[Samba] Problems with W2K8R2 <-> S4 replication

Dmitry Khromov da3m0n at mail.ru
Sun May 23 03:55:16 MDT 2010 

Hello!

I'm trying to get Samba4 working as an additional AD DC. bin/net vampire 
reports no errors, but when I start sbin/samba I got the following in my 
var/samba.log:

--------------------
[Sun May 23 03:58:08 2010 MSD, 0 
../smbd/server.c:373:binary_smbd_main()] samba version 
4.0.0alpha12-GIT-UNKNOWN started. Copyright Andrew Tridgell and the 
Samba Team 1992-2010 [Sun May 23 03:58:08 2010 MSD, 0 
../smbd/server.c:463:binary_smbd_main()] samba: using 'standard' process 
model [Sun May 23 03:58:08 2010 MSD, 0 
../kdc/hdb-samba4.c:194:hdb_samba4_create_kdc()] FIXME: Using new system 
session for hdb [Sun May 23 03:58:13 2010 MSD, 0 
../dsdb/repl/drepl_notify.c:207:dreplsrv_notify_op_callback()] 
dreplsrv_notify: Failed to send DsReplicaSync to 
63fe4b85-32e6-46d0-9b0f-462ff7372547._msdcs.klin.kifato-mk.com for 
DC=klin,DC=kifato-mk,DC=com - NT code 0xc0002105 : 
WERR_DS_DRA_ACCESS_DENIED [Sun May 23 03:58:13 2010 MSD, 0 
../dsdb/repl/drepl_notify.c:207:dreplsrv_notify_op_callback()] 
dreplsrv_notify: Failed to send DsReplicaSync to 
63fe4b85-32e6-46d0-9b0f-462ff7372547._msdcs.klin.kifato-mk.com for 
CN=Configuration,DC=klin,DC=kifato-mk,DC=com - NT code 0xc0002105 : 
WERR_DS_DRA_ACCESS_DENIED [Sun May 23 03:58:13 2010 MSD, 0 
../dsdb/repl/drepl_notify.c:207:dreplsrv_notify_op_callback()] 
dreplsrv_notify: Failed to send DsReplicaSync to 
63fe4b85-32e6-46d0-9b0f-462ff7372547._msdcs.klin.kifato-mk.com for 
CN=Schema,CN=Configuration,DC=klin,DC=kifato-mk,DC=com - NT code 
0xc0002105 : WERR_DS_DRA_ACCESS_DENIED [Sun May 23 03:58:18 2010 MSD, 0 
../dsdb/repl/drepl_notify.c:207:dreplsrv_notify_op_callback()] 
dreplsrv_notify: Failed to send DsReplicaSync to 
63fe4b85-32e6-46d0-9b0f-462ff7372547._msdcs.klin.kifato-mk.com for 
DC=klin,DC=kifato-mk,DC=com - NT code 0xc0002105 : 
WERR_DS_DRA_ACCESS_DENIED [Sun May 23 03:58:18 2010 MSD, 0 
../dsdb/repl/drepl_notify.c:207:dreplsrv_notify_op_callback()] 
dreplsrv_notify: Failed to send DsReplicaSync to 
63fe4b85-32e6-46d0-9b0f-462ff7372547._msdcs.klin.kifato-mk.com for 
CN=Configuration,DC=klin,DC=kifato-mk,DC=com - NT code 0xc0002105 : 
WERR_DS_DRA_ACCESS_DENIED [Sun May 23 03:58:18 2010 MSD, 0 
../dsdb/repl/drepl_notify.c:207:dreplsrv_notify_op_callback()] 
dreplsrv_notify: Failed to send DsReplicaSync to 
63fe4b85-32e6-46d0-9b0f-462ff7372547._msdcs.klin.kifato-mk.com for 
CN=Schema,CN=Configuration,DC=klin,DC=kifato-mk,DC=com - NT code 
0xc0002105 : WERR_DS_DRA_ACCESS_DENIED [Sun May 23 03:58:23 2010 MSD, 0 
../dsdb/repl/drepl_ridalloc.c:106:drepl_new_rid_pool_callback()] 
../dsdb/repl/drepl_ridalloc.c:106: RID Manager failed RID allocation - 
WERR_DS_DRA_BAD_DN [Sun May 23 03:58:23 2010 MSD, 0 
../dsdb/repl/drepl_notify.c:207:dreplsrv_notify_op_callback()] 
dreplsrv_notify: Failed to send DsReplicaSync to 
63fe4b85-32e6-46d0-9b0f-462ff7372547._msdcs.klin.kifato-mk.com for 
DC=klin,DC=kifato-mk,DC=com - NT code 0xc0002105 : 
WERR_DS_DRA_ACCESS_DENIED [Sun May 23 03:58:23 2010 MSD, 0 
../dsdb/repl/drepl_notify.c:207:dreplsrv_notify_op_callback()] 
dreplsrv_notify: Failed to send DsReplicaSync to 
63fe4b85-32e6-46d0-9b0f-462ff7372547._msdcs.klin.kifato-mk.com for 
CN=Configuration,DC=klin,DC=kifato-mk,DC=com - NT code 0xc0002105 : 
WERR_DS_DRA_ACCESS_DENIED [Sun May 23 03:58:23 2010 MSD, 0 
../dsdb/repl/drepl_notify.c:207:dreplsrv_notify_op_callback()] 
dreplsrv_notify: Failed to send DsReplicaSync to 
63fe4b85-32e6-46d0-9b0f-462ff7372547._msdcs.klin.kifato-mk.com for 
CN=Schema,CN=Configuration,DC=klin,DC=kifato-mk,DC=com - NT code 
0xc0002105 : WERR_DS_DRA_ACCESS_DENIED [Sun May 23 03:58:23 2010 MSD, 0 
../dsdb/kcc/kcc_topology.c:3479:kcctpl_test()] Testing 
kcctpl_create_intersite_connections [Sun May 23 03:58:28 2010 MSD, 0 
../dsdb/repl/drepl_notify.c:207:dreplsrv_notify_op_callback()] 
dreplsrv_notify: Failed to send DsReplicaSync to 
63fe4b85-32e6-46d0-9b0f-462ff7372547._msdcs.klin.kifato-mk.com for 
DC=klin,DC=kifato-mk,DC=com - NT code 0xc0002105 : 
WERR_DS_DRA_ACCESS_DENIED [Sun May 23 03:58:28 2010 MSD, 0 
../dsdb/repl/drepl_notify.c:207:dreplsrv_notify_op_callback()] 
dreplsrv_notify: Failed to send DsReplicaSync to 
63fe4b85-32e6-46d0-9b0f-462ff7372547._msdcs.klin.kifato-mk.com for 
CN=Configuration,DC=klin,DC=kifato-mk,DC=com - NT code 0xc0002105 : 
WERR_DS_DRA_ACCESS_DENIED [Sun May 23 03:58:28 2010 MSD, 0 
../dsdb/repl/drepl_notify.c:207:dreplsrv_notify_op_callback()] 
dreplsrv_notify: Failed to send DsReplicaSync to 
63fe4b85-32e6-46d0-9b0f-462ff7372547._msdcs.klin.kifato-mk.com for 
CN=Schema,CN=Configuration,DC=klin,DC=kifato-mk,DC=com - NT code 
0xc0002105 : WERR_DS_DRA_ACCESS_DENIED [Sun May 23 03:58:33 2010 MSD, 0 
../dsdb/repl/drepl_notify.c:207:dreplsrv_notify_op_callback()] 
dreplsrv_notify: Failed to send DsReplicaSync to 
63fe4b85-32e6-46d0-9b0f-462ff7372547._msdcs.klin.kifato-mk.com for 
DC=klin,DC=kifato-mk,DC=com - NT code 0xc0002105 : 
WERR_DS_DRA_ACCESS_DENIED [Sun May 23 03:58:33 2010 MSD, 0 
../dsdb/repl/drepl_notify.c:207:dreplsrv_notify_op_callback()] 
dreplsrv_notify: Failed to send DsReplicaSync to 
63fe4b85-32e6-46d0-9b0f-462ff7372547._msdcs.klin.kifato-mk.com for 
CN=Configuration,DC=klin,DC=kifato-mk,DC=com - NT code 0xc0002105 : 
WERR_DS_DRA_ACCESS_DENIED
--------------------

