> Turns out I made a dumb mistake. I did a kinit before ldapcmp, but > omitted the "-k 1" on the latter. When I do it correctly, all three DC's > are exactly the same. Phew.I thought kinit is not required on samba-tool ldapcmp I just tried _with_ kinit, and only saw the same differences on whenChanged. MJ
On Mon, 11 May 2015, mourik jan heupink wrote:> I thought kinit is not required on samba-tool ldapcmpOne can either kinit and use "-k 1" with ldapcmp, or use -Uadministrator instead. Without either, I get masses of differences (attributes that cannot be read). With either kinit or -U, I get exact equality for all three DC's. Steve
On 5/11/2015 13:38, Steve Thompson wrote:> One can either kinit and use "-k 1" with ldapcmp, or use -Uadministrator > instead. Without either, I get masses of differences (attributes that > cannot be read). With either kinit or -U, I get exact equality for all > three DC's.Ok, I do neither: I simply logon as root, and type: samba-tool ldapcmp ldap://dc3 ldap://dc2 --filter=whenChanged (nothing else!) and this checks all attributes. (and again: I just tried with kinit, and it gives identical results)