[Samba] drs replicate to Windows 2003 DC fails with WERR_DS_INSUFFICIENT_ATTR_TO_CREATE_OBJECT and WERR_DS_DRA_ACCESS_DENIED

David Koscinski david at thinkgecko.com
Wed Nov 5 15:08:29 MST 2014


On 11/2/2014 8:04 AM, David Koscinski wrote:
> My samba4.11 server will only replicate one way: windows -> samba.   
> Replication from samba -> windows fails.   Details follow.
>
> I have a Samba 4.11 domain controller (fs1) that was added to an 
> existing domain that had a Windows Server 2003R2 domain controller 
> (fs) and Windows Small Business Server 2011 (sbs).
>
> fs1 is running on Debian 7.6
>
> My issue seems similar to 
> https://lists.samba.org/archive/samba/2014-September/185140.html 
> except that my domain is at 2003 functional level.  See more details 
> about this at the end of my post.
>
> Replication works successfully from fs to sbs and sbs to fs.
>
> Replication works successfully from sbs to fs1:
>
> fs1.pearl.local:~# samba-tool drs replicate fs1 sbs DC=pearl,DC=local
> Replicate from sbs to fs1 was successful.
>
> And from fs to fs1:
>
> fs1.pearl.local:~# samba-tool drs replicate fs1 fs DC=pearl,DC=local
> Replicate from fs to fs1 was successful.
>
> However, replication from fs1 to either of the other domain 
> controllers fails:
>
> fs1.pearl.local:~# samba-tool drs replicate fs fs1 DC=pearl,DC=local
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - 
> drsException: DsReplicaSync failed (8606, 
> 'WERR_DS_INSUFFICIENT_ATTR_TO_CREATE_OBJECT')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 
> 345, in run
>     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, 
> source_dsa_guid, NC, req_options)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, 
> in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
>
> I've tried samba-tool dbcheck.  It found 2 errors.
>
> fs1.pearl.local:~# samba-tool dbcheck
> Checking 658 objects
> ERROR: orphaned backlink attribute 'authOrigBL' in 
> CN=DiscoverySearchMailbox 
> {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local for 
> link authOrig in CN=DiscoverySearchMailbox 
> {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
> Not removing orphaned backlink authOrig
> ERROR: missing GUID component for authOrig in object 
> CN=DiscoverySearchMailbox 
> {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local - 
> CN=DiscoverySearchMailbox 
> {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
> Not fixing missing GUID
> Please use --fix to fix these errors
> Checked 658 objects (2 errors)
>
> I used --fix --yes to fix the errors
>
> fs1.pearl.local:~# samba-tool dbcheck --fix --yes
> Checking 658 objects
> ERROR: orphaned backlink attribute 'authOrigBL' in 
> CN=DiscoverySearchMailbox 
> {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local for 
> link authOrig in CN=DiscoverySearchMailbox 
> {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
> Remove orphaned backlink authOrig [YES]
> Fixed orphaned backlink authOrig
> ERROR: missing GUID component for authOrig in object 
> CN=DiscoverySearchMailbox 
> {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local - 
> CN=DiscoverySearchMailbox 
> {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
> Change DN to 
> <GUID=1fb53160-7eb6-404c-8656-0fe9f0c0a546>;<SID=S-1-5-21-31344582-3446745131-2667729944-1135>;CN=DiscoverySearchMailbox 
> {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local? [YES]
> Fixed missing GUID on attribute authOrig
> Checked 658 objects (2 errors)
>
> Replicating again gives a new error WERR_DS_DRA_ACCESS_DENIED the 
> first attempt, then the same old error 
> WERR_DS_INSUFFICIENT_ATTR_TO_CREATE_OBJECT each subsequent attempt.
>
> fs1.pearl.local:~# samba-tool drs replicate fs fs1 DC=pearl,DC=local
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - 
> drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 
> 345, in run
>     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, 
> source_dsa_guid, NC, req_options)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, 
> in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
> fs1.pearl.local:~# samba-tool drs replicate fs fs1 DC=pearl,DC=local
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - 
> drsException: DsReplicaSync failed (8606, 
> 'WERR_DS_INSUFFICIENT_ATTR_TO_CREATE_OBJECT')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 
> 345, in run
>     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, 
> source_dsa_guid, NC, req_options)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, 
> in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
>
> I noticed that the database continues to have 2 errors.  I can run 
> this command repeatedly and it will always find and fix the same 2 
> errors.
>
> fs1.pearl.local:~# samba-tool dbcheck --fix --yes
> Checking 658 objects
> ERROR: orphaned backlink attribute 'authOrigBL' in 
> CN=DiscoverySearchMailbox 
> {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local for 
> link authOrig in CN=DiscoverySearchMailbox 
> {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
> Remove orphaned backlink authOrig [YES]
> Fixed orphaned backlink authOrig
> ERROR: missing GUID component for authOrig in object 
> CN=DiscoverySearchMailbox 
> {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local - 
> CN=DiscoverySearchMailbox 
> {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
> Change DN to 
> <GUID=1fb53160-7eb6-404c-8656-0fe9f0c0a546>;<SID=S-1-5-21-31344582-3446745131-2667729944-1135>;CN=DiscoverySearchMailbox 
> {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local? [YES]
> Fixed missing GUID on attribute authOrig
> Checked 658 objects (2 errors)
>
> Suspecting that the issue might be that I have a Windows Small 
> Business Server 2011 in my network, I checked the domain functional 
> levels and confirmed that the domain and forest are at 2003 and so are 
> fs and fs1.  sbs is at level 4.  sbs also runs Exchange 2010 so that 
> Exchange extensions are present in the AD.
>
> PS C:\Users\gecko> $dse = ([ADSI] "LDAP://RootDSE")
> PS C:\Users\gecko> $dse.dnsHostName
> SBS.pearl.local
> PS C:\Users\gecko> $dse.forestFunctionality
> 2
> PS C:\Users\gecko> $dse.domainFunctionality
> 2
> PS C:\Users\gecko> $dse.domainControllerFunctionality
> 4
>
> PS C:\Documents and Settings\gecko.PEARL> $dse = ([ADSI] 
> "LDAP://RootDSE")
> PS C:\Documents and Settings\gecko.PEARL> $dse.dnsHostName
> fs.pearl.local
> PS C:\Documents and Settings\gecko.PEARL> 
> $dse.domainControllerFunctionality
> 2
> PS C:\Documents and Settings\gecko.PEARL> $dse.domainFunctionality
> 2
> PS C:\Documents and Settings\gecko.PEARL> $dse.forestFunctionality
> 2
> PS C:\Documents and Settings\gecko.PEARL>
>
>
> fs1.pearl.local:~# samba-tool domain level show
> Domain and forest function level for domain 'DC=pearl,DC=local'
>
> Forest function level: (Windows) 2003
> Domain function level: (Windows) 2003
> Lowest function level of a DC: (Windows) 2003
>
>
> Does anyone know how to get past this roadblock?
>
> Cheers,
>
> David.
I checked the changelog for samba4 since version 11 and there aren't any 
obvious fixes that address this.  Of course at this point I don't even 
know if it is a flaw in Samba.
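The thread's own diagnostic signal is that `samba-tool dbcheck --fix` reports the same two errors on every run and that every `drs replicate` attempt ends in a WERR_ code. The following helper, added here and not part of the thread or of Samba, parses constructed samples of that output (modelled on the lines quoted above) so the recurrence can be checked mechanically instead of by eye; the sample strings and function names are assumptions.

```python
"""Parse samba-tool dbcheck / drs replicate output and flag errors that
"fixing" does not make go away.  Sample text below is constructed."""
import re

# Constructed DN matching the object named in the thread.
DN = ("CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},"
      "CN=Users,DC=pearl,DC=local")

# Constructed output of one `samba-tool dbcheck --fix --yes` run.
DBCHECK_RUN = (
    "Checking 658 objects\n"
    f"ERROR: orphaned backlink attribute 'authOrigBL' in {DN} for link authOrig in {DN}\n"
    "Remove orphaned backlink authOrig [YES]\n"
    "Fixed orphaned backlink authOrig\n"
    f"ERROR: missing GUID component for authOrig in object {DN} - {DN}\n"
    "Fixed missing GUID on attribute authOrig\n"
    "Checked 658 objects (2 errors)\n"
)

# Constructed output of a failed `samba-tool drs replicate` call.
DRS_FAIL = ("ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - "
            "drsException: DsReplicaSync failed (8606, "
            "'WERR_DS_INSUFFICIENT_ATTR_TO_CREATE_OBJECT')")

DN_RE = re.compile(r"(CN=.*?,DC=[^ ]+)")
DRS_RE = re.compile(r"DsReplicaSync failed \((\d+), '(WERR_[A-Z_]+)'\)")


def parse_dbcheck(output):
    """Return the set of (error kind, object DN) pairs reported by dbcheck."""
    found = set()
    for line in output.splitlines():
        if not line.startswith("ERROR: "):
            continue
        body = line[len("ERROR: "):]
        kind = body.split(" in ", 1)[0]          # text before the first " in "
        m = DN_RE.search(body)
        found.add((kind, m.group(1) if m else ""))
    return found


def recurring_errors(runs):
    """Errors present in every run: a fix that dbcheck reports but that is
    back on the next run never took effect (or was replicated back in)."""
    sets = [parse_dbcheck(r) for r in runs]
    return set.intersection(*sets) if sets else set()


def parse_drs_error(output):
    """Return (code, WERR name) from a failed drs replicate, or None on success."""
    m = DRS_RE.search(output)
    return (int(m.group(1)), m.group(2)) if m else None
```

Feeding it the output of two consecutive `--fix --yes` runs gives a non-empty set exactly when the fix is not sticking, which is the situation the post describes.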