Bug 43126 - samba-tool dbcheck --fix fails: "Attribute member already deleted for target GUID" (4.2)
samba-tool dbcheck --fix fails: "Attribute member already deleted for target ...
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.2
Other Linux
: P5 normal (vote)
: ---
Assigned To: Samba maintainers
Depends on:
Blocks: 47618
  Show dependency treegraph
Reported: 2016-12-06 18:56 CET by Arvid Requate
Modified: 2020-07-03 20:52 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2016120521000588
Bug group (optional):
Max CVSS v3 score:

use-DSDB_CONTROL_REPLMD_VANISH_LINKS-control-in-dbchecker-err_incorrect_dn_GUID.diff (676 bytes, patch)
2016-12-06 20:39 CET, Arvid Requate
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2016-12-06 18:56:16 CET
In two customer environments (one UCS@school and one plain UCS) we found the following error, which samba-tool dbcheck (from samba 4.5.1) cannot fix:

ERROR: incorrect GUID component for member in object CN=DC Slave Hosts,CN=Groups,DC=domain,DC=local - <GUID=7f95b5151561c24eaf99d804b6a4671a>;<RMD_ADDTIME=130936344750000000>;<RMD_CHANGETIME=131057144670000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c867a5c459679b67bfe60f35e1914597>;<RMD_LOCAL_USN=53251>;<RMD_ORIGINATING_USN=53251>;<RMD_VERSION=1>;<SID=010500000000000515000000123456789abcdefabcedef0000>;CN=FOO,OU=Domain Controllers,DC=domain,DC=local
Change DN to <GUID=7fc4721a-17F2-18a4-8ca4-123456789abc>;<SID=S-1-5-21-1234567890-123456789-123456789-abcde>;CN=FOO,OU=Domain Controllers,DC=domain,DC=local? [YES]
ERROR: Failed to fix incorrect GUID on attribute member : (53, 'Attribute member already deleted for target GUID 15b5957f-6115-4ec2-af99-d804b6a4671a')

Intense research of one of both cases didn't reveal where samba-tool dbcheck finds this GUID "15b5957f-6115-4ec2-af99-d804b6a4671a" that the final error message refers to. I also search the output of tdbdump for the binary NDR encoded value.

root@slave:~# univention-s4search "CN=FOO" objectguid
# record 1
dn: CN=FOO,OU=Domain Controllers,DC=domain,DC=local
objectGUID: 7fc4721a-17F2-18a4-8ca4-123456789abc

root@slave:~# python
>>> from samba.dcerpc import misc
>>> from samba.ndr import ndr_pack, ndr_unpack
>>> ndr_pack(misc.GUID("15b5957f-6115-4ec2-af99-d804b6a4671a"))

Then I looked for \\F3S\\B3Z\\B5C in

tdbdump /var/lib/samba/private/sam.ldb.d/DC\=DOMAIN\,DC\=LOCAL.ldb | less

The recommendation from http://www.spinics.net/lists/samba/msg137293.html didn't help.

There doesn't seem to be any visible consequence for this error though. Samba finds the machine in the group:

root@slave:~# samba-tool group listmembers "DC Slave Hosts" | grep FOO

And group membership is also Ok in OpenLDAP (and thus in getent group).
Comment 1 Arvid Requate univentionstaff 2016-12-06 20:38:39 CET
Ok, I tracked down the object, but it seems to be present only as leftover data in unreferenced parts of the tdb:

CN=FOO\0ADEL:15b5957f-6115-4ec2-af99-d804b6a4671a,CN=Deleted Objects,DC=domain,DC=local

My impression is that there is something going wrong in the code of source4/dsdb/samdb/ldb_modules/repl_meta_data.c. That file is the origin of the message "already deleted for target GUID":

* Either replmd_modify_handle_linked_attribs obtains structurally inconsistent data from dsdb_module_search_dn for the "old" object as currently found in the LDB file.

* Or the replmd_modify_la_delete function triggers a bug, which finally results in iterating past the end of valid indices of the "dns" array. That code has been touched via upstream git commit 5ce969d0c70afc1f14a9b223edbaec7a847c64de, but I cannot see a corresponding error in that commit.

But there is something interesting about that commit which may help for a workaround in samba-tool dbcheck: That commit introduces a new DSDB control "DSDB_CONTROL_REPLMD_VANISH_LINKS" which, according to the code, should make replmd_modify_la_delete skip the validation of links before deleting them.

I'll attach an untested, experimental patch for dbchecker.py. We need to create a safe test environment to check if that fixes the issue.
Comment 2 Arvid Requate univentionstaff 2016-12-06 20:39:11 CET
Created attachment 8290 [details]
Comment 3 Arvid Requate univentionstaff 2016-12-06 20:41:06 CET
commit 5ce969d0c70afc1f14a9b223edbaec7a847c64de is in git branch v4-5-stable.
Comment 4 Arvid Requate univentionstaff 2016-12-07 13:26:12 CET
Hmm, interesting, running dbcheck with the new control results in an even weirder error message:

Change DN to <GUID=7fc4721a-17F2-18a4-8ca4-123456789abc>;<SID=S-1-5-21-1234567890-123456789-123456789-abcde>;CN=FOO,OU=Domain Controllers,DC=domain,DC=local? [YES]
Deleting deleted linked attribute member to 15b5957f-6115-4ec2-af99-d804b6a4671a, because vanish_links control is set
ERROR: Failed to fix incorrect GUID on attribute member : (68, 'Attribute member already exists for target GUID 7fc4721a-17F2-18a4-8ca4-123456789abc')
Comment 5 Ingo Steuwer univentionstaff 2020-07-03 20:52:38 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.