[Samba] Samba AD DC Replication Problems due to missing schema comparison support

Andrew Bartlett abartlet at samba.org
Mon Oct 21 13:25:58 MDT 2013 

On Mon, 2013-10-21 at 12:29 -0600, Nick Couchman wrote:
> >>> On 2013/10/20 at 17:03, "Nick Couchman" <Nick.Couchman at seakr.com> wrote: 
> > I've seen a couple of posts related to this, but nothing with definitive 
> > solutions or even hints that helped me in the right direction.  I'm 
> > attempting to add Samba4 DCs to my existing AD domain.  This mostly works - it 
> > replicates in information from the Windows DCs, starts the services, and 
> > appears to have all of the necessary information.  Scheduled replications 
> > from the Windows DCs to the Samba DCs work fine, but the Samba -> Windows 
> > replication is failing with a "Schema Mismatch" error (8418, 
> > 'WERR_DS_DRA_SCHEMA_MISMATCH').  The schema in the Samba DC was replicated 
> > from the Windows DC, so it should be identical, but it is not.  Anyone know 
> > what might be going on here - what schema Samba has that AD does not, what 
> > schema I might need to add to AD, or even how to debug this?  I've turned up 
> > the logging level on one of my Samba DCs, but it isn't yielding any useful 
> > information - nothing that tells me what about the schema is mis-matched.
> > 
> > Any insights, anyone - I'd love to get Samba up and running as a DC, 
> > especially with Samba 4.1 supporting the additional schemas from Windows!
> > 
> > Thanks,
> > Nick
> > 
> > 
> 
> Well, I figured out what was causing the replication error, but perhaps someone can help me understand why this happened.  I was getting a schema error, but the reality was that, in one of the attributes for one of the computer entries, there was a duplicate value.  The duplicate was there because the case was different - I believe the attribute was servicePrincipalName or something like that, which has multiple values, anyway.  On one of the values, there were two identical entries, except that one entry was entirely upper case, and one was entirely lower-case.
> 
> Anyone know how/why this would happen, and if there's some setting I need to change to prevent it?

We have a series of patches to fix this, but these have not yet hit
master due to issues in the patches, and some of the complexity
involved.  We hope to have them in for 4.2, sadly they were too risky to
rush for 4.1. 

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list