samba - Sep 2014 - 4.1.12: ldapcmp differences on attribute 'whenChanged'

Hi all,

I have just updated our dc's from sernet 4.1.11 to sernet 4.1.12. And 
suddenly since that update, we're getting many ldapcmp failures on the 
attribute 'whenChanged'. In 4.1.11 life was good, and ldapcmp reported 
no differences at all.

Here is a sample: (dc2 <-> dc3)

Comparing:
'CN=podcast,CN=Users,DC=samba,DC=company,DC=com' [ldap://dc2]
'CN=podcast,CN=Users,DC=samba,DC=company,DC=com' [ldap://dc3]
     Difference in attribute values:
         whenChanged =>
['20140507142704.0Z']
['20140715153329.0Z']
     FAILED

and: (dc2 <-> dc4)

Comparing:
'CN=podcast,CN=Users,DC=samba,DC=company,DC=com' [ldap://dc2]
'CN=podcast,CN=Users,DC=samba,DC=company,DC=com' [ldap://dc4]
     Difference in attribute values:
         whenChanged =>
['20140507142704.0Z']
['20140826123226.0Z']
     FAILED

As you can see, all three dc's have a different 'whenChanged'
attribute
value.

I'm started thinking that perhaps the 'starting'
"whenChanged" is the
time that the DC is installed (meaning: replicated for the first time), 
and that only after the first actual change in the AD, the whenChanged 
is updated and replicated to all DC's.

So, I changed something in CN=podcast, and tested again:

Comparing:
'CN=podcast,CN=Users,DC=samba,DC=merit,DC=unu,DC=edu' [ldap://dc4]
'CN=podcast,CN=Users,DC=samba,DC=merit,DC=unu,DC=edu' [ldap://dc3]
     Difference in attribute values:
         whenChanged =>
['20140916171443.0Z']
['20140916171433.0Z']
     FAILED

Comparing:
'CN=podcast,CN=Users,DC=samba,DC=merit,DC=unu,DC=edu' [ldap://dc2]
'CN=podcast,CN=Users,DC=samba,DC=merit,DC=unu,DC=edu' [ldap://dc4]
     Difference in attribute values:
         whenChanged =>.
['20140916171503.0Z']
['20140916171443.0Z']
     FAILED

So what I guess now, is that 'whenChanged' is actually the LOCAL time on
the specific DC that the change was RECEIVED. So it's value can change a 
bit between dc's, slow replication lines, etc, etc.

I have also seen this bugreport:
https://bugzilla.samba.org/show_bug.cgi?id=10788
and I'm not sure if that patch is included in 4.1.12, but in that patch 
I see some mention of attribute 'whenChanged'. One example:

+                # "whenChanged", # This is implicitly replicated


So... all very interesting, but what are you seeing on your AD's? Anyone 
running sernet 4.1.12, and tried ldapcmp already? Are you seeing the 
same as us?

Mourik Jan

> I have also seen this bugreport:
> https://bugzilla.samba.org/show_bug.cgi?id=10788
> and I'm not sure if that patch is included in 4.1.12, but in that patch
> I see some mention of attribute 'whenChanged'. One example:
>
> +                # "whenChanged", # This is implicitly replicated
>
I checked my local 4.1.12 ldapcmp.py, and it contains exactly the above 
line, including that it's *commented out*.

If I remove the comment sign, my ldapcmp finishes successfully again.

Sooo... Should I add this whole excersise to this bugreport? Are you 
observing the same behaviour in your S4 AD's? I guess this can be 
considered a bug?

Regards,
MJ