Error 8418: The replication operation failed because of a schema mismatch between the servers involved

Sinelnikov Evgeniy Sinelnikov.E at digdes.com
Fri Apr 1 10:39:16 UTC 2016 

> -----Original Message-----
> From: gmastersin at gmail.com [mailto:gmastersin at gmail.com] On Behalf Of
> Evgeny Sinelnikov
> Sent: Thursday, March 31, 2016 9:46 PM
> To: Andrew Bartlett <abartlet at samba.org>
> Cc: Sinelnikov Evgeniy <Sinelnikov.E at digdes.com>; samba-
> technical at lists.samba.org; Shumay Konstantin <Shumay.K at digdes.com>
> Subject: Re: Error 8418: The replication operation failed because of a schema
> mismatch between the servers involved
> 
> 2016-03-31 10:18 GMT+03:00 Andrew Bartlett <abartlet at samba.org>:
> > On Tue, 2016-03-29 at 16:06 +0000, Sinelnikov Evgeniy wrote:
> >> Hello,
> >>
> >> I found solution for this problem.
> >>
> >> I it is not due DCERPC interconnection, like I think (
> >> https://bugzilla.samba.org/show_bug.cgi?id=11758).
> >> But it is really due wrong attid in DsGetNCChanges response from
> >> Samba.
> >> To localize this problem I logged all DCERPC packets into files (see
> >> DEBUG patches).
> >>
> >> At next step I filtered all replicated objects expected one only. And
> >> found that is User or Computer with additional linked attributes from
> >> Microsoft Exchange extension like homeMDB, for example.
> >>
> >> I got as result two GetNCChanges responses from Samba DC and
> Windows
> >> DC and compare them.
> >> ...
> >>                                          guid                     :
> >> eb8f5dd6-417a-45ec-8d9d-c52a60285aaf
> >> -                                        sid                      : S
> >> -1-5-21-8659820-343394492-589173015-1126
> >> -                                        __ndr_size_dn            :
> >> 0x00000024 (36)
> >> -                                        dn                       :
> >> 'CN=User11,CN=Users,DC=company3,DC=dd'
> >> -                                attid                    :
> >> UNKNOWN_ENUM_VALUE (0x200F4)
> >> +                                        sid                      : S
> >> -0-0
> >> +                                        __ndr_size_dn            :
> >> 0x00000000 (0)
> >> +                                        dn                       :
> >> ''
> >> +                                attid                    :
> >> UNKNOWN_ENUM_VALUE (0x88EC88B7)
> >>                                  value: struct
> >> drsuapi_DsAttributeValue ...
> >>
> >> At next part I found simple solution, which works for me.
> >>
> >> --- a/source4/rpc_server/drsuapi/getncchanges.c
> >> +++ b/source4/rpc_server/drsuapi/getncchanges.c
> >> @@ -477,7 +477,7 @@ static WERROR
> get_nc_changes_add_la(TALLOC_CTX
> >> *mem_ctx,
> >>                         return WERR_OK;
> >>                 }
> >>         }
> >> -       la->attid = sa->attributeID_id;
> >> +       la->attid = sa->msDS_IntId == 0 ? sa->attributeID_id : sa
> >> ->msDS_IntId;
> >>         la->flags = active?DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE:0;
> >>
> >>         status = dsdb_get_extended_dn_uint32(dsdb_dn->dn, &la
> >> ->meta_data.version, "RMD_VERSION");
> >>
> >>
> >> Please, review my patch for rpc_server/drsuapi.
> >
> > Thanks so much for isolating it down.  Please re-work it to use
> >
> > dsdb_attribute_get_attid(sa, is_schema_nc);
> >
> > And re-submit as a git commit using 'git format-patch -1 -s'
> >
> > Then, finally, we need a test, if at all possible.  I'm about to write
> > one for normal attributes from custom schema, inspecting
> > replPropertMetaData.  We need to work out if we can do the same for
> > this.
> >
> > Thanks!
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett                       http://samba.org/~abartlet/
> > Authentication Developer, Samba Team  http://samba.org
> > Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> >
> >
> 
> Ok, I re-work patch with dsdb_attribute_get_attid() without check that is
> schema attribute. This is looks like enough. If it is not I have another tested
> patch adds is_schema_nc argument to
> get_nc_changes_add_la() and get_nc_changes_add_links() functions.
> 
> At finally, we need a manual test with replication for normal attributes from
> custom schema. We looks to ndrdump packets with it and inspect it.
> This is not torture reproducable test. Is it right?
> 
> Last time I'm testing rpm build of samba-4.4.0 for CentOS-7. And will retry
> previous test environment after rebuild current staff with dcesrv:stubs
> directory fixes tomorrow.

Lately I tested rpm build of samba-4.4.0 for CentOS-7 (https://goo.gl/lqUM0i) and reproduced previous test environment with my patches in special debug release.

Using extended dcesrv:stubs directory support from my build I logged GetNCChanges responses of MS Exchange attributes mailNickname and msExchUserAccountControl as final test as I understand it.


List of all basic additional MS Exchange User attributes:
+homeMDB	DN	1	CN=Mailbox Store (EX01),CN=First Storage Group,CN=InformationStore,CN=EX01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Company3 Organisation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company3,DC=dd
+homeMTA	DN	1	CN=Microsoft MTA,CN=EX01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Company3 Organisation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company3,DC=dd
+legacyExchangeDN	CaseIgnoreString	1	/o=Company3 Organisation/ou=First Administrative Group/cn=Recipients/cn=user6
 logonCount	Integer	1	0
+mailNickname	DirectoryString	1	user6
+mDBUseDefaults	Boolean	1	TRUE
+msExchHomeServerName	DirectoryString	1	/o=Company3 Organisation/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=EX01
+msExchMailboxGuid	OctetString	1	{4C63723E-E7FE-4B38-A5EE-A39B068F4E65}
+msExchMailboxSecurityDescriptor	NTSecurityDescriptor	1	D:(A;CI;CCDCRC;;;PS)
+msExchUserAccountControl	Integer	1	0



-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0116-RPC-drsuapi-3-request-call_id_82-common.dat.txt
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160401/4d6a4216/0116-RPC-drsuapi-3-request-call_id_82-common.dat-0001.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0117-RPC-drsuapi-response-call_id_82-common.dat.txt
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160401/4d6a4216/0117-RPC-drsuapi-response-call_id_82-common.dat-0001.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0140-RPC-drsuapi-3-request-call_id_90-common.dat.txt
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160401/4d6a4216/0140-RPC-drsuapi-3-request-call_id_90-common.dat-0001.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0141-RPC-drsuapi-response-call_id_90-common.dat.txt
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160401/4d6a4216/0141-RPC-drsuapi-response-call_id_90-common.dat-0001.txt>

More information about the samba-technical mailing list