and so on.
Such messages floods for (approximately) an hour, however if I try to 
transfer some operation master roles to Samba, they appear again and 
ntdsutil.exe transfer reports errors.

Issuing bin/net drs showrepl dc0.klin.kifato-mk.com gives me the following:
--------------------
dc1 samba # bin/net drs showrepl dc0.klin.kifato-mk.com
Error while fetching CN=NTDS 
Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=klin,DC=kifato-mk,DC=com, 
Possible error: LDAP error 1 LDAP_OPERATIONS_ERROR - <000004DC: LdapErr: 
DSID-0C0906DC, comment: In order to perform this operation a successful 
bind must be completed on the connection., data 0, v1db0> <>
return code = -1
--------------------

repadmin.exe /showrepl on the Windows side reports success.

Some comments regarding the environment:
1) Currently the AD consists of 1 DC - dc0.klin.kifato-mk.com, Windows 
Server 2008 R2 Enterpise
2) dc1.klin.kifato-mk.com (the Samba machine) is paravirtualized Gentoo 
Linux running in Xen.
3) This LDAP directory had been created with Windows Server 2003 R2 
Russian, so it's populated with Russian (probably CP-1251 encoded) 
sAMAccountNames, etc. (e.g. I don't have the "Domain administrators" 
group - but its Russian equivalent).

I'm interested in Samba4 AD DC functionality, so I'd like to try it out. 
Hope you'll help me.

Best regards,
Dmitry Khromov.

More information about the samba mailing list