[Samba] ldapcmp issue
mathias dufresne
infractory at gmail.com
Tue Sep 1 12:45:11 UTC 2015
Hi all,
It seems "samba-tool ldapcmp" does not support too many items in Samba's
database.
Playing for a while with the DB, I was never able to run ldapcmp successfully.
So yesterday I installed a platform to fill my two small DCs piece by piece
and to run ldapcmp. The process follows.
Test platform: 2 DCs using Debian 8.1 "net install" with only system tools,
up to date, almost nothing added (munin-node, vim, ssh, gmond) and using
Sernet Samba version 4.2.3.
The DC with FSMO is named deb1.domain.tld and provisioned with:
samba-tool domain provision --use-rfc2307 --server-role=dc
--realm=domain.tld --domain=domain --adminpass=Passw0rd
The backup DC is joined using:
samba-tool domain join domain.tld dc -Uadministrator --realm=domain.tld
--domain-critical-only
I expect I didn't wait long enough for the database to be fully synchronized, as the
following command was complaining about the "whenChanged" attribute on
different objects.
samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain
To solve these little differences I first ran:
samba-tool drs replicate deb2 deb1 'dc=domain,dc=tld' --sync-all
--full-sync --sync-forced
This solved most of the "whenChanged" issues, except for 'CN=DEB2,OU=Domain
Controllers,DC=domain,DC=tld', which was still different on both domains:
---------------------------------------------------------------------------------
deb2:~# samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld
domain
* Comparing [DOMAIN] context...
* Objects to be compared: 4790
Comparing:
'CN=DEB2,OU=Domain Controllers,DC=domain,DC=tld' [ldap://deb2.domain.tld]
'CN=DEB2,OU=Domain Controllers,DC=domain,DC=tld' [ldap://deb1.domain.tld]
Difference in attribute values:
whenChanged =>
['20150901085454.0Z']
['20150901085438.0Z']
FAILED
* Result for [DOMAIN]: FAILURE
SUMMARY
---------
Attributes with different values:
whenChanged
ERROR: Compare failed: -1
---------------------------------------------------------------------------------
Finally I ran drs replicate in both ways:
samba-tool drs replicate deb2 deb1 'dc=domain,dc=tld' --sync-all
--full-sync --sync-forced
samba-tool drs replicate deb1 deb2 'dc=domain,dc=tld' --sync-all
--full-sync --sync-forced
And the "whenChanged" misconfiguration was solved.
Then I added users in batches of 5000, and once they were all
auto-replicated I re-ran ldapcmp on both DCs, in both directions:
samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain
samba-tool ldapcmp ldap://deb1.domain.tld ldap://deb2.domain.tld domain
With absolutely no issue:
---------------------------------------------------------------------------------
samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain
* Comparing [DOMAIN] context...
* Objects to be compared: 34790
* Result for [DOMAIN]: SUCCESS
---------------------------------------------------------------------------------
samba-tool ldapcmp ldap://deb1.domain.tld ldap://deb2.domain.tld domain
* Comparing [DOMAIN] context...
* Objects to be compared: 34790
* Result for [DOMAIN]: SUCCESS
---------------------------------------------------------------------------------
until I reached 39790 objects in the database:
---------------------------------------------------------------------------------
samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain
* Comparing [DOMAIN] context...
* Objects to be compared: 39790
ERROR(ldb): uncaught exception - LDAP client internal error:
NT_STATUS_UNEXPECTED_NETWORK_ERROR
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
983, in run
if b1 == b2:
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
774, in __eq__
outf=self.outf, errf=self.errf)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
396, in __init__
self.attributes = self.con.get_attributes(self.dn)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
207, in get_attributes
res = self.ldb.search(base=object_dn, scope=SCOPE_BASE, attrs=["*"])
---------------------------------------------------------------------------------
samba-tool ldapcmp ldap://deb1.domain.tld ldap://deb2.domain.tld domain
* Comparing [DOMAIN] context...
* Objects to be compared: 39790
ERROR(ldb): uncaught exception - LDAP client internal error:
NT_STATUS_UNEXPECTED_NETWORK_ERROR
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
983, in run
if b1 == b2:
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
774, in __eq__
outf=self.outf, errf=self.errf)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
396, in __init__
self.attributes = self.con.get_attributes(self.dn)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
207, in get_attributes
res = self.ldb.search(base=object_dn, scope=SCOPE_BASE, attrs=["*"])
---------------------------------------------------------------------------------
These errors were the very same on both DCs.
Is there a limit on the number of objects to be able to run ldapcmp?
Kind regards,
mathias
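As an added example (not from the original post or from Samba itself), a small Python parser that turns the three kinds of ldapcmp output shown above into a structured verdict, so a monitoring job can tell a real attribute mismatch from a comparison that aborted with an uncaught ldb exception such as NT_STATUS_UNEXPECTED_NETWORK_ERROR. The sample outputs are constructed from the post, and treating whenChanged as a transient replication-timing difference is an assumption drawn from it.

```python
# Added example, not from the original post: parse samba-tool ldapcmp output
# into a structured verdict. Samples are constructed from the output in the post.
import re

OBJECTS_RE = re.compile(r"\* Objects to be compared: (\d+)")
RESULT_RE = re.compile(r"\* Result for \[\w+\]: (SUCCESS|FAILURE)")
LDB_ERROR_RE = re.compile(r"ERROR\(ldb\):.*?(NT_STATUS_\w+)", re.S)

# Constructed samples modelled on the three outcomes shown in the post.
SUCCESS_OUT = ("* Comparing [DOMAIN] context...\n* Objects to be compared: 34790\n"
               "* Result for [DOMAIN]: SUCCESS\n")
FAILURE_OUT = ("* Comparing [DOMAIN] context...\n* Objects to be compared: 4790\n"
               "Difference in attribute values:\nwhenChanged =>\n"
               "['20150901085454.0Z']\n['20150901085438.0Z']\nFAILED\n"
               "* Result for [DOMAIN]: FAILURE\nSUMMARY\n---------\n"
               "Attributes with different values:\nwhenChanged\n"
               "ERROR: Compare failed: -1\n")
ERROR_OUT = ("* Comparing [DOMAIN] context...\n* Objects to be compared: 39790\n"
             "ERROR(ldb): uncaught exception - LDAP client internal error:\n"
             "NT_STATUS_UNEXPECTED_NETWORK_ERROR\n"
             '  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 207, in get_attributes\n')

def parse_ldapcmp(output):
    """Return objects compared, verdict, NT status (if any) and differing attrs."""
    report = {"objects": None, "result": "UNKNOWN", "status": None, "differing": []}
    if m := OBJECTS_RE.search(output):
        report["objects"] = int(m.group(1))
    if m := RESULT_RE.search(output):
        report["result"] = m.group(1)
    if m := LDB_ERROR_RE.search(output):  # comparison aborted before any verdict
        report["result"] = "ERROR"
        report["status"] = m.group(1)
    # Attribute names sit one per line under the SUMMARY heading, until the
    # "ERROR: Compare failed" line or another section heading (ends with ':').
    _, _, summary = output.partition("Attributes with different values:")
    for line in (l.strip() for l in summary.splitlines()):
        if line.startswith("ERROR") or line.endswith(":"):
            break
        if line and line != "---------":
            report["differing"].append(line)
    return report

def dcs_consistent(report, transient=("whenChanged",)):
    """True if the DCs match or differ only in attributes assumed transient;
    the post shows whenChanged settling after replicating in both directions."""
    if report["result"] == "SUCCESS":
        return True
    if report["result"] == "FAILURE" and report["differing"]:
        return all(attr in transient for attr in report["differing"])
    return False  # ERROR or UNKNOWN: never report consistency on an aborted run
```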