DRS replication fails with Windows 2003 R2

Dmitry Khromov icechrome at gmail.com
Tue Sep 25 15:10:53 MDT 2012


Hello.
I'm trying to integrate Samba 4 as a DC in production. We aim to replace our only Windows 2003 Enterprise R2 Russian DC with 2 Samba DCs. I've got a replication problem, and I'm unsure if it is a bug or misconfiguration.
Windows and Samba DCs are amd64 VMs, running under the control of Xen (so, the time is the same). Windows VM has GPLPV drivers. Xen's Domain 0 and Samba DC VM are Gentoo-based. 2k3 DC is dc1.klin.kifato-mk.com. Samba VM is dc0.klin.kifato-mk.com.

dc0 samba # uname -a
Linux dc0 3.5.1-genericvm-r1 #1 SMP Mon Aug 13 10:24:07 MSK 2012 x86_64 Intel(R) Xeon(R) CPU E5540 @ 2.53GHz GenuineIntel GNU/Linux
dc0 samba # sbin/samba --version
Version 4.0.0rc1

I join the Samba like this:
dc0 samba # bin/samba-tool domain join klin.kifato-mk.com DC -UMK_KLIN\\ice_eng --realm=klin.kifato-mk.com --dns-backend=SAMBA_INTERNAL --option=bind\ interfaces\ only=yes --option=interfaces=192.168.1.31,\ 127.0.0.1
Finding a writeable DC for domain 'klin.kifato-mk.com'
Found DC dc1.klin.kifato-mk.com
[output truncated]
Joined domain MK_KLIN (SID S-1-5-21-98486140-92642785-846719952) as a DC

Some of the Samba VM's interfaces are unroutable from Windows DC and domain workstations, so I use "bind interfaces only" and "interfaces" (I have tried without them and with --dns-backend=NONE, too).

Next, start Samba:
dc0 samba # sbin/samba -d 10 -i -M single 2> /tmp/smb_error.log | tee /tmp/smb_debug.lo

Samba registers in Windows DNS successfully.
After that, I try to run drs kcc for Windows DC:
dc0 samba # bin/samba-tool drs kcc dc1.klin.kifato-mk.com
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:dc1.klin.kifato-mk.com[1026,seal] NT_STATUS_UNSUCCESSFUL
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to dc1.klin.kifato-mk.com failed - drsException: DRS connection to dc1.klin.kifato-mk.com failed: (-1073741823, 'Undetermined error')
[output truncated]

It fails. So, I've done repadmin /kcc on Windows DC to make it know about Samba.
dc0 samba # bin/samba-tool drs showrepl
Default-First-Site-Name\DC0
DSA Options: 0x00000001
DSA object GUID: b4a1f1f7-a83b-4bad-9ab2-08b7c6c13fab
DSA invocationId: 381783a5-e86d-47f0-b820-e2c3fbb50cac
==== INBOUND NEIGHBORS ====
DC=klin,DC=kifato-mk,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
                Last attempt @ Tue Sep 25 20:27:59 2012 MSK failed, result 121 (WERR_SEM_TIMEOUT)
                5 consecutive failure(s).
                Last success @ NTTIME(0)

[output truncated]
So, the replication fails.
Log has the same lines as drs kcc above:

dc0 samba # grep 'Failed to bind' /tmp/smb_debug.log | uniq
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:6c01aaa6-6374-409d-a7e9-4010964e2dca._msdcs.klin.kifato-mk.com[1026,seal,krb5] NT_STATUS_UNSUCCESSFUL
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:6c01aaa6-6374-409d-a7e9-4010964e2dca._msdcs.klin.kifato-mk.com[1026,seal,krb5] NT_STATUS_IO_TIMEOUT
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:6c01aaa6-6374-409d-a7e9-4010964e2dca._msdcs.klin.kifato-mk.com[1026,seal,krb5] NT_STATUS_UNSUCCESSFUL

Any suggestions?

Part of smb_debug.log.xz, full "domain join" and "drs showrepl" outputs are attached.
-- 
Best regards,
Dmitry Khromov
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb_debug.log.xz
Type: application/octet-stream
Size: 49180 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120926/9f342a2b/attachment.obj>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: domainjoin.log
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120926/9f342a2b/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: drsshowrepl.txt
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120926/9f342a2b/attachment.txt>
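
An added example, not part of the original message and not Samba code: a small Python parser that groups "Failed to bind" lines like those quoted above by endpoint, options and NT status. Because `uniq` only collapses adjacent duplicates, the grep output in the message lists NT_STATUS_UNSUCCESSFUL twice; counting per tuple avoids that. The sample event sequence is constructed, and treating the first bracketed item as the TCP port is an assumption based on the lines shown.

```python
import re
from collections import Counter

# Interface UUID and endpoints are copied from the message; the sequence of
# events is constructed for illustration and is not the real log.
IFACE = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"
EP_GUID = ("ncacn_ip_tcp:6c01aaa6-6374-409d-a7e9-4010964e2dca"
           "._msdcs.klin.kifato-mk.com[1026,seal,krb5]")
EP_DC1 = "ncacn_ip_tcp:dc1.klin.kifato-mk.com[1026,seal]"
EVENTS = [
    (EP_GUID, "NT_STATUS_UNSUCCESSFUL"),
    (EP_GUID, "NT_STATUS_UNSUCCESSFUL"),
    (EP_GUID, "NT_STATUS_IO_TIMEOUT"),
    (EP_GUID, "NT_STATUS_UNSUCCESSFUL"),
    (EP_DC1, "NT_STATUS_UNSUCCESSFUL"),
]
SAMPLE_LOG = "\n".join(
    f"Failed to bind to uuid {IFACE} for {IFACE} at {ep} {st}" for ep, st in EVENTS
) + "\nsome unrelated debug line\n"

# transport:host[opt,opt,...] followed by the NT status name
BIND_FAILURE = re.compile(
    r"Failed to bind to uuid [0-9a-f-]{36} for \S+ at "
    r"\w+:(?P<host>[^\[\s]+)\[(?P<opts>[^\]]*)\]\s+(?P<status>NT_STATUS_\w+)"
)


def parse_bind_failure(line):
    """Return (host, port, flags, status) for a bind-failure line, else None."""
    m = BIND_FAILURE.search(line)
    if not m:
        return None
    opts = [o for o in m.group("opts").split(",") if o]
    # Assumption: a numeric first option is the TCP port; the rest are flags.
    port = int(opts[0]) if opts and opts[0].isdigit() else None
    flags = tuple(o for o in opts if not o.isdigit())
    return (m.group("host"), port, flags, m.group("status"))


def summarize(log_text):
    """Count bind failures per (host, port, flags, status), order-independent."""
    return Counter(
        rec for rec in map(parse_bind_failure, log_text.splitlines()) if rec
    )


if __name__ == "__main__":
    for (host, port, flags, status), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {status:24s} {host}:{port} [{','.join(flags)}]")
```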