[Samba] changes on DC not replicated, while showrepl reports no issues
mj
lists at merit.unu.edu
Mon Nov 16 12:56:38 UTC 2020
Hi all,
We are running a three DC samba AD, using 4.12.8 sernet packages. Very
stable for years.
Today at 12:30 my colleague moved two users from
* CN=Users,DC=samba,DC=company,DC=com
to
* OU=disabled,DC=samba,DC=company,DC=com
This change was done on the DC4 at 12:30 using LAM (ldap-account-manager
version 7.3)
Ever since that, my automated samba-tool ldapcmp scripts started
reporting ldapcmp discrepancies between the DCs, like:
> * DNs found only in ldap://dc4.samba.company.com:
> CN=USER1,OU=DISABLED,DC=SAMBA,DC=COMPANY,DC=COM
> CN=USER2,OU=DISABLED,DC=SAMBA,DC=COMPANY,DC=COM
>
> * DNs found only in ldap://dc3.samba.company.com:
> CN=USER1,CN=USERS,DC=SAMBA,DC=COMPANY,DC=COM
> CN=USER2,CN=USERS,DC=SAMBA,DC=COMPANY,DC=COM
It seems DC2 & DC3 are still in sync (both having the two users in
CN=USERS) and only DC4 has the user now in OU=DISABLED.
And now the worrying part:
"samba-tool drs showrepl" still shows success on all DCs! Recent
timestamps (long after 12:30) on inbound replication, outbound
replication also success (but without timestamps), and every DC
replicates to both other DCs for all partitions.
The only reason we actually noticed that this issue is occurring is
because we run automated ldapcmp between the DCs, otherwise we would
not have known.
samba-tool dbcheck --cross-ncs reports 0 errors on 5413 objects on all
three DCs.
Of course we could try to re-replicate ("samba-tool drs replicate"
etc), but should the above not be impossible to happen? What could cause it?
MJ
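
In the ldapcmp report quoted in the post, each RDN appears on both sides under a different parent, which is consistent with a move that has not replicated rather than an object missing from one DC. The following is an added example (not part of the original post and not Samba code) that parses the "DNs found only in" sections in the format quoted above and separates such moves from one-sided objects; the function names are hypothetical and the output format is assumed to match the post.

```python
import re
from collections import defaultdict

# Sample input: the ldapcmp lines quoted in the post, with mail quoting removed.
SAMPLE = """\
* DNs found only in ldap://dc4.samba.company.com:
CN=USER1,OU=DISABLED,DC=SAMBA,DC=COMPANY,DC=COM
CN=USER2,OU=DISABLED,DC=SAMBA,DC=COMPANY,DC=COM

* DNs found only in ldap://dc3.samba.company.com:
CN=USER1,CN=USERS,DC=SAMBA,DC=COMPANY,DC=COM
CN=USER2,CN=USERS,DC=SAMBA,DC=COMPANY,DC=COM
"""

HEADER = re.compile(r"^\*\s*DNs found only in\s+(\S+?):\s*$")

def split_dn(dn):
    """Split a DN into (rdn, parent) at the first unescaped comma."""
    m = re.match(r"((?:\\.|[^,\\])+),(.*)$", dn)
    return (m.group(1), m.group(2)) if m else (dn, "")

def parse_only_in(text):
    """Return {dc_url: [dn, ...]} from the 'DNs found only in' sections."""
    found, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()   # tolerate mail-quoted output
        m = HEADER.match(line)
        if m:
            current = m.group(1)
        elif not line or line.startswith("*"):
            current = None                # blank line or another section ends the list
        elif current and "=" in line:
            found[current].append(line)
    return dict(found)

def classify(found):
    """Pair RDNs seen on exactly two DCs under different parents (moves); rest are orphans."""
    by_rdn = defaultdict(list)
    for dc, dns in found.items():
        for dn in dns:
            rdn, parent = split_dn(dn)
            by_rdn[rdn.upper()].append((dc, parent))
    moves, orphans = [], []
    for rdn, places in sorted(by_rdn.items()):
        if len(places) == 2 and places[0][1].upper() != places[1][1].upper():
            moves.append((rdn, places[0], places[1]))
        else:
            orphans.extend((rdn, dc, parent) for dc, parent in places)
    return moves, orphans
```

Pairing is by RDN only, so two unrelated objects that share a name would also pair up; comparing objectGUID on each DC confirms that both DNs refer to the same object.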