On 18/07/22 21:37, Bruno Guerreiro via samba wrote:
> Hi Douglas,
> Thanks for the help, and sorry for the delay. I've been away.
No worries. Me too.
> I've applied the patch, and the result is this:
> Missing dn CN=DC01,CN=Servers,CN=Default-First-Site-Name, from UTD vector for dsa CN=DC11,CN=Servers,CN=Default-First-Site-Name
> Missing dn CN=DC02,CN=Servers,CN=Default-First-Site-Name, from UTD vector for dsa CN=DC11,CN=Servers,CN=Default-First-Site-Name
> Missing dn CN=DC03,CN=Servers,CN=Default-First-Site-Name, from UTD vector for dsa CN=DC11,CN=Servers,CN=Default-First-Site-Name
> ...
> Missing dn CN=DC10,CN=Servers,CN=Default-First-Site-Name, from UTD vector for dsa CN=DC11,CN=Servers,CN=Default-First-Site-Name
> 
> 
> This DC11 is a Win2008R2 DC
Ok, that's interesting. It's obviously a bug insofar as Samba is not 
playing well with the Windows DC, but if objects are being replicated 
(including to and from DC11), then you don't need to worry.
This might cause problems if DC11 was selected as a bridgehead for 
communication between Default-First-Site-Name and the other sites. That 
won't happen spontaneously, but adding more DCs could trigger a 
reorganisation.
These commands will draw you a graph of the network:
   samba-tool visualize ntdsconn  -S --dot -o network.dot
   dot -Tpng network.dot > network.png
Adding -H ldap://dc11... -UAdministrator to the samba-tool should allow 
you to query Windows' view of the network. They *should* be the same.
cheers,
Douglas
> BRGDS,
> Bruno Guerreiro
> 
> 
> 
> 
> 
> From: samba <samba-bounces at lists.samba.org> on behalf of Douglas Bagnall via samba <samba at lists.samba.org>
> Sent: Monday, July 11, 2022 1:26 AM
> To: samba at lists.samba.org <samba at lists.samba.org>
> Subject: Re: [Samba] Error in samba-tool drs updateness
> 
> 
> hi Bruno,
> 
> If you apply the attached patch to samba/uptodateness.py, wherever that
> might be on your system, it might tell you which DC is confused. (no
> recompiling should be necessary).
> 
> On 7/07/22 06:49, Bruno Guerreiro via samba wrote:
>> Hi Rowland.
>> Here's the full error:
>>
>> root at DC01:~# samba-tool drs uptodateness
> 
> From a `| sort | uniq -c`, it looks like 5 repetitions of 10 DCs, like this:
> 
>         5 Missing dn CN=DC01,CN=Servers,CN=Default-First-Site-Name,
>         5 Missing dn CN=DC02,CN=Servers,CN=Default-First-Site-Name,
>         5 Missing dn CN=DC03,CN=Servers,CN=Porto,
>         5 Missing dn CN=DC04,CN=Servers,CN=Coimbra,
>         5 Missing dn CN=DC05,CN=Servers,CN=Evora,
>         5 Missing dn CN=DC06,CN=Servers,CN=Faro,
>         5 Missing dn CN=DC07,CN=Servers,CN=Funchal,
>         5 Missing dn CN=DC08,CN=Servers,CN=Lisboa,
>         5 Missing dn CN=DC09,CN=Servers,CN=Lisboa,
>         5 Missing dn CN=DC10,CN=Servers,CN=Angra,
> 
> 
> 5 repetitions because 5 partitions. Is there an 11th DC? Or one that was
> not removed completely and/or not smoothly upgraded?
> 
>> DOMAIN          maximum: 207  median: 18.0  failure: 10
>> CONFIGURATION   maximum: 468  median: 29.0  failure: 10
>> SCHEMA          maximum: 318  median: 27.0  failure: 10
>> DNSDOMAIN       maximum: 56  median: 3.0  failure: 10
>> DNSFOREST       maximum: 378  median: 36.0  failure: 10
> 
> I think I'd expect the max/median numbers to be lower here, unless the
> network is very busy at the time -- or, of course, a DC that is failing to
> replicate.
> 
> cheers,
> Douglas
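A helper for the patched `samba-tool drs uptodateness` output quoted in this thread, added here as an example and not part of the thread or of Samba: it groups the `Missing dn ... from UTD vector for dsa ...` lines by DSA and tolerates the mail-wrapped form. The function names and the sample text are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Line shape copied from the patched output quoted in this thread. Mail
# clients wrap it before "for dsa" and may prefix ">", so allow both.
MISSING_RE = re.compile(
    r"Missing dn\s+(?P<missing>CN=.+?),[\s>]+from UTD vector"
    r"[\s>]+for dsa\s+(?P<dsa>CN=[^\r\n]+)"
)

# Constructed sample (not real output): three reports, one of them mail-wrapped.
SAMPLE = """\
Missing dn CN=DC01,CN=Servers,CN=Default-First-Site-Name, from UTD vector for dsa CN=DC11,CN=Servers,CN=Default-First-Site-Name
> Missing dn CN=DC02,CN=Servers,CN=Default-First-Site-Name, from UTD vector
for dsa CN=DC11,CN=Servers,CN=Default-First-Site-Name
Missing dn CN=DC01,CN=Servers,CN=Default-First-Site-Name, from UTD vector for dsa CN=DC11,CN=Servers,CN=Default-First-Site-Name
DOMAIN          maximum: 207  median: 18.0  failure: 10
"""


def summarize(text):
    """Map each DSA to {missing DN: number of times it was reported}."""
    by_dsa = defaultdict(Counter)
    for m in MISSING_RE.finditer(text):
        by_dsa[m["dsa"].strip()][m["missing"].strip()] += 1
    return {dsa: dict(counts) for dsa, counts in by_dsa.items()}


def rdn(dn):
    """Return the first RDN value, e.g. 'DC11' for 'CN=DC11,CN=Servers,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def report(text):
    """One line per DSA, DSAs with the most distinct missing DCs first."""
    summary = summarize(text)
    lines = []
    for dsa in sorted(summary, key=lambda d: (-len(summary[d]), d)):
        missing = ", ".join(
            f"{rdn(dn)} x{n}" for dn, n in sorted(summary[dsa].items())
        )
        lines.append(f"{rdn(dsa)}: missing {missing}")
    return lines


if __name__ == "__main__":
    import sys
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(text)))
```

Pipe the tool's output into the script to get one line per DSA; a per-DN count equal to the number of partitions matches the "5 repetitions because 5 partitions" reading in the thread.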