samba4 syncpasswords

Come here to share your tips and help about Samba4
julinux
Posts: 9
Joined: 01 Feb 2018 - 12:26

20 Aug 2020 - 14:43

Hello,

I recently experienced an issue with password synchronization between samba4 and a remote LDAP.
I used your script syncpwd.py, which did work for a while. Then one month ago someone joined a new DC to the domain and it crashed the syncpasswords service with the following error:

Thu Aug 20 11:09:10 2020: pid[13433]: ldb.LdbError(12) => (LDAP error 12 LDAP_UNAVAILABLE_CRITICAL_EXTENSION - <0000202C: Unable to unmarshall cookie as a ldapControlDirSyncCookie structure at ../source4/dsdb/samdb/ldb_modules/dirsync.c:1269> <>)
Thu Aug 20 11:09:10 2020: pid[13433]: Wait before connect - sleep(1)
Thu Aug 20 11:09:11 2020: pid[13433]: Connecting to 'ldapi:///var/lib/samba/private/ldap_priv/ldapi'

I tried to delete and re-create the ldb cache, but it still crashes.
I recently posted on the samba list without success. I also tried to increase the samba log level but did not get much information.
So I was wondering if any of you ever experienced such a behavior?
dcardon
WAPT Expert
Posts: 1369
Joined: 18 Jun 2014 - 09:58
Location: Saint Sébastien sur Loire

25 Aug 2020 - 15:38

Hi julinux,
No, I have not seen that issue yet.
What version of Samba? Compiled or packages? If it is a packaged version, where are they coming from? If you downgrade, is the issue still there? What does dbcheck --cross-ncs say?
Denis
Denis Cardon - Tranquil IT
Spread the word about WAPT! Send us the URLs of your blog posts and articles in the "your opinion" category of the forum, and we will feature them on the WAPT website
julinux
Posts: 9
Joined: 01 Feb 2018 - 12:26

02 Sep 2020 - 11:57

Hi, we use a quite old packaged version of Samba (4.7.6) from ubuntu18 repositories.
The dbcheck has already been done in fix mode.

What do you mean by downgrade? Nothing has changed, the new dc which was joined had the same samba version.
I actually intend to make my own script and to bypass samba-tool sync password function to make it work as we are able to retrieve every password from samba4, encode it and send it to a remote LDAP.
dcardon
WAPT Expert
Posts: 1369
Joined: 18 Jun 2014 - 09:58
Location: Saint Sébastien sur Loire

02 Sep 2020 - 16:42

I thought that the issue came up after an upgrade... Actually you might want to test an upgrade, 4.7 is quite old in the Samba-AD world and there have been a ton of bugfixes since then.
Like you said, the sync password is there as a trigger but you can do without it. Python samdb is quite good for scripting, you should find everything that you want.
Denis
julinux
Posts: 9
Joined: 01 Feb 2018 - 12:26

03 Sep 2020 - 15:36

Indeed, we intend to upgrade to 4.11. I'll let you know what happens then.
What would you recommend to upgrade two active DCs?

As we are going to perform an OS upgrade too (ubuntu18 => ubuntu20), can we just stop samba services, upgrade packages and OS, then relaunch samba, or do we have to demote and rejoin one of them?

I've read something about this here:

https://wiki.samba.org/index.php/Upgrad ... pgraded_DC