[Samba] 4.2.2 as AD with 2 DCs: database incoherency

Rowland Penny rowlandpenny241155 at gmail.com
Thu Jul 16 12:02:30 UTC 2015


On 16/07/15 12:20, mathias dufresne wrote:
> Here I obtained:
> ---------------------
> * Comparing [DOMAIN] context...
> Failed search of base=DC=ad,DC=domain,DC=tld
> ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_UNEXPECTED_NETWORK_ERROR
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 979, in run
>      outf=self.outf, errf=self.errf)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 698, in __init__
>      self.dn_list = self.get_dn_list(context)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 841, in get_dn_list
>      res = self.con.ldb.search(base=self.search_base, scope=self.search_scope, attrs=["dn"])
> ----------------------
>
> Which led me to check my /etc/resolv.conf and on one DC there was only one
> DNS entry to access local Samba and no line to ask the other DC. I've
> added the second DC as nameserver and reran the command... to obtain the
> very same error.

Your /etc/resolv.conf should first point to the second DC and then to
itself, i.e.

search <your.domain>
nameserver <second DC>
nameserver <this DC>

> I had a line in /etc/hosts with hostname for address 127.0.0.1, I removed
> it and reran the command. Same error.

/etc/hosts should be:

127.0.0.1    localhost.localdomain    localhost
<ip of this DC>    hostname.domain.com    hostname

I would also suggest you check what is in /etc/hostname. It should just
contain the DC's short hostname; it may contain 'localhost'.

Rowland

> I will try this command from the other DC later, it took around 45min to
> run and I don't have them right now... I'll come back to send you some
> feedback.
>
> Best regards,
>
> Mathias
>
> 2015-07-16 9:37 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>
>> On 16/07/15 07:19, Daniel Müller wrote:
>>
>>> On my site with samba 4.18 on centos 6:
>>>
>>> 'samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator' failed with
>>> this result msDS-NC Type failed :
>>>
>>>       [root@s4master ~]# samba-tool ldapcmp ldap://s4master ldap://s4slave -Uadministrator
>>> Password for [TPLK\administrator]:
>>>
>>> * Comparing [DOMAIN] context...
>>>
>>> * Objects to be compared: 606
>>>
>>> Comparing:
>>> 'CN=Builtin,DC=tplk,DC=loc' [ldap://s4master]
>>> 'CN=Builtin,DC=tplk,DC=loc' [ldap://s4slave]
>>>       Attributes found only in ldap://s4master:
>>>           serverState
>>>       FAILED
>>>
>>> Comparing:
>>> 'DC=tplk,DC=loc' [ldap://s4master]
>>> 'DC=tplk,DC=loc' [ldap://s4slave]
>>>       Attributes found only in ldap://s4master:
>>>           msDS-NcType
>>>           serverState
>>>       FAILED
>>>
>>> * Result for [DOMAIN]: FAILURE
>>>
>>> SUMMARY
>>> ---------
>>>
>>> Attributes found only in ldap://s4master:
>>>
>>>       msDS-NcType
>>>       serverState
>>>
>>> * Comparing [CONFIGURATION] context...
>>>
>>> * Objects to be compared: 1616
>>>
>>> Comparing:
>>> 'CN=Configuration,DC=tplk,DC=loc' [ldap://s4master]
>>> 'CN=Configuration,DC=tplk,DC=loc' [ldap://s4slave]
>>>       Attributes found only in ldap://s4master:
>>>           subRefs
>>>           msDS-NcType
>>>       FAILED
>>>
>>> * Result for [CONFIGURATION]: FAILURE
>>>
>>> SUMMARY
>>> ---------
>>>
>>> Attributes found only in ldap://s4master:
>>>
>>>       msDS-NcType
>>>       subRefs
>>>
>>> * Comparing [SCHEMA] context...
>>>
>>> * Objects to be compared: 1550
>>>
>>> Comparing:
>>> 'CN=Schema,CN=Configuration,DC=tplk,DC=loc' [ldap://s4master]
>>> 'CN=Schema,CN=Configuration,DC=tplk,DC=loc' [ldap://s4slave]
>>>       Attributes found only in ldap://s4master:
>>>           msDS-NcType
>>>       FAILED
>>>
>>> * Result for [SCHEMA]: FAILURE
>>>
>>> SUMMARY
>>> ---------
>>>
>>> Attributes found only in ldap://s4master:
>>>
>>>       msDS-NcType
>>>
>>> * Comparing [DNSDOMAIN] context...
>>>
>>> * Objects to be compared: 333
>>>
>>> Comparing:
>>> 'DC=DomainDnsZones,DC=tplk,DC=loc' [ldap://s4master]
>>> 'DC=DomainDnsZones,DC=tplk,DC=loc' [ldap://s4slave]
>>>       Attributes found only in ldap://s4master:
>>>           msDS-NcType
>>>       FAILED
>>>
>>> * Result for [DNSDOMAIN]: FAILURE
>>>
>>> SUMMARY
>>> ---------
>>>
>>> Attributes found only in ldap://s4master:
>>>
>>>       msDS-NcType
>>>
>>> * Comparing [DNSFOREST] context...
>>>
>>> * Objects to be compared: 19
>>>
>>> Comparing:
>>> 'DC=ForestDnsZones,DC=tplk,DC=loc' [ldap://s4master]
>>> 'DC=ForestDnsZones,DC=tplk,DC=loc' [ldap://s4slave]
>>>       Attributes found only in ldap://s4master:
>>>           msDS-NcType
>>>       FAILED
>>>
>>> * Result for [DNSFOREST]: FAILURE
>>>
>>> SUMMARY
>>> ---------
>>>
>>> Attributes found only in ldap://s4master:
>>>
>>>       msDS-NcType
>>> ERROR: Compare failed: -1
>>>
>>>
>>> Daniel Müller
>>>
>>> Head of IT
>>> Tropenklinik Paul-Lechler-Krankenhaus
>>> Paul-Lechler-Str. 24
>>> 72076 Tübingen
>>> Tel.: 07071/206-463, Fax: 07071/206-499
>>> eMail: mueller at tropenklinik.de
>>> Internet: www.tropenklinik.de
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland
>>> Penny
>>> Sent: Wednesday, 15 July 2015 17:35
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] 4.2.2 as AD with 2 DCs: database incoherency
>>>
>>> On 15/07/15 14:31, mathias dufresne wrote:
>>>
>>>> Hi all,
>>>>
>>>> I'm having a test AD domain composed with 2 DC, using Sernet's version
>>>> of Samba 4.2.2.
>>>>
>>>> These two DC are Centos 6.6 (dc20) and Debian 7.8 (dc00).
>>>>
>>>> These two are using TDB as a backend (as we have no other choice at
>>>> this stage of Samba's development).
>>>>
>>>> *dc20*:~# ldbsearch -H $sam '(objectclass=group)' dn | tail -3
>>>> # returned 27392 records
>>>> # *27389* entries
>>>> # 3 referrals
>>>> *dc00*:~# ldbsearch -H $sam '(objectclass=group)' dn | tail -3
>>>> # returned 27892 records
>>>> # *27889* entries
>>>> # 3 referrals
>>>>
>>>> I'm wondering why I'm missing 500 groups on dc20 database.
>>>>
>>>> Perhaps this issue comes from the fact there was a space issue on dc00
>>>> (/var/log/samba/log.samba fulfilled /var (debug) and database is on
>>>> same FS into /var/lib/samba).
>>>>
>>>> Anyway, do we have something to force databases to come back to a
>>>> coherent state?
>>>> Could we tdbdump the DB on one host then tdbrestore it on the other?
>>>>
>>>> Kindly regards,
>>>>
>>>> mathias
>>>>
>>> What does 'samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator' show?
>>>
>>> More info, see here: https://wiki.samba.org/index.php/Samba-tool_ldapcmp
>>>
>>> Rowland
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>> Stop worrying, all the failing attributes are non replicating attributes,
>> this has been fixed in later samba4 versions.
>>
>>
>> Rowland
>>
>>
>>
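The resolv.conf, /etc/hosts and /etc/hostname layout given in the reply above can be checked mechanically on each DC. The following is an added example, not part of the original thread or of Samba; the function name, the sample file contents and the 192.0.2.x addresses are constructed placeholders.

```python
import re

def check_dc_name_config(resolv_conf, hosts, hostname_file, this_dc_ip, other_dc_ip):
    """Return deviations from the resolv.conf / hosts / hostname layout in the reply."""
    problems = []

    # resolv.conf: the other DC first, then this DC.
    nameservers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)
    if nameservers[:2] != [other_dc_ip, this_dc_ip]:
        problems.append("resolv.conf: nameservers are %s, expected %s then %s"
                        % (nameservers, other_dc_ip, this_dc_ip))

    # /etc/hostname: just the short name, never 'localhost' or an FQDN.
    short = hostname_file.strip().lower()
    if not short or "." in short or short == "localhost":
        problems.append("hostname: %r is not a short DC hostname" % short)
        return problems  # the hosts checks below need a usable short name

    # /etc/hosts: the DC name must map to the DC's own IP, not to loopback.
    dc_line_ok = False
    for line in hosts.splitlines():
        fields = line.split("#", 1)[0].lower().split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        owns_name = any(n == short or n.startswith(short + ".") for n in names)
        if owns_name and (ip.startswith("127.") or ip == "::1"):
            problems.append("hosts: %s maps the DC name to loopback" % ip)
        if ip == this_dc_ip and names[0].startswith(short + ".") and short in names[1:]:
            dc_line_ok = True
    if not dc_line_ok:
        problems.append("hosts: no '%s  %s.<domain>  %s' line" % (this_dc_ip, short, short))
    return problems

# Constructed sample files; addresses are documentation-range placeholders.
GOOD = dict(
    resolv_conf="search ad.domain.tld\nnameserver 192.0.2.20\nnameserver 192.0.2.10\n",
    hosts="127.0.0.1 localhost.localdomain localhost\n192.0.2.10 dc00.ad.domain.tld dc00\n",
    hostname_file="dc00\n")
BAD = dict(
    resolv_conf="nameserver 192.0.2.10\n",
    hosts="127.0.0.1 dc00 localhost\n",
    hostname_file="dc00\n")

if __name__ == "__main__":
    for label, files in (("good", GOOD), ("bad", BAD)):
        print(label, check_dc_name_config(this_dc_ip="192.0.2.10",
                                          other_dc_ip="192.0.2.20", **files))
```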
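To separate the one-sided attributes that the thread describes as non-replicating from differences that need attention, the `samba-tool ldapcmp` text can be triaged as below. This is an added example, not Samba's own code: it handles only the "Attributes found only in" sections in the format quoted in this thread, the ignore set is an assumption taken from the three attributes named here, and the `CN=grp1` object in the sample is constructed.

```python
import re

# Attributes reported as one-sided in this thread and described in the reply
# as non-replicating. Treating exactly this set as ignorable is an assumption.
NON_REPLICATED = {"msDS-NcType", "serverState", "subRefs"}
ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

def triage_ldapcmp(output, ignore=NON_REPLICATED):
    """Return {dn: [one-sided attributes not in `ignore`]} from ldapcmp text."""
    findings, dn, state = {}, None, None
    for raw in output.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).rstrip()   # tolerate mail quoting
        if line == "Comparing:":
            state = "dn"                      # next quoted line names the object
        elif state == "dn" and line.startswith("'"):
            dn, state = line.split("'")[1], None
        elif line.startswith("Attributes found only in") and dn:
            state = "attrs"
        elif state == "attrs" and ATTR_NAME.match(line) and line != "FAILED":
            if line not in ignore:
                findings.setdefault(dn, []).append(line)
        else:
            if line.startswith("SUMMARY"):
                dn = None                     # summary lists are not per-object
            if state == "attrs":
                state = None                  # FAILED, blank or other text ends a list
    return findings

# Constructed sample: the first object mirrors the thread, the second is invented.
SAMPLE = """\
Comparing:
'CN=Builtin,DC=tplk,DC=loc' [ldap://s4master]
'CN=Builtin,DC=tplk,DC=loc' [ldap://s4slave]
    Attributes found only in ldap://s4master:
        serverState
    FAILED

Comparing:
'CN=grp1,CN=Users,DC=tplk,DC=loc' [ldap://s4master]
'CN=grp1,CN=Users,DC=tplk,DC=loc' [ldap://s4slave]
    Attributes found only in ldap://s4master:
        member
        msDS-NcType
    FAILED

SUMMARY
---------
Attributes found only in ldap://s4master:

    member
    msDS-NcType
    serverState
"""

if __name__ == "__main__":
    print(triage_ldapcmp(SAMPLE))
```

An empty result means every one-sided attribute in the report was in the ignore set; any DN that remains is worth comparing by hand on both DCs.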



