[Samba-it] problemi di replica WERR_DS_DRA_ACCESS_DENIED

Giuseppe Arvati giuseppe.arvati at gmail.com
Fri Nov 23 09:25:25 UTC 2018


Il 22/11/2018 16:01, Marco Gaiarin ha scritto:
> Mandi! Giuseppe Arvati
>    In chel di` si favelave...
> 
>> piĆ¹ o meno gli stessi di ora: Gaiarin, Ravinetto e
>> pochi altri
> 
> ...si resiste... ;-)
> 
> 
>> Ho googlato un po' senza successo sul WERR_DS_DRA_ACCESS_DENIED
>> Qualche suggerimento ?	
> 
> No. A parte i ''soliti'': verificare eventuali firewall in mezzo...
> 
> 
> Ad gni modo il mio google-fu mi manda qui:
> 
> 	https://lists.samba.org/archive/samba/2017-December/212963.html
> 

Ciao e grazie del supporto

avevo visto quel posto che citi ma non mi ha aiutato molto

allego l'output del comando di replica che genera l'errore
sperando che qualcuno noti qualcosa di utili per la risuluzione

[root at dc1ucp ~]# samba-tool drs replicate dc1ucp apamfs2 
DC=apam-ad,DC=apam,DC=it -d 10
INFO: Current debug levels:
   all: 10
   tdb: 10
   printdrivers: 10
   lanman: 10
   smb: 10
   rpc_parse: 10
   rpc_srv: 10
   rpc_cli: 10
   passdb: 10
   sam: 10
   auth: 10
   winbind: 10
   vfs: 10
   idmap: 10
   quota: 10
   acls: 10
   locking: 10
   msdfs: 10
   dmapi: 10
   registry: 10
   scavenger: 10
   dns: 10
   ldb: 10
   tevent: 10
   auth_audit: 10
   auth_json_audit: 10
   kerberos: 10
   drs_repl: 10
   smb2: 10
   smb2_credits: 10
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[utenti]"
Processing section "[passa]"
pm_process() returned Yes
ldb: ldb_trace_request: SEARCH
  dn: @MODULES
  scope: base
  expr: (@LIST=*)
  attr: @LIST
  control: <NONE>

ldb: ldb_trace_request: (tdb)->read_lock
ldb: ldb_trace_next_request: (tdb)->search
ldb: Added timed event "ltdb_callback": 0xfe2d50

ldb: Added timed event "ltdb_timeout": 0xfe2e10

ldb: Running timer event 0xfe2d50 "ltdb_callback"

ldb: ldb_trace_response: ENTRY
dn: @MODULES
@LIST: samba_secrets



ldb: ldb_trace_response: DONE
error: 0

ldb: ldb_trace_request: (tdb)->read_unlock
ldb: Destroying timer event 0xfe2e10 "ltdb_timeout"

ldb: Ending timer event 0xfe2d50 "ltdb_callback"

ldb: ldb_trace_request: REGISTER_CONTROL
1.2.840.113556.1.4.1413
  control: <NONE>

ldb: ldb_asprintf/set_errstring: unable to find module or backend to 
handle operation: request
ldb: ldb_trace_request: SEARCH
  dn: <rootDSE>
  scope: base
  expr: (objectClass=*)
  attr: rootDomainNamingContext
  attr: configurationNamingContext
  attr: schemaNamingContext
  attr: defaultNamingContext
  control: <NONE>

ldb: ldb_trace_request: (tdb)->read_lock
ldb: ldb_trace_next_request: (rdn_name)->search
ldb: ldb_trace_next_request: (tdb)->search
ldb: Added timed event "ltdb_callback": 0xfe1d40

ldb: Added timed event "ltdb_timeout": 0xfe3c60

ldb: Running timer event 0xfe1d40 "ltdb_callback"

ldb: ldb_asprintf/set_errstring: NULL Base DN invalid for a base search
ldb: ldb_trace_response: DONE
error: 34
msg: NULL Base DN invalid for a base search

ldb: ldb_trace_request: (tdb)->read_unlock
ldb: Destroying timer event 0xfe3c60 "ltdb_timeout"

ldb: Ending timer event 0xfe1d40 "ltdb_callback"

