Marcio Demetrio Bacci
2019-Jul-25 14:25 UTC
[Samba] Possible problems with AD Schema in Samba 4
Hi,

I found that the base of Samba 4 DC is different from the base of Windows
Server 2008 DC. There are many mistakes when I make the comparison as the
result as follows (only parts of result):

samba-tool ldapcmp ldap://WINDC1 ldap://SAMBA4-DC -Uadministrator
Password for [EMPRESA\administrator]:

* Comparing [DOMAIN] context...

* DN lists have different size: 1787 != 1788

* DNs found only in ldap://WINDC1:
CN=TESTE-COMP,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
CN=MANE,CN=USERS,DC=EMPRESA,DC=COM,DC=BR

* DNs found only in ldap://SAMBA4-DC:
CN=COMP300061111,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
CN=BB,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
CN=WMANE,CN=USERS,DC=EMPRESA,DC=COM,DC=BR

* Objects to be compared: 1785

...

Comparing:
'CN=SERGIO,CN=USERS,DC=EMPRESA,DC=COM,DC=BR' [ldap://WINDC1]
'CN=SERGIO,CN=USERS,DC=EMPRESA,DC=COM,DC=BR' [ldap://SAMBA4-DC]
Difference in attribute values:
lastLogonTimestamp =>
[b'132076662777728517']
[b'132084540442594920']

FAILED

Comparing:
'CN=COMP10013,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR' [ldap://WINDC1]
'CN=COMP10013,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR' [ldap://SAMBA4-DC]
Difference in attribute values:
servicePrincipalName =>
[b'HOST/COMP10013', b'HOST/COMP10013.empresa.com.br', b'RestrictedKrbHost/COMP10013', b'RestrictedKrbHost/COMP10013.empresa.com.br', b'TERMSRV/COMP10013', b'TERMSRV/ass10013.empresa.com.br']
[b'HOST/COMP10013', b'HOST/COMP10013.empresa.com.br', b'RestrictedKrbHost/COMP10013', b'RestrictedKrbHost/COMP10013.empresa.com.br', b'TERMSRV/COMP10013', b'TERMSRV/COMP10013.empresa.com.br', b'TERMSRV/ass10013.empresa.com.br']

FAILED

...

FAILED
ERROR(<class 'KeyError'>): uncaught exception - 'mS-DS-CreatorSID'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 957, in run
    if b1.diff(b2):
  File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 781, in diff
    if object1 == object2:
  File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 549, in __eq__
    return self.cmp_attrs(other)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 590, in cmp_attrs
    if isinstance(self.attributes[x], list) and isinstance(other.attributes[x], list):

########################################

The Schema version of my Windows 2008 Server is 44 and I am using Samba
4.10.6-Debian:

ldbsearch -H /var/lib/samba/private/sam.ldb -b 'cn=Schema,cn=Configuration,dc=empresa,dc=com,dc=br' -s base objectVersion
# record 1
dn: CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
objectVersion: 44

# returned 1 records
# 1 entries
# 0 referrals

I believe that the problem is related as the Samba 4 works with AD Schema,
as found at: https://wiki.samba.org/index.php/AD_Schema_Version_Support

Would anyone have an idea how to solve this problem?

Regards,

Márcio Bacci
I don't think the problem is the schema. It's more likely a replication
problem.

Firstly, the Samba schema is only used when you provision a new domain.
In this case you have joined an existing Windows domain, so you are
using the *Windows* schema. (I think it's actually impossible to
provision a Samba domain with the 2008 schema - Samba only supports
2008R2 onwards).

Secondly, ldapcmp is not complaining because the base schema objects are
different. It's complaining because ordinary objects (and their
attributes) in your domain are different. The most likely cause is that
the 2 DCs aren't replicating with each other properly.

Try checking 'samba-tool drs showrepl'.

On 26/07/19 2:25 AM, Marcio Demetrio Bacci via samba wrote:
> Hi,
>
> I found that the base of Samba 4 DC is different from the base of Windows
> Server 2008 DC. There are many mistakes when I make the comparison as the
> result as follows (only parts of result):
>
> samba-tool ldapcmp ldap://WINDC1 ldap://SAMBA4-DC -Uadministrator
> Password for [EMPRESA\administrator]:
>
> * Comparing [DOMAIN] context...
>
> * DN lists have different size: 1787 != 1788
>
> * DNs found only in ldap://WINDC1:
> CN=TESTE-COMP,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
> CN=MANE,CN=USERS,DC=EMPRESA,DC=COM,DC=BR
>
> * DNs found only in ldap://SAMBA4-DC:
> CN=COMP300061111,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
> CN=BB,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
> CN=WMANE,CN=USERS,DC=EMPRESA,DC=COM,DC=BR
>
> * Objects to be compared: 1785
>
> ...
You could also try running:

samba-tool visualize uptodateness -rS

If you see something other than '00' for a partition, it probably means
replication is out of date.

There's also some more info on checking the replication status here:
https://wiki.samba.org/index.php/Verifying_the_Directory_Replication_Statuses

On 26/07/19 1:21 PM, Tim Beale via samba wrote:
> I don't think the problem is the schema. It's more likely a replication
> problem.
>
> Firstly, the Samba schema is only used when you provision a new domain.
> In this case you have joined an existing Windows domain, so you are
> using the *Windows* schema. (I think it's actually impossible to
> provision a Samba domain with the 2008 schema - Samba only supports
> 2008R2 onwards).
>
> Secondly, ldapcmp is not complaining because the base schema objects are
> different. It's complaining because ordinary objects (and their
> attributes) in your domain are different. The most likely cause is that
> the 2 DCs aren't replicating with each other properly.
>
> Try checking 'samba-tool drs showrepl'.
>
> On 26/07/19 2:25 AM, Marcio Demetrio Bacci via samba wrote:
>> Hi,
>>
>> I found that the base of Samba 4 DC is different from the base of Windows
>> Server 2008 DC. There are many mistakes when I make the comparison as the
>> result as follows (only parts of result):
>>
>> samba-tool ldapcmp ldap://WINDC1 ldap://SAMBA4-DC -Uadministrator
>> Password for [EMPRESA\administrator]:
>>
>> * Comparing [DOMAIN] context...
>>
>> * DN lists have different size: 1787 != 1788
>>
>> * DNs found only in ldap://WINDC1:
>> CN=TESTE-COMP,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
>> CN=MANE,CN=USERS,DC=EMPRESA,DC=COM,DC=BR
>>
>> * DNs found only in ldap://SAMBA4-DC:
>> CN=COMP300061111,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
>> CN=BB,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
>> CN=WMANE,CN=USERS,DC=EMPRESA,DC=COM,DC=BR
>>
>> * Objects to be compared: 1785
>>
>> ...
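One way to triage ldapcmp output like that posted at the top of this thread, as an added example that is not part of any poster's message or of Samba's code: it lists the DNs that exist on only one DC and counts how many objects differ per attribute, so missing objects can be looked at separately from attribute-level differences. The sample text is constructed (abridged from the output quoted in the thread) and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample: abridged from the ldapcmp output quoted in the thread.
SAMPLE = """\
* DN lists have different size: 1787 != 1788
* DNs found only in ldap://WINDC1:
    CN=TESTE-COMP,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
    CN=MANE,CN=USERS,DC=EMPRESA,DC=COM,DC=BR
* DNs found only in ldap://SAMBA4-DC:
    CN=BB,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR
* Objects to be compared: 1785
Comparing:
'CN=SERGIO,CN=USERS,DC=EMPRESA,DC=COM,DC=BR' [ldap://WINDC1]
'CN=SERGIO,CN=USERS,DC=EMPRESA,DC=COM,DC=BR' [ldap://SAMBA4-DC]
    Difference in attribute values:
        lastLogonTimestamp =>
            [b'132076662777728517']
            [b'132084540442594920']
    FAILED
Comparing:
'CN=COMP10013,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR' [ldap://WINDC1]
'CN=COMP10013,CN=COMPUTERS,DC=EMPRESA,DC=COM,DC=BR' [ldap://SAMBA4-DC]
    Difference in attribute values:
        servicePrincipalName =>
            [b'HOST/COMP10013', b'TERMSRV/ass10013.empresa.com.br']
            [b'HOST/COMP10013', b'TERMSRV/COMP10013.empresa.com.br']
    FAILED
"""

def summarize(text):
    """Return ({DC URL: [DNs found only there]}, Counter{attribute: objects differing})."""
    only, attrs, host = {}, Counter(), None
    for line in map(str.strip, text.splitlines()):
        found = re.fullmatch(r"\* DNs found only in (\S+):", line)
        attr = re.fullmatch(r"(\S+) =>", line)
        if found:
            host = found.group(1)
            only[host] = []
        elif line.startswith("*") or line == "Comparing:":
            host = None  # any other section header ends the current DN list
        elif host and "=" in line:
            only[host].append(line)  # a DN listed under the current DC
        elif attr:
            attrs[attr.group(1)] += 1
    return only, attrs

if __name__ == "__main__":
    print(summarize(SAMPLE))
```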