mathias dufresne
2015-Jul-16 11:20 UTC
[Samba] 4.2.2 as AD with 2 DCs: database incoherency
Here I obtained:
---------------------
* Comparing [DOMAIN] context...
Failed search of base=DC=ad,DC=domain,DC=tld
ERROR(ldb): uncaught exception - LDAP client internal error:
NT_STATUS_UNEXPECTED_NETWORK_ERROR
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line
175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py",
line
979, in run
outf=self.outf, errf=self.errf)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py",
line
698, in __init__
self.dn_list = self.get_dn_list(context)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py",
line
841, in get_dn_list
res = self.con.ldb.search(base=self.search_base,
scope=self.search_scope, attrs=["dn"])
----------------------
Which led me to check my /etc/resolv.conf and on one DC there was only one
DNS entry to access local Samba and no line to ask to the other DC. I've
added the second DC as nameserver and rerun the command... to obtain the
very same error.
I had a line in /etc/hosts with hostname for address 127.0.0.1, I removed
it and rerun the command. Same error.
I will try this command from the other DC later, it took around 45min to
run and I don't have them right now... I'll come back to send you some
feedback.
Best regards,
Mathias
2015-07-16 9:37 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
> On 16/07/15 07:19, Daniel Müller wrote:
>
>> On my site with samba 4.18 on centos 6:
>>
>> 'samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator'
failed with
>> this result msDS-NC Type failed :
>>
>> [root at s4master ~]# samba-tool ldapcmp ldap://s4master
>> ldap://s4slave -Uadministrator
>> Password for [TPLK\administrator]:
>>
>> * Comparing [DOMAIN] context...
>>
>> * Objects to be compared: 606
>>
>> Comparing:
>> 'CN=Builtin,DC=tplk,DC=loc' [ldap://s4master]
>> 'CN=Builtin,DC=tplk,DC=loc' [ldap://s4slave]
>> Attributes found only in ldap://s4master:
>> serverState
>> FAILED
>>
>> Comparing:
>> 'DC=tplk,DC=loc' [ldap://s4master]
>> 'DC=tplk,DC=loc' [ldap://s4slave]
>> Attributes found only in ldap://s4master:
>> msDS-NcType
>> serverState
>> FAILED
>>
>> * Result for [DOMAIN]: FAILURE
>>
>> SUMMARY
>> ---------
>>
>> Attributes found only in ldap://s4master:
>>
>> msDS-NcType
>> serverState
>>
>> * Comparing [CONFIGURATION] context...
>>
>> * Objects to be compared: 1616
>>
>> Comparing:
>> 'CN=Configuration,DC=tplk,DC=loc' [ldap://s4master]
>> 'CN=Configuration,DC=tplk,DC=loc' [ldap://s4slave]
>> Attributes found only in ldap://s4master:
>> subRefs
>> msDS-NcType
>> FAILED
>>
>> * Result for [CONFIGURATION]: FAILURE
>>
>> SUMMARY
>> ---------
>>
>> Attributes found only in ldap://s4master:
>>
>> msDS-NcType
>> subRefs
>>
>> * Comparing [SCHEMA] context...
>>
>> * Objects to be compared: 1550
>>
>> Comparing:
>> 'CN=Schema,CN=Configuration,DC=tplk,DC=loc' [ldap://s4master]
>> 'CN=Schema,CN=Configuration,DC=tplk,DC=loc' [ldap://s4slave]
>> Attributes found only in ldap://s4master:
>> msDS-NcType
>> FAILED
>>
>> * Result for [SCHEMA]: FAILURE
>>
>> SUMMARY
>> ---------
>>
>> Attributes found only in ldap://s4master:
>>
>> msDS-NcType
>>
>> * Comparing [DNSDOMAIN] context...
>>
>> * Objects to be compared: 333
>>
>> Comparing:
>> 'DC=DomainDnsZones,DC=tplk,DC=loc' [ldap://s4master]
>> 'DC=DomainDnsZones,DC=tplk,DC=loc' [ldap://s4slave]
>> Attributes found only in ldap://s4master:
>> msDS-NcType
>> FAILED
>>
>> * Result for [DNSDOMAIN]: FAILURE
>>
>> SUMMARY
>> ---------
>>
>> Attributes found only in ldap://s4master:
>>
>> msDS-NcType
>>
>> * Comparing [DNSFOREST] context...
