Failed to prepare commit of transaction: DRS linked attribute for GUID

Tim Beale timbeale at catalyst.net.nz
Tue Feb 6 21:48:13 UTC 2018 

Hi Andrej,

OK, that's unfortunate that Samba 4.8 doesn't help.

>From memory, I think the patches I added take effect slightly earlier,
before the prepare_commit, i.e. the intention is to detect the problem
in the following call-chain:

dsdb_replicated_objects_commit --> replmd_extended -->
replmd_extended_replicated_objects --> replmd_replicated_apply_next -->
replmd_store_linked_attributes --> replmd_verify_linked_attribute -->
replmd_extract_la_entry_details. (This should return
WERR_DS_DRA_MISSING_PARENT and retry with GET_ANC)

So when the DC first receives the replication chunk, it should call
replmd_extract_la_entry_details() and look-up the source GUID before
continuing with the rest of the replication. So it's strange that it's
failing to find the source GUID later on in the prepare_commit. I'm not
really sure how this would happen. Is there any more debug you could
provide?

Cheers,
Tim


On 07/02/18 03:07, Andrej Gessel via samba-technical wrote:
> Hello Tim,
>
> I looked a bit deeper into this and you patch do not help here.
> We have following call tree:
>
> ldb_transaction_prepare -> replmd_prepare_commit ->
> replmd_process_linked_attribute -> replmd_extract_la_entry_details
>
> last function returns LDB_ERR_NO_SUCH_OBJECT, this error will be
> returned to caller (ldb_transaction_prepare), so the status
> WERR_DS_DRA_MISSING_PARENT will not be set and request will not be
> repeated with GET_ANC.
>
> The problem still exists in Samba 4.8.0rc2.
>
> samba-tool drs replicate with --local and with --full-sync ends up
> with the same error.
>
>
> Andrej
>
>
> Am 05.09.2017 um 00:11 schrieb Tim Beale via samba-technical:
>> Hi,
>>
>> We've seen this problem before when inter-operating with Microsoft. See:
>> https://lists.samba.org/archive/samba/2017-June/209020.html
>>
>> The patch that should fix this has been delivered to master. However,
>> unless we backport the related patches, it won't be in a Samba release
>> until 4.8.
>> https://git.samba.org/?p=samba.git;a=commit;h=f87332eb35638cc38f83c580d4623ab978088601
>>
>>
>> In the meantime you could try running 'samba-tool drs replicate
>> --local'. This should set the GET_ANC flag in the request, which should
>> hopefully avoid this problem.
>>
>> However, note that when inter-operating between Windows and Samba you
>> could still potentially get cases where replication succeeds, but linked
>> attributes are dropped (because Samba doesn't know how about the target
>> object yet). This should be fixed now in the latest master branch.
>>
>> Cheers,
>> Tim
>>
>> On 04/09/17 23:45, denis.shigapov via samba-technical wrote:
>>> There is a domain controller on windows 2008R2, DC samba Version 4.6.5
>>> is connected to it. After renaming the user to make mistakes:
>>>
>>> [2017/09/04 10:04:54.528818,  2]
>>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6271(replmd_process_
>>> linked_attribute)
>>>    ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6271: WARNING:
>>> Failed to re-resolve GUID f5d7a9b2-981c-49c9-a262-f3ca4c90272a - using
>>> CN=Пользовтаель Пользоватеть,OU=Users Shop M,DC=euro,DC=ru
>>> [2017/09/04 10:04:54.547960,  2]
>>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6271(replmd_process_
>>> linked_attribute)
>>>    ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6271: WARNING:
>>> Failed to re-resolve GUID bf04e179-4c7c-4cf9-b7a3-d37b287b1f3e - using
>>> CN=Пользоватеть2 Пользователь2,OU=продажи,OU=магазин,OU=Users
>>> Office,DC=euro,DC=ru
>>> [2017/09/04 10:04:54.615598,  2]
>>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6271(replmd_process_
>>> linked_attribute)
>>>    ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6271: WARNING:
>>> Failed to re-resolve GUID bf04e179-4c7c-4cf9-b7a3-d37b287b1f3e - using
>>> CN=Пользоватеть2 Пользователь2,OU=продажи,OU=магазин,OU=Users
>>> Office,DC=euro,DC=ru
>>> [2017/09/04 10:04:54.622398,  0]
>>> ../source4/dsdb/repl/replicated_objects.c:933(dsdb_replicated_objects_c
>>> ommit)
>>>    ../source4/dsdb/repl/replicated_objects.c:933 Failed to prepare
>>> commit of transaction: DRS linked attribute for GUID bf04e179-4c7c-
>>> 4cf9-b7a3-d37b287b1f3e - DN not found
>>> [2017/09/04 10:04:54.629436,  0]
>>> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_ap
>>> ply_changes_trigger)
>>>    Failed to commit objects:
>>> WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
>>>
>>>
>>>
>>> I tried to start synchronization and got:
>>>
>>> samba-tool drs replicate srv-m-dc.euro.ru srv-o.euro.ru OU=Users\ Shop\
>>> M,DC=euro,DC=ru
>>> ERROR(<class 'samba.drs_utils.drsException'>):
>>> DsReplicaSync failed - drsException: DsReplicaSync failed (8440,
>>> 'WERR_DS_DRA_BAD_NC')
>>>    File "/usr/lib64/python2.7/site-
>>> packages/samba/netcmd/drs.py", line 368, in run
>>>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
>>> source_dsa_guid, NC, req_options)
>>>    File "/usr/lib64/python2.7/site-
>>> packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
>>>      raise
>>> drsException("DsReplicaSync failed %s" % estr)
>>>
>
>

More information about the samba-technical mailing list