Sinelnikov Evgeniy
2016-Feb-11 18:44 UTC
[Samba] Schema extension for Exchange and WERR_DS_DRA_SCHEMA_MISMATCH
Hello,

A couple of days ago I wrote a message about a replication problem with Exchange to samba-technical@:
https://lists.samba.org/archive/samba-technical/2016-February/112019.html

The problem I want to resolve looks like "exchange schema _not_ installed on the samba4 AD DC":
https://lists.samba.org/archive/samba/2015-May/191636.html

I tried to search for additional information and found an old message about the same problem:
https://lists.samba.org/archive/samba-technical/2013-February/090513.html

Could anybody say something about Samba's readiness "to be used an exchange server" with all needed "ldap controls / construction that are required by exchange" at the current time?

At this time I don't understand how to know which schema is really applied on a Samba DC after joining it to an existing domain. I tried to verify it for my current configuration:
- dc01 - Windows 2003 R2 with Exchange 2003 extended schema
- dc02 - CentOS 7.2 with Samba-4.3.4
_________________________________
First, I got the LDIF on Linux with ldbsearch:
_________________________________
$ ldbsearch --paged -S -k yes -H ldap://dc01.company3.dd -b CN=Schema,CN=Configuration,DC=company3,DC=dd '(objectclass=*)'
$ ldbsearch --paged -S -k yes -H ldap://dc02.company3.dd -b CN=Schema,CN=Configuration,DC=company3,DC=dd '(objectclass=*)'

The attribute comparison looks like this:
...
@@ -74427,8 +74427,8 @@ schemaIDGUID: d2888db3-2b0d-4d6a-831e-4efdfc036584 searchFlags: 0 showInAdvancedViewOnly: TRUE -uSNChanged: 24179 -uSNCreated: 24179 +uSNChanged: 2061 +uSNCreated: 2061 whenChanged: 20160127131052.0Z whenCreated: 20160127131052.0Z 
@@ -74453,23 +74453,32 @@ objectClass: dMD objectGUID: 7a51a45f-0110-445f-977a-6e9dbe745abd objectVersion: 30 -prefixMap:: CAAAAIIAAAA0EwsAKoZIhvcUAQS2WGZLEwsAKoZIhvcUAQW2WD5lEwwAKoZIhvcUAQ - S2WGaDaBMMACqGSIb3FAEEtlhmgYITDAAqhkiG9xQBBbZYPoESFAwAKoZIhvcUAQW2WD6DpBUKACq - GSIb3FAEGFAGqFQoAKoZIhvcUAQYUAg=-repsTo:: AQAAAAAAAAAUAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2AAAADwAAAAQAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKX3QKCbVzp - Om7VKH4rY8V0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOAAAAGEwNDBm - N2E1LTU3OWItNGUzYS05YmI1LTRhMWY4YWQ4ZjE1ZC5fbXNkY3MuY29tcGFueTMuZGQA -repsTo:: AQAAAAAAAAAUAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2AAAADwAAAAQAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALaL9n9hzQp - HgOGari5Kz5oAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOAAAADdmZjY4 - YmI2LWNkNjEtNDcwYS04MGUxLTlhYWUyZTRhY2Y5YS5fbXNkY3MuY29tcGFueTMuZGQA +prefixMap: 0:2.5.4;1:2.5.6;2:1.2.840.113556.1.2;3:1.2.840.113556.1.3;4:2.16.84 + 0.1.101.2.2.1;5:2.16.840.1.101.2.2.3;6:2.16.840.1.101.2.1.5;7:2.16.840.1.101. + 2.1.4;8:2.5.5;9:1.2.840.113556.1.4;10:1.2.840.113556.1.5;19:0.9.2342.19200300 + .100;20:2.16.840.1.113730.3;21:0.9.2342.19200300.100.1;22:2.16.840.1.113730.3 + .1;23:1.2.840.113556.1.5.7000;24:2.5.21;25:2.5.18;26:2.5.20;11:1.2.840.113556 + .1.4.260;12:1.2.840.113556.1.5.56;13:1.2.840.113556.1.4.262;14:1.2.840.113556 + .1.5.57;15:1.2.840.113556.1.4.263;16:1.2.840.113556.1.5.58;17:1.2.840.113556. + 1.5.73;18:1.2.840.113556.1.4.305;27:1.3.6.1.4.1.1466.101.119;28:2.16.840.1.11 + 3730.3.2;29:1.3.6.1.4.1.250.1;30:1.2.840.113549.1.9;31:0.9.2342.19200300.100. 
+ 4;32:1.2.840.113556.1.6.23;33:1.2.840.113556.1.6.18.1;34:1.2.840.113556.1.6.1 + 8.2;35:1.2.840.113556.1.6.13.3;36:1.2.840.113556.1.6.13.4;37:1.3.6.1.1.1.1;38 + :1.3.6.1.1.1.2;4916:1.2.840.113556.1.4.7000.102;4939:1.2.840.113556.1.5.7000. + 62;4965:1.2.840.113556.1.4.7000.102:0x83;4968:1.2.840.113556.1.4.7000.102:0x8 + 1;4994:1.2.840.113556.1.5.7000.62:0x81;5138:1.2.840.113556.1.5.7000.62:0x83;5 + 540:1.2.840.113556.1.6.20.1;5546:1.2.840.113556.1.6.20.2 +replUpToDateVector:: AgAAAAAAAAABAAAAAAAAAAXiIq5GX+9IsWUn30RohDuloAAAAAAAABZZz + QwDAAAA +repsFrom:: AQAAAAAAAAAMAQAAAAAAABdZzQwDAAAAF1nNDAMAAAAAAAAA0AAAADwAAAB0AAAAERE + RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERER + ERERERERERERERERERERERERERERERERAAAAAHugAAAAAAAAAAAAAAAAAAB7oAAAAAAAAAXiIq5GX + +9IsWUn30RohDsF4iKuRl/vSLFlJ99EaIQ7AAAAAAAAAAAAAAAAAAAAADgAAABhZTIyZTIwNS01Zj + Q2LTQ4ZWYtYjE2NS0yN2RmNDQ2ODg0M2IuX21zZGNzLmNvbXBhbnkzLmRkAA= schemaInfo:: /wAACG4F4iKuRl/vSLFlJ99EaIQ7 showInAdvancedViewOnly: TRUE -uSNChanged: 25028 -uSNCreated: 4102 +uSNChanged: 8 +uSNCreated: 8 whenChanged: 20160127131142.0Z whenCreated: 20160127092803.0Z _________________________________ At second, I got a list of attribuites on Windows with adexplorer: _________________________________ attribute comparison looks here as is: 
@@ -10,11 +10,12 @@ objectClass OID 2 top;dMD objectGUID OctetString 1 {7A51A45F-0110-445F-977A-6E9DBE745ABD} objectVersion Integer 1 30 -prefixMap OctetString 1 8 0 0 0 130 0 0 0 52 19 11 0 42 134 72 134 247 20 1 4 182 88 102 75 19 11 0 42 134 72 134 247 20 1 5 182 88 62 101 19 12 0 42 134 72 134 247 20 1 4 182 88 102 131 104 19 12 0 42 134 72 134 247 20 1 4 182 88 102 129 130 19 12 0 42 134 72 134 247 20 1 5 182 88 62 129 18 20 12 0 42 134 72 134 247 20 1 5 182 88 62 131 164 21 10 0 42 134 72 134 247 20 1 6 20 1 170 21 10 0 42 134 72 134 247 20 1 6 20 2 -repsTo ReplicaLink 2 1 0 0 0 0 0 0 0 20 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 216 0 0 0 60 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 165 247 64 160 155 87 58 78 155 181 74 31 138 216 241 93 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 56 0 0 0 97 48 52 48 102 55 97 53 45 53 55 57 98 45 52 101 51 97 45 57 98 98 53 45 52 97 49 102 56 97 100 56 102 49 53 100 46 95 109 115 100 99 115 46 99 111 109 112 97 110 121 51 46 100 100 0;1 0 0 0 0 0 0 0 20 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 216 0 0 0 60 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 182 139 246 127 97 205 10 71 128 225 154 17 +prefixMap OctetString 1 66 68 83 68 0 0 0 0 47 0 0 0 0 0 2 0 47 0 0 0 0 0 0 0 2 0 0 0 4 0 2 0 1 0 0 0 2 0 0 0 8 0 2 0 2 0 0 0 8 0 0 0 12 0 2 0 3 0 0 0 8 0 0 0 16 0 2 0 4 0 0 0 8 0 0 0 20 0 2 0 5 0 0 0 8 0 0 0 24 0 2 0 6 0 0 0 8 0 0 0 28 0 2 0 7 0 0 0 8 0 0 0 32 0 2 0 8 0 0 0 2 0 0 0 36 0 2 0 9 0 0 0 8 0 0 0 40 0 2 0 10 0 0 0 8 0 0 0 44 0 2 0 19 0 0 0 8 0 0 0 48 0 2 0 20 0 0 0 8 0 0 0 52 
0 2 0 21 0 0 0 9 0 0 0 56 0 2 0 22 0 0 0 9 0 0 0 60 0 2 0 23 0 0 0 10 0 0 0 64 0 2 0 24 0 0 0 2 0 0 0 68 0 2 0 25 0 0 0 2 0 0 0 72 0 2 0 26 0 0 0 2 0 0 0 76 0 2 0 11 0 0 0 10 0 0 0 80 0 2 0 12 0 0 0 9 0 0 0 84 0 2 0 13 0 0 0 10 0 0 0 88 0 2 0 14 0 0 0 9 0 0 0 92 0 2 0 15 0 0 0 10 0 0 0 96 0 2 0 16 0 0 0 9 0 0 0 100 0 2 0 17 0 0 0 9 0 0 0 104 0 2 0 18 0 0 0 10 0 0 0 108 0 2 0 27 0 0 0 9 0 0 0 112 0 2 0 28 0 0 0 9 0 0 0 116 0 2 0 29 0 0 0 8 0 0 0 120 0 2 0 30 0 0 0 8 0 0 0 124 0 2 0 31 0 0 0 9 0 0 0 128 0 2 0 32 0 0 0 9 0 0 0 132 0 2 0 33 0 0 0 10 0 0 0 136 0 2 0 34 0 0 0 10 0 0 0 140 0 2 0 35 0 0 0 10 0 0 0 144 0 2 0 36 0 0 0 10 0 0 0 148 0 2 0 37 0 +replUpToDateVector OctetString 1 2 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 5 226 34 174 70 95 239 72 177 101 39 223 68 104 132 59 197 160 0 0 0 0 0 0 62 90 205 12 3 0 0 0 +repsFrom ReplicaLink 1 1 0 0 0 0 0 0 0 12 1 0 0 0 0 0 0 62 90 205 12 3 0 0 0 62 90 205 12 3 0 0 0 0 0 0 0 208 0 0 0 60 0 0 0 116 0 0 0 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 0 0 0 0 165 160 0 0 0 0 0 0 0 0 0 0 0 0 0 0 165 160 0 0 0 0 0 0 5 226 34 174 70 95 239 72 177 101 39 223 68 104 132 59 5 226 34 174 70 95 239 72 177 101 39 223 68 104 132 59 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 56 0 0 0 97 101 50 50 101 50 48 53 45 53 102 52 54 45 52 56 101 102 45 98 49 54 53 45 50 55 100 102 52 52 54 56 56 52 51 98 46 95 109 115 100 99 115 46 99 111 109 112 97 110 121 51 46 100 100 0 schemaInfo OctetString 1 255 0 0 8 110 5 226 34 174 70 95 239 72 177 101 39 223 68 104 132 59 showInAdvancedViewOnly Boolean 1 TRUE -uSNChanged Integer8 1 0x61C4 -uSNCreated Integer8 1 0x1006 +uSNChanged Integer8 1 0x8 +uSNCreated Integer8 1 0x8 whenChanged GeneralizedTime 1 27.01.2016 13:11:42 whenCreated GeneralizedTime 1 27.01.2016 9:28:03 _____________________________ At finally, 
problem looks like a WERR_DS_DRA_SCHEMA_MISMATCH replication problem during replication from Samba DC on Windows DC, but not vice versa:

# samba-tool drs replicate dc01 dc02 dc=company3,dc=dd
Start replicating for source GUID a040f7a5-579b-4e3a-9bb5-4a1f8ad8f15d.
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8418, 'WERR_DS_DRA_SCHEMA_MISMATCH')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 349, in run
    drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

# samba-tool drs replicate dc02 dc01 dc=company3,dc=dd
Start replicating for source GUID ae22e205-5f46-48ef-b165-27df4468843b.
Replicate from dc01 to dc02 was successful.

Also, schema replication looks like it works fine:

# samba-tool drs replicate dc02 dc01 cn=Schema,cn=Configuration,dc=company3,dc=dd
Start replicating for source GUID ae22e205-5f46-48ef-b165-27df4468843b.
Replicate from dc01 to dc02 was successful.

# samba-tool drs replicate dc01 dc02 cn=Schema,cn=Configuration,dc=company3,dc=dd
Start replicating for source GUID a040f7a5-579b-4e3a-9bb5-4a1f8ad8f15d.
Replicate from dc02 to dc01 was successful.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dc01-dc02-adexplorer-schemas.txt
URL: <http://lists.samba.org/pipermail/samba/attachments/20160211/dc28d0ef/dc01-dc02-adexplorer-schemas.txt>
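
Review bot: in the @@ -74453 hunk of the ldbsearch comparison, every changed line (prefixMap, repsTo, repsFrom, replUpToDateVector, uSNChanged, uSNCreated) is a value that each DC maintains for itself, while objectVersion and schemaInfo sit in the unchanged context lines, so this hunk does not isolate a schema difference between dc01 and dc02. The same holds for the @@ -74427 hunk, where only uSNChanged and uSNCreated differ. Suggest stripping those attributes from both dumps before diffing and comparing the attributeSchema and classSchema entries themselves, for example sorted by lDAPDisplayName.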
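
An added example, not part of the original post and not Samba code: it decodes the binary prefixMap that adexplorer showed for dc01 and checks each entry against the text ldbsearch printed for dc02, to see whether the prefixMap lines of the diff differ in content or only in encoding. The blob layout (u32 count, u32 size, then u16 index, u16 length and BER OID bytes per entry) is an assumption inferred from the bytes in the post, and the function names are hypothetical.

```python
import struct
# dc01 prefixMap bytes, copied from the adexplorer dump in the post.
DC01_BLOB = bytes(int(b) for b in """
8 0 0 0 130 0 0 0 52 19 11 0 42 134 72 134 247 20 1 4 182 88 102
75 19 11 0 42 134 72 134 247 20 1 5 182 88 62
101 19 12 0 42 134 72 134 247 20 1 4 182 88 102 131
104 19 12 0 42 134 72 134 247 20 1 4 182 88 102 129
130 19 12 0 42 134 72 134 247 20 1 5 182 88 62 129
18 20 12 0 42 134 72 134 247 20 1 5 182 88 62 131
164 21 10 0 42 134 72 134 247 20 1 6 20 1 170 21 10 0 42 134 72 134 247 20 1 6 20 2
""".split())
# dc02 entries for the same indices, copied from the ldbsearch output in the post.
DC02_TEXT = ("4916:1.2.840.113556.1.4.7000.102;4939:1.2.840.113556.1.5.7000.62;"
             "4965:1.2.840.113556.1.4.7000.102:0x83;4968:1.2.840.113556.1.4.7000.102:0x81;"
             "4994:1.2.840.113556.1.5.7000.62:0x81;5138:1.2.840.113556.1.5.7000.62:0x83;"
             "5540:1.2.840.113556.1.6.20.1;5546:1.2.840.113556.1.6.20.2")

def decode_oid_prefix(raw):
    """BER-decode an OID prefix; dangling continuation bytes print as :0x.."""
    arcs, value, tail = [raw[0] // 40, raw[0] % 40], 0, b""
    for b in raw[1:]:
        value, tail = (value << 7) | (b & 0x7F), tail + bytes([b])
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value, tail = 0, b""
    text = ".".join(map(str, arcs))
    return f"{text}:0x{tail.hex()}" if tail else text

def parse_dc01_blob(blob):
    """Assumed layout: u32 count, u32 size, then (u16 index, u16 len, bytes)."""
    count, size = struct.unpack_from("<II", blob, 0)
    if size != len(blob):
        raise ValueError("size field does not match blob length")
    table, off = {}, 8
    for _ in range(count):
        index, length = struct.unpack_from("<HH", blob, off)
        if length == 0 or off + 4 + length > len(blob):
            raise ValueError("entry runs past end of blob")
        table[index] = decode_oid_prefix(blob[off + 4:off + 4 + length])
        off += 4 + length
    return table

def mismatches(blob=DC01_BLOB, text=DC02_TEXT):
    """Indices whose prefix on dc01 is absent or different on dc02."""
    samba = dict(e.split(":", 1) for e in text.split(";"))
    return {i: p for i, p in parse_dc01_blob(blob).items() if samba.get(str(i)) != p}

if __name__ == "__main__":
    print(parse_dc01_blob(DC01_BLOB), mismatches())
```

For the values in the post, all eight prefixes stored on dc01 decode to the same index and OID prefix that dc02 lists, so that part of the diff reflects two encodings of the same entries.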