> from samba.ndr import ndr_pack, ndr_unpack
>>> ndr_pack(misc.GUID("15b5957f-6115-4ec2-af99-d804b6a4671a"))

Then I looked for \\F3S\\B3Z\\B5C in

tdbdump /var/lib/samba/private/sam.ldb.d/DC\=DOMAIN\,DC\=LOCAL.ldb | less

The recommendation from http://www.spinics.net/lists/samba/msg137293.html didn't help.

There doesn't seem to be any visible consequence for this error though. Samba finds the machine in the group:

root@slave:~# samba-tool group listmembers "DC Slave Hosts" | grep FOO

And group membership is also Ok in OpenLDAP (and thus in getent group).
Comment 1 Arvid Requate univentionstaff 2016-12-06 20:38:39 CET
Ok, I tracked down the object, but it seems to be present only as leftover data in unreferenced parts of the tdb:

CN=FOO\0ADEL:15b5957f-6115-4ec2-af99-d804b6a4671a,CN=Deleted Objects,DC=domain,DC=local

My impression is that there is something going wrong in the code of source4/dsdb/samdb/ldb_modules/repl_meta_data.c. That file is the origin of the message "already deleted for target GUID":

* Either replmd_modify_handle_linked_attribs obtains structurally inconsistent data from dsdb_module_search_dn for the "old" object as currently found in the LDB file.

* Or the replmd_modify_la_delete function triggers a bug, which finally results in iterating past the end of valid indices of the "dns" array. That code has been touched via upstream git commit 5ce969d0c70afc1f14a9b223edbaec7a847c64de, but I cannot see a corresponding error in that commit.

But there is something interesting about that commit which may help for a workaround in samba-tool dbcheck: That commit introduces a new DSDB control "DSDB_CONTROL_REPLMD_VANISH_LINKS" which, according to the code, should make replmd_modify_la_delete skip the validation of links before deleting them.

I'll attach an untested, experimental patch for dbchecker.py. We need to create a safe test environment to check if that fixes the issue.
Comment 2 Arvid Requate univentionstaff 2016-12-06 20:39:11 CET
Created attachment 8290 [details]
Comment 3 Arvid Requate univentionstaff 2016-12-06 20:41:06 CET
commit 5ce969d0c70afc1f14a9b223edbaec7a847c64de is in git branch v4-5-stable.
Comment 4 Arvid Requate univentionstaff 2016-12-07 13:26:12 CET
Hmm, interesting, running dbcheck with the new control results in an even weirder error message:

Change DN to <GUID=7fc4721a-17F2-18a4-8ca4-123456789abc>;<SID=S-1-5-21-1234567890-123456789-123456789-abcde>;CN=FOO,OU=Domain Controllers,DC=domain,DC=local? [YES]
Deleting deleted linked attribute member to 15b5957f-6115-4ec2-af99-d804b6a4671a, because vanish_links control is set
ERROR: Failed to fix incorrect GUID on attribute member : (68, 'Attribute member already exists for target GUID 7fc4721a-17F2-18a4-8ca4-123456789abc')