>>
>> * Objects to be compared: 19
>>
>> Comparing:
>> 'DC=ForestDnsZones,DC=tplk,DC=loc' [ldap://s4master]
>> 'DC=ForestDnsZones,DC=tplk,DC=loc' [ldap://s4slave]
>> Attributes found only in ldap://s4master:
>> msDS-NcType
>> FAILED
>>
>> * Result for [DNSFOREST]: FAILURE
>>
>> SUMMARY
>> ---------
>>
>> Attributes found only in ldap://s4master:
>>
>> msDS-NcType
>> ERROR: Compare failed: -1
>>
>>
>> Daniel Müller
>>
>> Leitung EDV
>> Tropenklinik Paul-Lechler-Krankenhaus
>> Paul-Lechler-Str. 24
>> 72076 Tübingen
>> Tel.: 07071/206-463, Fax: 07071/206-499
>> eMail: mueller at tropenklinik.de
>> Internet: www.tropenklinik.de
>>
>>
>>
>> -----Ursprüngliche Nachricht-----
>> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von
Rowland
>> Penny
>> Gesendet: Mittwoch, 15. Juli 2015 17:35
>> An: samba at lists.samba.org
>> Betreff: Re: [Samba] 4.2.2 as AD with 2 DCs: database incoherency
>>
>> On 15/07/15 14:31, mathias dufresne wrote:
>>
>>> Hi all,
>>>
>>> I'm having a test AD domain composed with 2 DC, using
Sernet's version
>>> of Samba 4.2.2.
>>>
>>> These two DC are Centos 6.6 (dc20) and Debian 7.8 (dc00).
>>>
>>> These two are using TDB as a backend (as we have no other choice at
>>> this stage of Samba's development).
>>>
>>> *dc20*:~# ldbsearch -H $sam '(objectclass=group)' dn | tail
-3 #
>>> returned 27392 records # *27389* entries # 3 referrals *dc00*:~#
>>> ldbsearch -H $sam '(objectclass=group)' dn | tail -3 #
returned 27892
>>> records # *27889* entries # 3 referrals
>>>
>>> I'm wondering with I'm missing 500 groups on dc20 database.
>>>
>>> Perhaps this issue comes from the fact there was a space issue on
dc00
>>> (/var/log/samba/log.samba fulfilled /var (debug) and database is on
>>> same FS into /var/lib/samba).
>>>
>>> Anyway, do we have something to force databases to come back to a
>>> coherent state?
>>> Could we tdbdump the DB on one host then tdbrestore it on the
other?
>>>
>>> Kindly regards,
>>>
>>> mathias
>>>
>> What does 'samba-tool ldapcmp ldap://DC1 ldap://DC2
-Uadministrator' show
>> ?
>>
>> More info, see here:
https://wiki.samba.org/index.php/Samba-tool_ldapcmp
>>
>> Rowland
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
> Stop worrying, all the failing attributes are non replicating attributes,
> this has been fixed in later samba4 versions.
>
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
On 16/07/15 12:20, mathias dufresne wrote:> Here I obtained: > --------------------- > * Comparing [DOMAIN] context... > Failed search of base=DC=ad,DC=domain,DC=tld > ERROR(ldb): uncaught exception - LDAP client internal error: > NT_STATUS_UNEXPECTED_NETWORK_ERROR > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line > 175, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line > 979, in run > outf=self.outf, errf=self.errf) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line > 698, in __init__ > self.dn_list = self.get_dn_list(context) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line > 841, in get_dn_list > res = self.con.ldb.search(base=self.search_base, > scope=self.search_scope, attrs=["dn"]) > ---------------------- > > Which led me to check my /etc/resolv.conf and on one DC there was only one > DNS entry to access local Samba and no line to ask to the other DC. I've > added the second DC as nameserver and rerun the command... to obtain the > very same error.Your /etc/resolv.conf should first point the second DC and then to itself i.e. search <your.domain> nameserver <second DC> nameserver <this DC>> I had a line in /etc/hosts with hostname for address 127.0.0.1, I removed > it and rerun the command. Same error./etc/hosts should be: 127.0.0.1 localhost.localdomain localhost <ip of this DC> hostname.domain.com hostname I would also suggest you check what is in /etc/hostname, it should just contain the DC's short hostname, it may contain 'localhost' Rowland> I will try this command from the other DC later, it took around 45min to > run and I don't have them right now... I'll come back to send you some > feedback. > > Best regards, > > Mathias > > 2015-07-16 9:37 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>: > >> On 16/07/15 07:19, Daniel Müller wrote: >> >>> On my site with samba 4.18 on centos 6: >>> >>> 'samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator' failed with >>> this result msDS-NC Type failed : >>> >>> [root at s4master ~]# samba-tool ldapcmp ldap://s4master >>> ldap://s4slave -Uadministrator >>> Password for [TPLK\administrator]: >>> >>> * Comparing [DOMAIN] context... >>> >>> * Objects to be compared: 606 >>> >>> Comparing: >>> 'CN=Builtin,DC=tplk,DC=loc' [ldap://s4master] >>> 