[Samba] Tests with Secondary DC

Rowland Penny rowlandpenny241155 at gmail.com
Thu Jul 23 08:10:53 UTC 2015


On 23/07/15 03:47, Marcio Demetrio Bacci wrote:
> I have installed a secondary DC in my network, following the tutorial:
>
> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC#Kerberos
>
> I have run the following command:
>
> samba-tool domain join mydomain.com.br DC -Uadministrator --realm=mydomain.com --dns-backend=BIND_INTERNAL

I do hope that is a typo, there is no dns backend called 'BIND_INTERNAL'

>
> It seems that everything is OK. I have run the following commands on both
> DCs and the result was the same:
>
> ldbsearch -H /opt/samba/private/sam.ldb -b 'DC=mydomain,DC=com,DC=br' -s sub '(&(objectClass=group)(cn=Domain Users))' | grep gidNumber | sed 's|gidNumber: ||'
>
> ldbsearch -H /opt/samba/private/sam.ldb -b 'DC=mydomain,DC=com,DC=br' -s sub '(&(objectClass=group)(cn=Domain Users))' | grep gidNumber | sed 's|gidNumber: ||'
>
>
> I did the tests of the following tutorial and everything is correct:
>
> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>
> I also created DNS records on one DC and they were replicated to the other correctly.
>
> But the "wbinfo -i DomainUser" command brings different results.
>
> The Primary DC "smb.conf" file has the attribute "idmap_ldb: use RFC2307 =
> yes". The Secondary DC doesn't have that attribute. Could this generate
> different information between the DCs?

Possibly, I do not know why the join doesn't add that line, but you can 
easily add it yourself and see if it helps.

> Is this related to the correction of BUG 11313: idmap_rfc2307: Fix wbinfo
> '--gid-to-sid' query?
>
> Finally, the following test showed several errors:
>
> samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain --filter=msDS-NcType,ServerState
>
> Comparing:
> 'CN=Users,CN=Builtin,DC=mydomain,DC=com,DC=br' [ldap://DC1]
> 'CN=Users,CN=Builtin,DC=mydomain,DC=com,DC=br' [ldap://DC2]
>      Difference in attribute values:
>          whenChanged =>
> ['20150720230414.0Z']
> ['20150722233158.0Z']
>      FAILED
> Comparing:
> 'CN=Windows Authorization Access Group,CN=Builtin,DC=mydomain,DC=com,DC=br'
> [ldap://DC1]
> 'CN=Windows Authorization Access Group,CN=Builtin,DC=mydomain,DC=com,DC=br'
>   [ldap://DC2]
>      Difference in attribute values:
>          whenChanged =>
> ['20150720230630.0Z']
> ['20150722233158.0Z']
>      FAILED
> * Result for [DOMAIN]: FAILURE
> SUMMARY
> ---------
> Attributes with different values:
>      whenChanged
> ERROR: Compare failed: -1
>
> Which tests could I do to make sure everything is right?

'whenChanged' is another attribute that is not replicated; just add it 
to the filter list.

Rowland

>
>
> Regards,
>
> Márcio
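A way to act on the advice above when ldapcmp is run regularly: parse its output, treat only the attributes known not to replicate (msDS-NcType and ServerState from the command in the thread, plus whenChanged from the reply) as expected noise, and report any other differing attribute per object. This is an added example, not code from the Samba project or from either poster; the sample output is constructed to match the shape shown in the thread, with an extra "Example Group" object added so that a genuinely unexpected difference (on the replicated attribute "description") is exercised. The allowlist is an assumption to be extended per site.

```python
"""Triage `samba-tool ldapcmp` output: separate attributes that are expected
to differ between two DCs (not replicated) from those that indicate a real
replication problem.  Added example; not from the thread or the Samba project.
"""
import re
from typing import Dict, List

# Attributes that ldapcmp reports as differing on a healthy pair of DCs
# because they are not replicated.  Assumed allowlist; extend for your site.
KNOWN_NON_REPLICATED = {"msDS-NcType", "serverState", "whenChanged"}

# Constructed sample output in the format the thread shows.  The third object
# ("Example Group") and its "description" difference are made up to show the
# unexpected case; the first two objects mirror the thread.
SAMPLE_OUTPUT = """\
Comparing:
'CN=Users,CN=Builtin,DC=mydomain,DC=com,DC=br' [ldap://DC1]
'CN=Users,CN=Builtin,DC=mydomain,DC=com,DC=br' [ldap://DC2]
     Difference in attribute values:
         whenChanged =>
['20150720230414.0Z']
['20150722233158.0Z']
     FAILED
Comparing:
'CN=Windows Authorization Access Group,CN=Builtin,DC=mydomain,DC=com,DC=br' [ldap://DC1]
'CN=Windows Authorization Access Group,CN=Builtin,DC=mydomain,DC=com,DC=br' [ldap://DC2]
     Difference in attribute values:
         whenChanged =>
['20150720230630.0Z']
['20150722233158.0Z']
     FAILED
Comparing:
'CN=Example Group,CN=Users,DC=mydomain,DC=com,DC=br' [ldap://DC1]
'CN=Example Group,CN=Users,DC=mydomain,DC=com,DC=br' [ldap://DC2]
     Difference in attribute values:
         description =>
['old text']
['new text']
         whenChanged =>
['20150720230700.0Z']
['20150722233158.0Z']
     FAILED
* Result for [DOMAIN]: FAILURE
"""

# The DN line that follows "Comparing:", and an "attr =>" line inside a block.
DN_LINE = re.compile(r"^'(?P<dn>.+)' \[ldap://")
ATTR_LINE = re.compile(r"^\s+(?P<attr>\S+) =>$")


def parse_ldapcmp(output: str) -> Dict[str, List[str]]:
    """Map each compared DN to the list of attributes ldapcmp found differing."""
    diffs: Dict[str, List[str]] = {}
    current = None
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if line == "Comparing:" and i + 1 < len(lines):
            m = DN_LINE.match(lines[i + 1])
            current = m.group("dn") if m else None
            if current is not None:
                diffs.setdefault(current, [])
            continue
        m = ATTR_LINE.match(line)
        if m and current is not None:
            diffs[current].append(m.group("attr"))
    return diffs


def unexpected_differences(output: str, allowlist=KNOWN_NON_REPLICATED) -> Dict[str, List[str]]:
    """Only the differences that are NOT explained by non-replicated attributes.

    LDAP attribute names are case-insensitive, so the comparison is too."""
    allowed = {a.lower() for a in allowlist}
    result: Dict[str, List[str]] = {}
    for dn, attrs in parse_ldapcmp(output).items():
        bad = [a for a in attrs if a.lower() not in allowed]
        if bad:
            result[dn] = bad
    return result


def build_filter(allowlist=KNOWN_NON_REPLICATED) -> str:
    """Value for `samba-tool ldapcmp ... --filter=` that suppresses known noise."""
    return ",".join(sorted(allowlist, key=str.lower))


if __name__ == "__main__":
    for dn, attrs in unexpected_differences(SAMPLE_OUTPUT).items():
        print(f"UNEXPECTED {dn}: {', '.join(attrs)}")
    print("suggested: --filter=" + build_filter())
```

Run against real output by piping `samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain` into the script; an empty result from unexpected_differences means every reported difference is on the allowlist, which is the condition the reply describes as healthy.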
