[Samba] ldapcmp issue

mathias dufresne infractory at gmail.com
Thu Sep 3 08:59:41 UTC 2015


Hi Mourik,

whenChanged was replicated in my test once I replicated in both ways, so
it seems to me it is supposed to be replicated... Then the fact that it is
not always replicated seems to me to be an issue.

Perhaps a bug report for these two issues (whenChanged not always replicated
and ldapcmp hanging once the DB is too full) would be the right way to
proceed...

Cheers,

mat

2015-09-03 10:42 GMT+02:00 mourik jan heupink <heupink at merit.unu.edu>:

> Hi Mathias,
>
> I am under the impression that whenChanged is one of the fields that do
> not replicate. Therefore we run ldapcmp like:
>
> samba-tool ldapcmp ldap://dcX ldap://dcY --filter=whenChanged
>
> Hope that helps,
> MJ
>
>
>
>
> On 09/01/2015 02:45 PM, mathias dufresne wrote:
>
>> Hi all,
>>
>> It seems "samba-tool ldapcmp" does not support too many items in Samba's
>> database.
>>
>> Playing with the DB for a while, I was never able to run ldapcmp
>> successfully. So yesterday I installed a platform to fill my two small DCs
>> piece by piece and to run ldapcmp. The process follows.
>>
>> Test platform: 2 DCs using Debian 8.1 "net install" with only system tools,
>> up to date, almost nothing added (munin-node, vim, ssh, gmond) and using
>> Sernet Samba version 4.2.3.
>>
>> DC with FSMO is named deb1.domain.tld and provisioned with:
>> samba-tool domain provision --use-rfc2307 --server-role=dc --realm=domain.tld --domain=domain --adminpass=Passw0rd
>>
>> Backup DC is joined using:
>> samba-tool domain join domain.tld dc -Uadministrator --realm=domain.tld --domain-critical-only
>>
>> I expect I didn't wait long enough for the database to be fully
>> synchronized, as the following command was complaining about some
>> "whenChanged" attribute on different objects.
>> samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain
>>
>> To solve these little differences I first ran:
>> samba-tool drs replicate deb2 deb1 'dc=domain,dc=tld' --sync-all --full-sync --sync-forced
>>
>> This solved most of the "whenChanged" issues, except for 'CN=DEB2,OU=Domain
>> Controllers,DC=domain,DC=tld' which was still different on both domains:
>>
>> ---------------------------------------------------------------------------------
>> deb2:~# samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain
>>
>> * Comparing [DOMAIN] context...
>>
>> * Objects to be compared: 4790
>>
>> Comparing:
>> 'CN=DEB2,OU=Domain Controllers,DC=domain,DC=tld' [ldap://deb2.domain.tld]
>> 'CN=DEB2,OU=Domain Controllers,DC=domain,DC=tld' [ldap://deb1.domain.tld]
>>      Difference in attribute values:
>>          whenChanged =>
>> ['20150901085454.0Z']
>> ['20150901085438.0Z']
>>      FAILED
>>
>> * Result for [DOMAIN]: FAILURE
>>
>> SUMMARY
>> ---------
>>
>> Attributes with different values:
>>
>>      whenChanged
>> ERROR: Compare failed: -1
>>
>> ---------------------------------------------------------------------------------
>>
>> Finally I ran drs replicate in both ways:
>> samba-tool drs replicate deb2 deb1 'dc=domain,dc=tld' --sync-all --full-sync --sync-forced
>> samba-tool drs replicate deb1 deb2 'dc=domain,dc=tld' --sync-all --full-sync --sync-forced
>>
>> And the "whenChanged" misconfiguration was solved.
>>
>> Then I added users in bunches of 5000, then once they were all
>> auto-replicated I re-ran ldapcmp on both DCs, in both ways:
>> samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain
>> samba-tool ldapcmp ldap://deb1.domain.tld ldap://deb2.domain.tld domain
>> With absolutely no issue:
>>
>> ---------------------------------------------------------------------------------
>> samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain
>>
>> * Comparing [DOMAIN] context...
>>
>> * Objects to be compared: 34790
>>
>> * Result for [DOMAIN]: SUCCESS
>>
>> ---------------------------------------------------------------------------------
>> samba-tool ldapcmp ldap://deb1.domain.tld ldap://deb2.domain.tld domain
>>
>> * Comparing [DOMAIN] context...
>>
>> * Objects to be compared: 34790
>>
>> * Result for [DOMAIN]: SUCCESS
>>
>> ---------------------------------------------------------------------------------
>>
>>
>> until I reached 39790 objects in the database:
>>
>> ---------------------------------------------------------------------------------
>> samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain
>>
>> * Comparing [DOMAIN] context...
>>
>> * Objects to be compared: 39790
>> ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_UNEXPECTED_NETWORK_ERROR
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>      return self.run(*args, **kwargs)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 983, in run
>>      if b1 == b2:
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 774, in __eq__
>>      outf=self.outf, errf=self.errf)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 396, in __init__
>>      self.attributes = self.con.get_attributes(self.dn)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 207, in get_attributes
>>      res = self.ldb.search(base=object_dn, scope=SCOPE_BASE, attrs=["*"])
>>
>> ---------------------------------------------------------------------------------
>> samba-tool ldapcmp ldap://deb1.domain.tld ldap://deb2.domain.tld domain
>>
>> * Comparing [DOMAIN] context...
>>
>> * Objects to be compared: 39790
>> ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_UNEXPECTED_NETWORK_ERROR
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>      return self.run(*args, **kwargs)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 983, in run
>>      if b1 == b2:
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 774, in __eq__
>>      outf=self.outf, errf=self.errf)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 396, in __init__
>>      self.attributes = self.con.get_attributes(self.dn)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 207, in get_attributes
>>      res = self.ldb.search(base=object_dn, scope=SCOPE_BASE, attrs=["*"])
>>
>> ---------------------------------------------------------------------------------
>>
>> These errors were the very same on both DCs.
>>
>> Is there a limit on the number of objects to be able to run ldapcmp?
>>
>> Kind regards,
>>
>> mathias
>>
>>
>
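
An added example, not part of the original messages and not samba-tool code: a small parser for the ldapcmp report format quoted in this thread. It separates whenChanged-only differences, with the gap in seconds between the two DCs' values, from differences in any other attribute. The function names, and the assumption that each value list is printed on one line as in the quoted report, belong to this example.

```python
import re
from datetime import datetime

# Sample input: the failing report quoted in the thread, mail wrapping undone
# and blank lines dropped.
SAMPLE = """\
* Comparing [DOMAIN] context...
* Objects to be compared: 4790
Comparing:
'CN=DEB2,OU=Domain Controllers,DC=domain,DC=tld' [ldap://deb2.domain.tld]
'CN=DEB2,OU=Domain Controllers,DC=domain,DC=tld' [ldap://deb1.domain.tld]
    Difference in attribute values:
        whenChanged =>
['20150901085454.0Z']
['20150901085438.0Z']
    FAILED
* Result for [DOMAIN]: FAILURE
"""

DN_LINE = re.compile(r"^'(?P<dn>.+)' \[(?P<url>ldap://[^\]]+)\]$")
ATTR_LINE = re.compile(r"^\s+(?P<attr>[\w;-]+) =>$")
VALUE_LINE = re.compile(r"^\[(?P<vals>.*)\]$")

def parse_ldapcmp(report):
    """Return one record per differing attribute: dn, urls, attr, values."""
    records, dn, urls, cur = [], None, [], None
    for line in report.splitlines():
        if line.strip() == "Comparing:":        # start of a new object pair
            dn, urls, cur = None, [], None
        elif (m := DN_LINE.match(line)):
            dn = m["dn"]
            urls.append(m["url"])
        elif (m := ATTR_LINE.match(line)):
            cur = {"dn": dn, "urls": tuple(urls), "attr": m["attr"], "values": []}
            records.append(cur)
        elif cur is not None and (m := VALUE_LINE.match(line)):
            cur["values"].append(re.findall(r"'([^']*)'", m["vals"]))
        else:
            cur = None                          # FAILED, header or summary line
    return records

def triage(report, stamp_attrs=("whenChanged",)):
    """Split differences into timestamp-only ones (skew in seconds) and the rest."""
    stamps, other = [], []
    for rec in parse_ldapcmp(report):
        vals = rec["values"]
        if rec["attr"] in stamp_attrs and [len(v) for v in vals] == [1, 1]:
            a, b = (datetime.strptime(v[0], "%Y%m%d%H%M%S.0Z") for v in vals)
            stamps.append((rec["dn"], rec["attr"], abs((a - b).total_seconds())))
        else:
            other.append((rec["dn"], rec["attr"]))
    return stamps, other
```

On the quoted report, `triage(SAMPLE)` reports a single whenChanged difference of 16 seconds on the DEB2 computer object and nothing else.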

