Dominic Evans
2012-Dec-27 18:04 UTC
[Samba] Samba4: ldapcmp incorrectly reporting some attributes as missing on secondary controller
Hi,
I have a domain with a single Windows 2003 DC running. Today I created
a Samba4 DC (using 4.0.0 release) and asked it to join the existing
domain as an additional controller. Replication of both the objects
and dns entries appears to be working well, and the usual tests of
adding a user to one and confirming it is available in the other is
similarly working.
However, the `ldapcmp` tool claims there are numerous discrepancies in
the replicated data between the two ldap directories. Note the
'attributes found only in' list in the example comparison for a
specific user in the directory:
$ sudo samba-tool ldapcmp ldap://windowsdc.exampledn.com
ldap://samba4dc.exampledn.com domain --base='CN=ExampleFirstName
ExampleSecondName,OU=OU,DC=exampledn,DC=com'
--base2='CN=ExampleFirstName
ExampleSecondName,OU=OU,DC=exampledn,DC=com'
* Comparing [DOMAIN] context...
* Objects to be compared: 1
Comparing:
'CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com'
[ldap://windowsdc.exampledn.com]
'CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com'
[ldap://samba4dc.exampledn.com]
Attributes found only in ldap://windowsdc.exampledn.com:
instanceType
whenCreated
pwdLastSet
accountExpires
userAccountControl
FAILED
* Result for [DOMAIN]: FAILURE
SUMMARY
---------
Attributes found only in ldap://windowsdc.exampledn.com:
pwdLastSet
whenCreated
instanceType
userAccountControl
accountExpires
ERROR: Compare failed: -1
However, using `ldapsearch` to query the directories of both domain
controllers directly shows that these five attributes all appear to
exist in both? In addition, the diff of the two queries seems to
indicate some missing attributes and differing values on the samba4
domain controller that are not mentioned/caught by the ldapcmp tool?
--- /tmp/ldapsearch-windowsdc 2012-12-27 18:42:30.193281974 +0100
+++ /tmp/ldapsearch-samba4dc 2012-12-27 18:42:30.233278605 +0100
@@ -1,34 +1,29 @@
dn: CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: ExampleFirstName ExampleSecondName
sn: ExampleSecondName
givenName: ExampleFirstName
distinguishedName: CN=ExampleFirstName
ExampleSecondName,OU=OU,DC=exampledn,DC=com
instanceType: 4
whenCreated: 20100401152917.0Z
whenChanged: 20100401152918.0Z
displayName: ExampleFirstName ExampleSecondName
-uSNCreated: 236996493
-uSNChanged: 236996516
+uSNCreated: 3171
+uSNChanged: 3171
name: ExampleFirstName ExampleSecondName
objectGUID:: 2io6fCOdmUW5yeebD85hAA= userAccountControl: 66048
-badPwdCount: 0
codePage: 0
countryCode: 0
-badPasswordTime: 130010173443750000
-lastLogoff: 0
-lastLogon: 130010708699218750
pwdLastSet: 129146093579687500
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAdPiuHDqU7zAoMuUqaAoAAA= accountExpires:
9223372036854775807
-logonCount: 7781
sAMAccountName: examplesecondname.examplefirstname
sAMAccountType: 805306368
userPrincipalName: examplesecondname.examplefirstname at exampledn.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=exampledn,DC=com
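Review bot: every `-` line in this hunk (uSNCreated and uSNChanged, badPwdCount, badPasswordTime, lastLogoff, lastLogon, logonCount) is a per-DC attribute that Active Directory maintains locally and never replicates, so their absence or different values on samba4dc are expected and are not evidence of a replication fault; by contrast, the five attributes the ldapcmp output flags (instanceType, whenCreated, pwdLastSet, accountExpires, userAccountControl) appear unchanged on both sides of this diff, which points at how the ldapcmp run read the directory rather than at the data. Two lines in the hunk (objectGUID and objectSid) have the following attribute run onto the same line, which looks like mail wrapping of the base64 value rather than a difference between the two DCs.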
Should I be concerned by any of this?
Cheers,
Dominic
Andrew Bartlett
2012-Dec-28 04:43 UTC
[Samba] Samba4: ldapcmp incorrectly reporting some attributes as missing on secondary controller
On Thu, 2012-12-27 at 19:04 +0100, Dominic Evans wrote:
> Hi,
>
> I have a domain with a single Windows 2003 DC running. Today I created
> a Samba4 DC (using 4.0.0 release) and asked it to join the existing
> domain as an additional controller. Replication of both the objects
> and dns entries appears to be working well, and the usual tests of
> adding a user to one and confirming it is available in the other is
> similarly working.
>
> However, the `ldapcmp` tool claims there are numerous discrepancies in
> the replicated data between the two ldap directories. Note the
> 'attributes found only in' list in the example comparison for a
> specific user in the directory:
>
> $ sudo samba-tool ldapcmp ldap://windowsdc.exampledn.com
> ldap://samba4dc.exampledn.com domain --base='CN=ExampleFirstName
> ExampleSecondName,OU=OU,DC=exampledn,DC=com'
> --base2='CN=ExampleFirstName
> ExampleSecondName,OU=OU,DC=exampledn,DC=com'

What username did you use (administrator or another user) to
authenticate in this case?

> * Comparing [DOMAIN] context...
>
> * Objects to be compared: 1
>
> Comparing:
> 'CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com'
> [ldap://windowsdc.exampledn.com]
> 'CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com'
> [ldap://samba4dc.exampledn.com]
> Attributes found only in ldap://windowsdc.exampledn.com:
> instanceType
> whenCreated
> pwdLastSet
> accountExpires
> userAccountControl
> FAILED
>
> * Result for [DOMAIN]: FAILURE
>
> SUMMARY
> ---------
>
> Attributes found only in ldap://windowsdc.exampledn.com:
>
> pwdLastSet
> whenCreated
> instanceType
> userAccountControl
> accountExpires
> ERROR: Compare failed: -1
>
> However, using `ldapsearch` to query the directories of both domain
> controllers directly, shows that these five attributes all appear to
> exist in both? In addition, the diff of the two queries seems to
> indicated some missing attributes and differing values on the samba4
> domaincontroller that are not mentioned/caught by the ldapcmp tool?

ldapcmp has a hard-coded list of non-replicated attributes that are
skipped in the analysis.

> --- /tmp/ldapsearch-windowsdc 2012-12-27 18:42:30.193281974 +0100
> +++ /tmp/ldapsearch-samba4dc 2012-12-27 18:42:30.233278605 +0100
> @@ -1,34 +1,29 @@
> dn: CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: ExampleFirstName ExampleSecondName
> sn: ExampleSecondName
> givenName: ExampleFirstName
> distinguishedName: CN=ExampleFirstName
> ExampleSecondName,OU=OU,DC=exampledn,DC=com
> instanceType: 4
> whenCreated: 20100401152917.0Z
> whenChanged: 20100401152918.0Z
> displayName: ExampleFirstName ExampleSecondName
> -uSNCreated: 236996493
> -uSNChanged: 236996516
> +uSNCreated: 3171
> +uSNChanged: 3171
> name: ExampleFirstName ExampleSecondName
> objectGUID:: 2io6fCOdmUW5yeebD85hAA=
> userAccountControl: 66048
> -badPwdCount: 0
> codePage: 0
> countryCode: 0
> -badPasswordTime: 130010173443750000
> -lastLogoff: 0
> -lastLogon: 130010708699218750
> pwdLastSet: 129146093579687500
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAdPiuHDqU7zAoMuUqaAoAAA=
> accountExpires: 9223372036854775807
> -logonCount: 7781
> sAMAccountName: examplesecondname.examplefirstname
> sAMAccountType: 805306368
> userPrincipalName: examplesecondname.examplefirstname at exampledn.com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=exampledn,DC=com
>
> Should I be concerned by any of this?

Assuming that you used a non-administrator user to connect over LDAP,
the 'missing' attributes are a concern, but not to your data integrity.
We have an outstanding issue where the read ACL is applied incorrectly
for non-administrator users, and I need to understand why that is.

You can set 'acl:read=false' in your smb.conf to disable this, while we
sort out what is going on. This will remove any restriction on any user
reading any non-confidential attribute (by the schema flag or being in
the list of password attributes).

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
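The two points in this thread, the ldapsearch diff in Dominic's post and the skip list of non-replicated attributes in Andrew's reply, come together in the following added example. It is not code from the Samba project or from either poster; it reimplements the core of what a replication comparison such as samba-tool ldapcmp does, so that the reader can see why the uSN and logon attributes are expected to differ while the five flagged attributes are not. The sample LDIF entries are constructed from the diff above, and the NON_REPLICATED set is an assumption modelled on ldapcmp's hard-coded skip list, not a copy of it. A third constructed sample shows what the same Samba object looks like when the bind is denied the five attributes, reproducing the report in the thread.

```python
"""Compare two LDIF dumps of one object the way a replication check such as
samba-tool ldapcmp does: attributes that Active Directory keeps per-DC and
never replicates are skipped before the comparison.

Added example, not Samba project code. The sample entries are constructed
from the ldapsearch diff in the thread; NON_REPLICATED is an assumption
modelled on ldapcmp's skip list, not a copy of it.
"""

# Per-DC attributes that AD never replicates; differences here are expected.
NON_REPLICATED = {
    "uSNCreated", "uSNChanged",           # update sequence numbers are local to each DC
    "lastLogon", "lastLogoff", "logonCount",
    "badPwdCount", "badPasswordTime",
}


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Handles RFC 2849 line folding (continuation lines start with a space)
    and the '::' marker for base64 values, which are kept undecoded.
    """
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold: drop only the leading space
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        if ":: " in line:
            name, value = line.split(":: ", 1)
        elif ": " in line:
            name, value = line.split(": ", 1)
        else:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        entry.setdefault(name, []).append(value)
    return entry


def compare_entries(a, b, skip=NON_REPLICATED):
    """Return (only_in_a, only_in_b, differing): sorted attribute names that
    exist on one side only, or on both with different values, after the
    attributes in `skip` have been removed from both sides."""
    keys_a, keys_b = set(a) - skip, set(b) - skip
    only_a = sorted(keys_a - keys_b)
    only_b = sorted(keys_b - keys_a)
    differing = sorted(k for k in keys_a & keys_b if sorted(a[k]) != sorted(b[k]))
    return only_a, only_b, differing


def check(ldif_a, ldif_b, skip=NON_REPLICATED):
    """Parse both dumps and compare them; a clean result is ([], [], [])."""
    return compare_entries(parse_ldif(ldif_a), parse_ldif(ldif_b), skip)


# Constructed sample (abridged from the thread): the Windows DC, full read.
WINDOWS_DC = """\
dn: CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com
objectClass: top
objectClass: user
cn: ExampleFirstName ExampleSecondName
distinguishedName: CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,
 DC=com
instanceType: 4
whenCreated: 20100401152917.0Z
uSNCreated: 236996493
uSNChanged: 236996516
objectGUID:: 2io6fCOdmUW5yeebD85hAA=
userAccountControl: 66048
badPwdCount: 0
badPasswordTime: 130010173443750000
lastLogoff: 0
lastLogon: 130010708699218750
pwdLastSet: 129146093579687500
accountExpires: 9223372036854775807
logonCount: 7781
sAMAccountName: examplesecondname.examplefirstname
"""

# Constructed sample: the Samba DC, full read. Only per-DC attributes differ.
SAMBA_DC = """\
dn: CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com
objectClass: top
objectClass: user
cn: ExampleFirstName ExampleSecondName
distinguishedName: CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,
 DC=com
instanceType: 4
whenCreated: 20100401152917.0Z
uSNCreated: 3171
uSNChanged: 3171
objectGUID:: 2io6fCOdmUW5yeebD85hAA=
userAccountControl: 66048
pwdLastSet: 129146093579687500
accountExpires: 9223372036854775807
sAMAccountName: examplesecondname.examplefirstname
"""

# Constructed sample: the same Samba object read by a bind that is denied the
# five attributes the thread's ldapcmp run flagged (a read-ACL effect).
_DENIED = {"instanceType", "whenCreated", "pwdLastSet", "accountExpires",
           "userAccountControl"}
SAMBA_DC_RESTRICTED_BIND = "\n".join(
    line for line in SAMBA_DC.splitlines() if line.split(":")[0] not in _DENIED
)


if __name__ == "__main__":
    for label, other in (("full read", SAMBA_DC),
                         ("restricted bind", SAMBA_DC_RESTRICTED_BIND)):
        only_a, only_b, diff = check(WINDOWS_DC, other)
        print(f"{label}: only on windowsdc={only_a} "
              f"only on samba4dc={only_b} differing={diff}")
```

Running the block compares the Windows entry against both Samba samples: the full read comes back clean because the only differences are in skipped per-DC attributes, while the restricted-bind sample reproduces the thread's "found only in ldap://windowsdc" list exactly. Passing `skip=set()` to `check` shows what a naive diff reports, which is what Dominic saw from `ldapsearch`.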