[Samba] changes on DC not replicated, while showrepl reports no issues

Rowland Penny rpenny at samba.org
Mon Nov 16 13:07:32 UTC 2020


On 16/11/2020 12:56, mj via samba wrote:
> Hi all,
>
> We are running a three DC samba AD, using 4.12.8 sernet packages. Very 
> stable for years.
>
> Today at 12:30 my colleague moved two users from
> * CN=Users,DC=samba,DC=company,DC=com
> to
> * OU=disabled,DC=samba,DC=company,DC=com
>
> This change was done on the DC4 at 12:30 using LAM 
> (ldap-account-manager version 7.3)
>
> Ever since that, my automated samba-tool ldapcmp scripts started 
> reporting ldapcmp discrepancies between the DCs, like:
>
>> * DNs found only in ldap://dc4.samba.company.com:
>>     CN=USER1,OU=DISABLED,DC=SAMBA,DC=COMPANY,DC=COM
>>     CN=USER2,OU=DISABLED,DC=SAMBA,DC=COMPANY,DC=COM
>>
>> * DNs found only in ldap://dc3.samba.company.com:
>>     CN=USER1,CN=USERS,DC=SAMBA,DC=COMPANY,DC=COM
>>     CN=USER2,CN=USERS,DC=SAMBA,DC=COMPANY,DC=COM
>
> It seems DC2 & DC3 are still in sync (both having the two users in 
> CN=USERS) and only DC4 has the user now in OU=DISABLED.
>
> And now the worrying part:
>
> "samba-tool drs showrepl" still shows success on all DCs! Recent 
> timestamps (long after 12:30) on inbound replication, outbound 
> replication also success (but without timestamps), and every DC 
> replicates to both other DCs for all partitions.
>
> The only reason we actually noticed that this issue is occurring is 
> because we run automated ldapcmp between the DCs, otherwise we would 
> not have known.
>
> samba-tool dbcheck --cross-ncs reports 0 errors on 5413 objects on all 
> three DCs.
>
> Of course we could try to re-replicate "samba-tool drs replicate" 
> etc, but should the above not be impossible to happen? What could 
> cause it?
>
> MJ
>
My first thought is time: is it the same on all DCs?

Rowland
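
The following is an added example, not part of the original thread or of Samba's own code: a small parser for the "DNs found only in" blocks of ldapcmp output as quoted above, which pairs entries that share a leaf RDN but sit under different parents on different DCs, the signature of a move or rename that has not replicated. The function names and the sample text are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the ldapcmp output quoted in the report above.
SAMPLE = """\
* DNs found only in ldap://dc4.samba.company.com:
    CN=USER1,OU=DISABLED,DC=SAMBA,DC=COMPANY,DC=COM
    CN=USER2,OU=DISABLED,DC=SAMBA,DC=COMPANY,DC=COM

* DNs found only in ldap://dc3.samba.company.com:
    CN=USER1,CN=USERS,DC=SAMBA,DC=COMPANY,DC=COM
    CN=USER2,CN=USERS,DC=SAMBA,DC=COMPANY,DC=COM
"""

HEADER = re.compile(r"^\*\s+DNs found only in (\S+?):\s*$")

def split_rdn(dn):
    """Split a DN at the first comma not preceded by a backslash."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[0].upper(), (parts[1].upper() if len(parts) > 1 else "")

def parse_only_in(text):
    """Return {server_url: [dn, ...]} from 'DNs found only in' blocks."""
    found, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()   # tolerate mail-quoted output
        m = HEADER.match(line)
        if m:
            current = m.group(1)
        elif not line or line.startswith("*"):
            current = None                   # blank line or other section ends block
        elif current:
            found[current].append(line)
    return dict(found)

def unreplicated_moves(found):
    """Pair DNs with the same leaf RDN but different parents on different DCs."""
    by_rdn = defaultdict(dict)
    for server, dns in found.items():
        for dn in dns:
            rdn, parent = split_rdn(dn)
            by_rdn[rdn][server] = parent
    return {rdn: locs for rdn, locs in by_rdn.items()
            if len(set(locs.values())) > 1}

if __name__ == "__main__":
    for rdn, locs in unreplicated_moves(parse_only_in(SAMPLE)).items():
        print(rdn, "->", locs)
```

Matching on the leaf RDN is a heuristic for triage; the objectGUID is the authoritative identity of an AD object, so confirm a suspected move by comparing objectGUID on each DC.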




