Samba-tool ldapcmp: Difference between revisions

From SambaWiki
(Edit summary: move ldapcmp description to its own page)

Previous revision (replaced by the current text below)

ldapcmp

Location: source4/scripting/devel/ldapcmp

What is it?

ldapcmp is the LDAP comparison tool already committed to Samba4. It is meant for testing LDAP replication between DCs, no matter whether they are Samba4, Windows AD or mixed. It can also compare the attributes of objects on DCs that belong to different domains.

What are the restrictions?

  1. It works only via LDAP (for now), so you must have LDAP servers that are up and accessible on port 389. This will be improved by letting it connect to an ldb file, or export and use an LDIF file, instead of a live LDAP connection.
  2. It compares the values of attributes of objects returned only by a wild-card search, so no hidden attributes are processed.
  3. A certain number of attributes are ignored explicitly in the script source, because they always have different values on the corresponding objects in two separate DCs. This will be improved by an additional switch that includes all attributes, whichever they are, and reports those excluded by default.

How to use?

  1. Compare all attributes for all objects in the Default Naming Context:

# ./scripting/devel/ldapcmp --host=10.x.x.x --username=administrator@test.domain --password=secretXX \
--host2=10.x.x.x --username2=administrator@test1.domain --password2=XsecretXX DOMAIN

A neat trick (working for now on Samba4) is that you can do searches anonymously, so if the DCs are Samba4 it looks like:

# ./scripting/devel/ldapcmp --host=10.x.x.x --host2=10.x.x.x DOMAIN

Latest revision as of 21:12, 29 July 2015

Introduction

samba-tool provides a subcommand for testing LDAP replication between Domain Controllers, regardless of whether they are running Samba, Windows, or a mix of both.

Restrictions

  • The comparison works via LDAP, so the LDAP server must be up and accessible on port 389.
  • It compares the values of attributes of objects returned only by a wild-card search, so no hidden attributes are processed.
  • Certain attributes are explicitly ignored: these are non-replicating attributes that always have different values on the corresponding objects in separate DCs.

How to use?

  • Compare the entire directory on Domain Controllers DC1 and DC2:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator
  • Compare single AD partitions on Domain Controllers DC1 and DC2:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator configuration
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator schema
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsdomain
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsforest

Filter non-synced attributes

  • Some attributes are known to be different between DCs (see https://lists.samba.org/archive/samba/2012-September/169136.html); you can filter them out with the "--filter" switch.
  • Example without any filter on a perfectly working replication:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain
Password for [SAMDOM\administrator]:
* Comparing [DOMAIN] context...
* Objects to be compared: 308
Comparing:
'CN=Builtin,DC=samdom,DC=example,DC=com' [ldap://DC1]
'CN=Builtin,DC=samdom,DC=example,DC=com' [ldap://DC2]
    Attributes found only in ldap://DC1:
        serverState
    FAILED
Comparing:
'DC=samdom,DC=example,DC=com' [ldap://DC1]
'DC=samdom,DC=example,DC=com' [ldap://DC2]
    Attributes found only in ldap://DC1:
        serverState
        msDS-NcType
    FAILED
* Result for [DOMAIN]: FAILURE
SUMMARY
---------
Attributes found only in ldap://DC1:
    msDS-NcType
    serverState
ERROR: Compare failed: -1
  • And with the filter:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain --filter=msDS-NcType,serverState
Password for [SAMDOM\administrator]:
* Comparing [DOMAIN] context...
* Objects to be compared: 308
* Result for [DOMAIN]: SUCCESS
  • Another attribute is not synced in the "CONFIGURATION" context: subrefs, so the correct check with the filter for the whole setup is:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator --filter=msDS-NcType,serverState,subrefs
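The replication check above is easy to automate once the tool's output is parsed. The following Python is an added example, not code from the Samba project or this wiki page: it reads ldapcmp output in the format shown above, collects the attributes reported as present on only one DC, and removes the attributes this page documents as never replicating (the same set given to --filter), so that only genuine replication differences remain. The sample output is constructed from the listing above, and the parser understands only the "Attributes found only in" blocks this page shows.

```python
import re
# Constructed sample, modelled on the ldapcmp output shown on this page (not a live capture).
SAMPLE_OUTPUT = """\
Comparing:
'DC=samdom,DC=example,DC=com' [ldap://DC1]
'DC=samdom,DC=example,DC=com' [ldap://DC2]
    Attributes found only in ldap://DC1:
        serverState
        msDS-NcType
    FAILED
* Result for [DOMAIN]: FAILURE
SUMMARY
Attributes found only in ldap://DC1:
    msDS-NcType
ERROR: Compare failed: -1
"""

# Attributes this page documents as never replicated, i.e. what you would pass to --filter.
KNOWN_UNSYNCED = frozenset({"msDS-NcType", "serverState", "subrefs"})
DN_RE = re.compile(r"^'(.+)' \[(ldap://\S+)\]$")
ONLY_RE = re.compile(r"^Attributes found only in (ldap://\S+):$")

def parse_ldapcmp(output):
    """Map each compared DN to {DC URL: [attributes present only on that DC]}."""
    diffs, dn, side = {}, None, None
    for raw in output.splitlines():
        line = raw.strip()
        if line == "SUMMARY":
            break                                # the summary repeats per-object findings
        if m := DN_RE.match(line):
            dn, side = m.group(1), None          # printed once per DC, same DN on both
        elif (m := ONLY_RE.match(line)) and dn:
            side = m.group(1)
            diffs.setdefault(dn, {}).setdefault(side, [])
        elif line in ("FAILED", "Comparing:") or line.startswith("*"):
            side = None                          # attribute list for this object is over
        elif side and line:
            diffs[dn][side].append(line)
    return diffs

def unexpected_differences(output, allowed=KNOWN_UNSYNCED):
    """Drop the known non-replicated attributes; anything left is a real replication problem."""
    result = {}
    for dn, sides in parse_ldapcmp(output).items():
        for side, attrs in sides.items():
            real = [a for a in attrs if a not in allowed]
            if real:
                result.setdefault(dn, {})[side] = real
    return result
```

An empty result from unexpected_differences means every reported difference was one of the known non-replicated attributes, which matches the SUCCESS the filtered samba-tool run above reports.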