[Samba] Samba4: ldapcmp incorrectly reporting some attributes as missing on secondary controller

Dominic Evans oldmanuk at gmail.com
Thu Dec 27 11:04:17 MST 2012


Hi,

I have a domain with a single Windows 2003 DC running. Today I created
a Samba4 DC (using the 4.0.0 release) and asked it to join the existing
domain as an additional controller. Replication of both the objects
and DNS entries appears to be working well, and the usual test of
adding a user to one and confirming it is available in the other is
similarly working.

However, the `ldapcmp` tool claims there are numerous discrepancies in
the replicated data between the two ldap directories. Note the
'attributes found only in' list in the example comparison for a
specific user in the directory:

$ sudo samba-tool ldapcmp ldap://windowsdc.exampledn.com ldap://samba4dc.exampledn.com domain \
    --base='CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com' \
    --base2='CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com'

* Comparing [DOMAIN] context...

* Objects to be compared: 1

Comparing:
'CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com'
[ldap://windowsdc.exampledn.com]
'CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com'
[ldap://samba4dc.exampledn.com]
    Attributes found only in ldap://windowsdc.exampledn.com:
        instanceType
        whenCreated
        pwdLastSet
        accountExpires
        userAccountControl
    FAILED

* Result for [DOMAIN]: FAILURE

SUMMARY
---------

Attributes found only in ldap://windowsdc.exampledn.com:

    pwdLastSet
    whenCreated
    instanceType
    userAccountControl
    accountExpires
ERROR: Compare failed: -1

However, using `ldapsearch` to query the directories of both domain
controllers directly shows that these five attributes all appear to
exist in both? In addition, the diff of the two queries seems to
indicate some missing attributes and differing values on the Samba4
domain controller that are not mentioned/caught by the ldapcmp tool?

--- /tmp/ldapsearch-windowsdc	2012-12-27 18:42:30.193281974 +0100
+++ /tmp/ldapsearch-samba4dc	2012-12-27 18:42:30.233278605 +0100
@@ -1,34 +1,29 @@
 dn: CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com
 objectClass: top
 objectClass: person
 objectClass: organizationalPerson
 objectClass: user
 cn: ExampleFirstName ExampleSecondName
 sn: ExampleSecondName
 givenName: ExampleFirstName
 distinguishedName: CN=ExampleFirstName
ExampleSecondName,OU=OU,DC=exampledn,DC=com
 instanceType: 4
 whenCreated: 20100401152917.0Z
 whenChanged: 20100401152918.0Z
 displayName: ExampleFirstName ExampleSecondName
-uSNCreated: 236996493
-uSNChanged: 236996516
+uSNCreated: 3171
+uSNChanged: 3171
 name: ExampleFirstName ExampleSecondName
 objectGUID:: 2io6fCOdmUW5yeebD85hAA==
 userAccountControl: 66048
-badPwdCount: 0
 codePage: 0
 countryCode: 0
-badPasswordTime: 130010173443750000
-lastLogoff: 0
-lastLogon: 130010708699218750
 pwdLastSet: 129146093579687500
 primaryGroupID: 513
 objectSid:: AQUAAAAAAAUVAAAAdPiuHDqU7zAoMuUqaAoAAA==
 accountExpires: 9223372036854775807
-logonCount: 7781
 sAMAccountName: examplesecondname.examplefirstname
 sAMAccountType: 805306368
 userPrincipalName: examplesecondname.examplefirstname at exampledn.com
 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=exampledn,DC=com
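
Review bot: the five attributes ldapcmp reported as found only on windowsdc (instanceType, whenCreated, pwdLastSet, accountExpires, userAccountControl) all appear here as unchanged context lines, so this hunk contradicts the ldapcmp result rather than confirming it. The lines that do differ are uSNCreated/uSNChanged (changed values) and badPwdCount, badPasswordTime, lastLogoff, lastLogon and logonCount (present only in the windowsdc output), none of which ldapcmp listed. The ldapsearch invocations that produced the two /tmp files are not shown; including them (bind identity, base, filter and requested attributes for each server) would let a reader tell whether the two tools were run with the same credentials and were asking for the same attribute set.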

Should I be concerned by any of this?

Cheers,
Dominic

