[Samba] Possible problems with AD Schema in Samba 4

Tim Beale timbeale at catalyst.net.nz
Fri Jul 26 03:33:24 UTC 2019


You could also try running: samba-tool visualize uptodateness -rS

If you see something other than '00' for a partition, it probably means
replication is out of date.

There's also some more info on checking the replication status here:
https://wiki.samba.org/index.php/Verifying_the_Directory_Replication_Statuses

On 26/07/19 1:21 PM, Tim Beale via samba wrote:
> I don't think the problem is the schema. It's more likely a replication
> problem.
>
> Firstly, the Samba schema is only used when you provision a new domain.
> In this case you have joined an existing Windows domain, so you are
> using the *Windows* schema. (I think it's actually impossible to
> provision a Samba domain with the 2008 schema - Samba only supports
> 2008R2 onwards).
>
> Secondly, ldapcmp is not complaining because the base schema objects are
> different. It's complaining because ordinary objects (and their
> attributes) in your domain are different. The most likely cause is that
> the 2 DCs aren't replicating with each other properly.
>
> Try checking 'samba-tool drs showrepl'.
>
> On 26/07/19 2:25 AM, Marcio Demetrio Bacci via samba wrote:
>> Hi,
>>
>> I found that the base of Samba 4 DC is different from the base of Windows
>> Server 2008 DC. There are many mistakes when I make the comparison as the
>> result as follows (only parts of result):
>>
>> samba-tool ldapcmp ldap://WINDC1 ldap://SAMBA4-DC -Uadministrator
>> Password for [EMPRESA\administrator]:
>>
>> * Comparing [DOMAIN] context...
>>
>> * DN lists have different size: 1787 != 1788
>>
>> * DNs found only in ldap://WINDC1:
>>     CN=TESTE-COMP,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
>>     CN=MANE,CN=USERS,DC=EMPRESA,DC=COM,DC=BR
>>
>> * DNs found only in ldap://SAMBA4-DC:
>>     CN=COMP300061111,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
>>     CN=BB,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
>>     CN=WMANE,CN=USERS,DC=EMPRESA,DC=COM,DC=BR
>>
>> * Objects to be compared: 1785
>>
>> ...
>>
>> Comparing:
>> 'CN=SERGIO,CN=USERS,DC=EMPRESA,DC=COM,DC=BR' [ldap://WINDC1]
>> 'CN=SERGIO,CN=USERS,DC=EMPRESA,DC=COM,DC=BR' [ldap://SAMBA4-DC]
>>     Difference in attribute values:
>>         lastLogonTimestamp =>
>> [b'132076662777728517']
>> [b'132084540442594920']
>>
>>     FAILED
>>
>> Comparing:
>> 'CN=COMP10013,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR' [ldap://WINDC1]
>> 'CN=COMP10013,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR' [ldap://SAMBA4-DC]
>>     Difference in attribute values:
>>         servicePrincipalName =>
>> [b'HOST/COMP10013', b'HOST/COMP10013.empresa.com.br',
>> b'RestrictedKrbHost/COMP10013', b'RestrictedKrbHost/COMP10013.empresa.com.br',
>> b'TERMSRV/COMP10013', b'TERMSRV/ass10013.empresa.com.br']
>> [b'HOST/COMP10013', b'HOST/COMP10013.empresa.com.br',
>> b'RestrictedKrbHost/COMP10013', b'RestrictedKrbHost/COMP10013.empresa.com.br',
>> b'TERMSRV/COMP10013', b'TERMSRV/COMP10013.empresa.com.br', b'TERMSRV/
>> ass10013.empresa.com.br']
>>
>>     FAILED
>>
>>
>> ...
>>
>>     FAILED
>> ERROR(<class 'KeyError'>): uncaught exception - 'mS-DS-CreatorSID'
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185,
>> in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 957,
>> in run
>>     if b1.diff(b2):
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 781,
>> in diff
>>     if object1 == object2:
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 549,
>> in __eq__
>>     return self.cmp_attrs(other)
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 590,
>> in cmp_attrs
>>     if isinstance(self.attributes[x], list) and
>> isinstance(other.attributes[x], list):
>>
>>
>> ########################################
>>
>> The Schema version of my Windows 2008 Server is 44 and I am using Samba
>> 4.10.6-Debian:
>>
>> ldbsearch -H /var/lib/samba/private/sam.ldb -b
>> 'cn=Schema,cn=Configuration,dc=empresa,dc=com,dc=br' -s base objectVersion
>> # record 1
>> dn: CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
>> objectVersion: 44
>>
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>>
>> I believe that the problem is related as the Samba 4 works with AD Schema,
>> as found at: https://wiki.samba.org/index.php/AD_Schema_Version_Support
>>
>> Would anyone have an idea how to solve this problem?
>>
>> Regards,
>>
>> Márcio Bacci
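
A small triage helper for ldapcmp output like the excerpt above, added here as an example (not part of the original messages and not Samba code): it separates objects present on only one DC from attributes that differ on objects both DCs hold, which is the distinction the reply draws. The line layout it parses is assumed from the quoted excerpt; the sample input and the name `summarize` are constructed.

```python
import re
from collections import Counter

# Constructed sample that follows the layout of the ldapcmp excerpt in this thread.
SAMPLE = """\
* DNs found only in ldap://DC-A:
    CN=ONLY-A,CN=USERS,DC=EXAMPLE,DC=TEST

* DNs found only in ldap://DC-B:
    CN=ONLY-B1,CN=COMPUTERS,DC=EXAMPLE,DC=TEST
    CN=ONLY-B2,CN=USERS,DC=EXAMPLE,DC=TEST

* Objects to be compared: 2

Comparing:
'CN=U1,CN=USERS,DC=EXAMPLE,DC=TEST' [ldap://DC-A]
'CN=U1,CN=USERS,DC=EXAMPLE,DC=TEST' [ldap://DC-B]
    Difference in attribute values:
        lastLogonTimestamp =>
[b'1']
[b'2']
    FAILED

Comparing:
'CN=C1,CN=COMPUTERS,DC=EXAMPLE,DC=TEST' [ldap://DC-A]
'CN=C1,CN=COMPUTERS,DC=EXAMPLE,DC=TEST' [ldap://DC-B]
    Difference in attribute values:
        servicePrincipalName =>
[b'HOST/C1']
[b'HOST/C1', b'TERMSRV/C1']
    FAILED
"""

def summarize(text):
    """Return ({server: [DNs only there]}, Counter{attribute: objects differing})."""
    only_in, attr_diffs, host = {}, Counter(), None
    for line in text.splitlines():
        header = re.match(r"\* DNs found only in (\S+):\s*$", line)
        if header:
            host = header.group(1)
            only_in[host] = []
        elif host and re.match(r"\s+\w+=", line):
            only_in[host].append(line.strip())  # indented DN under the header
        elif line.strip():
            host = None  # any other non-blank line ends the DN list
            attr = re.match(r"\s+(\S+) =>\s*$", line)
            if attr:
                attr_diffs[attr.group(1)] += 1
    return only_in, attr_diffs

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

DNs that appear on only one side point at objects that have not replicated yet, while the attribute counter shows which attributes account for the remaining FAILED comparisons.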


