Problem joining 2008 Domain as DC (zero GUID issue)
Andrew Bartlett
abartlet at samba.org
Tue Nov 12 12:01:26 MST 2013
On Tue, 2013-11-12 at 15:18 +0100, Stephan Wolf wrote:
> Hi all,
>
> joining a Win 2008 Domain (in my case a 2008 SBS) will fail with the
> following error
>
> Refusing replication of object containing invalid zero invocationID on
> attribute 13 of CN=Deleted Objects,CN=Configuration,DC=g75,DC=local:
> WERR_DS_SRC_GUID_MISMATCH
> Failed to convert object CN=Deleted
> Objects,CN=Configuration,DC=g75,DC=local: WERR_DS_SRC_GUID_MISMATCH
> Failed to convert objects: WERR_DS_SRC_GUID_MISMATCH
> ERROR(<type 'exceptions.TypeError'>): uncaught exception - Failed to
> process chunk: NT code 0xc0002128
> File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
> line 609, in run
> machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
> line 1172, in join_DC
> ctx.do_join()
> File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
> line 1077, in do_join
> ctx.join_replicate()
> File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
> line 813, in join_replicate
> replica_flags=ctx.replica_flags)
> File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py",
> line 256, in replicate
> schema=schema, req_level=req_level, req=req)
>
> the issue is caused by the following commit
> https://git.samba.org/samba.git/?p=samba.git;a=commit;h=25d4bafca7245e3f8291e5f0f304b1b4f8ce5600
>
> which breaks joining the 2008 domain as an DC.
>
> Is there a way to check for the function level of the domain in front of
> this GUID check?
As far as we are aware, this can only break if you ran a pre-release
version of Samba 4.1 against your server, and joining Windows 2008R2
will likewise break.
Is this the case? Can you test a trial copy of Windows 2008R2 to
confirm? If we differ from Windows in implementing this check then we
can re-consider, but currently we are trying very hard not to further
propagate a corrupted domain.
All that said, if you had for a time joined Samba 4.1 pre-releases (ie
git master around June to September this year) then clearly we need to
find a way to resolve this corruption for you. We have such tools for
Samba DCs once replicated, but our anti-corruption test is preventing
you getting into a state where we could run it!
Andrew Bartlett
More information about the samba-technical
mailing list