[Samba] changes on DC not replicated, while showrepl reports no issues

Thu Nov 26 09:45:35 UTC 2020

On 26/11/2020 08:10, mj via samba wrote:
> Hi,
>
> Just to follow-up this post.
>
> We are now working with sernet support to get this resolved.
>
> It seems the reason this occured is unclear, but the most likely cause 
> is:
>
> We are using ldap-account-manager (LAM) to manage our samba AD through 
> LDAP access. We access samba LDAPs over an HAProxy server that has the 
> three samba DCs configured as backend servers.
>
> (so in LAM we only configured one haproxy source that holds all DCs)
>
> However:
>
> The default load balancing mechanism of HAProxy is round-robin, so 
> haproxy talks to a different backend server for each request.
> This can potentially cause problems when writing/editing, and HAProxy 
> switches backend servers but replication has not yet been completed.
>
> We have now switched the haproxy load balancing method to 'source', 
> where a connection will 'stick' to the same backend server, as long as 
> the backend server is available.
>
> That should work better. Time will tell.
>
> MJ
>
>
> On 11/16/20 1:56 PM, mj via samba wrote:
>> Hi all,
>>
>> We are running a three DC samba AD, using 4.12.8 sernet packages. 
>> Very stable for years.
>>
>> Today at 12:30 my colleague moved two users from
>> * CN=Users,DC=samba,DC=company,DC=com
>> to
>> * OU=disabled,DC=samba,DC=company,DC=com
>>
>> This change was done on the DC4 at 12:30 using LAM 
>> (ldap-account-manager version 7.3)
>>
>> Ever since that, my automated samba-tool ldapcmp scripts started 
>> reporting ldapcmp discrepancies between the DCs, like:
>>
>>> * DNs found only in ldap://dc4.samba.company.com:
>>>     CN=USER1,OU=DISABLED,DC=SAMBA,DC=COMPANY,DC=COM
>>>     CN=USER2,OU=DISABLED,DC=SAMBA,DC=COMPANY,DC=COM
>>>
>>> * DNs found only in ldap://dc3.samba.company.com:
>>>     CN=USER1,CN=USERS,DC=SAMBA,DC=COMPANY,DC=COM
>>>     CN=USER2,CN=USERS,DC=SAMBA,DC=COMPANY,DC=COM
>>
>> It seems DC2 & DC3 are still in sync (both having the two users in 
>> CN=USERS) and only DC4 has the user now in OU=DISABLED.
>>
>> And now the worrying part:
>>
>> "samba-tool drs showrepl" still shows success on all DCs! Recent 
>> timestamps (long after 12:30) on inbound replication, outbound 
>> replication also success (but without timestamps), and every DC 
>> replicates to both other DCs for all partitions.
>>
>> The only reason we actually noticed that this issue is occuring, is 
>> because we run automated ldapcmp between the DC's, otherwise we would 
>> not have known.
>>
>> samba-tool dbcheck --cross-ncs reports 0 errors on 5413 objects on 
>> all three DCs.
>>
>> Of course we could do try to re-replicate "samba-tool drs replicate" 
>> etc, but should the above not be impossible to happen? What could 
>> cause it?
>>
>> MJ
>>
>
Well, I can understand having your clients use such a set up, but you 
should only do changes to AD on specific DCs or you can get collisions. 
Do not do changes through any type of proxy.

Rowland