[Samba] 4.1.12: ldapcmp differences on attribute 'whenChanged'

mourik jan heupink - merit heupink at merit.unu.edu
Tue Sep 16 11:27:17 MDT 2014 

Hi all,

I have just updated our dc's from sernet 4.1.11 to sernet 4.1.12. And 
suddenly since that update, we're getting many ldapcmp failures on the 
attribute 'whenChanged'. In 4.1.11 life was good, and ldapcmp reported 
no differences at all.

Here is a sample: (dc2 <-> dc3)

Comparing:
'CN=podcast,CN=Users,DC=samba,DC=company,DC=com' [ldap://dc2]
'CN=podcast,CN=Users,DC=samba,DC=company,DC=com' [ldap://dc3]
     Difference in attribute values:
         whenChanged =>
['20140507142704.0Z']
['20140715153329.0Z']
     FAILED

and: (dc2 <-> dc4)

Comparing:
'CN=podcast,CN=Users,DC=samba,DC=company,DC=com' [ldap://dc2]
'CN=podcast,CN=Users,DC=samba,DC=company,DC=com' [ldap://dc4]
     Difference in attribute values:
         whenChanged =>
['20140507142704.0Z']
['20140826123226.0Z']
     FAILED

As you can see, all three dc's have a different 'whenChanged' attribute 
value.

I'm started thinking that perhaps the 'starting' "whenChanged" is the 
time that the DC is installed (meaning: replicated for the first time), 
and that only after the first actual change in the AD, the whenChanged 
is updated and replicated to all DC's.

So, I changed something in CN=podcast, and tested again:

Comparing:
'CN=podcast,CN=Users,DC=samba,DC=merit,DC=unu,DC=edu' [ldap://dc4]
'CN=podcast,CN=Users,DC=samba,DC=merit,DC=unu,DC=edu' [ldap://dc3]
     Difference in attribute values:
         whenChanged =>
['20140916171443.0Z']
['20140916171433.0Z']
     FAILED

Comparing:
'CN=podcast,CN=Users,DC=samba,DC=merit,DC=unu,DC=edu' [ldap://dc2]
'CN=podcast,CN=Users,DC=samba,DC=merit,DC=unu,DC=edu' [ldap://dc4]
     Difference in attribute values:
         whenChanged =>.
['20140916171503.0Z']
['20140916171443.0Z']
     FAILED

So what I guess now, is that 'whenChanged' is actually the LOCAL time on 
the specific DC that the change was RECEIVED. So it's value can change a 
bit between dc's, slow replication lines, etc, etc.

I have also seen this bugreport:
https://bugzilla.samba.org/show_bug.cgi?id=10788
and I'm not sure if that patch is included in 4.1.12, but in that patch 
I see some mention of attribute 'whenChanged'. One example:

+                # "whenChanged", # This is implicitly replicated


So... all very interesting, but what are you seeing on your AD's? Anyone 
running sernet 4.1.12, and tried ldapcmp already? Are you seeing the 
same as us?

Mourik Jan

More information about the samba mailing list