
samba4 syncpasswords

Posted: 20 August 2020 - 14:43
by julinux
Hello,

I recently experienced an issue with password synchronization between samba4 and a remote LDAP.
I used your script syncpwd.py, which did work for a while. Then one month ago someone joined a new DC to the domain and it crashed the syncpasswords service with the following error:

Thu Aug 20 11:09:10 2020: pid[13433]: ldb.LdbError(12) => (LDAP error 12 LDAP_UNAVAILABLE_CRITICAL_EXTENSION - <0000202C: Unable to unmarshall cookie as a ldapControlDirSyncCookie structure at ../source4/dsdb/samdb/ldb_modules/dirsync.c:1269> <>)
Thu Aug 20 11:09:10 2020: pid[13433]: Wait before connect - sleep(1)
Thu Aug 20 11:09:11 2020: pid[13433]: Connecting to 'ldapi:///var/lib/samba/private/ldap_priv/ldapi'

I tried to delete and re-create the ldb cache, but it still crashes.
I recently posted on the samba list without success. I also tried to increase the samba loglevel but did not get much information.
So I was wondering if any of you ever experienced such a behavior?

Re: samba4 syncpasswords

Posted: 25 August 2020 - 15:38
by dcardon
Hi julinux,
No, I have not seen that issue yet.
What version of Samba? Compiled or packages? If it is a packaged version, where are they coming from? If you downgrade, is the issue still there? What does dbcheck --cross-ncs say?
Denis

Re: samba4 syncpasswords

Posted: 02 Sep 2020 - 11:57
by julinux
Hi, we use a quite old packaged version of Samba (4.7.6) from the ubuntu18 repositories.
The dbcheck has already been done in fix mode.

What do you mean by downgrade? Nothing has changed, the new DC which was joined had the same samba version.
I actually intend to make my own script and to bypass samba-tool sync password function to make it work as we are able to retrieve every password from samba4, encode it and send it to a remote LDAP.

Re: samba4 syncpasswords

Posted: 02 Sep 2020 - 16:42
by dcardon
I thought that the issue came up after an upgrade... Actually you might want to test an upgrade, 4.7 is quite old in the Samba-AD world and there have been a ton of bugfixes since then.
Like you said the sync password is there as a trigger but you can do without it. Python samdb is quite good for scripting, you should find everything that you want.
Denis

Re: samba4 syncpasswords

Posted: 03 Sep 2020 - 15:36
by julinux
Indeed, we intend to upgrade to 4.11. I'll let you know what happens then.
What would you recommend to upgrade two active DCs?

As we are going to perform an OS upgrade too (ubuntu18 => ubuntu20), can we just stop samba services, upgrade packages and OS, then relaunch samba, or do we have to demote and rejoin one of them?

I've read something about this here:

https://wiki.samba.org/index.php/Upgrad ... pgraded_DC