Difference between revisions of "Samba-tool ldapcmp"

From SambaWiki
(Refresh ldapcmp page. It's meanwhile integrated in samba-tool)
(Added examples and an explanation how to filter about non-synced attribute)
Line 32: Line 32:
 
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsdomain
 
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsdomain
 
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsforest
 
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsforest
  +
  +
= Filter non-synced attributes =
  +
  +
* Some attribute are [https://lists.samba.org/archive/samba/2012-September/169136.html known to be different between dc], you can filter them out with the "--filter" switch
  +
  +
* Example without any filter on a perfectly working replication:
  +
  +
'''# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain'''
  +
Password for [SAMDOM\administrator]:
  +
  +
* Comparing [DOMAIN] context...
  +
  +
* Objects to be compared: 308
  +
  +
Comparing:
  +
'CN=Builtin,DC=samdom,DC=example,DC=com' [ldap://DC1]
  +
'CN=Builtin,DC=samdom,DC=example,DC=com' [ldap://DC2]
  +
Attributes found only in ldap://DC1:
  +
serverState
  +
FAILED
  +
  +
Comparing:
  +
'DC=samdom,DC=example,DC=com' [ldap://DC1]
  +
'DC=samdom,DC=example,DC=com' [ldap://DC2]
  +
Attributes found only in ldap://DC1:
  +
serverState
  +
msDS-NcType
  +
FAILED
  +
  +
* Result for [DOMAIN]: FAILURE
  +
  +
SUMMARY
  +
---------
  +
  +
Attributes found only in ldap://DC1:
  +
  +
msDS-NcType
  +
serverState
  +
ERROR: Compare failed: -1
  +
  +
* And with the filter:
  +
  +
'''# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain --filter=msDS-NcType,serverState'''
  +
Password for [SAMDOM\administrator]:
  +
  +
* Comparing [DOMAIN] context...
  +
  +
* Objects to be compared: 308
  +
  +
* Result for [DOMAIN]: SUCCESS

Revision as of 21:21, 10 May 2015

Introduction

samba-tool provides a subcommand for testing LDAP replication between Domain Controllers - regarless if they are running Samba or Windows or mixed.



Restrictions

  • The comparisation works via LDAP. So the LDAP server must be up and accessible at port 389.
  • It compares values of attributes of objects returned only by wild-card search so no hidden attributes are processed.
  • There are certain amount of attributes being ignored explicitly in the script source that have always different values on corresponding objects in two separate DCs.



How to use?

  • Compare the entire directory on Domain Controller DC1 and DC2:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator
  • Compare single AD partitions on Domain Controller DC1 and DC2:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator configuration
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator schema
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsdomain
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsforest

Filter non-synced attributes

  • Example without any filter on a perfectly working replication:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain
 Password for [SAMDOM\administrator]:

* Comparing [DOMAIN] context...

* Objects to be compared: 308

Comparing:
'CN=Builtin,DC=samdom,DC=example,DC=com' [ldap://DC1]
'CN=Builtin,DC=samdom,DC=example,DC=com' [ldap://DC2]
    Attributes found only in ldap://DC1:
        serverState
    FAILED

Comparing:
'DC=samdom,DC=example,DC=com' [ldap://DC1]
'DC=samdom,DC=example,DC=com' [ldap://DC2]
    Attributes found only in ldap://DC1:
        serverState
        msDS-NcType
    FAILED

* Result for [DOMAIN]: FAILURE

SUMMARY
---------

Attributes found only in ldap://DC1:

    msDS-NcType
    serverState
ERROR: Compare failed: -1
  • And with the filter:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain --filter=msDS-NcType,serverState
Password for [SAMDOM\administrator]:

* Comparing [DOMAIN] context...

* Objects to be compared: 308

* Result for [DOMAIN]: SUCCESS