Problem joining 2008 Domain as DC (zero GUID issue)
stephan at letzte-bankreihe.de
Thu Nov 14 02:43:12 MST 2013
Am 13.11.2013 08:57, schrieb Stephan Wolf:
> Am 12.11.2013 20:01, schrieb Andrew Bartlett:
>> On Tue, 2013-11-12 at 15:18 +0100, Stephan Wolf wrote:
>>> Hi all,
>>> joining a Win 2008 Domain (in my case a 2008 SBS) will fail with the
>>> following error
>>> Refusing replication of object containing invalid zero invocationID on
>>> attribute 13 of CN=Deleted Objects,CN=Configuration,DC=g75,DC=local:
>>> Failed to convert object CN=Deleted
>>> Objects,CN=Configuration,DC=g75,DC=local: WERR_DS_SRC_GUID_MISMATCH
>>> Failed to convert objects: WERR_DS_SRC_GUID_MISMATCH
>>> ERROR(<type 'exceptions.TypeError'>): uncaught exception - Failed to
>>> process chunk: NT code 0xc0002128
>>> line 175, in _run
>>> return self.run(*args, **kwargs)
>>> line 609, in run
>>> machinepass=machinepass, use_ntvfs=use_ntvfs,
>>> line 1172, in join_DC
>>> line 1077, in do_join
>>> line 813, in join_replicate
>>> line 256, in replicate
>>> schema=schema, req_level=req_level, req=req)
>>> the issue is caused by the following commit
>>> which breaks joining the 2008 domain as an DC.
>>> Is there a way to check for the function level of the domain in
>>> front of
>>> this GUID check?
>> As far as we are aware, this can only break if you ran a pre-release
>> version of Samba 4.1 against your server, and joining Windows 2008R2
>> will likewise break.
>> Is this the case? Can you test a trial copy of Windows 2008R2 to
>> confirm? If we differ from Windows in implementing this check then we
>> can re-consider, but currently we are trying very hard not to further
>> propagate a corrupted domain.
> I ran the latest version from git master so I think it is newer than
> samba 4.1 release.
> But my server is a Win 2008 not a Win 2008R2.
> I also tested it with a 2008R2 and joining the domain works fine. But
> the replication is not working.
> samba-tool drs showrepl shows an error WERR_BADFILE and the log file
> contains an entry like this:
> [2013/11/13 08:49:49.909760, 0]
> ../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID
> allocation - WERR_BADFILE - extended_ret[0x0]
>> All that said, if you had for a time joined Samba 4.1 pre-releases (ie
>> git master around June to September this year) then clearly we need to
>> find a way to resolve this corruption for you. We have such tools for
>> Samba DCs once replicated, but our anti-corruption test is preventing
>> you getting into a state where we could run it!
>> Andrew Bartlett
I misunderstand you. I joined the domain with a 4.1 prelease in the
past. So this AD corruption was replicated to the WinDC. Later on I
removed the samba dc.
How I fixed it: comment out the zero GUID check than join the domain as
DC. and do a samba-tool dbcheck --fix. After that remove the comments
from the source and restart samba. Run samba-tool dbcheck to make sure
everthing is ok.
This issue is resolved.
More information about the samba-technical