I need to do a simple query, against some LDAP data in 'laster draft schema' format i've added to te samba/AD schema. All LDAP query return the same result on all (6) of the DC: root at vdcsv1:~# ldapsearch -H ldap://vdcsv2.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember Enter LDAP Password: # extended LDIF # # LDAPv3 # base <DC=ad,DC=fvg,DC=lnf,DC=it> with scope subtree # filter: (cn=prova123) # requesting: rfc822MailMember # # prova123, Aliases, FVG, ad.fvg.lnf.it dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it rfc822MailMember: gaio rfc822MailMember: marco.gaiarin # search reference ref: ldap://ad.fvg.lnf.it/CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it # search reference ref: ldap://ad.fvg.lnf.it/DC=DomainDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it # search reference ref: ldap://ad.fvg.lnf.it/DC=ForestDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it # search result search: 2 result: 0 Success # numResponses: 5 # numEntries: 1 # numReferences: 3 past ONE dc, that does not return nothing: root at vdcsv1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember Enter LDAP Password: # extended LDIF # # LDAPv3 # base <DC=ad,DC=fvg,DC=lnf,DC=it> with scope subtree # filter: (cn=prova123) # requesting: rfc822MailMember # # search reference ref: ldap://ad.fvg.lnf.it/CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it # search reference ref: ldap://ad.fvg.lnf.it/DC=DomainDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it # search reference ref: ldap://ad.fvg.lnf.it/DC=ForestDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it # search result search: 2 result: 0 Success # numResponses: 4 # numReferences: 3 I've checked on that DC with 'samba-tool drs showrepl', and seems all OK. What happens? Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
> I've checked on that DC with 'samba-tool drs showrepl', and seems all > OK.Forgt to say: data seems here. Acessing directly the sam.ldb on the guity AD: root at vdcpp1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=ad,DC=fvg,DC=lnf,DC=it" "(cn=prova123)" rfc822MailMember # record 1 dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it rfc822MailMember: gaio rfc822MailMember: marco.gaiarin # Referral ref: ldap://ad.fvg.lnf.it/CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it # Referral ref: ldap://ad.fvg.lnf.it/DC=DomainDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it # Referral ref: ldap://ad.fvg.lnf.it/DC=ForestDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it # returned 4 records # 1 entries # 3 referrals Boh... -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
> past ONE dc, that does not return nothing:Ok, supposing a xID/ACL trouble, this morning i've copied the 'idmap.ldb' from the DC with FSMO roles to the mulfunctioning DC, but still i get empty answer from the mulfunctioning DC. I've done a 'ldap compare' and all seems in sync: root at vdcsv1:~# samba-tool ldapcmp ldap://vdcsv1.ad.fvg.lnf.it ldap://vdcpp1.ad.fvg.lnf.it -U gaio Password for [LNFFVG\gaio]: * Comparing [DOMAIN] context... * Objects to be compared: 1312 * Result for [DOMAIN]: SUCCESS * Comparing [CONFIGURATION] context... * Objects to be compared: 1673 * Result for [CONFIGURATION]: SUCCESS * Comparing [SCHEMA] context... * Objects to be compared: 1556 * Result for [SCHEMA]: SUCCESS * Comparing [DNSDOMAIN] context... * Objects to be compared: 310 * Result for [DNSDOMAIN]: SUCCESS * Comparing [DNSFOREST] context... * Objects to be compared: 41 * Result for [DNSFOREST]: SUCCESS Why?! -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
> Why?!Sorry but... someone can point me in the right direction? Really i don't know how to look for that problem... I summarize: a) an LDAP lookup for some data works in ALL DC past one b) in that non-working DC, a direct query against the sam.ldb reveal that data are here (so, seems to me an ACL problem) c) checking sync status between DCs reveal no sync troubles. Where i can look for? Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)