[Samba] changes on DC not replicated, while showrepl reports no issues

mj lists at merit.unu.edu
Thu Nov 26 08:10:36 UTC 2020


Hi,

Just to follow-up this post.

We are now working with sernet support to get this resolved.

It seems the reason this occurred is unclear, but the most likely cause is:

We are using ldap-account-manager (LAM) to manage our samba AD through 
LDAP access. We access samba LDAPs over an HAProxy server that has the 
three samba DCs configured as backend servers.

(so in LAM we only configured one haproxy source that holds all DCs)

However:

The default load balancing mechanism of HAProxy is round-robin, so 
haproxy talks to a different backend server for each request.
This can potentially cause problems when writing/editing, and HAProxy 
switches backend servers but replication has not yet been completed.

We have now switched the haproxy load balancing method to 'source', 
where a connection will 'stick' to the same backend server, as long as 
the backend server is available.

That should work better. Time will tell.

MJ


On 11/16/20 1:56 PM, mj via samba wrote:
> Hi all,
> 
> We are running a three DC samba AD, using 4.12.8 sernet packages. Very 
> stable for years.
> 
> Today at 12:30 my colleague moved two users from
> * CN=Users,DC=samba,DC=company,DC=com
> to
> * OU=disabled,DC=samba,DC=company,DC=com
> 
> This change was done on the DC4 at 12:30 using LAM (ldap-account-manager 
> version 7.3)
> 
> Ever since that, my automated samba-tool ldapcmp scripts started 
> reporting ldapcmp discrepancies between the DCs, like:
> 
>> * DNs found only in ldap://dc4.samba.company.com:
>>     CN=USER1,OU=DISABLED,DC=SAMBA,DC=COMPANY,DC=COM
>>     CN=USER2,OU=DISABLED,DC=SAMBA,DC=COMPANY,DC=COM
>>
>> * DNs found only in ldap://dc3.samba.company.com:
>>     CN=USER1,CN=USERS,DC=SAMBA,DC=COMPANY,DC=COM
>>     CN=USER2,CN=USERS,DC=SAMBA,DC=COMPANY,DC=COM
> 
> It seems DC2 & DC3 are still in sync (both having the two users in 
> CN=USERS) and only DC4 has the user now in OU=DISABLED.
> 
> And now the worrying part:
> 
> "samba-tool drs showrepl" still shows success on all DCs! Recent 
> timestamps (long after 12:30) on inbound replication, outbound 
> replication also success (but without timestamps), and every DC 
> replicates to both other DCs for all partitions.
> 
> The only reason we actually noticed that this issue is occurring, is 
> because we run automated ldapcmp between the DCs, otherwise we would 
> not have known.
> 
> samba-tool dbcheck --cross-ncs reports 0 errors on 5413 objects on all 
> three DCs.
> 
> Of course we could try to re-replicate "samba-tool drs replicate" 
> etc, but should the above not be impossible to happen? What could cause it?
> 
> MJ
> 
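To illustrate the HAProxy change described in the follow-up, here is a constructed haproxy.cfg fragment (not the poster's actual configuration) showing the round-robin backend beside the 'source' variant. Hostnames follow the thread (dc2/dc3/dc4.samba.company.com); the frontend name, port 636, health-check intervals and timeouts are assumptions.

```haproxy
# Constructed example, not taken from the thread's real config.
# Assumed: LDAPS on 636, TCP passthrough, three Samba DCs as backends.

frontend ldaps_in
    bind *:636
    mode tcp
    option tcplog
    default_backend samba_dcs

# Weak setting from the thread: round-robin spreads each new LDAP
# connection over all DCs, so a modify sent to DC4 can be followed by
# a read from DC3 before DRS replication has delivered the change.
#backend samba_dcs
#    mode tcp
#    balance roundrobin
#    server dc2 dc2.samba.company.com:636 check
#    server dc3 dc3.samba.company.com:636 check
#    server dc4 dc4.samba.company.com:636 check

# Corrected setting: 'source' hashes the client IP, so one client keeps
# talking to the same DC for as long as that DC passes its health check.
backend samba_dcs
    mode tcp
    balance source
    hash-type consistent
    option tcp-check
    server dc2 dc2.samba.company.com:636 check inter 5s fall 3 rise 2
    server dc3 dc3.samba.company.com:636 check inter 5s fall 3 rise 2
    server dc4 dc4.samba.company.com:636 check inter 5s fall 3 rise 2
```

Source hashing only pins a client while its IP is stable and its DC is healthy; when a DC fails, its clients move to another backend that may not yet hold the last write, so an independent consistency check such as the ldapcmp job in the thread remains useful.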


