Problem joining 2008 Domain as DC (zero GUID issue)

Jörg Markert joerg.markert at googlemail.com
Fri Dec 6 02:08:24 MST 2013


Hi Stefan,

I'm facing the same problem. Where do I have to comment out the zero GUID
check?

Greetings
Jörg


2013/11/14 Andrew Bartlett <abartlet at samba.org>

> On Thu, 2013-11-14 at 10:43 +0100, Stephan Wolf wrote:
> > On 13.11.2013 08:57, Stephan Wolf wrote:
> > > On 12.11.2013 20:01, Andrew Bartlett wrote:
> > >> On Tue, 2013-11-12 at 15:18 +0100, Stephan Wolf wrote:
> > >>> Hi all,
> > >>>
> > >>> joining a Win 2008 Domain (in my case a 2008 SBS) will fail with the
> > >>> following error
> > >>>
> > >>> Refusing replication of object containing invalid zero invocationID on attribute 13 of CN=Deleted Objects,CN=Configuration,DC=g75,DC=local: WERR_DS_SRC_GUID_MISMATCH
> > >>> Failed to convert object CN=Deleted Objects,CN=Configuration,DC=g75,DC=local: WERR_DS_SRC_GUID_MISMATCH
> > >>> Failed to convert objects: WERR_DS_SRC_GUID_MISMATCH
> > >>> ERROR(<type 'exceptions.TypeError'>): uncaught exception - Failed to process chunk: NT code 0xc0002128
> > >>>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> > >>>     return self.run(*args, **kwargs)
> > >>>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 609, in run
> > >>>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> > >>>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1172, in join_DC
> > >>>     ctx.do_join()
> > >>>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1077, in do_join
> > >>>     ctx.join_replicate()
> > >>>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 813, in join_replicate
> > >>>     replica_flags=ctx.replica_flags)
> > >>>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 256, in replicate
> > >>>     schema=schema, req_level=req_level, req=req)
> > >>>
> > >>> the issue is caused by the following commit
> > >>>
> > >>> https://git.samba.org/samba.git/?p=samba.git;a=commit;h=25d4bafca7245e3f8291e5f0f304b1b4f8ce5600
> > >>>
> > >>> which breaks joining the 2008 domain as a DC.
> > >>>
> > >>> Is there a way to check for the function level of the domain in front of
> > >>> this GUID check?
> > >> As far as we are aware, this can only break if you ran a pre-release
> > >> version of Samba 4.1 against your server, and joining Windows 2008R2
> > >> will likewise break.
> > >>
> > >> Is this the case?  Can you test a trial copy of Windows 2008R2 to
> > >> confirm?  If we differ from Windows in implementing this check then we
> > >> can re-consider, but currently we are trying very hard not to further
> > >> propagate a corrupted domain.
> > > I ran the latest version from git master so I think it is newer than
> > > samba 4.1 release.
> > > But my server is a Win 2008 not a Win 2008R2.
> > > I also tested it with a 2008R2 and joining the domain works fine. But
> > > the replication is not working.
> > > samba-tool drs showrepl shows an error WERR_BADFILE and the log file
> > > contains an entry like this:
> > >
> > > [2013/11/13 08:49:49.909760,  0]
> > > ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback)
> > >   ../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID
> > > allocation - WERR_BADFILE - extended_ret[0x0]
> > >
> > >>
> > >> All that said, if you had for a time joined Samba 4.1 pre-releases (ie
> > >> git master around June to September this year) then clearly we need to
> > >> find a way to resolve this corruption for you.  We have such tools for
> > >> Samba DCs once replicated, but our anti-corruption test is preventing
> > >> you getting into a state where we could run it!
> > >>
> > >> Andrew Bartlett
> > >>
> > >>
> > >
> > Hi Andrew,
> >
> > I misunderstood you. I joined the domain with a 4.1 pre-release in the
> > past. So this AD corruption was replicated to the WinDC. Later on I
> > removed the samba dc.
> > How I fixed it: comment out the zero GUID check, then join the domain as
> > DC, and do a samba-tool dbcheck --fix. After that remove the comments
> > from the source and restart samba. Run samba-tool dbcheck to make sure
> > everything is ok.
> >
> > This issue is resolved.
>
> Great, this was essentially what I was going to recommend once I
> confirmed the domain history.  Thanks for the feedback!
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Catalyst IT                   http://catalyst.net.nz
>
>
>
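
Added example, not part of the thread and not Samba code: a small Python triage script that extracts every object refused for a zero invocationID from captured join output, so the same capture can be compared before and after the `samba-tool dbcheck --fix` pass described above. The message format is taken from the error quoted in this thread; the function names and the second sample line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample. The first message is the one quoted in this thread, left
# hard-wrapped and '>'-quoted as a mail client delivers it; the second message
# (CN=Example User, attribute 3) is invented for the example.
SAMPLE = """\
> > >>> Refusing replication of object containing invalid zero invocationID
> on
> > >>> attribute 13 of CN=Deleted Objects,CN=Configuration,DC=g75,DC=local:
> > >>> WERR_DS_SRC_GUID_MISMATCH
> > >>> Failed to convert object CN=Deleted
> > >>> Objects,CN=Configuration,DC=g75,DC=local: WERR_DS_SRC_GUID_MISMATCH
Refusing replication of object containing invalid zero invocationID on
attribute 3 of CN=Example User,CN=Users,DC=g75,DC=local:
WERR_DS_SRC_GUID_MISMATCH
"""

# DNs contain spaces and commas, so match lazily up to the ": WERR_..." status.
REFUSAL = re.compile(
    r"invalid zero invocationID on attribute (\d+) of (.+?): (WERR_[A-Z_]+)")


def unwrap(text):
    """Drop mail quote markers and rejoin hard-wrapped lines into one string."""
    lines = (re.sub(r"^[>\s]+", "", line) for line in text.splitlines())
    return " ".join(line.strip() for line in lines if line.strip())


def zero_invocation_refusals(text):
    """Map each refused DN to the sorted attribute numbers reported for it."""
    found = defaultdict(set)
    for match in REFUSAL.finditer(unwrap(text)):
        attr, dn, _status = match.groups()
        found[" ".join(dn.split())].add(int(attr))
    return {dn: sorted(attrs) for dn, attrs in found.items()}


if __name__ == "__main__":
    for dn, attrs in zero_invocation_refusals(SAMPLE).items():
        print(f"{dn}: attributes {attrs}")
```

An empty result on the output of a later join or replication run, with the check back in place, is consistent with the repair having removed the zero values.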

