mourik jan heupink - merit
2014-Sep-16 17:27 UTC
[Samba] 4.1.12: ldapcmp differences on attribute 'whenChanged'
Hi all,
I have just updated our dc's from sernet 4.1.11 to sernet 4.1.12. And
suddenly since that update, we're getting many ldapcmp failures on the
attribute 'whenChanged'. In 4.1.11 life was good, and ldapcmp reported
no differences at all.
Here is a sample: (dc2 <-> dc3)
Comparing:
'CN=podcast,CN=Users,DC=samba,DC=company,DC=com' [ldap://dc2]
'CN=podcast,CN=Users,DC=samba,DC=company,DC=com' [ldap://dc3]
Difference in attribute values:
whenChanged =>
['20140507142704.0Z']
['20140715153329.0Z']
FAILED
and: (dc2 <-> dc4)
Comparing:
'CN=podcast,CN=Users,DC=samba,DC=company,DC=com' [ldap://dc2]
'CN=podcast,CN=Users,DC=samba,DC=company,DC=com' [ldap://dc4]
Difference in attribute values:
whenChanged =>
['20140507142704.0Z']
['20140826123226.0Z']
FAILED
As you can see, all three dc's have a different 'whenChanged' attribute
value.
I started thinking that perhaps the 'starting' "whenChanged" is the
time that the DC is installed (meaning: replicated for the first time),
and that only after the first actual change in the AD, the whenChanged
is updated and replicated to all DC's.
So, I changed something in CN=podcast, and tested again:
Comparing:
'CN=podcast,CN=Users,DC=samba,DC=merit,DC=unu,DC=edu' [ldap://dc4]
'CN=podcast,CN=Users,DC=samba,DC=merit,DC=unu,DC=edu' [ldap://dc3]
Difference in attribute values:
whenChanged =>
['20140916171443.0Z']
['20140916171433.0Z']
FAILED
Comparing:
'CN=podcast,CN=Users,DC=samba,DC=merit,DC=unu,DC=edu' [ldap://dc2]
'CN=podcast,CN=Users,DC=samba,DC=merit,DC=unu,DC=edu' [ldap://dc4]
Difference in attribute values:
whenChanged =>.
['20140916171503.0Z']
['20140916171443.0Z']
FAILED
So what I guess now, is that 'whenChanged' is actually the LOCAL time on
the specific DC that the change was RECEIVED. So its value can change a
bit between dc's, slow replication lines, etc, etc.
I have also seen this bug report:
https://bugzilla.samba.org/show_bug.cgi?id=10788
and I'm not sure if that patch is included in 4.1.12, but in that patch
I see some mention of attribute 'whenChanged'. One example:
+ # "whenChanged", # This is implicitly replicated
So... all very interesting, but what are you seeing on your AD's? Anyone
running sernet 4.1.12, and tried ldapcmp already? Are you seeing the
same as us?
Mourik Jan
mourik jan heupink - merit
2014-Sep-16 17:38 UTC
[Samba] 4.1.12: ldapcmp differences on attribute 'whenChanged'
> I have also seen this bug report:
> https://bugzilla.samba.org/show_bug.cgi?id=10788
> and I'm not sure if that patch is included in 4.1.12, but in that patch
> I see some mention of attribute 'whenChanged'. One example:
>
> + # "whenChanged", # This is implicitly replicated
>
I checked my local 4.1.12 ldapcmp.py, and it contains exactly the above
line, including that it's *commented out*.
If I remove the comment sign, my ldapcmp finishes successfully again.
Sooo... Should I add this whole exercise to this bug report? Are you
observing the same behaviour in your S4 AD's?
I guess this can be considered a bug?
Regards,
MJ
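Added example, not part of the original posts and not Samba code: a small parser for ldapcmp output in the format quoted in this thread, which measures how far apart the two 'whenChanged' values are for each compared object so that seconds-level differences can be told apart from month-level ones. The function name and the 60-second tolerance are assumptions made for illustration.

```python
import re
from datetime import datetime

# Sample copied from the ldapcmp output quoted in the thread.
SAMPLE = """Comparing:
'CN=podcast,CN=Users,DC=samba,DC=company,DC=com' [ldap://dc2]
'CN=podcast,CN=Users,DC=samba,DC=company,DC=com' [ldap://dc3]
Difference in attribute values:
whenChanged =>
['20140507142704.0Z']
['20140715153329.0Z']
FAILED
Comparing:
'CN=podcast,CN=Users,DC=samba,DC=merit,DC=unu,DC=edu' [ldap://dc4]
'CN=podcast,CN=Users,DC=samba,DC=merit,DC=unu,DC=edu' [ldap://dc3]
Difference in attribute values:
whenChanged =>
['20140916171443.0Z']
['20140916171433.0Z']
FAILED
"""

ENTRY = re.compile(r"^'(?P<dn>.+)' \[(?P<url>ldap://[^\]]+)\]$")
ATTR = re.compile(r"^(?P<name>\w+) =>\.?$")           # tolerates a stray trailing dot
VALUE = re.compile(r"^\['(?P<ts>\d{14})\.0Z'\]$")     # LDAP generalized time, UTC

def parse_time(ts):
    return datetime.strptime(ts, "%Y%m%d%H%M%S")

def whenchanged_skew(text, tolerance=60):
    """Return (dn, url_a, url_b, seconds, verdict); tolerance is an assumed threshold."""
    lines = [l.strip() for l in text.splitlines()]
    results, current = [], None
    for i, line in enumerate(lines):
        if line == "Comparing:" and i + 2 < len(lines):
            a, b = ENTRY.match(lines[i + 1]), ENTRY.match(lines[i + 2])
            current = (a["dn"], a["url"], b["url"]) if a and b else None
        m = ATTR.match(line)
        if current and m and m["name"] == "whenChanged" and i + 2 < len(lines):
            va, vb = VALUE.match(lines[i + 1]), VALUE.match(lines[i + 2])
            if va and vb:
                delta = abs((parse_time(va["ts"]) - parse_time(vb["ts"])).total_seconds())
                verdict = "within tolerance" if delta <= tolerance else "exceeds tolerance"
                results.append((*current, int(delta), verdict))
    return results

if __name__ == "__main__":
    for row in whenchanged_skew(SAMPLE):
        print(row)
```

Differences of other attributes in the same output are ignored by this sketch; only 'whenChanged' pairs are measured.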