[Samba] self compiled 4.10.3 replication failure.

me at tdiehl.org me at tdiehl.org
Mon May 20 19:32:59 UTC 2019


On Sat, 18 May 2019, Nico Kadel-Garcia wrote:

> On Wed, May 15, 2019 at 4:32 PM Tom Diehl via samba
> <samba at lists.samba.org> wrote:
>>
>> Hi,
>>
>> I have a new Centos 7.6 VM that I self compiled 4.10.3 and joined it to an
>> existing samba AD domain that has 2 existing DCs. One of the existing DCs is
>> running 4.8.7 and the other is running 4.7.7. Everything looks OK except
>> that when I run samba-tool drs showrepl on the new DC (VDC4) I get the
>> following output:
>
> "self-compiled" can include a lot of sins, especially if trying to
> place it alongside *or* in place of the provided libraries for tevent,
> ldb, tdb, and talloc. Let me point you to my git repo,

Well OK maybe I should have said self compiled using the instructions 
@ https://wiki.samba.org/index.php/Build_Samba_from_Source#configure and
the package list from https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba#Red_Hat_Enterprise_Linux_7_.2F_CentOS_7_.2F_Scientific_Linux_7
substituting python36-devel for python-devel and adding python32-dns
to get the samba-tool dns module to work. 
None of the distro samba packages are installed.

TBH, I am guessing about the package list given the change from python2 to python3
as it does not look like the wiki has been updated for 4.10.x.

> https://github.com/nkadel/samba4repo/, with submodules for samba
> itself, talloc, tevent, etc., etc. It's built to use the official
> upstream tarballs from www.samba.org, not tarballs from *me*, and that
> also will give you a good git repo you can use to manage any
> compilation options in the ".spec" file.

Is there a way to only build the Centos bits using your git repo? I have no
Fedora machines and so far I have not been successful in getting the above
to build on a Centos 7 VM using the version of Mock supplied by the Centos
project.

>
>> I see errors similar to below in the logs:
>> [2019/05/15 16:19:58.683401,  2] ../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
>>    ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29465)
>> [2019/05/15 16:19:58.695818,  2] ../../source4/rpc_server/drsuapi/getncchanges.c:3619(dcesrv_drsuapi_DsGetNCChanges)
>>    DsGetNCChanges with uSNChanged >= 29465 flags 0x80000064 on <GUID=e9fe6598-6cfe-40dd-b882-33c6bc031517>;DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com gave 2 objects (done 2/2) 0 links (done 0/0 (as S-1-5-21-3052942767-4183929206-737583365-1279))
>> [2019/05/15 16:20:01.245656,  2] ../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
>>    Replicated 0 objects (0 linked attributes) for DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
>> [2019/05/15 16:20:06.260687,  2] ../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
>>    Replicated 2 objects (0 linked attributes) for DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
>> [2019/05/15 16:20:06.271512,  0] ../../source4/dsdb/repl/drepl_out_helpers.c:1158(dreplsrv_update_refs_done)
>>    UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for a57c74ed-3343-4497-965d-e7e50a1f84ae._msdcs.kmg.mydomain.com DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
>> [2019/05/15 16:20:08.692911,  2] ../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
>>    ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29467)
>>
>> Given the above errors this looks like a permissions problem but so far I have not
>> been able to find it.
>
> Hmm. Some classic questions include "is SELinux on", and "which
> Kerberos did you use, the supported internal Heimdal Kerberos or the
> experimental support for MIT Kerberos?"

SELinux is in permissive and my configure line is simply ./configure so no MIT
here. IMO no one in their right mind would try to use MIT in production.

Regards,

-- 
Tom			me at tdiehl.org
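
The following is an added example, not part of the original message and not Samba project code: a small triage script for the two-line Samba debug log format quoted in the thread, which pairs each header with its message and reports which partner DSA and naming context an UpdateRefs call was refused on. The sample log is constructed (placeholder GUID and `example.com` domain), and the function names are hypothetical.

```python
import re

# Samba debug header: "[YYYY/MM/DD HH:MM:SS.usec,  level] file:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
# Message shape taken from the UpdateRefs line quoted in the thread.
UPDATEREFS = re.compile(
    r"UpdateRefs failed with (?P<werr>WERR_\w+)/NT code (?P<nt>0x[0-9a-fA-F]+) "
    r"for (?P<dsa>\S+) (?P<nc>\S+)")
QUOTE = re.compile(r"^(?:>\s?)+")  # mail quote markers, if pasted from a reply

def parse_records(text):
    """Pair each header line with the indented message lines that follow it."""
    records, current = [], None
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        m = HEADER.match(line)
        if m:
            current = {**m.groupdict(), "level": int(m["level"]), "msg": []}
            records.append(current)
        elif current is not None and line:
            current["msg"].append(line)
    for rec in records:
        rec["msg"] = " ".join(rec["msg"])
    return records

def updaterefs_failures(records):
    """Map each partner DSA to the {naming context: WERR code} it was refused on."""
    failed = {}
    for rec in records:
        m = UPDATEREFS.search(rec["msg"])
        if m:
            failed.setdefault(m["dsa"], {})[m["nc"]] = m["werr"]
    return failed

# Constructed sample in the thread's log format (placeholder GUID and domain).
SAMPLE = """\
>> [2019/05/15 16:20:06.260687,  2] ../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
>>    Replicated 2 objects (0 linked attributes) for DC=DomainDnsZones,DC=example,DC=com
>> [2019/05/15 16:20:06.271512,  0] ../../source4/dsdb/repl/drepl_out_helpers.c:1158(dreplsrv_update_refs_done)
>>    UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 00000000-0000-0000-0000-000000000001._msdcs.example.com DC=DomainDnsZones,DC=example,DC=com
>> [2019/05/15 16:25:06.300000,  0] ../../source4/dsdb/repl/drepl_out_helpers.c:1158(dreplsrv_update_refs_done)
>>    UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 00000000-0000-0000-0000-000000000001._msdcs.example.com DC=ForestDnsZones,DC=example,DC=com
"""

if __name__ == "__main__":
    for dsa, ncs in updaterefs_failures(parse_records(SAMPLE)).items():
        for nc, werr in ncs.items():
            print(f"{dsa}: {werr} on {nc}")
```

Grouping by partner DSA shows whether the refusals come from one DC or from all of them, and whether they affect every partition or only the DNS zones.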


