[Samba] Possible problems with AD Schema in Samba 4

Tim Beale timbeale at catalyst.net.nz
Fri Jul 26 01:21:58 UTC 2019


I don't think the problem is the schema. It's more likely a replication
problem.

Firstly, the Samba schema is only used when you provision a new domain.
In this case you have joined an existing Windows domain, so you are
using the *Windows* schema. (I think it's actually impossible to
provision a Samba domain with the 2008 schema - Samba only supports
2008R2 onwards).

Secondly, ldapcmp is not complaining because the base schema objects are
different. It's complaining because ordinary objects (and their
attributes) in your domain are different. The most likely cause is that
the 2 DCs aren't replicating with each other properly.

Try checking 'samba-tool drs showrepl'.

On 26/07/19 2:25 AM, Marcio Demetrio Bacci via samba wrote:
> Hi,
>
> I found that the base of Samba 4 DC is different from the base of Windows
> Server 2008 DC. There are many mistakes when I make the comparison as the
> result as follows (only parts of result):
>
> samba-tool ldapcmp ldap://WINDC1 ldap://SAMBA4-DC -Uadministrator
> Password for [EMPRESA\administrator]:
>
> * Comparing [DOMAIN] context...
>
> * DN lists have different size: 1787 != 1788
>
> * DNs found only in ldap://WINDC1:
>     CN=TESTE-COMP,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
>     CN=MANE,CN=USERS,DC=EMPRESA,DC=COM,DC=BR
>
> * DNs found only in ldap://SAMBA4-DC:
>     CN=COMP300061111,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
>     CN=BB,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
>     CN=WMANE,CN=USERS,DC=EMPRESA,DC=COM,DC=BR
>
> * Objects to be compared: 1785
>
> ...
>
> Comparing:
> 'CN=SERGIO,CN=USERS,DC=EMPRESA,DC=COM,DC=BR' [ldap://WINDC1]
> 'CN=SERGIO,CN=USERS,DC=EMPRESA,DC=COM,DC=BR' [ldap://SAMBA4-DC]
>     Difference in attribute values:
>         lastLogonTimestamp =>
> [b'132076662777728517']
> [b'132084540442594920']
>
>     FAILED
>
> Comparing:
> 'CN=COMP10013,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR' [ldap://WINDC1]
> 'CN=COMP10013,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR' [ldap://SAMBA4-DC]
>     Difference in attribute values:
>         servicePrincipalName =>
> [b'HOST/COMP10013', b'HOST/COMP10013.empresa.com.br',
> b'RestrictedKrbHost/COMP10013', b'RestrictedKrbHost/COMP10013.empresa.com.br',
> b'TERMSRV/COMP10013', b'TERMSRV/ass10013.empresa.com.br']
> [b'HOST/COMP10013', b'HOST/COMP10013.empresa.com.br',
> b'RestrictedKrbHost/COMP10013', b'RestrictedKrbHost/COMP10013.empresa.com.br',
> b'TERMSRV/COMP10013', b'TERMSRV/COMP10013.empresa.com.br', b'TERMSRV/
> ass10013.empresa.com.br']
>
>     FAILED
>
>
> ...
>
>     FAILED
> ERROR(<class 'KeyError'>): uncaught exception - 'mS-DS-CreatorSID'
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185,
> in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 957,
> in run
>     if b1.diff(b2):
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 781,
> in diff
>     if object1 == object2:
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 549,
> in __eq__
>     return self.cmp_attrs(other)
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 590,
> in cmp_attrs
>     if isinstance(self.attributes[x], list) and
> isinstance(other.attributes[x], list):
>
>
> ########################################
>
> The Schema version of my Windows 2008 Server is 44 and I am using Samba
> 4.10.6-Debian:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b
> 'cn=Schema,cn=Configuration,dc=empresa,dc=com,dc=br' -s base objectVersion
> # record 1
> dn: CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
> objectVersion: 44
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> I believe that the problem is related as the Samba 4 works with AD Schema,
> as found at: https://wiki.samba.org/index.php/AD_Schema_Version_Support
>
> Would anyone have an idea how to solve this problem?
>
> Regards,
>
> Márcio Bacci
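
An added example (not part of the original mail and not Samba's own code): a small Python parser that summarizes ldapcmp output like the report quoted above into DNs present on only one DC and attributes that differ per object, and lists any reported DN that lies under CN=Schema,CN=Configuration. The function names are hypothetical, and the sample input is abridged from the quoted output.

```python
import re
from collections import defaultdict

# Abridged from the ldapcmp output quoted in this thread (mail "> " prefixes removed).
SAMPLE = """\
* DNs found only in ldap://WINDC1:
    CN=TESTE-COMP,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
    CN=MANE,CN=USERS,DC=EMPRESA,DC=COM,DC=BR
* DNs found only in ldap://SAMBA4-DC:
    CN=COMP300061111,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
    CN=BB,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
    CN=WMANE,CN=USERS,DC=EMPRESA,DC=COM,DC=BR
* Objects to be compared: 1785
Comparing:
'CN=SERGIO,CN=USERS,DC=EMPRESA,DC=COM,DC=BR' [ldap://WINDC1]
'CN=SERGIO,CN=USERS,DC=EMPRESA,DC=COM,DC=BR' [ldap://SAMBA4-DC]
    Difference in attribute values:
        lastLogonTimestamp =>
[b'132076662777728517']
[b'132084540442594920']
    FAILED
"""

def summarize(text):
    """Return (DNs present on one DC only, attributes differing per DN)."""
    only_on, attr_diffs = defaultdict(list), defaultdict(list)
    section = dn = None
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()   # tolerate quoted mail
        if m := re.match(r"\* DNs found only in (\S+):$", line):
            section = m.group(1)
        elif line.startswith("*") or line == "Comparing:":
            section = dn = None
        elif m := re.match(r"'(.+)' \[\S+\]$", line):
            dn = m.group(1)
        elif (m := re.match(r"(\S+) =>$", line)) and dn:
            attr_diffs[dn].append(m.group(1))
        elif section and "=" in line:
            only_on[section].append(line)
    return dict(only_on), dict(attr_diffs)

def schema_dns(only_on, attr_diffs):
    """DNs in the report that live in the schema partition."""
    dns = [d for lst in only_on.values() for d in lst] + list(attr_diffs)
    return [d for d in dns if "CN=SCHEMA,CN=CONFIGURATION," in d.upper()]

if __name__ == "__main__":
    only_on, attr_diffs = summarize(SAMPLE)
    print(only_on, attr_diffs, schema_dns(only_on, attr_diffs), sep="\n")
```

On this sample the schema list comes back empty: every reported difference is an ordinary user or computer object in the domain partition.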


