[Samba] Samba4: ldapcmp incorrectly reporting some attributes as missing on secondary controller
Dominic Evans
oldmanuk at gmail.com
Thu Dec 27 11:04:17 MST 2012
Hi,

I have a domain with a single Windows 2003 DC running. Today I created
a Samba4 DC (using 4.0.0 release) and asked it to join the existing
domain as an additional controller. Replication of both the objects
and DNS entries appears to be working well, and the usual test of
adding a user to one and confirming it is available in the other is
similarly working.

However, the `ldapcmp` tool claims there are numerous discrepancies in
the replicated data between the two LDAP directories. Note the
'attributes found only in' list in the example comparison for a
specific user in the directory:

$ sudo samba-tool ldapcmp ldap://windowsdc.exampledn.com \
    ldap://samba4dc.exampledn.com domain \
    --base='CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com' \
    --base2='CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com'
* Comparing [DOMAIN] context...
* Objects to be compared: 1
Comparing:
'CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com'
[ldap://windowsdc.exampledn.com]
'CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com'
[ldap://samba4dc.exampledn.com]
Attributes found only in ldap://windowsdc.exampledn.com:
instanceType
whenCreated
pwdLastSet
accountExpires
userAccountControl
FAILED
* Result for [DOMAIN]: FAILURE
SUMMARY
---------
Attributes found only in ldap://windowsdc.exampledn.com:
pwdLastSet
whenCreated
instanceType
userAccountControl
accountExpires
ERROR: Compare failed: -1

However, using `ldapsearch` to query the directories of both domain
controllers directly shows that these five attributes all appear to
exist in both? In addition, the diff of the two queries seems to
indicate some missing attributes and differing values on the Samba4
domain controller that are not mentioned/caught by the ldapcmp tool?

--- /tmp/ldapsearch-windowsdc 2012-12-27 18:42:30.193281974 +0100
+++ /tmp/ldapsearch-samba4dc 2012-12-27 18:42:30.233278605 +0100
@@ -1,34 +1,29 @@
dn: CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: ExampleFirstName ExampleSecondName
sn: ExampleSecondName
givenName: ExampleFirstName
distinguishedName: CN=ExampleFirstName
ExampleSecondName,OU=OU,DC=exampledn,DC=com
instanceType: 4
whenCreated: 20100401152917.0Z
whenChanged: 20100401152918.0Z
displayName: ExampleFirstName ExampleSecondName
-uSNCreated: 236996493
-uSNChanged: 236996516
+uSNCreated: 3171
+uSNChanged: 3171
name: ExampleFirstName ExampleSecondName
objectGUID:: 2io6fCOdmUW5yeebD85hAA==
userAccountControl: 66048
-badPwdCount: 0
codePage: 0
countryCode: 0
-badPasswordTime: 130010173443750000
-lastLogoff: 0
-lastLogon: 130010708699218750
pwdLastSet: 129146093579687500
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAdPiuHDqU7zAoMuUqaAoAAA==
accountExpires: 9223372036854775807
-logonCount: 7781
sAMAccountName: examplesecondname.examplefirstname
sAMAccountType: 805306368
userPrincipalName: examplesecondname.examplefirstname at exampledn.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=exampledn,DC=com
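
Review bot: instanceType, whenCreated, pwdLastSet, accountExpires and userAccountControl all appear in this hunk as unchanged lines, so the two ldapsearch dumps agree on exactly the five attributes that ldapcmp listed as found only on windowsdc. What the hunk does record as different is uSNCreated and uSNChanged (236996493/236996516 against 3171/3171) and five lines present only in the windowsdc dump: badPwdCount, badPasswordTime, lastLogoff, lastLogon and logonCount. The hunk shows only the output, so it would help to state the exact ldapsearch command and bind identity used for each dump next to it.
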
Should I be concerned by any of this?
Cheers,
Dominic
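
Added example, not part of the original post and not Samba's ldapcmp code: it parses two single-entry ldapsearch LDIF dumps (unfolding wrapped lines and decoding `::` base64 values) and separates differences in attributes that each controller keeps locally from differences in replicated ones. The `PER_DC` list, the function names and the sample entries are assumptions constructed for illustration.

```python
import base64

# Assumption: attributes each domain controller maintains locally instead of
# replicating (logon counters, bad-password tracking, update sequence numbers).
PER_DC = {"badpwdcount", "badpasswordtime", "lastlogoff", "lastlogon",
          "logoncount", "usncreated", "usnchanged", "whenchanged"}

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: set_of_byte_values}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold a wrapped (continued) line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, rest = line.partition(":")
        b64 = rest.startswith(":")            # "attr:: value" is base64-encoded
        value = base64.b64decode(rest[1:]) if b64 else rest.strip().encode()
        entry.setdefault(name.lower(), set()).add(value)
    return entry

def compare_entries(a, b):
    """Split differing attributes into per-DC noise and replicated mismatches."""
    result = {"per_dc": [], "replicated": []}
    for attr in sorted(set(a) | set(b)):
        if a.get(attr) != b.get(attr):
            result["per_dc" if attr in PER_DC else "replicated"].append(attr)
    return result

# Constructed sample dumps modelled on the post (values are placeholders).
WINDOWS_DC = """dn: CN=Example User,OU=OU,DC=exampledn,DC=com
distinguishedName: CN=Example User,OU=OU,
 DC=exampledn,DC=com
uSNChanged: 236996516
badPwdCount: 0
lastLogon: 130010708699218750
pwdLastSet: 129146093579687500
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
"""
SAMBA_DC = """dn: CN=Example User,OU=OU,DC=exampledn,DC=com
distinguishedName: CN=Example User,OU=OU,DC=exampledn,DC=com
uSNChanged: 3171
pwdLastSet: 129146093579687500
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
"""

if __name__ == "__main__":
    print(compare_entries(parse_ldif_entry(WINDOWS_DC), parse_ldif_entry(SAMBA_DC)))
```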