On Thu, 2012-12-27 at 19:04 +0100, Dominic Evans wrote:
> Hi,
>
> I have a domain with a single Windows 2003 DC running. Today I created
> a Samba4 DC (using 4.0.0 release) and asked it to join the existing
> domain as an additional controller. Replication of both the objects
> and dns entries appears to be working well, and the usual tests of
> adding a user to one and confirming it is available in the other are
> similarly working.
>
> However, the `ldapcmp` tool claims there are numerous discrepancies in
> the replicated data between the two ldap directories. Note the
> 'attributes found only in' list in the example comparison for a
> specific user in the directory:
>
> $ sudo samba-tool ldapcmp ldap://windowsdc.exampledn.com
> ldap://samba4dc.exampledn.com domain --base='CN=ExampleFirstName
> ExampleSecondName,OU=OU,DC=exampledn,DC=com'
> --base2='CN=ExampleFirstName
> ExampleSecondName,OU=OU,DC=exampledn,DC=com'

What username did you use (administrator or another user) to
authenticate in this case?

> * Comparing [DOMAIN] context...
>
> * Objects to be compared: 1
>
> Comparing:
> 'CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com'
> [ldap://windowsdc.exampledn.com]
> 'CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com'
> [ldap://samba4dc.exampledn.com]
> Attributes found only in ldap://windowsdc.exampledn.com:
> instanceType
> whenCreated
> pwdLastSet
> accountExpires
> userAccountControl
> FAILED
>
> * Result for [DOMAIN]: FAILURE
>
> SUMMARY
> ---------
>
> Attributes found only in ldap://windowsdc.exampledn.com:
>
> pwdLastSet
> whenCreated
> instanceType
> userAccountControl
> accountExpires
> ERROR: Compare failed: -1
>
> However, using `ldapsearch` to query the directories of both domain
> controllers directly shows that these five attributes all appear to
> exist in both? In addition, the diff of the two queries seems to
> indicate some missing attributes and differing values on the samba4
> domain controller that are not mentioned/caught by the ldapcmp tool?

ldapcmp has a hard-coded list of non-replicated attributes that are
skipped in the analysis.

> --- /tmp/ldapsearch-windowsdc 2012-12-27 18:42:30.193281974 +0100
> +++ /tmp/ldapsearch-samba4dc 2012-12-27 18:42:30.233278605 +0100
> @@ -1,34 +1,29 @@
> dn: CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: ExampleFirstName ExampleSecondName
> sn: ExampleSecondName
> givenName: ExampleFirstName
> distinguishedName: CN=ExampleFirstName
> ExampleSecondName,OU=OU,DC=exampledn,DC=com
> instanceType: 4
> whenCreated: 20100401152917.0Z
> whenChanged: 20100401152918.0Z
> displayName: ExampleFirstName ExampleSecondName
> -uSNCreated: 236996493
> -uSNChanged: 236996516
> +uSNCreated: 3171
> +uSNChanged: 3171
> name: ExampleFirstName ExampleSecondName
> objectGUID:: 2io6fCOdmUW5yeebD85hAA==
> userAccountControl: 66048
> -badPwdCount: 0
> codePage: 0
> countryCode: 0
> -badPasswordTime: 130010173443750000
> -lastLogoff: 0
> -lastLogon: 130010708699218750
> pwdLastSet: 129146093579687500
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAdPiuHDqU7zAoMuUqaAoAAA==
> accountExpires: 9223372036854775807
> -logonCount: 7781
> sAMAccountName: examplesecondname.examplefirstname
> sAMAccountType: 805306368
> userPrincipalName: [email protected]
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=exampledn,DC=com
>
> Should I be concerned by any of this?

Assuming that you used a non-administrator user to connect over LDAP,
the 'missing' attributes are a concern, but not to your data integrity.
We have an outstanding issue where the read ACL is applied incorrectly
for non-administrator users, and I need to understand why that is.

You can set 'acl:read=false' in your smb.conf to disable this, while we
sort out what is going on. This will remove any restriction on any
user reading any non-confidential attribute (by the schema flag or
being in the list of password attributes).
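Review bot: every `-` line in the quoted hunk (uSNCreated, uSNChanged, badPwdCount, badPasswordTime, lastLogoff, lastLogon, logonCount) is an attribute that Active Directory maintains per DC and never replicates, so the Samba DC lacking them, or carrying its own small uSN values, is expected and is precisely the set a non-replicated skip list drops; no `-`/`+` pair in the hunk touches a replicated attribute. The five attributes ldapcmp did flag (instanceType, whenCreated, pwdLastSet, accountExpires, userAccountControl) appear unchanged on both sides of the hunk, which points at what the bind user was allowed to read rather than at the data. Rather than trusting a hard-coded list, the classification can be confirmed per attribute by reading its schema entry's systemFlags and testing bit 0x1 (FLAG_ATTR_NOT_REPLICATED).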
Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
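The skip-list behaviour Andrew describes is easy to reproduce outside samba-tool when you want to sanity-check two DC dumps yourself. The following is an added example for this thread, not samba-tool's or Samba's own code: it parses two LDIF records, drops a list of attributes AD keeps per DC and does not replicate, and reports what is genuinely missing or different. The two records are constructed from the attribute names in the thread with placeholder values (one deliberately differing `description` is added so the check has something real to find), and the NON_REPLICATED list is an assumption drawn from the attributes the thread's diff shows plus the well-known per-DC logon counters; ldapcmp's real list lives in samba-tool. Take both dumps with the same bind identity, otherwise the read-ACL issue mentioned above shows up as "missing" attributes.

```python
"""Compare two LDIF dumps of one AD object, ignoring per-DC attributes.

Added example (not samba-tool code).  Sample LDIF is constructed; the
skip list is an assumption, see the comment on NON_REPLICATED.
"""
from collections import defaultdict

# Assumed skip list (lower-cased): attributes AD keeps per DC and never
# replicates.  To verify an attribute, read its schema entry's systemFlags
# and test bit 0x1 (FLAG_ATTR_NOT_REPLICATED) instead of trusting this list.
NON_REPLICATED = {
    "usncreated", "usnchanged", "whenchanged",
    "badpwdcount", "badpasswordtime", "lastlogon", "lastlogoff", "logoncount",
}

# Constructed sample: what the Windows DC returned for one user.
WINDOWS_LDIF = """\
dn: CN=Example User,OU=OU,DC=exampledn,DC=com
objectClass: top
objectClass: user
cn: Example User
distinguishedName: CN=Example User,OU=OU,
 DC=exampledn,DC=com
instanceType: 4
whenCreated: 20100401152917.0Z
whenChanged: 20100401152918.0Z
uSNCreated: 236996493
uSNChanged: 236996516
objectGUID:: 2io6fCOdmUW5yeebD85hAA==
userAccountControl: 66048
badPwdCount: 0
lastLogon: 130010708699218750
logonCount: 7781
pwdLastSet: 129146093579687500
accountExpires: 9223372036854775807
sAMAccountName: example.user
description: constructed value A
"""

# Constructed sample: the same object from the Samba4 DC.  Per-DC counters
# are absent, the uSNs are local, and description differs on purpose.
SAMBA_LDIF = """\
dn: CN=Example User,OU=OU,DC=exampledn,DC=com
objectClass: top
objectClass: user
cn: Example User
distinguishedName: CN=Example User,OU=OU,DC=exampledn,DC=com
instanceType: 4
whenCreated: 20100401152917.0Z
whenChanged: 20100401152918.0Z
uSNCreated: 3171
uSNChanged: 3171
objectGUID:: 2io6fCOdmUW5yeebD85hAA==
userAccountControl: 66048
pwdLastSet: 129146093579687500
accountExpires: 9223372036854775807
sAMAccountName: example.user
description: constructed value B
"""


def parse_ldif(text):
    """Parse one LDIF record into {attribute (lower-cased): set of values}.

    Folded continuation lines (leading space) are joined back onto the
    previous line; base64 ('::') values are kept as the encoded string,
    which is sufficient for an equality comparison.
    """
    unfolded = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entry = defaultdict(set)
    for line in unfolded:
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # 'attr:: <base64>'
            value = value[1:]
        entry[attr.strip().lower()].add(value.strip())
    return dict(entry)


def compare(entry_a, entry_b, skip=NON_REPLICATED):
    """Report attributes present on only one side and attributes whose value
    sets differ, after removing the skip list from both sides."""
    keys_a = set(entry_a) - skip
    keys_b = set(entry_b) - skip
    return {
        "only_in_a": sorted(keys_a - keys_b),
        "only_in_b": sorted(keys_b - keys_a),
        "differing": sorted(k for k in keys_a & keys_b if entry_a[k] != entry_b[k]),
    }


if __name__ == "__main__":
    win, smb = parse_ldif(WINDOWS_LDIF), parse_ldif(SAMBA_LDIF)
    for key, attrs in compare(win, smb).items():
        print(f"{key}: {', '.join(attrs) or '(none)'}")
    # With an empty skip list the per-DC attributes surface, as in a raw diff.
    print("raw, only on Windows DC:", ", ".join(compare(win, smb, skip=set())["only_in_a"]))
```

With the skip list applied only `description` is reported; with `skip=set()` the output reproduces the thread's raw `ldapsearch` diff (badPwdCount, lastLogon and logonCount missing, uSNCreated and uSNChanged differing), which is the noise ldapcmp is designed to hide.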
