[Samba] Missing attributes on RODC.

Klaus Ade Johnstad klaus at linuxavdelingen.no
Sun Feb 23 18:54:33 UTC 2020 

Hello, we use Samba 4.10.13 as RODC for our Kopano mailserver. We have
certain users and groups, were not all attributes are synced over to the
RODC. For the users in question, we found out that if we do a manual
"samba-tool rodc preload user", then that would also make the missing
attributes appear on the RODC. So, any reason why certain attributes
will not sync to a RODC? In our case it attributes like kopanoAccount,
kopanoHidden,kopanoSendAsPrivilege,kopanoAdmin.

But, that trick does not work for the groups.

Running samba-tool ldapcmp  ldap://mail.fqdn ldap://dc01.fqdn gives this:
Comparing:
'CN=ALLE-ELTERN,OU=KOPANO KONTAKTER,OU=SKOLE,DC=SKOLE' [ldap://mail]
'CN=ALLE-ELTERN,OU=KOPANO KONTAKTER,OU=SKOLE,DC=SKOLE' [ldap://dc01]
    Attributes found only in ldap://dc01:
KOPANOACCOUNT
    FAILED
* Result for [DOMAIN]: FAILURE
SUMMARY
---------
Attributes found only in ldap://dc01:

    KOPANOACCOUNT
ERROR: Compare failed: -1


One such group looks like this:
samba-tool group show Alle-Eltern
dn: CN=Alle-Eltern,OU=Kopano kontakter,OU=skole,DC=skole
objectClass: top
objectClass: kopanoGroup
objectClass: posixGroup
objectClass: group
cn: Alle-Eltern
description: Alle-Eltern
member: UID=M20313,OU=Kopano kontakter,OU=skole,DC=skole
instanceType: 4
whenCreated: 20200223164034.0Z
whenChanged: 20200223164034.0Z
displayName: Alle-Eltern
uSNCreated: 834677
uSNChanged: 834677
name: Alle-Eltern
objectGUID: 9085781c-789a-4b1c-a6b0-42eb83c40cbc
objectSid: S-1-5-21-3990397597-3173299008-3477321899-53695
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=skole
gidNumber: 19519
kopanoAccount: 1
memberOf: CN=kopanobrukere,OU=Groups,OU=skole,DC=skole
distinguishedName: CN=Alle-Eltern,OU=Kopano kontakter,OU=skole,DC=skole

If I try to preload it, either by uid, dn or name, all I get is
samba-tool rodc preload
'S-1-5-21-3990397597-3173299008-3477321899-53695' --server=dc01
ERROR: NamingError: Failed to find account

But, it is a group, not a user, so preload might not work at all.

The sync of these attributes work just fine across all our DC, just not
the one RODC we have.


-- 
Klaus Ade Johnstad

More information about the samba mailing list