[Samba] changes on DC not replicated, while showrepl reports no issues

Rowland penny rpenny at samba.org
Thu Nov 26 09:45:35 UTC 2020

On 26/11/2020 08:10, mj via samba wrote:
> Hi,
> Just to follow-up this post.
> We are now working with sernet support to get this resolved.
> It seems the reason this occured is unclear, but the most likely cause 
> is:
> We are using ldap-account-manager (LAM) to manage our samba AD through 
> LDAP access. We access samba LDAPs over an HAProxy server that has the 
> three samba DCs configured as backend servers.
> (so in LAM we only configured one haproxy source that holds all DCs)
> However:
> The default load balancing mechanism of HAProxy is round-robin, so 
> haproxy talks to a different backend server for each request.
> This can potentially cause problems when writing/editing, and HAProxy 
> switches backend servers but replication has not yet been completed.
> We have now switched the haproxy load balancing method to 'source', 
> where a connection will 'stick' to the same backend server, as long as 
> the backend server is available.
> That should work better. Time will tell.
> MJ
> On 11/16/20 1:56 PM, mj via samba wrote:
>> Hi all,
>> We are running a three DC samba AD, using 4.12.8 sernet packages. 
>> Very stable for years.
>> Today at 12:30 my colleague moved two users from
>> * CN=Users,DC=samba,DC=company,DC=com
>> to
>> * OU=disabled,DC=samba,DC=company,DC=com
>> This change was done on the DC4 at 12:30 using LAM 
>> (ldap-account-manager version 7.3)
>> Ever since that, my automated samba-tool ldapcmp scripts started 
>> reporting ldapcmp discrepancies between the DCs, like:
>>> * DNs found only in ldap://dc4.samba.company.com:
>>> * DNs found only in ldap://dc3.samba.company.com:
>> It seems DC2 & DC3 are still in sync (both having the two users in 
>> CN=USERS) and only DC4 has the user now in OU=DISABLED.
>> And now the worrying part:
>> "samba-tool drs showrepl" still shows success on all DCs! Recent 
>> timestamps (long after 12:30) on inbound replication, outbound 
>> replication also success (but without timestamps), and every DC 
>> replicates to both other DCs for all partitions.
>> The only reason we actually noticed that this issue is occuring, is 
>> because we run automated ldapcmp between the DC's, otherwise we would 
>> not have known.
>> samba-tool dbcheck --cross-ncs reports 0 errors on 5413 objects on 
>> all three DCs.
>> Of course we could do try to re-replicate "samba-tool drs replicate" 
>> etc, but should the above not be impossible to happen? What could 
>> cause it?
>> MJ
Well, I can understand having your clients use such a set up, but you 
should only do changes to AD on specific DCs or you can get collisions. 
Do not do changes through any type of proxy.


More information about the samba mailing list