Error 8418: The replication operation failed because of a schema mismatch between the servers involved

Sinelnikov Evgeniy Sinelnikov.E at digdes.com
Tue Mar 29 16:06:16 UTC 2016


Hello,

I found a solution for this problem.

It is not due to the DCERPC interconnection, as I thought (https://bugzilla.samba.org/show_bug.cgi?id=11758).
It is really due to a wrong attid in the DsGetNCChanges response from Samba.
To localize this problem I logged all DCERPC packets into files (see the DEBUG patches).

In the next step I filtered out all replicated objects except one. I found that it is a User or Computer with additional linked attributes from the Microsoft Exchange extension, such as homeMDB.

As a result I got two GetNCChanges responses, from the Samba DC and the Windows DC, and compared them.
...
                                         guid                     : eb8f5dd6-417a-45ec-8d9d-c52a60285aaf
-                                        sid                      : S-1-5-21-8659820-343394492-589173015-1126
-                                        __ndr_size_dn            : 0x00000024 (36)
-                                        dn                       : 'CN=User11,CN=Users,DC=company3,DC=dd'
-                                attid                    : UNKNOWN_ENUM_VALUE (0x200F4)
+                                        sid                      : S-0-0
+                                        __ndr_size_dn            : 0x00000000 (0)
+                                        dn                       : ''
+                                attid                    : UNKNOWN_ENUM_VALUE (0x88EC88B7)
                                 value: struct drsuapi_DsAttributeValue
...

In the next part I found a simple solution, which works for me.

--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -477,7 +477,7 @@ static WERROR get_nc_changes_add_la(TALLOC_CTX *mem_ctx,
                        return WERR_OK;
                }
        }
-       la->attid = sa->attributeID_id;
+       la->attid = sa->msDS_IntId == 0 ? sa->attributeID_id : sa->msDS_IntId;
        la->flags = active?DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE:0;
 
        status = dsdb_get_extended_dn_uint32(dsdb_dn->dn, &la->meta_data.version, "RMD_VERSION");
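Review bot: The new `la->attid` assignment carries no comment saying why `msDS_IntId` takes precedence or that a zero value is being treated as "attribute has no msDS-IntId". A one-line comment above the ternary would make that convention explicit for the next reader. This hunk only changes the linked-attribute path in `get_nc_changes_add_la()`; if other places in getncchanges.c assign `attributeID_id` to an attid, the same selection should live in one small helper so the rule cannot diverge between call sites.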


Please, review my patch for rpc_server/drsuapi.


> -----Original Message-----
> From: samba-technical [mailto:samba-technical-bounces at lists.samba.org]
> On Behalf Of Sinelnikov Evgeniy
> Sent: Saturday, February 20, 2016 9:43 PM
> To: Matthieu Patou <mat at matws.net>; Stefan Metzmacher
> <metze at samba.org>; samba-technical at lists.samba.org
> Cc: Shumay Konstantin <Shumay.K at digdes.com>
> Subject: RE: Error 8418: The replication operation failed because of a schema
> mismatch between the servers involved
> 
> Hello,
> 
> I tried to investigate SCHEMA_MISMATCH replication problem deeper using
> Wireshark and GDB. And will be glad to share current results:
> * test14: https://goo.gl/BSStsW (Problem with Samba DsGetNCChanges
> response on Windows request after DsReplicaSync)
> * test13: https://goo.gl/2cr8xj (Original work between Windows DC's)
> 
> Original behavior between Windows DC's looks like:
> - DsReplicaSync request (call_id: 3)
> - DsGetNCChanges request (call_id: 4)
> - DsGetNCChanges response(call_id: 4)
> - DsReplicaSync response (call_id: 3)
> NC in response is same as in request.
> 
> Samba behavior with Windows DC looks like:
> - DsReplicaSync request (call_id: 3) - to Windows DC
> - DsGetNCChanges request (call_id: 31) - from Windows DC to Samba DC
> - DsGetNCChanges response(call_id: 29) - response from Samba DC looks like
> wrong
> - DsReplicaSync response (call_id: 3) - return 0x20e2 = 8418 -
> WERR_DS_DRA_SCHEMA_MISMATCH.
> NC in response may not be the same as in request. One time I got a strange
> answer with nca_s_fault_context_mismatch.
> 
> 
> This problem is reproduced after joining and replicating a Samba DC to a domain based
> on a Windows 2003 R2 x64 Domain controller extended with the Exchange
> 2003/2010 schema.
> All DC servers are 64bit. But not dedicated server with Exchange.
> 
> # samba-tool drs replicate dc01 dc02 dc=company3,dc=dd Start replicating
> for source GUID 28c2a0c4-d9d0-46ff-b659-3f179b632355.
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8418, 'WERR_DS_DRA_SCHEMA_MISMATCH')
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 349, in run
>     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
> 
> 
> Also I want to note that there is a difference in the replica flags set to the Samba
> DC:
> 
> -                                    highest_usn              : 0x000000000000cf51 (53073)
> -                    replica_flags            : 0x00000070 (112)
> +                                    highest_usn              : 0x000000000000cfbc (53180)
> +                    replica_flags            : 0x00201070 (2101360)
>                             0: DRSUAPI_DRS_ASYNC_OP.....
>                             0: DRSUAPI_DRS_GETCHG_CHECK.
>                             0: DRSUAPI_DRS_UPDATE_NOTIFICATION @@ -55,8 +55,8
> @@
>                             0: DRSUAPI_DRS_TWOWAY_SYNC
>                             0: DRSUAPI_DRS_CRITICAL_ONLY
>                             0: DRSUAPI_DRS_GET_ANC
> -                           0: DRSUAPI_DRS_GET_NC_SIZE
> -                           0: DRSUAPI_DRS_LOCAL_ONLY
> +                           1: DRSUAPI_DRS_GET_NC_SIZE
> +                           1: DRSUAPI_DRS_LOCAL_ONLY
>                             0: DRSUAPI_DRS_NONGC_RO_REP
>                             0: DRSUAPI_DRS_SYNC_BYNAME
>                             0: DRSUAPI_DRS_REF_OK
> @@ -68,7 +68,7 @@
>                             0: DRSUAPI_DRS_SYNC_URGENT
>                             0: DRSUAPI_DRS_REF_GCSPN
>                             0: DRSUAPI_DRS_NO_DISCARD
> -                           0: DRSUAPI_DRS_NEVER_SYNCED
> +                           1: DRSUAPI_DRS_NEVER_SYNCED
>                             0: DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING
>                             0: DRSUAPI_DRS_INIT_SYNC_NOW
>                             0: DRSUAPI_DRS_PREEMPTED
> 
> 
> 
> > -----Original Message-----
> > From: samba-technical [mailto:samba-technical-bounces at lists.samba.org]
> > On Behalf Of Matthieu Patou
> > Sent: Monday, February 15, 2016 9:57 AM
> > To: Stefan Metzmacher <metze at samba.org>; samba-
> > technical at lists.samba.org
> > Subject: Re: Error 8418: The replication operation failed because of a
> > schema mismatch between the servers involved
> >
> > On 02/13/2016 12:21 AM, Stefan Metzmacher wrote:
> > > Hi Matthieu,
> > >
> > >>> Main strange in decrypted response is:
> > >>> attid: UNKNOWN_ENUM_VALUE (0x200F4)
> > >> My script showattid for a 2010 exchange schema seems to indicate
> > >> that it's homeMDB attribute:
> > >>
> > >> scripts/showattid.py -s
> ~/workspace/samba/exchange2010/etc/smb.conf
> > >> 0x200F4 Unknown parameter encountered: "dns recursive queries"
> > >> Ignoring unknown parameter "dns recursive queries"
> > >> CN=MSMQ-NT4-
> >
> FLAGS,CN=SCHEMA,CN=CONFIGURATION,DC=EXCHANGE,DC=HOME,DC=M
> > >> ATWS,DC=NET
> > >>
> > >> 1.2.840.113556.1.2.244
> > >> Attid 0x200F4(131316) is attribute homeMDB
> > >>
> > >> Can you check the definition of this attribute in the schema NC for
> > >> Windows and Samba DC ?
> > > Does this have the msDS-IntID attribute set?
> > Yes:
> > dn:
> > CN=ms-Exch-Home-
> >
> MDB,CN=Schema,CN=Configuration,DC=exchange,DC=home,DC=matws,DC
> > =net
> > cn: ms-Exch-Home-MDB
> > attributeID: 1.2.840.113556.1.2.244
> > msDS-IntId: -2096876625
> >
> > >
> > > If so it could be related to Andrew's fixes here:
> > > http://git.catalyst.net.nz/gw?p=samba.git;a=commitdiff;h=8007f1df75c
> > > fb
> > > cc44815a368f661317d8dbc0f3e
> > > http://git.catalyst.net.nz/gw?p=samba.git;a=commitdiff;h=5ae622c076c
> > > 56
> > > f7adaf8eeed0cfdaf657cb91beb
> > > in
> > > http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/re
> > > pl
> > > MetaData-attid
> > >
> > > An older version is available here:
> > > https://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=ef3a
> > > 56
> > > 5a47d2dbc07208ca5239d83d367eb133b2
> > > https://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=9fc9
> > > a3
> > > 123101977435b90d6778c7033c5d907d99
> > > in
> > > https://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/h
> > > ea
> > > ds/replMetaData-attid
> > I think it's worth a try, obviously it should be tested on some non
> > critical environment to avoid any surprises !
> > > See
> > > https://lists.samba.org/archive/samba-technical/2016-January/thread.
> > > ht
> > > ml#111361
> > > for the discussion.
> > I'll have a closer look
> > >
> > > Checking the prefixMap attribute is good, but note that this is not
> > > a replicated attribute and the content may not have the same format
> > > on Windows vs. Samba.
> > Yes I agree, still despite a different representation we should ensure
> > that we have the same data.
> > > It would be interesting to see the struct drsuapi_DsGetNCChanges
> > > messages in the other direction too, where we replicate from Windows.
> > > We need to compare the drsuapi_DsReplicaOIDMapping_Ctr arrays.
> > Would be much easier if my PIDL patches were accepted at the moment
> > where I was active at doing them :-)
> > >
> > > metze
> > >
> >

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-DEBUG-enable-dcesrv-stubs-for-all-packets.patch
Type: application/octet-stream
Size: 3234 bytes
Desc: 0001-DEBUG-enable-dcesrv-stubs-for-all-packets.patch
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160329/acb110fa/0001-DEBUG-enable-dcesrv-stubs-for-all-packets-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-DEBUG-Add-global-dcerpc-packet-counter-for-saved-cal.patch
Type: application/octet-stream
Size: 2713 bytes
Desc: 0002-DEBUG-Add-global-dcerpc-packet-counter-for-saved-cal.patch
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160329/acb110fa/0002-DEBUG-Add-global-dcerpc-packet-counter-for-saved-cal-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: user6.dc01.exch.attrs.diff
Type: application/octet-stream
Size: 2893 bytes
Desc: user6.dc01.exch.attrs.diff
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160329/acb110fa/user6.dc01.exch.attrs-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DsGetNCChanges-from_SambaDC_and_WinDC-response.diff
Type: application/octet-stream
Size: 6009 bytes
Desc: DsGetNCChanges-from_SambaDC_and_WinDC-response.diff
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160329/acb110fa/DsGetNCChanges-from_SambaDC_and_WinDC-response-0001.obj>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: DsGetNCChanges-from_SambaDC-response-call_id_44.txt
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160329/acb110fa/DsGetNCChanges-from_SambaDC-response-call_id_44-0001.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: DsGetNCChanges-from_WinDC-response-call_id_27.txt
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160329/acb110fa/DsGetNCChanges-from_WinDC-response-call_id_27-0001.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: full_DsGetNCChanges-from_SambaDC-response-call_id_44.txt
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160329/acb110fa/full_DsGetNCChanges-from_SambaDC-response-call_id_44-0001.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: full_DsGetNCChanges-from_WinDC-response-call_id_27.txt
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160329/acb110fa/full_DsGetNCChanges-from_WinDC-response-call_id_27-0001.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-rpc_server-drsuapi-Set-msDS_IntId-as-attid-for-linke.patch
Type: application/octet-stream
Size: 1147 bytes
Desc: 0001-rpc_server-drsuapi-Set-msDS_IntId-as-attid-for-linke.patch
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160329/acb110fa/0001-rpc_server-drsuapi-Set-msDS_IntId-as-attid-for-linke-0001.obj>
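
The attid selection made by the patch above, as a stand-alone added example (not Samba code and not part of the original post). `struct schema_attr`, the helper names, the prefix-table indices and the `member` row are hypothetical or constructed; the homeMDB values 0x200F4 and -2096876625 are the ones quoted in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-in for a schema attribute entry. */
struct schema_attr {
    const char *name;
    uint32_t attributeID_id; /* prefix-table index << 16 | last OID arc */
    uint32_t msDS_IntId;     /* 0 when the attribute has no msDS-IntId */
};

/* LDAP prints msDS-IntId as a signed integer; the attid field is a uint32. */
uint32_t intid_from_ldap(int32_t ldap_value) { return (uint32_t)ldap_value; }

/* Prefix-based attid; index and arc are assumed (arc below 16384). */
uint32_t prefix_attid(uint16_t prefix_index, uint16_t last_arc)
{
    return ((uint32_t)prefix_index << 16) | last_arc;
}

/* attid written before the patch: always the prefix-based value. */
uint32_t attid_before(const struct schema_attr *sa) { return sa->attributeID_id; }

/* attid written after the patch: msDS_IntId whenever it is set. */
uint32_t attid_after(const struct schema_attr *sa)
{
    return sa->msDS_IntId == 0 ? sa->attributeID_id : sa->msDS_IntId;
}

/* Constructed sample schema: one attribute without and one with msDS-IntId. */
static const struct schema_attr SAMPLE[] = {
    { "member",  0x0000001Fu, 0 },           /* constructed row */
    { "homeMDB", 0x000200F4u, 0x830433AFu }, /* -2096876625 as uint32 */
};

/* Number of sample attributes whose wire attid changes with the patch. */
size_t sample_changed(void)
{
    size_t changed = 0;
    for (size_t i = 0; i < sizeof(SAMPLE) / sizeof(SAMPLE[0]); i++)
        if (attid_before(&SAMPLE[i]) != attid_after(&SAMPLE[i]))
            changed++;
    return changed;
}

int main(void)
{
    for (size_t i = 0; i < sizeof(SAMPLE) / sizeof(SAMPLE[0]); i++)
        printf("%-8s before=0x%08X after=0x%08X\n", SAMPLE[i].name,
               (unsigned)attid_before(&SAMPLE[i]), (unsigned)attid_after(&SAMPLE[i]));
    printf("attributes changed by the patch: %zu\n", sample_changed());
    return 0;
}
```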

