Problem joining 2008 Domain as DC (zero GUID issue)

Stephan Wolf stephan at letzte-bankreihe.de
Fri Dec 6 08:21:46 MST 2013


Hello Jörg,

I commented out the code change of the commit described below:
https://git.samba.org/samba.git/?p=samba.git;a=commit;h=25d4bafca7245e3f8291e5f0f304b1b4f8ce5600

which is

--- a/source4/dsdb/repl/replicated_objects.c
+++ b/source4/dsdb/repl/replicated_objects.c
@@ -427,6 +427,15 @@ WERROR dsdb_convert_object_ex(struct ldb_context *ldb,
                         continue;
                 }

+               if (GUID_all_zero(&d->originating_invocation_id)) {
+                       status = WERR_DS_SRC_GUID_MISMATCH;
+                       DEBUG(0, ("Refusing replication of object 
containing invalid zero invocationID on attribute %d of %s: %s\n",
+                                 a->attid,
+ ldb_dn_get_linearized(msg->dn),
+                                 win_errstr(status)));
+                       return status;
+               }
+
                 if (a->attid == DRSUAPI_ATTID_instanceType) {
                         if (instanceType_e != NULL) {
                                 return WERR_FOOBAR;
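
Review bot: the early "return status" inside the attribute loop stops at the first zero originating_invocation_id, so the log only ever names one attribute of one object and the caller gets no picture of how much metadata is affected. Because the refusal is unconditional, please also add a comment beside the check stating the supported way to repair a partition that already carries such metadata. As a smaller point, a->attid is printed with %d while the code just below compares it against DRSUAPI_ATTID_* constants; printing it as unsigned hex would make the value easier to match to those names.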

After that I did a dbcheck --fix and these entries are removed. But later
on I got the mystique schema mismatch error in the Windows event log.

Regards,
Stephan


On 06.12.2013 10:08, Jörg Markert wrote:
> Hi Stefan,
>
> I'm facing the same problem, where do I have to comment out the 
> zeroGUID check?
>
> Greeting
> Jörg
>
>
> 2013/11/14 Andrew Bartlett <abartlet at samba.org>
>
>     On Thu, 2013-11-14 at 10:43 +0100, Stephan Wolf wrote:
>     > On 13.11.2013 08:57, Stephan Wolf wrote:
>     > > On 12.11.2013 20:01, Andrew Bartlett wrote:
>     > >> On Tue, 2013-11-12 at 15:18 +0100, Stephan Wolf wrote:
>     > >>> Hi all,
>     > >>>
>     > >>> joining a Win 2008 Domain (in my case a 2008 SBS) will fail with the
>     > >>> following error
>     > >>>
>     > >>> Refusing replication of object containing invalid zero invocationID on
>     > >>> attribute 13 of CN=Deleted Objects,CN=Configuration,DC=g75,DC=local:
>     > >>> WERR_DS_SRC_GUID_MISMATCH
>     > >>> Failed to convert object CN=Deleted
>     > >>> Objects,CN=Configuration,DC=g75,DC=local: WERR_DS_SRC_GUID_MISMATCH
>     > >>> Failed to convert objects: WERR_DS_SRC_GUID_MISMATCH
>     > >>> ERROR(<type 'exceptions.TypeError'>): uncaught exception - Failed to
>     > >>> process chunk: NT code 0xc0002128
>     > >>>     File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     > >>>       return self.run(*args, **kwargs)
>     > >>>     File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 609, in run
>     > >>>       machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>     > >>>     File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1172, in join_DC
>     > >>>       ctx.do_join()
>     > >>>     File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1077, in do_join
>     > >>>       ctx.join_replicate()
>     > >>>     File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 813, in join_replicate
>     > >>>       replica_flags=ctx.replica_flags)
>     > >>>     File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 256, in replicate
>     > >>>       schema=schema, req_level=req_level, req=req)
>     > >>>
>     > >>> the issue is caused by the following commit
>     > >>> https://git.samba.org/samba.git/?p=samba.git;a=commit;h=25d4bafca7245e3f8291e5f0f304b1b4f8ce5600
>     > >>>
>     > >>> which breaks joining the 2008 domain as a DC.
>     > >>>
>     > >>> Is there a way to check for the function level of the domain in front of
>     > >>> this GUID check?
>     > >> As far as we are aware, this can only break if you ran a pre-release
>     > >> version of Samba 4.1 against your server, and joining Windows 2008R2
>     > >> will likewise break.
>     > >>
>     > >> Is this the case?  Can you test a trial copy of Windows 2008R2 to
>     > >> confirm?  If we differ from Windows in implementing this check then we
>     > >> can re-consider, but currently we are trying very hard not to further
>     > >> propagate a corrupted domain.
>     > > I ran the latest version from git master so I think it is newer than
>     > > samba 4.1 release.
>     > > But my server is a Win 2008 not a Win 2008R2.
>     > > I also tested it with a 2008R2 and joining the domain works fine. But
>     > > the replication is not working.
>     > > samba-tool drs showrepl shows an error WERR_BADFILE and the log file
>     > > contains an entry like this:
>     > >
>     > > [2013/11/13 08:49:49.909760,  0] ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback)
>     > >   ../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID allocation - WERR_BADFILE - extended_ret[0x0]
>     > >
>     > >>
>     > >> All that said, if you had for a time joined Samba 4.1 pre-releases (ie
>     > >> git master around June to September this year) then clearly we need to
>     > >> find a way to resolve this corruption for you.  We have such tools for
>     > >> Samba DCs once replicated, but our anti-corruption test is preventing
>     > >> you getting into a state where we could run it!
>     > >>
>     > >> Andrew Bartlett
>     > >>
>     > >>
>     > >
>     > Hi Andrew,
>     >
>     > I misunderstood you. I joined the domain with a 4.1 pre-release in the
>     > past. So this AD corruption was replicated to the WinDC. Later on I
>     > removed the samba dc.
>     > How I fixed it: comment out the zero GUID check, then join the domain as
>     > DC and do a samba-tool dbcheck --fix. After that remove the comments
>     > from the source and restart samba. Run samba-tool dbcheck to make sure
>     > everything is ok.
>     >
>     > This issue is resolved.
>
>     Great, this was essentially what I was going to recommend once I
>     confirmed the domain history.  Thanks for the feedback!
>
>     Andrew Bartlett
>
>     --
>     Andrew Bartlett
>     http://samba.org/~abartlet/
>     Authentication Developer, Samba Team http://samba.org
>     Samba Developer, Catalyst IT http://catalyst.net.nz
>
>
>
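
An added example, not part of the original thread and not Samba code: a small Python helper that pulls the object DN and attribute number out of the refusal message logged by the check quoted above, tolerating mail quoting and line wraps, so the affected objects can be listed before and after a repair. The function names and the second DN/attribute pair in the sample are constructed for illustration.

```python
import re
from collections import Counter

# Message text as produced by the DEBUG() call in the hunk quoted in this post.
REFUSAL = re.compile(
    r"Refusing replication of object containing invalid zero invocationID "
    r"on attribute (\d+) of (.+?): (WERR_[A-Z0-9_]+)"
)

# Constructed sample. The first message is the one reported in this thread,
# still mail-quoted and wrapped; the last DN/attribute pair is made up.
SAMPLE = """\
>     > >>> Refusing replication of object containing invalid zero
>     invocationID on
>     > >>> attribute 13 of CN=Deleted
>     Objects,CN=Configuration,DC=g75,DC=local:
>     > >>> WERR_DS_SRC_GUID_MISMATCH
Refusing replication of object containing invalid zero invocationID on attribute 13 of CN=Deleted Objects,CN=Configuration,DC=g75,DC=local: WERR_DS_SRC_GUID_MISMATCH
Refusing replication of object containing invalid zero invocationID on attribute 3 of CN=Example,CN=Configuration,DC=g75,DC=local: WERR_DS_SRC_GUID_MISMATCH
"""

def normalise(text):
    """Drop mail quote prefixes and rejoin wrapped lines into one string."""
    stripped = (re.sub(r"^[>\s]+", "", line).strip() for line in text.splitlines())
    return " ".join(line for line in stripped if line)

def zero_invocation_hits(text):
    """Count refusals per (object DN, attribute number)."""
    hits = Counter()
    for attid, dn, _status in REFUSAL.findall(normalise(text)):
        hits[(dn, int(attid))] += 1
    return hits

def affected_objects(text):
    """Map each refused DN to the sorted attribute numbers logged for it."""
    by_dn = {}
    for dn, attid in zero_invocation_hits(text):
        by_dn.setdefault(dn, set()).add(attid)
    return {dn: sorted(ids) for dn, ids in by_dn.items()}

if __name__ == "__main__":
    for dn, attids in affected_objects(SAMPLE).items():
        print(dn, attids)
```

Because the check returns on the first zero invocationID, each join attempt logs at most one such line, so the counts reflect repeated attempts rather than the full extent of the affected metadata.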


