[Samba] ldapcmp issue

mourik jan heupink heupink at merit.unu.edu
Thu Sep 3 08:42:35 UTC 2015 

Hi Mathias,

I am under the impression that whenChanged is one of the fields that do 
not replicate. Therefore we run ldapcmp like:

samba-tool ldapcmp ldap://dcX ldap://dcY --filter=whenChanged

Hope that helps,
MJ



On 09/01/2015 02:45 PM, mathias dufresne wrote:
> Hi all,
>
> It seems "samba-tool ldapcmp" does not support too much items in Samba's
> database.
>
> Playing for a while with DB I was never able to run ldapcmp successfully.
> So yesterday I installed a platform to fill piece by piece my two small DCs
> and to run ldapcmp. The process follows.
>
> Test platform: 2 DCs using Debian 8.1 "net install" with only system tools,
> up to date, almost nothing added (munin-node, vim, ssh, gmond) and using
> Sernet Samba version 4.2.3.
>
> DC with FSMO is named deb1.domain.tld and provisioned with:
> samba-tool domain provision --use-rfc2307 --server-role=dc
> --realm=domain.tld --domain=domain --adminpass=Passw0rd
>
> Backup DC is joined using:
> samba-tool domain join domain.tld dc -Uadministrator --realm=domain.tld
> --domain-critical-only
>
> I expect I didn't waited enough for database was fully synchronized as the
> following command was complaining about some "whenChanged" attribute on
> different objects.
> samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain
>
> To solve these little differences I first ran:
> samba-tool drs replicate deb2 deb1 'dc=domain,dc=tld' --sync-all
> --full-sync --sync-forced
>
> This solved most of "whenChanged" issue, except for 'CN=DEB2,OU=Domain
> Controllers,DC=domain,DC=tld' which was still different on both domains:
> ---------------------------------------------------------------------------------
> deb2:~# samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld
> domain
>
> * Comparing [DOMAIN] context...
>
> * Objects to be compared: 4790
>
> Comparing:
> 'CN=DEB2,OU=Domain Controllers,DC=domain,DC=tld' [ldap://deb2.domain.tld]
> 'CN=DEB2,OU=Domain Controllers,DC=domain,DC=tld' [ldap://deb1.domain.tld]
>      Difference in attribute values:
>          whenChanged =>
> ['20150901085454.0Z']
> ['20150901085438.0Z']
>      FAILED
>
> * Result for [DOMAIN]: FAILURE
>
> SUMMARY
> ---------
>
> Attributes with different values:
>
>      whenChanged
> ERROR: Compare failed: -1
> ---------------------------------------------------------------------------------
>
> Finally I ran drs replicate in both ways:
> samba-tool drs replicate deb2 deb1 'dc=domain,dc=tld' --sync-all
> --full-sync --sync-forced
> samba-tool drs replicate deb1 deb2 'dc=domain,dc=tld' --sync-all
> --full-sync --sync-forced
>
> And "whenChanged" misconfiguration was solved.
>
> Then I added users by bunch of 5000, then once they were all
> auto-replicated I re-ran ldapcmp on both DCs, in both ways:
> samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain
> samba-tool ldapcmp ldap://deb1.domain.tld ldap://deb2.domain.tld domain
> With absolutely no issue:
> ---------------------------------------------------------------------------------
> samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain
>
> * Comparing [DOMAIN] context...
>
> * Objects to be compared: 34790
>
> * Result for [DOMAIN]: SUCCESS
> ---------------------------------------------------------------------------------
> samba-tool ldapcmp ldap://deb1.domain.tld ldap://deb2.domain.tld domain
>
> * Comparing [DOMAIN] context...
>
> * Objects to be compared: 34790
>
> * Result for [DOMAIN]: SUCCESS
> ---------------------------------------------------------------------------------
>
>
>   until I reached 39790 objects in database:
> ---------------------------------------------------------------------------------
> samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain
>
> * Comparing [DOMAIN] context...
>
> * Objects to be compared: 39790
> ERROR(ldb): uncaught exception - LDAP client internal error:
> NT_STATUS_UNEXPECTED_NETWORK_ERROR
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 175, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
> 983, in run
>      if b1 == b2:
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
> 774, in __eq__
>      outf=self.outf, errf=self.errf)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
> 396, in __init__
>      self.attributes = self.con.get_attributes(self.dn)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
> 207, in get_attributes
>      res = self.ldb.search(base=object_dn, scope=SCOPE_BASE, attrs=["*"])
> ---------------------------------------------------------------------------------
> samba-tool ldapcmp ldap://deb1.domain.tld ldap://deb2.domain.tld domain
>
> * Comparing [DOMAIN] context...
>
> * Objects to be compared: 39790
> ERROR(ldb): uncaught exception - LDAP client internal error:
> NT_STATUS_UNEXPECTED_NETWORK_ERROR
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 175, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
> 983, in run
>      if b1 == b2:
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
> 774, in __eq__
>      outf=self.outf, errf=self.errf)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
> 396, in __init__
>      self.attributes = self.con.get_attributes(self.dn)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
> 207, in get_attributes
>      res = self.ldb.search(base=object_dn, scope=SCOPE_BASE, attrs=["*"])
> ---------------------------------------------------------------------------------
>
> These errors were the very same on both DCs.
>
> Is there a limit about number of objects to be able to run ldapcmp?
>
> Kindly regards,
>
> mathias
>

More information about the samba mailing list