ldb_wrap open of secrets.ldb
ldb: ldb_trace_request: SEARCH
  dn: cn=Primary Domains
  scope: sub
  expr: (&(flatname=APAM-AD)(objectclass=primaryDomain))
  attr: <ALL>
  control: <NONE>

ldb: ldb_trace_request: (tdb)->read_lock
ldb: ldb_trace_next_request: (rdn_name)->search
ldb: ldb_trace_next_request: (tdb)->search
ldb: Added timed event "ltdb_callback": 0xfe4670

ldb: Added timed event "ltdb_timeout": 0xfe4730

ldb: Running timer event 0xfe4670 "ltdb_callback"

ldb: ldb_trace_response: ENTRY
dn: flatname=APAM-AD,cn=Primary Domains
msDS-KeyVersionNumber: 2
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
objectSid: S-1-5-21-1853045328-2428526881-2616184179
privateKeytab: secrets.keytab
realm: apam-ad.apam.it
saltPrincipal: host/dc1ucp.apam-ad.apam.it at APAM-AD.APAM.IT
samAccountName: DC1UCP$
# secret::: REDACTED SECRET ATTRIBUTE
secureChannelType: 6
servicePrincipalName: HOST/dc1ucp
servicePrincipalName: HOST/dc1ucp.apam-ad.apam.it
objectGUID: 9bcf69ce-d005-469a-8a9b-c0fc9c1e09ff
whenCreated: 20181106092052.0Z
whenChanged: 20181106092052.0Z
uSNCreated: 7
uSNChanged: 7
name: APAM-AD
flatname: APAM-AD
distinguishedName: flatname=APAM-AD,cn=Primary Domains



ldb: ldb_trace_response: DONE
error: 0

ldb: ldb_trace_request: (tdb)->read_unlock
ldb: Destroying timer event 0xfe4730 "ltdb_timeout"

ldb: Ending timer event 0xfe4670 "ltdb_callback"

GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc1ucp[,seal,print]
Mapped to DCERPC endpoint 135
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=10.2.2.12 bcast=10.2.255.255 netmask=255.255.0.0
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=10.2.2.12 bcast=10.2.255.255 netmask=255.255.0.0
resolve_lmhosts: Attempting lmhosts lookup for name dc1ucp<0x20>
startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts. 
Error was No such file or directory
rpc request data:
[0000] 01 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0010] 00 00 00 00 02 00 00 00   4B 00 00 00 4B 00 00 00   ........ K...K...
[0020] 05 00 13 00 0D 35 42 51   E3 06 4B D1 11 AB 04 00   .....5BQ ..K.....
[0030] C0 4F C2 DC D2 04 00 02   00 00 00 13 00 0D 04 5D   .O...... .......]
[0040] 88 8A EB 1C C9 11 9F E8   08 00 2B 10 48 60 02 00   ........ ..+.H`..
[0050] 02 00 00 00 01 00 0B 02   00 00 00 01 00 07 02 00   ........ ........
[0060] 00 00 01 00 09 04 00 00   00 00 00 00 00 00 00 00   ........ ........
[0070] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0080] 01 00 00 00                                        ....
rpc reply data:
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0010] 00 00 00 00 01 00 00 00   01 00 00 00 00 00 00 00   ........ ........
[0020] 01 00 00 00 03 00 00 00   4B 00 00 00 4B 00 00 00   ........ K...K...
[0030] 05 00 13 00 0D 35 42 51   E3 06 4B D1 11 AB 04 00   .....5BQ ..K.....
[0040] C0 4F C2 DC D2 04 00 02   00 00 00 13 00 0D 04 5D   .O...... .......]
[0050] 88 8A EB 1C C9 11 9F E8   08 00 2B 10 48 60 02 00   ........ ..+.H`..
[0060] 02 00 00 00 01 00 0B 02   00 00 00 01 00 07 02 00   ........ ........
[0070] C0 00 01 00 09 04 00 00   00 00 00 00 00 00 00 00   ........ ........
Mapped to DCERPC endpoint 49152
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=10.2.2.12 bcast=10.2.255.255 netmask=255.255.0.0
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=10.2.2.12 bcast=10.2.255.255 netmask=255.255.0.0
resolve_lmhosts: Attempting lmhosts lookup for name dc1ucp<0x20>
startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts. 
Error was No such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 271
Received smb_krb5 packet of length 1373
kinit for DC1UCP$@APAM-AD.APAM.IT succeeded
dcerpc_pull_auth_trailer: auth_pad_length 0
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
dcerpc_pull_auth_trailer: auth_pad_length 0
      drsuapi_DsBind: struct drsuapi_DsBind
         in: struct drsuapi_DsBind
             bind_guid                : *
                 bind_guid                : 
e24d201a-4fd6-11d1-a3da-0000f875ae0d
             bind_info                : *
                 bind_info: struct drsuapi_DsBindInfoCtr
                     length                   : 0x0000001c (28)
                     __ndr_length             : 0x0000001c (28)
                     info                     : union 
drsuapi_DsBindInfo(case 28)
                     info28: struct drsuapi_DsBindInfo28
                         supported_extensions     : 0x0fefff7f (267386751)
                                1: DRSUAPI_SUPPORTED_EXTENSION_BASE
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
                                1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
                                1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
                                1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
                                0: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY
                                1: DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
                                1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
                                1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
                                1: DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
                                1: DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
                                1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
                                1: DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
                                0: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
                                1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
                                1: DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
                                1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
                                1: DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
                                0: 
DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
                                0: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10
                                0: 
DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2
                                0: 
DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3
                         site_guid                : 
00000000-0000-0000-0000-000000000000
                         pid                      : 0x00000000 (0)
                         repl_epoch               : 0x00000000 (0)
rpc request data:
[0000] 00 00 02 00 1A 20 4D E2   D6 4F D1 11 A3 DA 00 00   ..... M. .O......
[0010] F8 75 AE 0D 04 00 02 00   1C 00 00 00 1C 00 00 00   .u...... ........
[0020] 7F FF EF 0F 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0030] 00 00 00 00 00 00 00 00   00 00 00 00               ........ ....
      t: struct dcerpc_sec_verification_trailer
         _pad                     : DATA_BLOB length=0
         magic                    : 0000000000000000
         count: struct dcerpc_sec_vt_count
             count                    : 0x0002 (2)
         commands: ARRAY(2)
             commands: struct dcerpc_sec_vt
                 command                  : 0x0001 (1)
