Hello, we use Samba 4.10.13 as an RODC for our Kopano mailserver. We have
certain users and groups where not all attributes are synced over to the
RODC. For the users in question, we found out that if we do a manual
"samba-tool rodc preload user", then that would also make the missing
attributes appear on the RODC. So, any reason why certain attributes
will not sync to a RODC? In our case it is attributes like kopanoAccount,
kopanoHidden, kopanoSendAsPrivilege, kopanoAdmin.
But, that trick does not work for the groups.
Running samba-tool ldapcmp ldap://mail.fqdn ldap://dc01.fqdn gives this:
Comparing:
'CN=ALLE-ELTERN,OU=KOPANO KONTAKTER,OU=SKOLE,DC=SKOLE' [ldap://mail]
'CN=ALLE-ELTERN,OU=KOPANO KONTAKTER,OU=SKOLE,DC=SKOLE' [ldap://dc01]
Attributes found only in ldap://dc01:
KOPANOACCOUNT
FAILED
* Result for [DOMAIN]: FAILURE
SUMMARY
---------
Attributes found only in ldap://dc01:
KOPANOACCOUNT
ERROR: Compare failed: -1
One such group looks like this:
samba-tool group show Alle-Eltern
dn: CN=Alle-Eltern,OU=Kopano kontakter,OU=skole,DC=skole
objectClass: top
objectClass: kopanoGroup
objectClass: posixGroup
objectClass: group
cn: Alle-Eltern
description: Alle-Eltern
member: UID=M20313,OU=Kopano kontakter,OU=skole,DC=skole
instanceType: 4
whenCreated: 20200223164034.0Z
whenChanged: 20200223164034.0Z
displayName: Alle-Eltern
uSNCreated: 834677
uSNChanged: 834677
name: Alle-Eltern
objectGUID: 9085781c-789a-4b1c-a6b0-42eb83c40cbc
objectSid: S-1-5-21-3990397597-3173299008-3477321899-53695
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=skole
gidNumber: 19519
kopanoAccount: 1
memberOf: CN=kopanobrukere,OU=Groups,OU=skole,DC=skole
distinguishedName: CN=Alle-Eltern,OU=Kopano kontakter,OU=skole,DC=skole
If I try to preload it, either by uid, dn or name, all I get is
samba-tool rodc preload
'S-1-5-21-3990397597-3173299008-3477321899-53695' --server=dc01
ERROR: NamingError: Failed to find account
But, it is a group, not a user, so preload might not work at all.
The sync of these attributes works just fine across all our DCs, just not
the one RODC we have.
--
Klaus Ade Johnstad
On 23/02/2020 18:54, Klaus Ade Johnstad via samba wrote:
> One such group looks like this:
> samba-tool group show Alle-Eltern
> dn: CN=Alle-Eltern,OU=Kopano kontakter,OU=skole,DC=skole
> objectClass: top
> objectClass: kopanoGroup
> objectClass: posixGroup
> objectClass: group
> cn: Alle-Eltern
> description: Alle-Eltern
> member: UID=M20313,OU=Kopano kontakter,OU=skole,DC=skole
> instanceType: 4
> whenCreated: 20200223164034.0Z
> whenChanged: 20200223164034.0Z
> displayName: Alle-Eltern
> uSNCreated: 834677
> uSNChanged: 834677
> name: Alle-Eltern
> objectGUID: 9085781c-789a-4b1c-a6b0-42eb83c40cbc
> objectSid: S-1-5-21-3990397597-3173299008-3477321899-53695
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=skole
> gidNumber: 19519
> kopanoAccount: 1
> memberOf: CN=kopanobrukere,OU=Groups,OU=skole,DC=skole
> distinguishedName: CN=Alle-Eltern,OU=Kopano kontakter,OU=skole,DC=skole

The ldif above does not have a sAMAccountName attribute.

> If I try to preload it, either by uid, dn or name, all I get is
> samba-tool rodc preload
> 'S-1-5-21-3990397597-3173299008-3477321899-53695' --server=dc01
> ERROR: NamingError: Failed to find account
>
> But, it is a group, not a user, so preload might not work at all.

A group is an account, but looking at the 'preload' code, it seems it
only works for users.

> The sync of these attributes work just fine across all our DC, just not
> the one RODC we have.

As far as I am aware, most attributes should be replicated apart from
passwords etc, but there is a thing called 'RODC-FAS', perhaps this is
what is stopping your attributes replicating, more info here:

https://www.petri.com/modify-the-read-only-domain-controller-filtered-attribute-set-using-adsi-edit

Rowland
On 23.02.2020 21:32, Rowland penny via samba wrote:
>>
> The ldif above does not have a sAMAccountName attribute.

Good catch, I did have that in an earlier test, but it does not help.

>> If I try to preload it, either by uid, dn or name, all I get is
>> samba-tool rodc preload
>> 'S-1-5-21-3990397597-3173299008-3477321899-53695' --server=dc01
>> ERROR: NamingError: Failed to find account
>>
>> But, it is a group, not a user, so preload might not work at all.
>
> A group is an account, but looking at the 'preload' code, it seems it
> only works for users.

Right, kind of my suspicion as well, and it makes sense only working for users.

>> The sync of these attributes work just fine across all our DC, just not
>> the one RODC we have.
>
> As far as I am aware, most attributes should be replicated apart from
> passwords etc, but there is a thing called 'RODC-FAS', perhaps this is
> what is stopping your attributes replicating, more info here:
>
> https://www.petri.com/modify-the-read-only-domain-controller-filtered-attribute-set-using-adsi-edit

I've been poking around that as well, so far without success. But, the
thing is, that these attributes do get synced for most users, just not
all, so I'm uncertain if FAS is the culprit.

> Rowland

--
Klaus Ade Johnstad
Klaus at linuxavdelingen.no
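The thread ends with two open questions: which attributes differ between the writable DC and the RODC (what samba-tool ldapcmp reports as "Attributes found only in ldap://dc01"), and whether the RODC Filtered Attribute Set (FAS) Rowland points to actually explains each missing attribute. The script below is an added example written for this page; it is not code from the thread, from the Samba project or from Kopano. It works offline on constructed LDIF dumps of the Alle-Eltern group (modelled on the entry Klaus posted, plus one made-up attribute, exampleFilteredAttr, to show the FAS case) and on a constructed table of searchFlags values. The one real constant is the 0x200 searchFlags bit, which MS-ADTS defines as the flag that places an attribute in the RODC FAS. In a live check you would replace the constructed strings with the same object dumped from each DC and the searchFlags read from each attribute's attributeSchema object.

```python
"""Added example (not from the thread or from Samba): diff an object's
attributes between a writable DC and an RODC, then check whether the RODC
Filtered Attribute Set (FAS) explains each attribute missing on the RODC.
All LDIF and searchFlags data below is constructed sample data."""
import base64
from typing import Dict, List, Set

# searchFlags bit that puts an attribute in the RODC FAS (MS-ADTS, fRODCAttribute).
SEARCH_FLAG_RODC_FILTERED = 0x200

# Constructed dump of the group as seen on the writable DC. 'exampleFilteredAttr'
# is invented for this example; the folded line and base64 value exercise the parser.
WRITABLE_DC_LDIF = """dn: CN=Alle-Eltern,OU=Kopano kontakter,OU=skole,DC=skole
objectClass: top
objectClass: kopanoGroup
objectClass: posixGroup
objectClass: group
cn: Alle-Eltern
description:: QWxsZS1FbHRlcm4=
objectSid: S-1-5-21-3990397597-3173299008-3477321899-53695
gidNumber: 19519
kopanoAccount: 1
exampleFilteredAttr: constructed-value
distinguishedName: CN=Alle-Eltern,OU=Kopano kontakter,
 OU=skole,DC=skole
"""

# Constructed dump of the same group as seen on the RODC (two attributes absent).
RODC_LDIF = """dn: CN=Alle-Eltern,OU=Kopano kontakter,OU=skole,DC=skole
objectClass: top
objectClass: kopanoGroup
objectClass: posixGroup
objectClass: group
cn: Alle-Eltern
description:: QWxsZS1FbHRlcm4=
objectSid: S-1-5-21-3990397597-3173299008-3477321899-53695
gidNumber: 19519
distinguishedName: CN=Alle-Eltern,OU=Kopano kontakter,
 OU=skole,DC=skole
"""

# Constructed searchFlags values keyed by lowercase attribute name (sample only).
SCHEMA_SEARCH_FLAGS: Dict[str, int] = {
    "kopanoaccount": 0x0,                      # not in the FAS
    "examplefilteredattr": SEARCH_FLAG_RODC_FILTERED,  # in the FAS
    "gidnumber": 0x0,
}


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {lowercase attribute: [values]}.
    Handles folded continuation lines (leading space) and 'attr:: base64' values."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # LDIF folding: append to previous line
        else:
            lines.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):       # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def attributes_only_in(first: Dict[str, List[str]], second: Dict[str, List[str]]) -> Set[str]:
    """Same question ldapcmp answers with 'Attributes found only in <first>'."""
    return set(first) - set(second)


def classify_missing(missing: Set[str], schema: Dict[str, int]) -> Dict[str, str]:
    """Label each attribute missing on the RODC:
    'rodc-fas'      - FAS bit set, so not replicating to an RODC is expected
    'unexplained'   - FAS bit clear, so the FAS is not the cause
    'not-in-schema' - no searchFlags known for the attribute"""
    verdict: Dict[str, str] = {}
    for attr in sorted(missing):
        flags = schema.get(attr)
        if flags is None:
            verdict[attr] = "not-in-schema"
        elif flags & SEARCH_FLAG_RODC_FILTERED:
            verdict[attr] = "rodc-fas"
        else:
            verdict[attr] = "unexplained"
    return verdict


def run_check() -> Dict[str, str]:
    """Compare the two constructed dumps and explain the differences."""
    writable = parse_ldif_entry(WRITABLE_DC_LDIF)
    rodc = parse_ldif_entry(RODC_LDIF)
    return classify_missing(attributes_only_in(writable, rodc), SCHEMA_SEARCH_FLAGS)


if __name__ == "__main__":
    for attr, why in run_check().items():
        print(f"{attr}: {why}")
```

On the constructed data the report says exampleFilteredAttr is missing because of the FAS, while kopanoAccount has the FAS bit clear and is therefore "unexplained", which is the situation Klaus describes: an attribute absent on the RODC that the FAS does not account for, so the next place to look is replication itself rather than the schema.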