Problem joining 2008 Domain as DC (zero GUID issue)

Andrew Bartlett abartlet at samba.org
Thu Nov 14 13:45:26 MST 2013


On Thu, 2013-11-14 at 10:43 +0100, Stephan Wolf wrote:
> On 13.11.2013 08:57, Stephan Wolf wrote:
> > On 12.11.2013 20:01, Andrew Bartlett wrote:
> >> On Tue, 2013-11-12 at 15:18 +0100, Stephan Wolf wrote:
> >>> Hi all,
> >>>
> >>> joining a Win 2008 Domain (in my case a 2008 SBS) will fail with the
> >>> following error
> >>>
> >>> Refusing replication of object containing invalid zero invocationID on attribute 13 of CN=Deleted Objects,CN=Configuration,DC=g75,DC=local: WERR_DS_SRC_GUID_MISMATCH
> >>> Failed to convert object CN=Deleted Objects,CN=Configuration,DC=g75,DC=local: WERR_DS_SRC_GUID_MISMATCH
> >>> Failed to convert objects: WERR_DS_SRC_GUID_MISMATCH
> >>> ERROR(<type 'exceptions.TypeError'>): uncaught exception - Failed to process chunk: NT code 0xc0002128
> >>>     File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> >>>       return self.run(*args, **kwargs)
> >>>     File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 609, in run
> >>>       machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> >>>     File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1172, in join_DC
> >>>       ctx.do_join()
> >>>     File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1077, in do_join
> >>>       ctx.join_replicate()
> >>>     File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 813, in join_replicate
> >>>       replica_flags=ctx.replica_flags)
> >>>     File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 256, in replicate
> >>>       schema=schema, req_level=req_level, req=req)
> >>>
> >>> the issue is caused by the following commit
> >>> https://git.samba.org/samba.git/?p=samba.git;a=commit;h=25d4bafca7245e3f8291e5f0f304b1b4f8ce5600
> >>>
> >>> which breaks joining the 2008 domain as a DC.
> >>>
> >>> Is there a way to check for the function level of the domain in front of
> >>> this GUID check?
> >> As far as we are aware, this can only break if you ran a pre-release
> >> version of Samba 4.1 against your server, and joining Windows 2008R2
> >> will likewise break.
> >>
> >> Is this the case?  Can you test a trial copy of Windows 2008R2 to
> >> confirm?  If we differ from Windows in implementing this check then we
> >> can re-consider, but currently we are trying very hard not to further
> >> propagate a corrupted domain.
> > I ran the latest version from git master so I think it is newer than 
> > samba 4.1 release.
> > But my server is a Win 2008 not a Win 2008R2.
> > I also tested it with a 2008R2 and joining the domain works fine. But 
> > the replication is not working.
> > samba-tool drs showrepl shows an error WERR_BADFILE and the log file 
> > contains an entry like this:
> >
> > [2013/11/13 08:49:49.909760,  0] ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback)
> >   ../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID allocation - WERR_BADFILE - extended_ret[0x0]
> >
> >>
> >> All that said, if you had for a time joined Samba 4.1 pre-releases (ie
> >> git master around June to September this year) then clearly we need to
> >> find a way to resolve this corruption for you.  We have such tools for
> >> Samba DCs once replicated, but our anti-corruption test is preventing
> >> you getting into a state where we could run it!
> >>
> >> Andrew Bartlett
> >>
> >>
> >
> Hi Andrew,
> 
> I misunderstood you. I joined the domain with a 4.1 pre-release in the 
> past. So this AD corruption was replicated to the WinDC. Later on I 
> removed the samba dc.
> How I fixed it: comment out the zero GUID check, then join the domain as 
> DC, and do a samba-tool dbcheck --fix. After that remove the comments 
> from the source and restart samba. Run samba-tool dbcheck to make sure 
> everything is ok.
> 
> This issue is resolved.

Great, this was essentially what I was going to recommend once I
confirmed the domain history.  Thanks for the feedback!

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz



