Problem joining 2008 Domain as DC (zero GUID issue) and replication issue
Stephan Wolf
stephan at letzte-bankreihe.de
Wed Nov 13 08:15:23 MST 2013
Am 13.11.2013 15:19, schrieb Stephan Wolf:
> Am 13.11.2013 08:57, schrieb Stephan Wolf:
>> Am 12.11.2013 20:01, schrieb Andrew Bartlett:
>>> On Tue, 2013-11-12 at 15:18 +0100, Stephan Wolf wrote:
>>>> Hi all,
>>>>
>>>> joining a Win 2008 Domain (in my case a 2008 SBS) will fail with the
>>>> following error
>>>>
>>>> Refusing replication of object containing invalid zero invocationID on
>>>> attribute 13 of CN=Deleted Objects,CN=Configuration,DC=g75,DC=local:
>>>> WERR_DS_SRC_GUID_MISMATCH
>>>> Failed to convert object CN=Deleted
>>>> Objects,CN=Configuration,DC=g75,DC=local: WERR_DS_SRC_GUID_MISMATCH
>>>> Failed to convert objects: WERR_DS_SRC_GUID_MISMATCH
>>>> ERROR(<type 'exceptions.TypeError'>): uncaught exception - Failed to
>>>> process chunk: NT code 0xc0002128
>>>> File
>>>> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
>>>>
>>>> line 175, in _run
>>>> return self.run(*args, **kwargs)
>>>> File
>>>> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
>>>>
>>>> line 609, in run
>>>> machinepass=machinepass, use_ntvfs=use_ntvfs,
>>>> dns_backend=dns_backend)
>>>> File
>>>> "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
>>>> line 1172, in join_DC
>>>> ctx.do_join()
>>>> File
>>>> "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
>>>> line 1077, in do_join
>>>> ctx.join_replicate()
>>>> File
>>>> "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
>>>> line 813, in join_replicate
>>>> replica_flags=ctx.replica_flags)
>>>> File
>>>> "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py",
>>>> line 256, in replicate
>>>> schema=schema, req_level=req_level, req=req)
>>>>
>>>> the issue is caused by the following commit
>>>> https://git.samba.org/samba.git/?p=samba.git;a=commit;h=25d4bafca7245e3f8291e5f0f304b1b4f8ce5600
>>>>
>>>>
>>>> which breaks joining the 2008 domain as an DC.
>>>>
>>>> Is there a way to check for the function level of the domain in
>>>> front of
>>>> this GUID check?
>>> As far as we are aware, this can only break if you ran a pre-release
>>> version of Samba 4.1 against your server, and joining Windows 2008R2
>>> will likewise break.
>>>
>>> Is this the case? Can you test a trial copy of Windows 2008R2 to
>>> confirm? If we differ from Windows in implementing this check then we
>>> can re-consider, but currently we are trying very hard not to further
>>> propagate a corrupted domain.
>> I ran the latest version from git master so I think it is newer than
>> samba 4.1 release.
>> But my server is a Win 2008 not a Win 2008R2.
>> I also tested it with a 2008R2 and joining the domain works fine. But
>> the replication is not working.
>> samba-tool drs showrepl shows an error WERR_BADFILE and the log file
>> contains an entry like this:
>>
>> [2013/11/13 08:49:49.909760, 0]
>> ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback)
>> ../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID
>> allocation - WERR_BADFILE - extended_ret[0x0]
> I found the solution for the RID Manager problem described here:
> http://wiki.indie-it.com/index.php?title=Samba#SAMBA4_HOWTO:_Fix_Error_In_DC_Replication
> The reason is a bug in the dns resolver of glibc 2.17.
reading the RFC http://www.ietf.org/rfc/rfc1035.txt for DNS naming
convention I think glibc people will not fix this issue.
So I think samba have to use its own dns resolver.
>>
>>>
>>> All that said, if you had for a time joined Samba 4.1 pre-releases (ie
>>> git master around June to September this year) then clearly we need to
>>> find a way to resolve this corruption for you. We have such tools for
>>> Samba DCs once replicated, but our anti-corruption test is preventing
>>> you getting into a state where we could run it!
>>>
>>> Andrew Bartlett
>>>
>>>
>>
>
More information about the samba-technical
mailing list