Difference between revisions of "Samba-tool ldapcmp"
From SambaWiki
Mmuehlfeld (talk | contribs) (Refresh ldapcmp page. It's meanwhile integrated in samba-tool) |
(Added examples and an explanation how to filter about non-synced attribute) |
||
| Line 32: | Line 32: | ||
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsdomain |
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsdomain |
||
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsforest |
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsforest |
||
| + | |||
| + | = Filter non-synced attributes = |
||
| + | |||
| + | * Some attribute are [https://lists.samba.org/archive/samba/2012-September/169136.html known to be different between dc], you can filter them out with the "--filter" switch |
||
| + | |||
| + | * Example without any filter on a perfectly working replication: |
||
| + | |||
| + | '''# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain''' |
||
| + | Password for [SAMDOM\administrator]: |
||
| + | |||
| + | * Comparing [DOMAIN] context... |
||
| + | |||
| + | * Objects to be compared: 308 |
||
| + | |||
| + | Comparing: |
||
| + | 'CN=Builtin,DC=samdom,DC=example,DC=com' [ldap://DC1] |
||
| + | 'CN=Builtin,DC=samdom,DC=example,DC=com' [ldap://DC2] |
||
| + | Attributes found only in ldap://DC1: |
||
| + | serverState |
||
| + | FAILED |
||
| + | |||
| + | Comparing: |
||
| + | 'DC=samdom,DC=example,DC=com' [ldap://DC1] |
||
| + | 'DC=samdom,DC=example,DC=com' [ldap://DC2] |
||
| + | Attributes found only in ldap://DC1: |
||
| + | serverState |
||
| + | msDS-NcType |
||
| + | FAILED |
||
| + | |||
| + | * Result for [DOMAIN]: FAILURE |
||
| + | |||
| + | SUMMARY |
||
| + | --------- |
||
| + | |||
| + | Attributes found only in ldap://DC1: |
||
| + | |||
| + | msDS-NcType |
||
| + | serverState |
||
| + | ERROR: Compare failed: -1 |
||
| + | |||
| + | * And with the filter: |
||
| + | |||
| + | '''# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain --filter=msDS-NcType,serverState''' |
||
| + | Password for [SAMDOM\administrator]: |
||
| + | |||
| + | * Comparing [DOMAIN] context... |
||
| + | |||
| + | * Objects to be compared: 308 |
||
| + | |||
| + | * Result for [DOMAIN]: SUCCESS |
||
Revision as of 21:21, 10 May 2015
Introduction
samba-tool provides a subcommand for testing LDAP replication between Domain Controllers - regarless if they are running Samba or Windows or mixed.
Restrictions
- The comparisation works via LDAP. So the LDAP server must be up and accessible at port 389.
- It compares values of attributes of objects returned only by wild-card search so no hidden attributes are processed.
- There are certain amount of attributes being ignored explicitly in the script source that have always different values on corresponding objects in two separate DCs.
How to use?
- Compare the entire directory on Domain Controller DC1 and DC2:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator
- Compare single AD partitions on Domain Controller DC1 and DC2:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain # samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator configuration # samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator schema # samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsdomain # samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsforest
Filter non-synced attributes
- Some attribute are known to be different between dc, you can filter them out with the "--filter" switch
- Example without any filter on a perfectly working replication:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain
Password for [SAMDOM\administrator]:
* Comparing [DOMAIN] context...
* Objects to be compared: 308
Comparing:
'CN=Builtin,DC=samdom,DC=example,DC=com' [ldap://DC1]
'CN=Builtin,DC=samdom,DC=example,DC=com' [ldap://DC2]
Attributes found only in ldap://DC1:
serverState
FAILED
Comparing:
'DC=samdom,DC=example,DC=com' [ldap://DC1]
'DC=samdom,DC=example,DC=com' [ldap://DC2]
Attributes found only in ldap://DC1:
serverState
msDS-NcType
FAILED
* Result for [DOMAIN]: FAILURE
SUMMARY
---------
Attributes found only in ldap://DC1:
msDS-NcType
serverState
ERROR: Compare failed: -1
- And with the filter:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain --filter=msDS-NcType,serverState Password for [SAMDOM\administrator]: * Comparing [DOMAIN] context... * Objects to be compared: 308 * Result for [DOMAIN]: SUCCESS