                     0x01: DCERPC_SEC_VT_COMMAND_ENUM (1)
                        0: DCERPC_SEC_VT_COMMAND_END
                        0: DCERPC_SEC_VT_MUST_PROCESS
                 u                        : union 
dcerpc_sec_vt_union(case 0x1)
                 bitmask1                 : 0x00000001 (1)
                        1: DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING
             commands: struct dcerpc_sec_vt
                 command                  : 0x4002 (16386)
                     0x02: DCERPC_SEC_VT_COMMAND_ENUM (2)
                        1: DCERPC_SEC_VT_COMMAND_END
                        0: DCERPC_SEC_VT_MUST_PROCESS
                 u                        : union 
dcerpc_sec_vt_union(case 0x2)
                 pcontext: struct dcerpc_sec_vt_pcontext
                     abstract_syntax: struct ndr_syntax_id
                         uuid                     : 
e3514235-4b06-11d1-ab04-00c04fc2dcd2
                         if_version               : 0x00000004 (4)
                     transfer_syntax: struct ndr_syntax_id
                         uuid                     : 
8a885d04-1ceb-11c9-9fe8-08002b104860
                         if_version               : 0x00000002 (2)
Sealed 128 bytes, and got 76 bytes header/signature.
dcerpc_pull_auth_trailer: auth_pad_length 0
Unsealed 64 bytes, with 76 bytes header/signature.
      drsuapi_DsBind: struct drsuapi_DsBind
         out: struct drsuapi_DsBind
             bind_info                : *
                 bind_info: struct drsuapi_DsBindInfoCtr
                     length                   : 0x0000001c (28)
                     __ndr_length             : 0x0000001c (28)
                     info                     : union 
drsuapi_DsBindInfo(case 28)
                     info28: struct drsuapi_DsBindInfo28
                         supported_extensions     : 0x2fffff6f (805306223)
                                1: DRSUAPI_SUPPORTED_EXTENSION_BASE
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
                                1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
                                1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
                                0: 
DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
                                1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
                                0: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY
                                1: DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
                                1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
                                1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
                                1: DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
                                1: DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
                                1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
                                1: DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
                                1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
                                1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
                                1: DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
                                1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
                                1: 
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
                                1: DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
                                0: 
DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
                                1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10
                                0: 
DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2
                                0: 
DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3
                         site_guid                : 
1cfd3ded-1d59-4031-b2cd-535ecf593ff9
                         pid                      : 0x00000000 (0)
                         repl_epoch               : 0x00000000 (0)
             bind_handle              : *
                 bind_handle: struct policy_handle
                     handle_type              : 0x00000000 (0)
                     uuid                     : 
cd26bc77-240c-461f-a15b-3cf90b2702f9
             result                   : WERR_OK
rpc reply data:
[0000] 08 00 02 00 1C 00 00 00   1C 00 00 00 6F FF FF 2F   ........ ....o../
[0010] ED 3D FD 1C 59 1D 31 40   B2 CD 53 5E CF 59 3F F9   .=..Y.1@ ..S^.Y?.
[0020] 00 00 00 00 00 00 00 00   00 00 00 00 77 BC 26 CD   ........ ....w.&.
[0030] 0C 24 1F 46 A1 5B 3C F9   0B 27 02 F9 00 00 00 00   .$.F.[<. .'......
Security token SIDs (1):
   SID[  0]: S-1-5-18
  Privileges (0xFFFFFFFFFFFFFFFF):
   Privilege[  0]: SeMachineAccountPrivilege
   Privilege[  1]: SeTakeOwnershipPrivilege
   Privilege[  2]: SeBackupPrivilege
   Privilege[  3]: SeRestorePrivilege
   Privilege[  4]: SeRemoteShutdownPrivilege
   Privilege[  5]: SePrintOperatorPrivilege
   Privilege[  6]: SeAddUsersPrivilege
   Privilege[  7]: SeDiskOperatorPrivilege
   Privilege[  8]: SeSecurityPrivilege
   Privilege[  9]: SeSystemtimePrivilege
   Privilege[ 10]: SeShutdownPrivilege
   Privilege[ 11]: SeDebugPrivilege
   Privilege[ 12]: SeSystemEnvironmentPrivilege
   Privilege[ 13]: SeSystemProfilePrivilege
   Privilege[ 14]: SeProfileSingleProcessPrivilege
   Privilege[ 15]: SeIncreaseBasePriorityPrivilege
   Privilege[ 16]: SeLoadDriverPrivilege
   Privilege[ 17]: SeCreatePagefilePrivilege
   Privilege[ 18]: SeIncreaseQuotaPrivilege
   Privilege[ 19]: SeChangeNotifyPrivilege
   Privilege[ 20]: SeUndockPrivilege
   Privilege[ 21]: SeManageVolumePrivilege
   Privilege[ 22]: SeImpersonatePrivilege
   Privilege[ 23]: SeCreateGlobalPrivilege
