Hi all,

It seems "samba-tool ldapcmp" does not support too many items in Samba's database.

Playing for a while with the DB, I was never able to run ldapcmp successfully. So yesterday I installed a platform to fill my two small DCs piece by piece and to run ldapcmp. The process follows.

Test platform: 2 DCs using Debian 8.1 "net install" with only system tools, up to date, almost nothing added (munin-node, vim, ssh, gmond) and using Sernet Samba version 4.2.3.

The DC with FSMO is named deb1.domain.tld and provisioned with:
samba-tool domain provision --use-rfc2307 --server-role=dc --realm=domain.tld --domain=domain --adminpass=Passw0rd

The backup DC is joined using:
samba-tool domain join domain.tld dc -Uadministrator --realm=domain.tld --domain-critical-only

I expect I didn't wait long enough for the database to be fully synchronized, as the following command was complaining about some "whenChanged" attribute on different objects.
samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain

To solve these little differences I first ran:
samba-tool drs replicate deb2 deb1 'dc=domain,dc=tld' --sync-all --full-sync --sync-forced

This solved most of the "whenChanged" issue, except for 'CN=DEB2,OU=Domain Controllers,DC=domain,DC=tld' which was still different on both domains:
---------------------------------------------------------------------------------
deb2:~# samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain

* Comparing [DOMAIN] context...

* Objects to be compared: 4790

Comparing:
'CN=DEB2,OU=Domain Controllers,DC=domain,DC=tld' [ldap://deb2.domain.tld]
'CN=DEB2,OU=Domain Controllers,DC=domain,DC=tld' [ldap://deb1.domain.tld]
    Difference in attribute values:
        whenChanged =>
            ['20150901085454.0Z']
            ['20150901085438.0Z']
    FAILED

* Result for [DOMAIN]: FAILURE

SUMMARY
---------

Attributes with different values:

    whenChanged
ERROR: Compare failed: -1
---------------------------------------------------------------------------------

Finally I ran drs replicate both ways:
samba-tool drs replicate deb2 deb1 'dc=domain,dc=tld' --sync-all --full-sync --sync-forced
samba-tool drs replicate deb1 deb2 'dc=domain,dc=tld' --sync-all --full-sync --sync-forced

And the "whenChanged" misconfiguration was solved.

Then I added users in bunches of 5000, and once they were all auto-replicated I re-ran ldapcmp on both DCs, both ways:
samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain
samba-tool ldapcmp ldap://deb1.domain.tld ldap://deb2.domain.tld domain
With absolutely no issue:
---------------------------------------------------------------------------------
samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain

* Comparing [DOMAIN] context...

* Objects to be compared: 34790

* Result for [DOMAIN]: SUCCESS
---------------------------------------------------------------------------------
samba-tool ldapcmp ldap://deb1.domain.tld ldap://deb2.domain.tld domain

* Comparing [DOMAIN] context...

* Objects to be compared: 34790

* Result for [DOMAIN]: SUCCESS
---------------------------------------------------------------------------------

until I reached 39790 objects in the database:
---------------------------------------------------------------------------------
samba-tool ldapcmp ldap://deb2.domain.tld ldap://deb1.domain.tld domain

* Comparing [DOMAIN] context...

* Objects to be compared: 39790
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_UNEXPECTED_NETWORK_ERROR
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 983, in run
    if b1 == b2:
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 774, in __eq__
    outf=self.outf, errf=self.errf)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 396, in __init__
    self.attributes = self.con.get_attributes(self.dn)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 207, in get_attributes
    res = self.ldb.search(base=object_dn, scope=SCOPE_BASE, attrs=["*"])
---------------------------------------------------------------------------------
samba-tool ldapcmp ldap://deb1.domain.tld ldap://deb2.domain.tld domain

* Comparing [DOMAIN] context...

* Objects to be compared: 39790
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_UNEXPECTED_NETWORK_ERROR
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 983, in run
    if b1 == b2:
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 774, in __eq__
    outf=self.outf, errf=self.errf)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 396, in __init__
    self.attributes = self.con.get_attributes(self.dn)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 207, in get_attributes
    res = self.ldb.search(base=object_dn, scope=SCOPE_BASE, attrs=["*"])
---------------------------------------------------------------------------------

These errors were the very same on both DCs.

Is there a limit on the number of objects to be able to run ldapcmp?

Kind regards,

mathias

Hi Mathias,

I am under the impression that whenChanged is one of the fields that do not replicate. Therefore we run ldapcmp like:

samba-tool ldapcmp ldap://dcX ldap://dcY --filter=whenChanged

Hope that helps,
MJ

On 09/01/2015 02:45 PM, mathias dufresne wrote:
> Hi all,
>
> It seems "samba-tool ldapcmp" does not support too many items in Samba's
> database.
> [...]
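
What excluding whenChanged from a comparison does to the result, shown as an added example (not Samba's ldapcmp code and not written by anyone in the thread): a small Python comparison of two LDIF exports by DN. The function names, the user1/user2 entries and both dumps are constructed for illustration; only the DEB2 object and its two timestamps come from the output quoted above.

```python
import base64

def parse_ldif(text):
    """Parse LDIF into {lowercased DN: {lowercased attribute: set(values)}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn = {}, None
    for line in lines:
        name, sep, value = line.partition(":")
        if not line.strip():                # blank line ends the current entry
            dn = None
        elif sep and not line.startswith("#"):
            if value.startswith(":"):       # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            if name.lower() == "dn":
                dn = value.strip().lower()
                entries[dn] = {}
            elif dn is not None:
                entries[dn].setdefault(name.lower(), set()).add(value.strip())
    return entries

def compare(a, b, ignore=()):
    """List (dn, attribute or 'missing on ...') differences, skipping `ignore`."""
    skip, diffs = {x.lower() for x in ignore}, []
    for dn in sorted(set(a) | set(b)):
        if dn not in a or dn not in b:
            diffs.append((dn, "missing on " + ("first" if dn not in a else "second")))
            continue
        for attr in sorted((set(a[dn]) | set(b[dn])) - skip):
            if a[dn].get(attr) != b[dn].get(attr):
                diffs.append((dn, attr))
    return diffs

# Constructed sample dumps; the DEB2 object and timestamps are those quoted in the thread.
DEB2_DUMP = """dn: CN=DEB2,OU=Domain Controllers,DC=domain,DC=tld
whenChanged: 20150901085454.0Z

dn: CN=user1,CN=Users,DC=domain,DC=tld
description:: dGVzdCB1c2Vy
"""
DEB1_DUMP = """dn: CN=DEB2,OU=Domain Controllers,
 DC=domain,DC=tld
whenChanged: 20150901085438.0Z

dn: CN=user1,CN=Users,DC=domain,DC=tld
description: test user

dn: CN=user2,CN=Users,DC=domain,DC=tld
"""
if __name__ == "__main__":
    print(compare(parse_ldif(DEB2_DUMP), parse_ldif(DEB1_DUMP), ignore=["whenChanged"]))
```

With whenChanged ignored, the timestamp mismatch on the DEB2 object is no longer reported, while the constructed user2 entry that exists in only one dump still is.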

Hi Mourik,

whenChanged was replicated in my test once I did replicate both ways, so it seems to me it is supposed to be replicated... Then the fact it is not always replicated seems to me an issue.

Perhaps a bug report for these two issues (whenChanged not always replicated and ldapcmp hanging once the DB is too full) would be the right way to proceed...

Cheers,

mat

2015-09-03 10:42 GMT+02:00 mourik jan heupink <heupink at merit.unu.edu>:
> Hi Mathias,
>
> I am under the impression that whenChanged is one of the fields that do
> not replicate. Therefore we run ldapcmp like:
>
> samba-tool ldapcmp ldap://dcX ldap://dcY --filter=whenChanged
>
> Hope that helps,
> MJ
>
> On 09/01/2015 02:45 PM, mathias dufresne wrote:
>> [...]