[Samba] 4.2.2 as AD with 2 DCs: database incoherency

mathias dufresne infractory at gmail.com
Thu Jul 16 11:20:52 UTC 2015


Here I obtained:
---------------------
* Comparing [DOMAIN] context...
Failed search of base=DC=ad,DC=domain,DC=tld
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_UNEXPECTED_NETWORK_ERROR
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 979, in run
    outf=self.outf, errf=self.errf)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 698, in __init__
    self.dn_list = self.get_dn_list(context)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 841, in get_dn_list
    res = self.con.ldb.search(base=self.search_base, scope=self.search_scope, attrs=["dn"])
----------------------

Which led me to check my /etc/resolv.conf, and on one DC there was only one
DNS entry to access the local Samba and no line to ask the other DC. I've
added the second DC as nameserver and reran the command... to obtain the
very same error.

I had a line in /etc/hosts with the hostname for address 127.0.0.1; I removed
it and reran the command. Same error.

I will try this command from the other DC later; it took around 45 min to
run and I don't have them right now... I'll come back to send you some
feedback.

Best regards,

Mathias

2015-07-16 9:37 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 16/07/15 07:19, Daniel Müller wrote:
>
>> On my site with samba 4.18 on centos 6:
>>
>> 'samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator' failed with
>> this result msDS-NC Type failed :
>>
>>      [root@s4master ~]# samba-tool ldapcmp ldap://s4master ldap://s4slave -Uadministrator
>> Password for [TPLK\administrator]:
>>
>> * Comparing [DOMAIN] context...
>>
>> * Objects to be compared: 606
>>
>> Comparing:
>> 'CN=Builtin,DC=tplk,DC=loc' [ldap://s4master]
>> 'CN=Builtin,DC=tplk,DC=loc' [ldap://s4slave]
>>      Attributes found only in ldap://s4master:
>>          serverState
>>      FAILED
>>
>> Comparing:
>> 'DC=tplk,DC=loc' [ldap://s4master]
>> 'DC=tplk,DC=loc' [ldap://s4slave]
>>      Attributes found only in ldap://s4master:
>>          msDS-NcType
>>          serverState
>>      FAILED
>>
>> * Result for [DOMAIN]: FAILURE
>>
>> SUMMARY
>> ---------
>>
>> Attributes found only in ldap://s4master:
>>
>>      msDS-NcType
>>      serverState
>>
>> * Comparing [CONFIGURATION] context...
>>
>> * Objects to be compared: 1616
>>
>> Comparing:
>> 'CN=Configuration,DC=tplk,DC=loc' [ldap://s4master]
>> 'CN=Configuration,DC=tplk,DC=loc' [ldap://s4slave]
>>      Attributes found only in ldap://s4master:
>>          subRefs
>>          msDS-NcType
>>      FAILED
>>
>> * Result for [CONFIGURATION]: FAILURE
>>
>> SUMMARY
>> ---------
>>
>> Attributes found only in ldap://s4master:
>>
>>      msDS-NcType
>>      subRefs
>>
>> * Comparing [SCHEMA] context...
>>
>> * Objects to be compared: 1550
>>
>> Comparing:
>> 'CN=Schema,CN=Configuration,DC=tplk,DC=loc' [ldap://s4master]
>> 'CN=Schema,CN=Configuration,DC=tplk,DC=loc' [ldap://s4slave]
>>      Attributes found only in ldap://s4master:
>>          msDS-NcType
>>      FAILED
>>
>> * Result for [SCHEMA]: FAILURE
>>
>> SUMMARY
>> ---------
>>
>> Attributes found only in ldap://s4master:
>>
>>      msDS-NcType
>>
>> * Comparing [DNSDOMAIN] context...
>>
>> * Objects to be compared: 333
>>
>> Comparing:
>> 'DC=DomainDnsZones,DC=tplk,DC=loc' [ldap://s4master]
>> 'DC=DomainDnsZones,DC=tplk,DC=loc' [ldap://s4slave]
>>      Attributes found only in ldap://s4master:
>>          msDS-NcType
>>      FAILED
>>
>> * Result for [DNSDOMAIN]: FAILURE
>>
>> SUMMARY
>> ---------
>>
>> Attributes found only in ldap://s4master:
>>
>>      msDS-NcType
>>
>> * Comparing [DNSFOREST] context...
>>
>> * Objects to be compared: 19
>>
>> Comparing:
>> 'DC=ForestDnsZones,DC=tplk,DC=loc' [ldap://s4master]
>> 'DC=ForestDnsZones,DC=tplk,DC=loc' [ldap://s4slave]
>>      Attributes found only in ldap://s4master:
>>          msDS-NcType
>>      FAILED
>>
>> * Result for [DNSFOREST]: FAILURE
>>
>> SUMMARY
>> ---------
>>
>> Attributes found only in ldap://s4master:
>>
>>      msDS-NcType
>> ERROR: Compare failed: -1
>>
>>
>> Daniel Müller
>>
>> Head of IT
>> Tropenklinik Paul-Lechler-Krankenhaus
>> Paul-Lechler-Str. 24
>> 72076 Tübingen
>> Tel.: 07071/206-463, Fax: 07071/206-499
>> eMail: mueller at tropenklinik.de
>> Internet: www.tropenklinik.de
>>
>>
>>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland
>> Penny
>> Sent: Wednesday, 15 July 2015 17:35
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] 4.2.2 as AD with 2 DCs: database incoherency
>>
>> On 15/07/15 14:31, mathias dufresne wrote:
>>
>>> Hi all,
>>>
>>> I have a test AD domain composed of 2 DCs, using Sernet's version
>>> of Samba 4.2.2.
>>>
>>> These two DCs are CentOS 6.6 (dc20) and Debian 7.8 (dc00).
>>>
>>> These two are using TDB as a backend (as we have no other choice at
>>> this stage of Samba's development).
>>>
>>> *dc20*:~# ldbsearch -H $sam '(objectclass=group)' dn | tail -3
>>> # returned 27392 records
>>> # *27389* entries
>>> # 3 referrals
>>> *dc00*:~# ldbsearch -H $sam '(objectclass=group)' dn | tail -3
>>> # returned 27892 records
>>> # *27889* entries
>>> # 3 referrals
>>>
>>> I'm wondering why I'm missing 500 groups on dc20's database.
>>>
>>> Perhaps this issue comes from the fact there was a space issue on dc00
>>> (/var/log/samba/log.samba filled up /var (debug) and the database is on
>>> the same FS, in /var/lib/samba).
>>>
>>> Anyway, do we have something to force databases to come back to a
>>> coherent state?
>>> Could we tdbdump the DB on one host then tdbrestore it on the other?
>>>
>>> Kind regards,
>>>
>>> mathias
>>>
>> What does 'samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator' show?
>>
>> More info, see here: https://wiki.samba.org/index.php/Samba-tool_ldapcmp
>>
>> Rowland
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
> Stop worrying, all the failing attributes are non-replicating attributes;
> this has been fixed in later samba4 versions.
>
>
> Rowland

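One way to triage ldapcmp output like the run quoted above, separating the attributes the reply calls non-replicating from differences that still need a look. This is an added example, not part of the thread or of Samba's code; it parses only the "Attributes found only in" form shown in the thread, and the `triage` function, the ignore list and the "Example Group" sample object are assumptions.

```python
import re
# Attribute names from the ldapcmp output in this thread; ignoring them is this example's assumption.
NON_REPLICATED = {"msDS-NcType", "serverState", "subRefs"}
CONTEXT_RE = re.compile(r"^\* Comparing \[(\w+)\] context")
DN_RE = re.compile(r"^'(.+)' \[ldap://[^\]]+\]$")
ONLY_IN_RE = re.compile(r"^Attributes found only in (ldap://\S+):$")

def triage(output, ignore=NON_REPLICATED):
    """Map each context to the (dn, host, attribute) differences not in `ignore`."""
    ignore = {a.lower() for a in ignore}   # AD attribute names are case-insensitive
    findings, context, dn, host = {}, None, None, None
    for line in map(str.strip, output.splitlines()):
        if m := CONTEXT_RE.match(line):
            context, dn, host = m.group(1), None, None
            findings[context] = []
        elif line in ("Comparing:", "SUMMARY"):
            dn = host = None          # new object, or the summary that repeats it
        elif line == "FAILED" or line.startswith("* "):
            host = None               # end of one object's attribute list
        elif m := DN_RE.match(line):
            dn = dn or m.group(1)     # both DCs print the same DN; keep the first
        elif m := ONLY_IN_RE.match(line):
            host = m.group(1) if dn else None   # no DN: we are inside SUMMARY
        elif context and host and line and line.lower() not in ignore:
            findings[context].append((dn, host, line))
    return findings

# Constructed, trimmed sample: the 'Example Group' object is invented for illustration.
SAMPLE = """\
* Comparing [DOMAIN] context...
Comparing:
'DC=tplk,DC=loc' [ldap://s4master]
'DC=tplk,DC=loc' [ldap://s4slave]
     Attributes found only in ldap://s4master:
         msDS-NcType
     FAILED
Comparing:
'CN=Example Group,CN=Users,DC=tplk,DC=loc' [ldap://s4master]
'CN=Example Group,CN=Users,DC=tplk,DC=loc' [ldap://s4slave]
     Attributes found only in ldap://s4slave:
         member
     FAILED
SUMMARY
Attributes found only in ldap://s4slave:
     member
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An empty list for a context means every reported difference was on the ignore list; any remaining tuple names the object and the DC that holds the extra attribute.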