   Privilege[ 24]: SeEnableDelegationPrivilege
  Rights (0x               0):
lpcfg_servicenumber: couldn't find ldb
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=10.2.2.12 bcast=10.2.255.255 netmask=255.255.0.0
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=10.2.2.12 bcast=10.2.255.255 netmask=255.255.0.0
resolve_lmhosts: Attempting lmhosts lookup for name dc1ucp<0x20>
startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts. 
Error was No such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for DC1UCP$@APAM-AD.APAM.IT will expire in 36000 secs
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
      drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
         in: struct drsuapi_DsReplicaSync
             bind_handle              : *
                 bind_handle: struct policy_handle
                     handle_type              : 0x00000000 (0)
                     uuid                     : 
cd26bc77-240c-461f-a15b-3cf90b2702f9
             level                    : 0x00000001 (1)
             req                      : *
                 req                      : union 
drsuapi_DsReplicaSyncRequest(case 1)
                 req1: struct drsuapi_DsReplicaSyncRequest1
                     naming_context           : *
                         naming_context: struct 
drsuapi_DsReplicaObjectIdentifier
                             __ndr_size               : 0x0000006a (106)
                             __ndr_size_sid           : 0x00000000 (0)
                             guid                     : 
00000000-0000-0000-0000-000000000000
                             sid                      : S-0-0
                             __ndr_size_dn            : 0x00000018 (24)
                             dn                       : 
'DC=apam-ad,DC=apam,DC=it'
                     source_dsa_guid          : 
fa93022c-b204-4f74-bc44-176ab767cf54
                     source_dsa_dns           : NULL
                     options                  : 0x00000010 (16)
                            0: DRSUAPI_DRS_ASYNC_OP
                            0: DRSUAPI_DRS_GETCHG_CHECK
                            0: DRSUAPI_DRS_UPDATE_NOTIFICATION
                            0: DRSUAPI_DRS_ADD_REF
                            0: DRSUAPI_DRS_SYNC_ALL
                            0: DRSUAPI_DRS_DEL_REF
                            1: DRSUAPI_DRS_WRIT_REP
                            0: DRSUAPI_DRS_INIT_SYNC
                            0: DRSUAPI_DRS_PER_SYNC
                            0: DRSUAPI_DRS_MAIL_REP
                            0: DRSUAPI_DRS_ASYNC_REP
                            0: DRSUAPI_DRS_IGNORE_ERROR
                            0: DRSUAPI_DRS_TWOWAY_SYNC
                            0: DRSUAPI_DRS_CRITICAL_ONLY
                            0: DRSUAPI_DRS_GET_ANC
                            0: DRSUAPI_DRS_GET_NC_SIZE
                            0: DRSUAPI_DRS_LOCAL_ONLY
                            0: DRSUAPI_DRS_NONGC_RO_REP
                            0: DRSUAPI_DRS_SYNC_BYNAME
                            0: DRSUAPI_DRS_REF_OK
                            0: DRSUAPI_DRS_FULL_SYNC_NOW
                            0: DRSUAPI_DRS_NO_SOURCE
                            0: DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS
                            0: DRSUAPI_DRS_FULL_SYNC_PACKET
                            0: DRSUAPI_DRS_SYNC_REQUEUE
                            0: DRSUAPI_DRS_SYNC_URGENT
                            0: DRSUAPI_DRS_REF_GCSPN
                            0: DRSUAPI_DRS_NO_DISCARD
                            0: DRSUAPI_DRS_NEVER_SYNCED
                            0: DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING
                            0: DRSUAPI_DRS_INIT_SYNC_NOW
                            0: DRSUAPI_DRS_PREEMPTED
                            0: DRSUAPI_DRS_SYNC_FORCED
                            0: DRSUAPI_DRS_DISABLE_AUTO_SYNC
                            0: DRSUAPI_DRS_DISABLE_PERIODIC_SYNC
                            0: DRSUAPI_DRS_USE_COMPRESSION
                            0: DRSUAPI_DRS_NEVER_NOTIFY
                            0: DRSUAPI_DRS_SYNC_PAS
                            0: DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP
rpc request data:
[0000] 00 00 00 00 77 BC 26 CD   0C 24 1F 46 A1 5B 3C F9   ....w.&. .$.F.[<.
[0010] 0B 27 02 F9 01 00 00 00   01 00 00 00 F1 AE F1 AE   .'...... ........
[0020] 2C 02 93 FA 04 B2 74 4F   BC 44 17 6A B7 67 CF 54   ,.....tO .D.j.g.T
[0030] 00 00 00 00 10 00 00 00   19 00 00 00 6A 00 00 00   ........ ....j...
[0040] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0050] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0060] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0070] 18 00 00 00 44 00 43 00   3D 00 61 00 70 00 61 00   ....D.C. =.a.p.a.
[0080] 6D 00 2D 00 61 00 64 00   2C 00 44 00 43 00 3D 00   m.-.a.d. ,.D.C.=.
[0090] 61 00 70 00 61 00 6D 00   2C 00 44 00 43 00 3D 00   a.p.a.m. ,.D.C.=.
[00A0] 69 00 74 00 00 00                                  i.t...
Sealed 176 bytes, and got 76 bytes header/signature.
dcerpc_pull_auth_trailer: auth_pad_length 12
Unsealed 16 bytes, with 76 bytes header/signature.
      drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
         out: struct drsuapi_DsReplicaSync
             result                   : WERR_DS_DRA_ACCESS_DENIED
rpc reply data:
[0000] 05 21 00 00                                        .!..
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - 
drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/drs.py", 
line 386, in run
     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, 
source_dsa_guid, NC, req_options)
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", 
line 85, in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)


Giuseppe





More information about the samba-it mailing list