I need to do a simple query against some LDAP data in 'laster draft
schema' format I've added to the samba/AD schema.
All LDAP queries return the same result on all (6) of the DCs:
 root@vdcsv1:~# ldapsearch -H ldap://vdcsv2.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember
 Enter LDAP Password: 
 # extended LDIF
 #
 # LDAPv3
 # base <DC=ad,DC=fvg,DC=lnf,DC=it> with scope subtree
 # filter: (cn=prova123)
 # requesting: rfc822MailMember 
 #
 
 # prova123, Aliases, FVG, ad.fvg.lnf.it
 dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
 rfc822MailMember: gaio
 rfc822MailMember: marco.gaiarin
 
 # search reference
 ref: ldap://ad.fvg.lnf.it/CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it
 
 # search reference
 ref: ldap://ad.fvg.lnf.it/DC=DomainDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it
 
 # search reference
 ref: ldap://ad.fvg.lnf.it/DC=ForestDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it
 
 # search result
 search: 2
 result: 0 Success
 
 # numResponses: 5
 # numEntries: 1
 # numReferences: 3
except ONE DC, which does not return anything:
 root@vdcsv1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember
 Enter LDAP Password: 
 # extended LDIF
 #
 # LDAPv3
 # base <DC=ad,DC=fvg,DC=lnf,DC=it> with scope subtree
 # filter: (cn=prova123)
 # requesting: rfc822MailMember 
 #
 
 # search reference
 ref: ldap://ad.fvg.lnf.it/CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it
 
 # search reference
 ref: ldap://ad.fvg.lnf.it/DC=DomainDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it
 
 # search reference
 ref: ldap://ad.fvg.lnf.it/DC=ForestDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it
 
 # search result
 search: 2
 result: 0 Success
 
 # numResponses: 4
 # numReferences: 3
I've checked on that DC with 'samba-tool drs showrepl', and all seems OK.
What happens? Thanks.
-- 
dott. Marco Gaiarin    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
    Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
    http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
    (tax code 00307430132, category ONLUS or RICERCA SANITARIA)

> I've checked on that DC with 'samba-tool drs showrepl', and all seems
> OK.

Forgot to say: the data seems to be here. Accessing the sam.ldb directly on the guilty AD:

 root@vdcpp1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=ad,DC=fvg,DC=lnf,DC=it" "(cn=prova123)" rfc822MailMember
 # record 1
 dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
 rfc822MailMember: gaio
 rfc822MailMember: marco.gaiarin

 # Referral
 ref: ldap://ad.fvg.lnf.it/CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it

 # Referral
 ref: ldap://ad.fvg.lnf.it/DC=DomainDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it

 # Referral
 ref: ldap://ad.fvg.lnf.it/DC=ForestDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it

 # returned 4 records
 # 1 entries
 # 3 referrals

Boh...

> except ONE DC, which does not return anything:

OK, supposing an xID/ACL trouble, this morning I copied the 'idmap.ldb'
from the DC with the FSMO roles to the malfunctioning DC, but I still get an
empty answer from the malfunctioning DC.

I've done an 'ldap compare' and all seems in sync:

 root@vdcsv1:~# samba-tool ldapcmp ldap://vdcsv1.ad.fvg.lnf.it ldap://vdcpp1.ad.fvg.lnf.it -U gaio
 Password for [LNFFVG\gaio]: 
 * Comparing [DOMAIN] context...
 * Objects to be compared: 1312
 * Result for [DOMAIN]: SUCCESS
 * Comparing [CONFIGURATION] context...
 * Objects to be compared: 1673
 * Result for [CONFIGURATION]: SUCCESS
 * Comparing [SCHEMA] context...
 * Objects to be compared: 1556
 * Result for [SCHEMA]: SUCCESS
 * Comparing [DNSDOMAIN] context...
 * Objects to be compared: 310
 * Result for [DNSDOMAIN]: SUCCESS
 * Comparing [DNSFOREST] context...
 * Objects to be compared: 41
 * Result for [DNSFOREST]: SUCCESS

Why?!

> Why?!

Sorry but... can someone point me in the right direction? I really don't
know how to look for that problem...

To summarize:

a) an LDAP lookup for some data works on ALL DCs except one
b) on that non-working DC, a direct query against the sam.ldb reveals that
   the data is here (so it seems to me an ACL problem)
c) checking sync status between DCs reveals no sync troubles.

Where can I look? Thanks.
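
An added example, not part of the original thread: a shell helper that reduces each DC's ldapsearch output to a sorted fingerprint and names the DCs whose answer differs from a reference DC, automating the by-hand comparison in the messages above. The sample outputs are constructed (trimmed from the runs in the thread), the function names ldif_fingerprint and diverging_dcs are hypothetical, and unfolded LDIF is assumed.

```shell
#!/usr/bin/env bash
# Added example: find DCs whose LDAP answer differs from a reference DC.
# Sample outputs below are constructed (trimmed from the thread's runs).
# Assumes unfolded LDIF with one attribute value per line.

ref_out='dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
rfc822MailMember: gaio
rfc822MailMember: marco.gaiarin

ref: ldap://ad.fvg.lnf.it/CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it'

# Same entry with values in another order: must not count as a difference.
reordered_out='dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
rfc822MailMember: marco.gaiarin
rfc822MailMember: gaio'

# Only a referral comes back, as on vdcpp1 in the thread.
empty_out='ref: ldap://ad.fvg.lnf.it/CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it'

# Reduce ldapsearch output on stdin to sorted "dn|attribute: value" lines.
# Comments, referrals and the result trailer are dropped, so only the
# entries a DC actually returned take part in the comparison.
ldif_fingerprint() {
  awk '
    /^#/ || /^ref: / || /^search: / || /^result: / { next }
    /^$/     { dn = ""; next }
    /^dn: /  { dn = substr($0, 5); print dn "|"; next }
    dn != "" { print dn "|" $0 }
  ' | LC_ALL=C sort
}

# Usage: diverging_dcs REF_TEXT NAME TEXT [NAME TEXT ...]
# Prints the NAME of every DC whose fingerprint differs from the reference.
diverging_dcs() {
  local ref_fp name fp
  ref_fp=$(printf '%s\n' "$1" | ldif_fingerprint); shift
  while [ "$#" -ge 2 ]; do
    name=$1
    fp=$(printf '%s\n' "$2" | ldif_fingerprint)
    [ "$fp" = "$ref_fp" ] || printf '%s\n' "$name"
    shift 2
  done
}

# Prints "vdcpp1": the reordered answer matches, the referral-only one does not.
diverging_dcs "$ref_out" vdcsv2 "$reordered_out" vdcpp1 "$empty_out"
```

On a live domain, each TEXT argument would be the captured output of the same ldapsearch command run against one DC with the same bind DN, so a difference points at that DC's LDAP answer rather than at the query.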