[Samba] Samba4: ldapcmp incorrectly reporting some attributes as missing on secondary controller

Andrew Bartlett abartlet at samba.org
Thu Dec 27 21:43:11 MST 2012


On Thu, 2012-12-27 at 19:04 +0100, Dominic Evans wrote:
> Hi,
> 
> I have a domain with a single Windows 2003 DC running. Today I created
> a Samba4 DC (using 4.0.0 release) and asked it to join the existing
> domain as an additional controller. Replication of both the objects
> and dns entries appears to be working well, and the usual tests of
> adding a user to one and confirming it is available in the other is
> similarly working.
> 
> However, the `ldapcmp` tool claims there are numerous discrepancies in
> the replicated data between the two ldap directories. Note the
> 'attributes found only in' list in the example comparison for a
> specific user in the directory:
> 
> $ sudo samba-tool ldapcmp ldap://windowsdc.exampledn.com
> ldap://samba4dc.exampledn.com domain --base='CN=ExampleFirstName
> ExampleSecondName,OU=OU,DC=exampledn,DC=com'
> --base2='CN=ExampleFirstName
> ExampleSecondName,OU=OU,DC=exampledn,DC=com'

What username did you use (administrator or another user) to
authenticate in this case?

> * Comparing [DOMAIN] context...
> 
> * Objects to be compared: 1
> 
> Comparing:
> 'CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com'
> [ldap://windowsdc.exampledn.com]
> 'CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com'
> [ldap://samba4dc.exampledn.com]
>     Attributes found only in ldap://windowsdc.exampledn.com:
>         instanceType
>         whenCreated
>         pwdLastSet
>         accountExpires
>         userAccountControl
>     FAILED
> 
> * Result for [DOMAIN]: FAILURE
> 
> SUMMARY
> ---------
> 
> Attributes found only in ldap://windowsdc.exampledn.com:
> 
>     pwdLastSet
>     whenCreated
>     instanceType
>     userAccountControl
>     accountExpires
> ERROR: Compare failed: -1
> 
> However, using `ldapsearch` to query the directories of both domain
> controllers directly shows that these five attributes all appear to
> exist in both? In addition, the diff of the two queries seems to
> indicate some missing attributes and differing values on the samba4
> domain controller that are not mentioned/caught by the ldapcmp tool?

ldapcmp has a hard-coded list of non-replicated attributes that are
skipped in the analysis. 

> --- /tmp/ldapsearch-windowsdc	2012-12-27 18:42:30.193281974 +0100
> +++ /tmp/ldapsearch-samba4dc	2012-12-27 18:42:30.233278605 +0100
> @@ -1,34 +1,29 @@
>  dn: CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com
>  objectClass: top
>  objectClass: person
>  objectClass: organizationalPerson
>  objectClass: user
>  cn: ExampleFirstName ExampleSecondName
>  sn: ExampleSecondName
>  givenName: ExampleFirstName
>  distinguishedName: CN=ExampleFirstName
> ExampleSecondName,OU=OU,DC=exampledn,DC=com
>  instanceType: 4
>  whenCreated: 20100401152917.0Z
>  whenChanged: 20100401152918.0Z
>  displayName: ExampleFirstName ExampleSecondName
> -uSNCreated: 236996493
> -uSNChanged: 236996516
> +uSNCreated: 3171
> +uSNChanged: 3171
>  name: ExampleFirstName ExampleSecondName
>  objectGUID:: 2io6fCOdmUW5yeebD85hAA==
>  userAccountControl: 66048
> -badPwdCount: 0
>  codePage: 0
>  countryCode: 0
> -badPasswordTime: 130010173443750000
> -lastLogoff: 0
> -lastLogon: 130010708699218750
>  pwdLastSet: 129146093579687500
>  primaryGroupID: 513
>  objectSid:: AQUAAAAAAAUVAAAAdPiuHDqU7zAoMuUqaAoAAA==
>  accountExpires: 9223372036854775807
> -logonCount: 7781
>  sAMAccountName: examplesecondname.examplefirstname
>  sAMAccountType: 805306368
>  userPrincipalName: examplesecondname.examplefirstname at exampledn.com
>  objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=exampledn,DC=com
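Review bot: every line that actually differs in this hunk (uSNCreated/uSNChanged, badPwdCount, badPasswordTime, lastLogoff, lastLogon, logonCount) is an attribute Active Directory maintains per DC and never replicates, so the diff shows the expected difference between two replicas rather than a replication fault; the samba4dc side carries its own USNs and has no logon-statistics values yet, as you would expect on a freshly joined DC. Note also that the five attributes ldapcmp reported as 'found only in' windowsdc (instanceType, whenCreated, userAccountControl, pwdLastSet, accountExpires) are all unchanged context lines here, so both DCs return them to this ldapsearch bind; the ldapcmp complaint must come from how that tool read the object, not from what is stored on the Samba4 DC.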
> 
> Should I be concerned by any of this?

Assuming that you used a non-administrator user to connect over LDAP,
the 'missing' attributes are a concern, but not to your data integrity.
We have an outstanding issue where the read ACL is applied incorrectly
for non-administrator users, and I need to understand why that is.

You can set 'acl:read=false' in your smb.conf to disable this, while we
sort out what is going on.  This will remove any restriction on any user
reading any non-confidential attribute (by the schema flag or being in
the list of password attributes). 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
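The two checks Andrew's reply implies, written out as an added example (this is not code from the Samba project or from either correspondent): a replica comparison that skips non-replicated attributes the way `samba-tool ldapcmp` does, and a comparison of an administrator-bound view against an unprivileged-bound view of the same object, which is how the read-ACL symptom would be confirmed before and after setting `acl:read=false`. The LDIF is constructed from the ldapsearch diff quoted above and shortened; the skip list names only the attributes that differ in that diff plus whenChanged, which is likewise non-replicated (ldapcmp's own hard-coded list is longer); the unprivileged view is constructed to reproduce the five attributes ldapcmp reported, since no live directory is queried here.

```python
"""Compare two replicas of one AD object the way samba-tool ldapcmp does, and
check for the read-ACL symptom described in the thread.  Added example; all
data below is constructed from the ldapsearch diff quoted in the message."""
import base64
from typing import Dict, List, Set, Tuple

Entry = Dict[str, Set[str]]

# Per-DC bookkeeping attributes that Active Directory never replicates; every
# DC legitimately holds its own values, so a replica comparison must skip them.
# Taken from the attributes that differ in the diff, plus whenChanged.
NON_REPLICATED: Set[str] = {
    "uSNCreated", "uSNChanged", "whenChanged",
    "badPwdCount", "badPasswordTime", "lastLogoff", "lastLogon", "logonCount",
}

# Attributes ldapcmp reported as 'found only in' the Windows DC (from the thread).
REPORTED_MISSING: Set[str] = {"instanceType", "whenCreated", "pwdLastSet",
                              "accountExpires", "userAccountControl"}


def parse_ldif_entry(text: str) -> Entry:
    """Parse one LDIF entry into {attribute: {values}}.  Folded lines (leading
    space) are joined to the previous line; 'attr:: <base64>' values are
    decoded and stored as hex so they remain comparable strings."""
    lines: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folding: drop exactly one leading space
        else:
            lines.append(raw)
    entry: Entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).hex()
        else:
            value = value.strip()
        entry.setdefault(name, set()).add(value)
    return entry


def compare_entries(a: Entry, b: Entry, skip: Set[str] = NON_REPLICATED
                    ) -> Tuple[List[str], List[str], List[str]]:
    """Return (only_in_a, only_in_b, differing_values), ignoring `skip`.
    With skip=set() the raw ldapsearch diff is reproduced; with the default
    skip list only genuine replication discrepancies remain."""
    only_a = sorted(k for k in a if k not in b and k not in skip)
    only_b = sorted(k for k in b if k not in a and k not in skip)
    differing = sorted(k for k in a.keys() & b.keys()
                       if k not in skip and a[k] != b[k])
    return only_a, only_b, differing


def attributes_hidden_from_user(admin_view: Entry, user_view: Entry) -> List[str]:
    """Attributes visible when bound as an administrator but absent when the
    same object is read through an unprivileged bind.  A non-empty result is
    the read-ACL symptom from the reply, not a replication problem."""
    return sorted(set(admin_view) - set(user_view))


# Constructed from the windowsdc side of the diff (context and '-' lines), shortened.
# distinguishedName is folded exactly as ldapsearch folds long lines.
WINDOWS_DC_LDIF = """\
dn: CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com
objectClass: top
objectClass: user
cn: ExampleFirstName ExampleSecondName
distinguishedName: CN=ExampleFirstName
  ExampleSecondName,OU=OU,DC=exampledn,DC=com
instanceType: 4
whenCreated: 20100401152917.0Z
whenChanged: 20100401152918.0Z
uSNCreated: 236996493
uSNChanged: 236996516
objectGUID:: 2io6fCOdmUW5yeebD85hAA==
userAccountControl: 66048
badPwdCount: 0
badPasswordTime: 130010173443750000
lastLogoff: 0
lastLogon: 130010708699218750
pwdLastSet: 129146093579687500
objectSid:: AQUAAAAAAAUVAAAAdPiuHDqU7zAoMuUqaAoAAA==
accountExpires: 9223372036854775807
logonCount: 7781
sAMAccountName: examplesecondname.examplefirstname
"""
WINDOWS_DC: Entry = parse_ldif_entry(WINDOWS_DC_LDIF)

# The samba4dc side of the diff: same object, its own USNs, and none of the
# logon-statistics attributes (constructed from the '+' lines and omissions).
SAMBA4_DC: Entry = {k: v for k, v in WINDOWS_DC.items()
                    if k not in {"badPwdCount", "badPasswordTime", "lastLogoff",
                                 "lastLogon", "logonCount"}}
SAMBA4_DC["uSNCreated"] = {"3171"}
SAMBA4_DC["uSNChanged"] = {"3171"}

# The same Samba4 object through an unprivileged bind while the read ACL misfires:
# the five attributes ldapcmp called 'missing' are withheld (constructed view).
SAMBA4_AS_USER: Entry = {k: v for k, v in SAMBA4_DC.items() if k not in REPORTED_MISSING}

if __name__ == "__main__":
    print("raw diff      :", compare_entries(WINDOWS_DC, SAMBA4_DC, skip=set()))
    print("ldapcmp style :", compare_entries(WINDOWS_DC, SAMBA4_DC))
    print("hidden by ACL :", attributes_hidden_from_user(SAMBA4_DC, SAMBA4_AS_USER))
```

Run against live data, the two views passed to `attributes_hidden_from_user` would be the same object fetched twice, once bound as administrator and once as an ordinary user; an empty result after setting `acl:read=false` and restarting confirms that the 'missing' attributes were an access-control artefact rather than missing data.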