[Samba] DN lists have different size: 4065 != 4029

Elias Pereira empbilly at gmail.com
Tue May 7 13:47:56 UTC 2019


Hello,

dc3 = principal DC
dc4 = secondary DC

I had this problem last month after updating Samba to version 4.10.x and
also the schema from 45 to 69. But it looked like it had been corrected.
Today I noticed that on dc4 there are computers that are not on dc3.

I updated:
4.7.x to 4.8.x
4.8.x to 4.9.x, and only after that I upgraded to version 4.10.x.

When I run these commands:

samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix --yes ---- OK
samba_dnsupdate --verbose --all-names ---- OK
samba-tool drs showrepl ---- OK

all show OK.

*dc3 schema:*

# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'cn=Schema,cn=Configuration,dc=campus,dc=sertao,dc=ifrs,dc=edu,dc=br' -s base objectVersion
# record 1
dn: CN=Schema,CN=Configuration,DC=campus,DC=sertao,DC=ifrs,DC=edu,DC=br
objectVersion: 69

# returned 1 records
# 1 entries
# 0 referrals

*dc4 schema:*

# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'cn=Schema,cn=Configuration,dc=campus,dc=sertao,dc=ifrs,dc=edu,dc=br' -s base objectVersion
# record 1
dn: CN=Schema,CN=Configuration,DC=campus,DC=sertao,DC=ifrs,DC=edu,DC=br
objectVersion: 69

# returned 1 records
# 1 entries
# 0 referrals

*smb.conf dc3*

# Global parameters
[global]
        netbios name = DC3
        realm = CAMPUS.SERTAO.IFRS.EDU.BR
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = CAMPUS
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

        bind interfaces only = yes
        interfaces = lo eth0

        ldap server require strong auth = no
        #log file = /var/log/samba/log.%m
        #log level = 10
        ntlm auth = yes
        #ntlm auth = mschapv2-and-ntlmv2-only

        allow dns updates = nonsecure

        # SSL CERTS
        #tls enabled  = yes
        #tls keyfile  = tls/sertao.ifrs.edu.br.key.npw
        #tls certfile = tls/sertao.ifrs.edu.br.crt
        #tls cafile   = tls/ca_join_icpedu.crt

[netlogon]
        path = /var/lib/samba/sysvol/campus.sertao.ifrs.edu.br/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

*smb.conf dc4*

# Global parameters
[global]
        netbios name = DC4
        realm = CAMPUS.SERTAO.IFRS.EDU.BR
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = CAMPUS
        idmap_ldb:use rfc2307  = yes

        bind interfaces only = yes
        interfaces = lo eth0

        ldap server require strong auth = no
        #log file = /var/log/samba/log.%m
        #log level = 10
        ntlm auth = yes
        #ntlm auth = mschapv2-and-ntlmv2-only

        allow dns updates = nonsecure

[netlogon]
        path = /var/lib/samba/sysvol/campus.sertao.ifrs.edu.br/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

*samba-tool fsmo show dc3:*

# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=campus,DC=sertao,DC=ifrs,DC=edu,DC=br
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=campus,DC=sertao,DC=ifrs,DC=edu,DC=br
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=campus,DC=sertao,DC=ifrs,DC=edu,DC=br
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=campus,DC=sertao,DC=ifrs,DC=edu,DC=br
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=campus,DC=sertao,DC=ifrs,DC=edu,DC=br
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=campus,DC=sertao,DC=ifrs,DC=edu,DC=br
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=campus,DC=sertao,DC=ifrs,DC=edu,DC=br

*samba-tool fsmo show dc4:*

# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=campus,DC=sertao,DC=ifrs,DC=edu,DC=br
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=campus,DC=sertao,DC=ifrs,DC=edu,DC=br
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=campus,DC=sertao,DC=ifrs,DC=edu,DC=br
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=campus,DC=sertao,DC=ifrs,DC=edu,DC=br
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=campus,DC=sertao,DC=ifrs,DC=edu,DC=br
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=campus,DC=sertao,DC=ifrs,DC=edu,DC=br
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=campus,DC=sertao,DC=ifrs,DC=edu,DC=br

Any ideas on how to debug this problem better? Any other log or config you
need, just ask.
-- 
Elias Pereira
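
Added example, not part of the original post: when two DCs report DN lists of different size, as in the subject line, one way to see which objects account for the gap is to save an ldbsearch listing from each DC and compare the DN sets. The sample LDIF, the example.com names and the function names below are constructed for illustration.

```python
import base64

def parse_dns(ldif_text):
    """Map casefolded DN -> DN as written, from saved ldbsearch (LDIF) output."""
    lines = []
    for raw in ldif_text.splitlines():
        # LDIF folds long lines; a leading space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dns = {}
    for line in lines:
        if line.startswith("dn:: "):    # base64-encoded DN (non-ASCII names)
            dn = base64.b64decode(line[5:]).decode("utf-8")
        elif line.startswith("dn: "):
            dn = line[4:]
        else:
            continue                    # attributes, "# record N", blank lines
        dns[dn.casefold()] = dn         # compare DNs case-insensitively
    return dns

def diff_dns(ldif_a, ldif_b):
    """Return (DNs only in a, DNs only in b), each sorted."""
    a, b = parse_dns(ldif_a), parse_dns(ldif_b)
    return (sorted(a[k] for k in a.keys() - b.keys()),
            sorted(b[k] for k in b.keys() - a.keys()))

# Constructed sample listings (not taken from the original post).
UMLAUT_DN = "CN=SALA-Ü01,CN=Computers,DC=example,DC=com"
_B64_DN = base64.b64encode(UMLAUT_DN.encode("utf-8")).decode("ascii")
DC3_LDIF = """# record 1
dn: CN=lab-pc01,CN=Computers,DC=example,DC=com

# returned 1 records
"""
DC4_LDIF = f"""# record 1
dn: CN=LAB-PC01,CN=Computers,DC=example,DC=com

# record 2
dn: CN=LAB-PC03,OU=Laboratorio,OU=Computadores,DC=example,DC
 =com

# record 3
dn:: {_B64_DN}

# returned 3 records
"""

if __name__ == "__main__":
    only_dc3, only_dc4 = diff_dns(DC3_LDIF, DC4_LDIF)
    print("only on dc3:", only_dc3)
    print("only on dc4:", only_dc4)
```

Objects that exist on only one DC, computer accounts in particular, are worth reviewing individually before any resynchronisation, since either side may hold the stale or unexpected copy.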