'CN=Builtin,DC=tplk,DC=loc' [ldap://s4slave] >>> Attributes found only in ldap://s4master: >>> serverState >>> FAILED >>> >>> Comparing: >>> 'DC=tplk,DC=loc' [ldap://s4master] >>> 'DC=tplk,DC=loc' [ldap://s4slave] >>> Attributes found only in ldap://s4master: >>> msDS-NcType >>> serverState >>> FAILED >>> >>> * Result for [DOMAIN]: FAILURE >>> >>> SUMMARY >>> --------- >>> >>> Attributes found only in ldap://s4master: >>> >>> msDS-NcType >>> serverState >>> >>> * Comparing [CONFIGURATION] context... >>> >>> * Objects to be compared: 1616 >>> >>> Comparing: >>> 'CN=Configuration,DC=tplk,DC=loc' [ldap://s4master] >>> 'CN=Configuration,DC=tplk,DC=loc' [ldap://s4slave] >>> Attributes found only in ldap://s4master: >>> subRefs >>> msDS-NcType >>> FAILED >>> >>> * Result for [CONFIGURATION]: FAILURE >>> >>> SUMMARY >>> --------- >>> >>> Attributes found only in ldap://s4master: >>> >>> msDS-NcType >>> subRefs >>> >>> * Comparing [SCHEMA] context... >>> >>> * Objects to be compared: 1550 >>> >>> Comparing: >>> 'CN=Schema,CN=Configuration,DC=tplk,DC=loc' [ldap://s4master] >>> 'CN=Schema,CN=Configuration,DC=tplk,DC=loc' [ldap://s4slave] >>> Attributes found only in ldap://s4master: >>> msDS-NcType >>> FAILED >>> >>> * Result for [SCHEMA]: FAILURE >>> >>> SUMMARY >>> --------- >>> >>> Attributes found only in ldap://s4master: >>> >>> msDS-NcType >>> >>> * Comparing [DNSDOMAIN] context... >>> >>> * Objects to be compared: 333 >>> >>> Comparing: >>> 'DC=DomainDnsZones,DC=tplk,DC=loc' [ldap://s4master] >>> 'DC=DomainDnsZones,DC=tplk,DC=loc' [ldap://s4slave] >>> Attributes found only in ldap://s4master: >>> msDS-NcType >>> FAILED >>> >>> * Result for [DNSDOMAIN]: FAILURE >>> >>> SUMMARY >>> --------- >>> >>> Attributes found only in ldap://s4master: >>> >>> msDS-NcType >>> >>> * Comparing [DNSFOREST] context... >>> >>> * Objects to be compared: 19 >>> >>> Comparing: >>> 'DC=ForestDnsZones,DC=tplk,DC=loc' [ldap://s4master] >>> 'DC=ForestDnsZones,DC=tplk,DC=loc' [ldap://s4slave] >>> Attributes found only in ldap://s4master: >>> msDS-NcType >>> FAILED >>> >>> * Result for [DNSFOREST]: FAILURE >>> >>> SUMMARY >>> --------- >>> >>> Attributes found only in ldap://s4master: >>> >>> msDS-NcType >>> ERROR: Compare failed: -1 >>> >>> >>> Daniel Müller >>> >>> Leitung EDV >>> Tropenklinik Paul-Lechler-Krankenhaus >>> Paul-Lechler-Str. 24 >>> 72076 Tübingen >>> Tel.: 07071/206-463, Fax: 07071/206-499 >>> eMail: mueller at tropenklinik.de >>> Internet: www.tropenklinik.de >>> >>> >>> >>> -----Ursprüngliche Nachricht----- >>> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland >>> Penny >>> Gesendet: Mittwoch, 15. Juli 2015 17:35 >>> An: samba at lists.samba.org >>> Betreff: Re: [Samba] 4.2.2 as AD with 2 DCs: database incoherency >>> >>> On 15/07/15 14:31, mathias dufresne wrote: >>> >>>> Hi all, >>>> >>>> I'm having a test AD domain composed with 2 DC, using Sernet's version >>>> of Samba 4.2.2. >>>> >>>> These two DC are Centos 6.6 (dc20) and Debian 7.8 (dc00). >>>> >>>> These two are using TDB as a backend (as we have no other choice at >>>> this stage of Samba's development). >>>> >>>> *dc20*:~# ldbsearch -H $sam '(objectclass=group)' dn | tail -3 # >>>> returned 27392 records # *27389* entries # 3 referrals *dc00*:~# >>>> ldbsearch -H $sam '(objectclass=group)' dn | tail -3 # returned 27892 >>>> records # *27889* entries # 3 referrals >>>> >>>> I'm wondering with I'm missing 500 groups on dc20 database. >>>> >>>> Perhaps this issue comes from the fact there was a space issue on dc00 >>>> (/var/log/samba/log.samba fulfilled /var (debug) and database is on >>>> same FS into /var/lib/samba). >>>> >>>> Anyway, do we have something to force databases to come back to a >>>> coherent state? >>>> Could we tdbdump the DB on one host then tdbrestore it on the other? >>>> >>>> Kindly regards, >>>> >>>> mathias >>>> >>> What does 'samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator' show >>> ? >>> >>> More info, see here: https://wiki.samba.org/index.php/Samba-tool_ldapcmp >>> >>> Rowland >>> >>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> >>> >> Stop worrying, all the failing attributes are non replicating attributes, >> this has been fixed in later samba4 versions. >> >> >> Rowland >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >>
Am 16.07.2015 um 14:02 schrieb Rowland Penny:> /etc/hosts should be: > > 127.0.0.1 localhost.localdomain localhostuhm no - you want 127.0.0.1 normally resolved to localhost and hence 127.0.0.1 localhost localhost.localdomain -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: OpenPGP digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20150716/57408f24/signature.sig>