Topic: Corrupt db?

einarha
Corrupt db?
« on: November 21, 2019, 11:37:40 pm »
I inherited two Zentyal servers, one PDC and one BDC. They started life as somewhere around Zentyal 4, but through a rough life of upgrades and clean installs have ended up as the PDC running 5.1 and the BDC running 6.1. The problem is that only a few of the users in the domain are being replicated to the BDC. We have around 50 users in the domain but only about 15 are replicated, and it's all users created in the last year or so. Another thing I've noticed is that if I add a user to a group on the PDC, in the textbox for the user to add, the interface shows me a list of users which matches the users that are actually replicated to the BDC.

So it seems to me that users that were created before some change have been corrupted in some way. They can be used to authenticate, but they aren't replicated to the BDC and Zentyal won't show them when offering a list of users to add to a group.

I also see a lot of

Discarding older DRS linked attribute update to member

in the logs.

I ran
# samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix --yes
which found and fixed a lot of errors, but the symptoms still remain. I tried restarting
samba-ad-dc.service but nothing. I haven't tried restarting zs out of fear of what might
happen since I only have one working DC now. Anyone with a possible cause and/or solution
other than spinning up two new servers and starting over?

doncamilo
Re: Corrupt db?
« Reply #1 on: December 13, 2019, 06:06:09 pm »
 :)

Please check the replication status:

Code:
sudo samba-tool drs showrepl

You can manually force the replication using samba-tool. Read this: https://wiki.samba.org/index.php/Manually_Replicating_Directory_Partitions

NB: don't mix up DC1 and DC2!

(If you have some issues with deleted objects (I have seen it in old systems running without active management), read about these commands:

Code:
sudo ldbsearch --cross-ncs --show-deleted -H /var/lib/samba/private/sam.ldb | grep "\0ADEL"
sudo ldbdel -H /var/lib/samba/private/sam.ldb <DN-of-conflicting-object> [--relax]
# or remove the reference to the deleted object
sudo ldbedit -H /var/lib/samba/private/sam.ldb -b <object dn> -s base
)

Tell me if you need some more help.

Cheers!
« Last Edit: December 13, 2019, 06:08:40 pm by doncamilo »
"That place... is strong with the
dark side of the Force.  A domain
of evil it is.  In you must go."

Yoda.

einarha
Re: Corrupt db?
« Reply #2 on: January 07, 2020, 11:41:06 am »
Sorry for the late reply, I completely missed the answer.

I've given up on the current db, I think it's too far gone with custom modifications or something
for it to be really usable again. Fortunately it's only a few users, so starting over isn't that hard.

What is hard is deciding the best way to connect our Unix servers (FreeBSD and Linux)
to Zentyal but I'll create another post with that question. Thanks for the help.

einarha
Re: Corrupt db?
« Reply #3 on: January 07, 2020, 12:32:29 pm »
I finally discovered what was happening. Zentyal has a hardcoded
lower limit on UIDs; it is now 2000. I guess it was lower before, or
a previous sysadmin here hacked his way around it, since our users
had UIDs starting at 1000.
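
To see which accounts fall under the limit described in Reply #3, the following added example (not part of any post in this thread and not Zentyal's own code) filters ldbsearch LDIF output for users whose uidNumber is below 2000. The function names, the sample records and the assumption that accounts carry uidNumber in sam.ldb are illustrative; the 2000 floor is the value reported in the thread.

```shell
#!/bin/sh
# Added example: list accounts whose uidNumber is below a floor.
UID_FLOOR=2000   # value reported in the thread, not read from Zentyal's code

# Reads ldbsearch LDIF on stdin and prints "uidNumber<TAB>sAMAccountName"
# for every record whose uidNumber is below $1, sorted by uidNumber.
# Records without a uidNumber attribute are skipped.
low_uid_users() {
    awk -v floor="$1" '
        function emit() {
            if (uid != "" && uid + 0 < floor + 0) print uid "\t" name
            uid = ""; name = ""
        }
        /^$/                { emit(); next }   # a blank line ends a record
        /^sAMAccountName: / { sub(/^[^:]*: /, ""); name = $0; next }
        /^uidNumber: /      { sub(/^[^:]*: /, ""); uid = $0; next }
        END                 { emit() }
    ' | sort -n
}

# Constructed LDIF records for an offline run (not output from a real server).
sample_ldif() {
    cat <<'EOF'
# record 1
dn: CN=alice,CN=Users,DC=example,DC=lan
sAMAccountName: alice
uidNumber: 1004

# record 2
dn: CN=bob,CN=Users,DC=example,DC=lan
uidNumber: 2011
sAMAccountName: bob

# record 3
dn: CN=svc-backup,CN=Users,DC=example,DC=lan
sAMAccountName: svc-backup

# returned 3 records
EOF
}

# Offline demonstration on the constructed records:
sample_ldif | low_uid_users "$UID_FLOOR"

# On a DC, feed it the real directory instead (assumes uidNumber is set there):
# sudo ldbsearch -H /var/lib/samba/private/sam.ldb \
#     '(&(objectClass=user)(uidNumber=*))' sAMAccountName uidNumber \
#     | low_uid_users "$UID_FLOOR"
```

Comparing this list with the users missing on the BDC shows whether the UID floor explains all of the gaps or only some of them.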

doncamilo
Re: Corrupt db?
« Reply #4 on: January 07, 2020, 03:08:28 pm »