Hello, we use Samba 4.10.13 as RODC for our Kopano mailserver. We have certain users and groups where not all attributes are synced over to the RODC. For the users in question, we found out that if we do a manual "samba-tool rodc preload user", then that would also make the missing attributes appear on the RODC.

So, any reason why certain attributes will not sync to a RODC? In our case it is attributes like kopanoAccount, kopanoHidden, kopanoSendAsPrivilege, kopanoAdmin.

But, that trick does not work for the groups. Running

samba-tool ldapcmp ldap://mail.fqdn ldap://dc01.fqdn

gives this:

Comparing:
'CN=ALLE-ELTERN,OU=KOPANO KONTAKTER,OU=SKOLE,DC=SKOLE' [ldap://mail]
'CN=ALLE-ELTERN,OU=KOPANO KONTAKTER,OU=SKOLE,DC=SKOLE' [ldap://dc01]
    Attributes found only in ldap://dc01:
        KOPANOACCOUNT
FAILED

* Result for [DOMAIN]: FAILURE

SUMMARY
---------
Attributes found only in ldap://dc01:
    KOPANOACCOUNT

ERROR: Compare failed: -1

One such group looks like this:

samba-tool group show Alle-Eltern
dn: CN=Alle-Eltern,OU=Kopano kontakter,OU=skole,DC=skole
objectClass: top
objectClass: kopanoGroup
objectClass: posixGroup
objectClass: group
cn: Alle-Eltern
description: Alle-Eltern
member: UID=M20313,OU=Kopano kontakter,OU=skole,DC=skole
instanceType: 4
whenCreated: 20200223164034.0Z
whenChanged: 20200223164034.0Z
displayName: Alle-Eltern
uSNCreated: 834677
uSNChanged: 834677
name: Alle-Eltern
objectGUID: 9085781c-789a-4b1c-a6b0-42eb83c40cbc
objectSid: S-1-5-21-3990397597-3173299008-3477321899-53695
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=skole
gidNumber: 19519
kopanoAccount: 1
memberOf: CN=kopanobrukere,OU=Groups,OU=skole,DC=skole
distinguishedName: CN=Alle-Eltern,OU=Kopano kontakter,OU=skole,DC=skole

If I try to preload it, either by uid, dn or name, all I get is

samba-tool rodc preload 'S-1-5-21-3990397597-3173299008-3477321899-53695' --server=dc01
ERROR: NamingError: Failed to find account

But, it is a group, not a user, so preload might not work at all. The sync of these attributes works just fine across all our DCs, just not the one RODC we have.

-- 
Klaus Ade Johnstad
On 23/02/2020 18:54, Klaus Ade Johnstad via samba wrote:
> One such group looks like this:
> samba-tool group show Alle-Eltern
> dn: CN=Alle-Eltern,OU=Kopano kontakter,OU=skole,DC=skole
> objectClass: top
> objectClass: kopanoGroup
> objectClass: posixGroup
> objectClass: group
> cn: Alle-Eltern
> description: Alle-Eltern
> member: UID=M20313,OU=Kopano kontakter,OU=skole,DC=skole
> instanceType: 4
> whenCreated: 20200223164034.0Z
> whenChanged: 20200223164034.0Z
> displayName: Alle-Eltern
> uSNCreated: 834677
> uSNChanged: 834677
> name: Alle-Eltern
> objectGUID: 9085781c-789a-4b1c-a6b0-42eb83c40cbc
> objectSid: S-1-5-21-3990397597-3173299008-3477321899-53695
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=skole
> gidNumber: 19519
> kopanoAccount: 1
> memberOf: CN=kopanobrukere,OU=Groups,OU=skole,DC=skole
> distinguishedName: CN=Alle-Eltern,OU=Kopano kontakter,OU=skole,DC=skole

The ldif above does not have a sAMAccountName attribute.

> If I try to preload it, either by uid, dn or name, all I get is
> samba-tool rodc preload
> 'S-1-5-21-3990397597-3173299008-3477321899-53695' --server=dc01
> ERROR: NamingError: Failed to find account
>
> But, it is a group, not a user, so preload might not work at all.

A group is an account, but looking at the 'preload' code, it seems it only works for users.

> The sync of these attributes works just fine across all our DCs, just not
> the one RODC we have.

As far as I am aware, most attributes should be replicated apart from passwords etc, but there is a thing called 'RODC-FAS', perhaps this is what is stopping your attributes replicating, more info here:

https://www.petri.com/modify-the-read-only-domain-controller-filtered-attribute-set-using-adsi-edit

Rowland
On 23.02.2020 21:32, Rowland penny via samba wrote:
>>
> The ldif above does not have a sAMAccountName attribute.

Good catch, I did have that in an earlier test, but it does not help.

>> If I try to preload it, either by uid, dn or name, all I get is
>> samba-tool rodc preload
>> 'S-1-5-21-3990397597-3173299008-3477321899-53695' --server=dc01
>> ERROR: NamingError: Failed to find account
>>
>> But, it is a group, not a user, so preload might not work at all.
> A group is an account, but looking at the 'preload' code, it seems it
> only works for users.

Right, kind of my suspicion as well, and it makes sense only working for users.

>> The sync of these attributes works just fine across all our DCs, just not
>> the one RODC we have.
>
> As far as I am aware, most attributes should be replicated apart from
> passwords etc, but there is a thing called 'RODC-FAS', perhaps this is
> what is stopping your attributes replicating, more info here:
>
> https://www.petri.com/modify-the-read-only-domain-controller-filtered-attribute-set-using-adsi-edit

I've been poking around that as well, so far without success. But, the thing is, that these attributes do get synced for most users, just not all, so I'm uncertain if FAS is the culprit.

> Rowland

-- 
Klaus Ade Johnstad
Klaus at linuxavdelingen.no
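The thread leaves two questions open: which attributes the RODC copy actually lacks, and whether the RODC Filtered Attribute Set is the reason. The following is an added example, not code from the Samba project or from either poster. It compares LDIF for the same object as dumped from a writable DC and from the RODC (for example with `ldbsearch` or `samba-tool group show` against each server), then checks each missing attribute against its attributeSchema object: an attribute is in the RODC FAS when its searchFlags carries bit 0x200 (fRODCFilteredAttribute). All LDIF below is constructed for the example; `exampleFilteredAttr` is a placeholder attribute name, not a real Kopano or AD attribute.

```python
"""Explain attributes a writable DC holds but an RODC copy lacks (added example).

Constructed LDIF samples stand in for output of ldbsearch / samba-tool group show.
"""
import re

# searchFlags bit that places an attribute in the RODC Filtered Attribute Set.
RODC_FILTERED_FLAG = 0x200


def parse_ldif(text):
    """Parse one LDIF entry into {attribute (lowercased): [values]}.

    Folded continuation lines (leading space) are joined first. Base64 values
    ("attr:: ...") are kept as base64 text; presence is all this check needs.
    """
    unfolded = re.sub(r"\n ", "", text.strip())
    entry = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.lstrip(":").strip())
    return entry


def missing_on_rodc(rwdc_entry, rodc_entry):
    """Attributes (with RWDC values) present on the writable DC but absent on the RODC."""
    return {attr: vals for attr, vals in rwdc_entry.items() if attr not in rodc_entry}


def parse_schema_flags(schema_ldif):
    """Map lDAPDisplayName (lowercased) -> searchFlags; entries separated by blank lines."""
    flags = {}
    for block in re.split(r"\n\s*\n", schema_ldif.strip()):
        entry = parse_ldif(block)
        if "ldapdisplayname" in entry:
            flags[entry["ldapdisplayname"][0].lower()] = int(entry.get("searchflags", ["0"])[0])
    return flags


def classify_missing(missing, schema_flags):
    """Label each missing attribute: filtered by the FAS, or missing for another reason.

    'not-filtered' means the FAS does not explain the gap, so the object simply has
    not been replicated to (or preloaded on) the RODC.
    """
    report = {}
    for attr in missing:
        flags = schema_flags.get(attr)
        if flags is None:
            report[attr] = "unknown-schema"
        elif flags & RODC_FILTERED_FLAG:
            report[attr] = "filtered-by-FAS"
        else:
            report[attr] = "not-filtered"
    return report


def diagnose(rwdc_ldif, rodc_ldif, schema_ldif):
    """End-to-end: compare both copies and explain every missing attribute."""
    missing = missing_on_rodc(parse_ldif(rwdc_ldif), parse_ldif(rodc_ldif))
    return classify_missing(missing, parse_schema_flags(schema_ldif))


# Constructed: the thread's group as seen on the writable DC, plus a placeholder
# attribute (exampleFilteredAttr) to show what a FAS-filtered attribute looks like.
RWDC_LDIF = """\
dn: CN=Alle-Eltern,OU=Kopano kontakter,OU=skole,DC=skole
objectClass: top
objectClass: kopanoGroup
objectClass: group
cn: Alle-Eltern
member: UID=M20313,OU=Kopano kontakter,OU=skole,DC=skole
gidNumber: 19519
kopanoAccount: 1
exampleFilteredAttr: constructed-value
"""

# Constructed: the RODC's copy of the same object, lacking two attributes.
RODC_LDIF = """\
dn: CN=Alle-Eltern,OU=Kopano kontakter,OU=skole,DC=skole
objectClass: top
objectClass: kopanoGroup
objectClass: group
cn: Alle-Eltern
member: UID=M20313,OU=Kopano kontakter,OU=skole,DC=skole
gidNumber: 19519
"""

# Constructed schema fragment: kopanoAccount is an ordinary attribute (searchFlags 0);
# the placeholder exampleFilteredAttr carries bit 0x200 (512 decimal).
SCHEMA_LDIF = """\
dn: CN=kopanoAccount,CN=Schema,CN=Configuration,DC=skole
lDAPDisplayName: kopanoAccount
searchFlags: 0

dn: CN=exampleFilteredAttr,CN=Schema,CN=Configuration,DC=skole
lDAPDisplayName: exampleFilteredAttr
searchFlags: 512
"""

if __name__ == "__main__":
    for attr, verdict in diagnose(RWDC_LDIF, RODC_LDIF, SCHEMA_LDIF).items():
        print(f"{attr}: {verdict}")
```

On the constructed input, kopanoAccount comes back as `not-filtered`, which matches the thread's observation that the attribute does replicate for most objects: a `not-filtered` verdict points at the object not having been replicated or preloaded to the RODC rather than at the FAS, while `filtered-by-FAS` means the schema itself withholds the attribute from every RODC.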