Difference between revisions of "Samba-tool ldapcmp"

m (Mmuehlfeld moved page Samba4/ldapcmp to Samba-tool ldapcmp: ldapcmp is meanwhile integrated in samba-tool)
m (Filter non-synced attributes)
 
(5 intermediate revisions by 3 users not shown)
Latest revision as of 21:12, 29 July 2015

Introduction

samba-tool provides the ldapcmp subcommand for testing LDAP replication between Domain Controllers (DCs), regardless of whether they run Samba, Windows, or a mix of both. It reads the same objects from two DCs over LDAP and reports every attribute that is missing or differs between them.

Restrictions

  • The comparison works via LDAP, so the LDAP service on both DCs must be up and reachable on port 389 from the host running samba-tool.
  • It compares only the attribute values returned by a wildcard search, so hidden (operational) attributes are not processed.
  • Certain attributes are explicitly ignored: they are non-replicating attributes and always have different values on the corresponding objects of separate DCs.

How to use?

  • Compare the entire directory (all partitions) on the Domain Controllers DC1 and DC2:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator
  • Compare a single AD partition on DC1 and DC2 (domain, configuration, schema, dnsdomain for DomainDnsZones, dnsforest for ForestDnsZones):
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator configuration
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator schema
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsdomain
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsforest

Filter non-synced attributes

  • Some attributes are known to differ between DCs even when replication works (see https://lists.samba.org/archive/samba/2012-September/169136.html); you can exclude them with the --filter switch. Example without any filter on a perfectly working replication:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain
 Password for [SAMDOM\administrator]:

* Comparing [DOMAIN] context...

* Objects to be compared: 308

Comparing:
'CN=Builtin,DC=samdom,DC=example,DC=com' [ldap://DC1]
'CN=Builtin,DC=samdom,DC=example,DC=com' [ldap://DC2]
    Attributes found only in ldap://DC1:
        serverState
    FAILED

Comparing:
'DC=samdom,DC=example,DC=com' [ldap://DC1]
'DC=samdom,DC=example,DC=com' [ldap://DC2]
    Attributes found only in ldap://DC1:
        serverState
        msDS-NcType
    FAILED

* Result for [DOMAIN]: FAILURE

SUMMARY
---------

Attributes found only in ldap://DC1:

    msDS-NcType
    serverState
ERROR: Compare failed: -1
  • And with the filter:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain --filter=msDS-NcType,serverState
Password for [SAMDOM\administrator]:

* Comparing [DOMAIN] context...

* Objects to be compared: 308

* Result for [DOMAIN]: SUCCESS
  • Another attribute is not synced in the CONFIGURATION context: subrefs. The correct check for the whole setup, with all three attributes filtered, is therefore:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator --filter=msDS-NcType,serverState,subrefs
  • Keep the filter list to attributes you have confirmed are non-replicating: anything you filter out is no longer compared, so a real divergence in that attribute would go unnoticed. A failed run ends with "ERROR: Compare failed" and a non-zero exit status, which is what a scripted check should key on.
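A scripted check built around the commands and the output shown above, added here as an example (it is not samba-tool's own code and not from the Samba wiki): it runs the comparison once per partition with a filter, and parses ldapcmp output in the format shown on this page into a per-context verdict and a suggested --filter value. The DC names, the account and the filter list are placeholders, and the embedded sample output is constructed from the page's own unfiltered example run.

```shell
#!/bin/sh
# Added example for this page; not part of samba-tool or the Samba wiki.
# Wraps "samba-tool ldapcmp" for scripted replication checks and parses the
# output format shown above. DC names, user name and filter list are
# placeholders; the sample output below is constructed from the page's example.

# Run the comparison once per partition so a failure is reported per context.
# Needs two reachable DCs and a valid account; not executed by the demo below.
ldapcmp_all() {
    dc1=$1 dc2=$2 user=$3 filter=$4
    rc=0
    for ctx in domain configuration schema dnsdomain dnsforest; do
        samba-tool ldapcmp "ldap://$dc1" "ldap://$dc2" -U"$user" "$ctx" \
            --filter="$filter" || rc=1   # keep going, remember the failure
    done
    return $rc
}

# Print "CONTEXT RESULT" for each "* Result for [CONTEXT]: RESULT" line on stdin.
ldapcmp_results() {
    awk '/^\* Result for \[/ { ctx = $4; gsub(/[^A-Z]/, "", ctx); print ctx, $5 }'
}

# Exit 0 only if at least one context was compared and every one reported SUCCESS.
ldapcmp_ok() {
    ldapcmp_results | awk 'END { exit (n == 0 || bad) } { n++ } $2 != "SUCCESS" { bad = 1 }'
}

# Print the attribute names from the SUMMARY section, sorted and de-duplicated:
# the candidates for --filter (verify each one is non-replicating before adding it).
ldapcmp_summary_attrs() {
    awk '/^SUMMARY/ { insum = 1; next }
         /^ERROR: Compare failed/ { insum = 0 }
         insum && /^    [A-Za-z]/ { print $1 }' | LC_ALL=C sort -u
}

# Turn the summary attributes into a comma-separated --filter value.
ldapcmp_filter_arg() {
    ldapcmp_summary_attrs | paste -sd, -
}

# Constructed sample: the unfiltered run shown on this page, minus the prompt.
sample_output() {
    cat <<'EOF'
* Comparing [DOMAIN] context...

* Objects to be compared: 308

Comparing:
'CN=Builtin,DC=samdom,DC=example,DC=com' [ldap://DC1]
'CN=Builtin,DC=samdom,DC=example,DC=com' [ldap://DC2]
    Attributes found only in ldap://DC1:
        serverState
    FAILED

Comparing:
'DC=samdom,DC=example,DC=com' [ldap://DC1]
'DC=samdom,DC=example,DC=com' [ldap://DC2]
    Attributes found only in ldap://DC1:
        serverState
        msDS-NcType
    FAILED

* Result for [DOMAIN]: FAILURE

SUMMARY
---------

Attributes found only in ldap://DC1:

    msDS-NcType
    serverState
ERROR: Compare failed: -1
EOF
}

# Stand-alone demo on the constructed sample. For a live check use instead:
#   ldapcmp_all DC1 DC2 administrator msDS-NcType,serverState,subrefs
sample_output | ldapcmp_results
echo "suggested --filter=$(sample_output | ldapcmp_filter_arg)"
```

Keying on the exit status of ldapcmp_all or ldapcmp_ok rather than reading the transcript is what makes this usable from cron or a monitoring agent. Treat the suggested filter as a list to review, not to apply blindly: an attribute that shows up in the summary because replication is genuinely broken must be fixed, not filtered.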