[Samba] Samba4: ldapcmp incorrectly reporting some attributes as missing on secondary controller
Andrew Bartlett
abartlet at samba.org
Thu Dec 27 21:43:11 MST 2012
On Thu, 2012-12-27 at 19:04 +0100, Dominic Evans wrote:
> Hi,
>
> I have a domain with a single Windows 2003 DC running. Today I created
> a Samba4 DC (using 4.0.0 release) and asked it to join the existing
> domain as an additional controller. Replication of both the objects
> and dns entries appears to be working well, and the usual tests of
> adding a user to one and confirming it is available in the other is
> similarly working.
>
> However, the `ldapcmp` tool claims there are numerous discrepancies in
> the replicated data between the two ldap directories. Note the
> 'attributes found only in' list in the example comparison for a
> specific user in the directory:
>
> $ sudo samba-tool ldapcmp ldap://windowsdc.exampledn.com
> ldap://samba4dc.exampledn.com domain --base='CN=ExampleFirstName
> ExampleSecondName,OU=OU,DC=exampledn,DC=com'
> --base2='CN=ExampleFirstName
> ExampleSecondName,OU=OU,DC=exampledn,DC=com'
What username did you use (administrator or another user) to
authenticate in this case?
> * Comparing [DOMAIN] context...
>
> * Objects to be compared: 1
>
> Comparing:
> 'CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com'
> [ldap://windowsdc.exampledn.com]
> 'CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com'
> [ldap://samba4dc.exampledn.com]
> Attributes found only in ldap://windowsdc.exampledn.com:
> instanceType
> whenCreated
> pwdLastSet
> accountExpires
> userAccountControl
> FAILED
>
> * Result for [DOMAIN]: FAILURE
>
> SUMMARY
> ---------
>
> Attributes found only in ldap://windowsdc.exampledn.com:
>
> pwdLastSet
> whenCreated
> instanceType
> userAccountControl
> accountExpires
> ERROR: Compare failed: -1
>
> However, using `ldapsearch` to query the directories of both domain
> controllers directly, shows that these five attributes all appear to
> exist in both? In addition, the diff of the two queries seems to
> indicate some missing attributes and differing values on the samba4
> domain controller that are not mentioned/caught by the ldapcmp tool?
ldapcmp has a hard-coded list of non-replicated attributes that are
skipped in the analysis.
> --- /tmp/ldapsearch-windowsdc 2012-12-27 18:42:30.193281974 +0100
> +++ /tmp/ldapsearch-samba4dc 2012-12-27 18:42:30.233278605 +0100
> @@ -1,34 +1,29 @@
> dn: CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: ExampleFirstName ExampleSecondName
> sn: ExampleSecondName
> givenName: ExampleFirstName
> distinguishedName: CN=ExampleFirstName
> ExampleSecondName,OU=OU,DC=exampledn,DC=com
> instanceType: 4
> whenCreated: 20100401152917.0Z
> whenChanged: 20100401152918.0Z
> displayName: ExampleFirstName ExampleSecondName
> -uSNCreated: 236996493
> -uSNChanged: 236996516
> +uSNCreated: 3171
> +uSNChanged: 3171
> name: ExampleFirstName ExampleSecondName
> objectGUID:: 2io6fCOdmUW5yeebD85hAA==
> userAccountControl: 66048
> -badPwdCount: 0
> codePage: 0
> countryCode: 0
> -badPasswordTime: 130010173443750000
> -lastLogoff: 0
> -lastLogon: 130010708699218750
> pwdLastSet: 129146093579687500
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAdPiuHDqU7zAoMuUqaAoAAA==
> accountExpires: 9223372036854775807
> -logonCount: 7781
> sAMAccountName: examplesecondname.examplefirstname
> sAMAccountType: 805306368
> userPrincipalName: examplesecondname.examplefirstname at exampledn.com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=exampledn,DC=com
>
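Review bot: the only lines this hunk removes or changes (uSNCreated, uSNChanged, badPwdCount, badPasswordTime, lastLogoff, lastLogon, logonCount) are per-DC values that AD does not replicate between controllers, which is exactly the hard-coded skip list mentioned above; the five attributes ldapcmp reported as missing (instanceType, whenCreated, pwdLastSet, accountExpires, userAccountControl) all appear as unchanged context with identical values on both DCs. The diff therefore points to a read-visibility difference for the bind ldapcmp used, not to a replication gap, and re-running the comparison with the same (administrator) bind on both sides is the check that separates the two.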
> Should I be concerned by any of this?
Assuming that you used a non-administrator user to connect over LDAP,
the 'missing' attributes are a concern, but not to your data integrity.
We have an outstanding issue where the read ACL is applied incorrectly
for non-administrator users, and I need to understand why that is.
You can set 'acl:read=false' in your smb.conf to disable this, while we
sort out what is going on. This will remove any restriction on any user
reading any non-confidential attribute (by the schema flag or being in
the list of password attributes).
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
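An added illustration of what ldapcmp is doing, written for this page and not taken from samba-tool's own implementation: a small Python model that parses two LDIF entries, compares them while skipping an assumed subset of AD's non-replicated attributes, and shows how a bind whose read ACL withholds attributes produces the same "found only in" report quoted above. The sample LDIF is constructed from the ldapsearch output in the thread; NON_REPLICATED and ACL_WITHHELD are assumptions, not samba-tool's actual lists.

```python
"""Minimal model of samba-tool ldapcmp: compare one object's attributes as read
from two DCs, ignoring per-DC (non-replicated) ones. Sample LDIF is constructed
from the ldapsearch output quoted in the thread."""
import base64
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Assumed skip list: AD keeps these per DC and never replicates them, so a
# healthy replica is expected to differ here (samba-tool's own list is longer).
NON_REPLICATED: Set[str] = {"badPasswordTime", "badPwdCount", "lastLogoff",
                            "lastLogon", "logonCount", "uSNChanged", "uSNCreated"}
# The five attributes the non-admin LDAP bind in the thread could not read.
ACL_WITHHELD: Set[str] = {"instanceType", "whenCreated", "pwdLastSet",
                          "accountExpires", "userAccountControl"}

WINDOWS_DC_LDIF = """\
dn: CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com
distinguishedName: CN=ExampleFirstName
  ExampleSecondName,OU=OU,DC=exampledn,DC=com
instanceType: 4
whenCreated: 20100401152917.0Z
uSNCreated: 236996493
uSNChanged: 236996516
objectGUID:: 2io6fCOdmUW5yeebD85hAA==
userAccountControl: 66048
badPwdCount: 0
badPasswordTime: 130010173443750000
pwdLastSet: 129146093579687500
accountExpires: 9223372036854775807
logonCount: 7781
"""

SAMBA4_DC_LDIF = """\
dn: CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com
distinguishedName: CN=ExampleFirstName
  ExampleSecondName,OU=OU,DC=exampledn,DC=com
instanceType: 4
whenCreated: 20100401152917.0Z
uSNCreated: 3171
uSNChanged: 3171
objectGUID:: 2io6fCOdmUW5yeebD85hAA==
userAccountControl: 66048
pwdLastSet: 129146093579687500
accountExpires: 9223372036854775807
"""

def parse_ldif_entry(text: str) -> Entry:
    """Parse one LDIF entry into {attribute: [values]}. A leading space folds a
    line onto the previous one; 'attr:: b64' values are stored as hex."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # drop only the fold marker
        elif raw.strip() and not raw.startswith("#"):
            unfolded.append(raw)
    entry: Entry = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):            # base64-encoded (binary) value
            value = base64.b64decode(value[1:].strip()).hex()
        else:
            value = value.strip()
        entry.setdefault(name.strip(), []).append(value)
    return entry

def compare_entries(a: Entry, b: Entry,
                    skip: Set[str] = NON_REPLICATED) -> Dict[str, object]:
    """Attribute-level diff of two copies of one object. Skipped attributes never
    fail the comparison but, when they differ, are listed under 'hidden'."""
    skip_l = {s.lower() for s in skip}
    a_n = {k.lower(): sorted(v) for k, v in a.items()}   # LDAP attribute names
    b_n = {k.lower(): sorted(v) for k, v in b.items()}   # are case-insensitive
    spelled = {k.lower(): k for k in list(b) + list(a)}

    def report(keys) -> List[str]:
        return sorted(spelled[k] for k in keys)

    only_a = report(k for k in a_n.keys() - b_n.keys() if k not in skip_l)
    only_b = report(k for k in b_n.keys() - a_n.keys() if k not in skip_l)
    differing = report(k for k in a_n.keys() & b_n.keys()
                       if k not in skip_l and a_n[k] != b_n[k])
    hidden = report(k for k in a_n.keys() | b_n.keys()
                    if k in skip_l and a_n.get(k) != b_n.get(k))
    return {"only_in_a": only_a, "only_in_b": only_b, "differing": differing,
            "hidden": hidden, "passed": not (only_a or only_b or differing)}

def as_seen_without(entry: Entry, withheld: Set[str]) -> Entry:
    """Copy of entry minus attributes a restrictive read ACL would not return."""
    w = {s.lower() for s in withheld}
    return {k: list(v) for k, v in entry.items() if k.lower() not in w}

if __name__ == "__main__":
    win, s4 = parse_ldif_entry(WINDOWS_DC_LDIF), parse_ldif_entry(SAMBA4_DC_LDIF)
    print("same bind on both:", compare_entries(win, s4))
    print("ACL-restricted read:", compare_entries(win, as_seen_without(s4, ACL_WITHHELD)))
```

Run as-is to see both outcomes: with the full entries the comparison passes and only the per-DC counters land in 'hidden'; with the five attributes withheld from the Samba copy it reports them as found only on the Windows DC, which is the report in the thread. When a replica looks suspicious, the 'hidden' list is the check worth reading, since it shows what a skip list quietly absorbs.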