[Samba] changes on DC not replicated, while showrepl reports no issues

mj lists at merit.unu.edu
Mon Nov 16 13:14:32 UTC 2020


Hi Rowland,

I think so, see:

> root at dc2:~# date
> Mon 16 Nov 2020 02:11:27 PM CET
> 
> root at dc3:~# date
> Mon 16 Nov 2020 02:11:36 PM CET
> 
> root at dc4:~# date
> Mon 16 Nov 2020 02:11:45 PM CET

Ten seconds apart, because it requires around 10 sec to log on to each DC 
over ssh.

MJ


On 11/16/20 2:07 PM, Rowland penny via samba wrote:
> On 16/11/2020 12:56, mj via samba wrote:
>> Hi all,
>>
>> We are running a three DC samba AD, using 4.12.8 sernet packages. Very 
>> stable for years.
>>
>> Today at 12:30 my colleague moved two users from
>> * CN=Users,DC=samba,DC=company,DC=com
>> to
>> * OU=disabled,DC=samba,DC=company,DC=com
>>
>> This change was done on the DC4 at 12:30 using LAM 
>> (ldap-account-manager version 7.3)
>>
>> Ever since that, my automated samba-tool ldapcmp scripts started 
>> reporting ldapcmp discrepancies between the DCs, like:
>>
>>> * DNs found only in ldap://dc4.samba.company.com:
>>>     CN=USER1,OU=DISABLED,DC=SAMBA,DC=COMPANY,DC=COM
>>>     CN=USER2,OU=DISABLED,DC=SAMBA,DC=COMPANY,DC=COM
>>>
>>> * DNs found only in ldap://dc3.samba.company.com:
>>>     CN=USER1,CN=USERS,DC=SAMBA,DC=COMPANY,DC=COM
>>>     CN=USER2,CN=USERS,DC=SAMBA,DC=COMPANY,DC=COM
>>
>> It seems DC2 & DC3 are still in sync (both having the two users in 
>> CN=USERS) and only DC4 has the user now in OU=DISABLED.
>>
>> And now the worrying part:
>>
>> "samba-tool drs showrepl" still shows success on all DCs! Recent 
>> timestamps (long after 12:30) on inbound replication, outbound 
>> replication also success (but without timestamps), and every DC 
>> replicates to both other DCs for all partitions.
>>
>> The only reason we actually noticed that this issue is occurring, is 
>> because we run automated ldapcmp between the DC's, otherwise we would 
>> not have known.
>>
>> samba-tool dbcheck --cross-ncs reports 0 errors on 5413 objects on all 
>> three DCs.
>>
>> Of course we could try to re-replicate "samba-tool drs replicate" 
>> etc, but should the above not be impossible to happen? What could 
>> cause it?
>>
>> MJ
>>
> My first thought is time, is it the same on all DC's ?
> 
> Rowland
> 
> 
> 
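
Added example, not part of the original thread and not Samba's own code: a Python sketch of the kind of automated check the post describes. It parses ldapcmp output in the format quoted above and flags objects whose RDN sits under different parents on different DCs. The function names are hypothetical, and the sample is constructed from the quoted excerpt on the assumption that real output has the same layout.

```python
import re
from collections import defaultdict

# Constructed sample: the ldapcmp excerpt quoted in the post, quote markers removed.
SAMPLE = """\
* DNs found only in ldap://dc4.samba.company.com:
    CN=USER1,OU=DISABLED,DC=SAMBA,DC=COMPANY,DC=COM
    CN=USER2,OU=DISABLED,DC=SAMBA,DC=COMPANY,DC=COM

* DNs found only in ldap://dc3.samba.company.com:
    CN=USER1,CN=USERS,DC=SAMBA,DC=COMPANY,DC=COM
    CN=USER2,CN=USERS,DC=SAMBA,DC=COMPANY,DC=COM
"""

HEADER = re.compile(r"^\*\s+DNs found only in (ldap://\S+?):\s*$")

def split_rdn(dn):
    """Split a DN at the first unescaped comma into (rdn, parent)."""
    m = re.search(r"(?<!\\),", dn)
    return (dn, "") if m is None else (dn[:m.start()], dn[m.end():])

def parse_only_in(text):
    """Map each DC URL to the list of DNs reported as present only there."""
    found, current = defaultdict(list), None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = m.group(1)
        elif current and "=" in line and line[:1].isspace():
            found[current].append(line.strip())
        elif line.strip():
            current = None  # any other non-blank line ends the DN list
    return dict(found)

def find_moves(found):
    """Return RDNs that appear under different parents on different DCs."""
    by_rdn = defaultdict(dict)
    for url, dns in found.items():
        for dn in dns:
            rdn, parent = split_rdn(dn)
            by_rdn[rdn.upper()][url] = parent
    return {rdn: locs for rdn, locs in by_rdn.items()
            if len({p.upper() for p in locs.values()}) > 1}

if __name__ == "__main__":
    for rdn, locs in sorted(find_moves(parse_only_in(SAMPLE)).items()):
        print("unreplicated move:", rdn, locs)
```
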


