[Samba] ldapcmp issue

mathias dufresne infractory at gmail.com
Tue Sep 1 12:45:11 UTC 2015


Hi all,

It seems "samba-tool ldapcmp" does not support too many items in Samba's
database.

Playing for a while with the DB, I was never able to run ldapcmp successfully.
So yesterday I installed a platform to fill my two small DCs piece by piece
and to run ldapcmp. The process follows.

Test platform: 2 DCs using Debian 8.1 "net install" with only system tools,
up to date, almost nothing added (munin-node, vim, ssh, gmond) and using
Sernet Samba version 4.2.3.

The DC with FSMO roles is named deb1.domain.tld and provisioned with:
samba-tool domain provision --use-rfc2307 --server-role=dc --realm=domain.tld --domain=domain --adminpass=Passw0rd

The backup DC is joined using:
samba-tool domain join domain.tld dc -Uadministrator --realm=domain.tld --domain-critical-only

I expect I didn't wait long enough for the database to be fully synchronized,
as the following command was complaining about the "whenChanged" attribute on
different objects:
samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain

To solve these little differences I first ran:
samba-tool drs replicate deb2 deb1 'dc=domain,dc=tld' --sync-all --full-sync --sync-forced

This solved most of the "whenChanged" issues, except for 'CN=DEB2,OU=Domain
Controllers,DC=domain,DC=tld', which was still different on both domains:
---------------------------------------------------------------------------------
deb2:~# samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain

* Comparing [DOMAIN] context...

* Objects to be compared: 4790

Comparing:
'CN=DEB2,OU=Domain Controllers,DC=domain,DC=tld' [ldap://deb2.domain.tld]
'CN=DEB2,OU=Domain Controllers,DC=domain,DC=tld' [ldap://deb1.domain.tld]
    Difference in attribute values:
        whenChanged =>
['20150901085454.0Z']
['20150901085438.0Z']
    FAILED

* Result for [DOMAIN]: FAILURE

SUMMARY
---------

Attributes with different values:

    whenChanged
ERROR: Compare failed: -1
---------------------------------------------------------------------------------

Finally I ran drs replicate in both directions:
samba-tool drs replicate deb2 deb1 'dc=domain,dc=tld' --sync-all --full-sync --sync-forced
samba-tool drs replicate deb1 deb2 'dc=domain,dc=tld' --sync-all --full-sync --sync-forced

And the "whenChanged" misconfiguration was solved.

Then I added users in batches of 5000, and once they were all
auto-replicated I re-ran ldapcmp on both DCs, in both directions:
samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain
samba-tool ldapcmp ldap://deb1.domain.tld ldap://deb2.domain.tld domain
with absolutely no issue:
---------------------------------------------------------------------------------
samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain

* Comparing [DOMAIN] context...

* Objects to be compared: 34790

* Result for [DOMAIN]: SUCCESS
---------------------------------------------------------------------------------
samba-tool ldapcmp ldap://deb1.domain.tld ldap://deb2.domain.tld domain

* Comparing [DOMAIN] context...

* Objects to be compared: 34790

* Result for [DOMAIN]: SUCCESS
---------------------------------------------------------------------------------


Until I reached 39790 objects in the database:
---------------------------------------------------------------------------------
samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain

* Comparing [DOMAIN] context...

* Objects to be compared: 39790
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_UNEXPECTED_NETWORK_ERROR
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 983, in run
    if b1 == b2:
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 774, in __eq__
    outf=self.outf, errf=self.errf)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 396, in __init__
    self.attributes = self.con.get_attributes(self.dn)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 207, in get_attributes
    res = self.ldb.search(base=object_dn, scope=SCOPE_BASE, attrs=["*"])
---------------------------------------------------------------------------------
samba-tool ldapcmp ldap://deb1.domain.tld ldap://deb2.domain.tld domain

* Comparing [DOMAIN] context...

* Objects to be compared: 39790
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_UNEXPECTED_NETWORK_ERROR
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 983, in run
    if b1 == b2:
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 774, in __eq__
    outf=self.outf, errf=self.errf)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 396, in __init__
    self.attributes = self.con.get_attributes(self.dn)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 207, in get_attributes
    res = self.ldb.search(base=object_dn, scope=SCOPE_BASE, attrs=["*"])
---------------------------------------------------------------------------------

These errors were the very same on both DCs.

Is there a limit on the number of objects for ldapcmp to be able to run?

Kind regards,

mathias
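An attribute-level comparison in the spirit of what ldapcmp does, added here as an illustration and not code from this post or from Samba: it parses two simplified LDIF dumps (constructed sample data, not the poster's DCs), skips attributes that each DC maintains locally and that replicas are therefore expected to disagree on (the whenChanged attribute seen above, plus uSNChanged and uSNCreated by the same assumption), compares multi-valued attributes as sets so that value order never counts as a difference, and reports objects present on one side only as well as per-object value differences. The function names and the LOCAL_ATTRIBUTES list are this example's own.

```python
import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]   # attribute name (lower-cased) -> values
Directory = Dict[str, Entry]   # DN -> entry

# Attributes each DC writes locally, so replicas legitimately disagree on them.
# Assumption of this example, seeded with the attribute the post shows differing.
LOCAL_ATTRIBUTES = frozenset({"whenchanged", "usnchanged", "usncreated"})


def parse_ldif(text: str) -> Directory:
    """Parse a simplified LDIF dump into DN -> attributes.

    Handles folded continuation lines (leading space), base64 values ('::')
    and '#' comments, which covers ldbsearch/ldapsearch style output.
    DN strings are used verbatim as keys; a production tool would normalize case.
    """
    directory: Directory = {}
    for record in text.strip().split("\n\n"):
        unfolded: List[str] = []
        for raw in record.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and unfolded:
                unfolded[-1] += raw[1:]          # continuation of the previous line
            else:
                unfolded.append(raw)
        dn = None
        entry: Entry = {}
        for line in unfolded:
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):             # '::' marks a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                entry.setdefault(name.lower(), []).append(value)
        if dn is not None:
            directory[dn] = entry
    return directory


def compare_entries(a: Entry, b: Entry, ignore=LOCAL_ATTRIBUTES) -> Dict[str, Tuple[List[str], List[str]]]:
    """Return {attribute: (values_a, values_b)} for attributes whose value sets differ."""
    diffs = {}
    for attr in sorted((set(a) | set(b)) - set(ignore)):
        va, vb = set(a.get(attr, ())), set(b.get(attr, ()))   # multi-valued: order-insensitive
        if va != vb:
            diffs[attr] = (sorted(va), sorted(vb))
    return diffs


def compare_directories(left: Directory, right: Directory, ignore=LOCAL_ATTRIBUTES) -> dict:
    """ldapcmp-style report: DNs on one side only, plus per-object attribute differences."""
    left_dns, right_dns = set(left), set(right)
    report = {"only_left": sorted(left_dns - right_dns),
              "only_right": sorted(right_dns - left_dns),
              "differences": {}}
    for dn in sorted(left_dns & right_dns):
        diffs = compare_entries(left[dn], right[dn], ignore)
        if diffs:
            report["differences"][dn] = diffs
    return report


def is_consistent(report: dict) -> bool:
    return not (report["only_left"] or report["only_right"] or report["differences"])


def render_report(report: dict) -> str:
    lines = [f"only on first DC: {dn}" for dn in report["only_left"]]
    lines += [f"only on second DC: {dn}" for dn in report["only_right"]]
    for dn, diffs in report["differences"].items():
        lines.append(f"Comparing: {dn}")
        lines += [f"    {attr} => {va} vs {vb}" for attr, (va, vb) in diffs.items()]
    lines.append("Result: SUCCESS" if is_consistent(report) else "Result: FAILURE")
    return "\n".join(lines)


# Constructed dumps (not real data): the DEB2 object differs only in the local
# attributes, the group lists its members in a different order, user2 has not
# replicated yet, and user1 carries a genuinely different attribute value.
DC1_DUMP = """\
dn: CN=DEB2,OU=Domain Controllers,DC=domain,DC=tld
objectClass: computer
whenChanged: 20150901085454.0Z
uSNChanged: 3900

dn: CN=Users Group,CN=Users,DC=domain,DC=tld
objectClass: group
member: CN=user1,CN=Users,DC=domain,DC=tld
member: CN=user2,CN=Users,DC=domain,DC=tld
whenChanged: 20150901090000.0Z

dn: CN=user1,CN=Users,DC=domain,DC=tld
objectClass: user
description: Finance
whenChanged: 20150901090001.0Z

dn: CN=user2,CN=Users,DC=domain,DC=tld
objectClass: user
whenChanged: 20150901090002.0Z
"""

DC2_DUMP = """\
dn: CN=DEB2,OU=Domain Controllers,DC=domain,DC=tld
objectClass: computer
whenChanged: 20150901085438.0Z
uSNChanged: 4102

dn: CN=Users Group,CN=Users,DC=domain,DC=tld
objectClass: group
member: CN=user2,CN=Users,DC=domain,DC=tld
member: CN=user1,CN=Users,DC=domain,DC=tld
whenChanged: 20150901090010.0Z

dn: CN=user1,CN=Users,DC=domain,DC=tld
objectClass: user
description: Finance (old)
whenChanged: 20150901090011.0Z
"""

if __name__ == "__main__":
    print(render_report(compare_directories(parse_ldif(DC1_DUMP), parse_ldif(DC2_DUMP))))
```

Passing ignore=frozenset() to compare_directories reproduces the strict behaviour seen in the post, where the DEB2 object is reported solely because its whenChanged timestamps differ; with the default ignore list that object compares equal and only the unreplicated user and the real attribute difference remain.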