[Samba] DRS replication fails with Windows 2003 R2

Dmitry Khromov techgroup at kifato-mk.com
Tue Sep 25 10:54:20 MDT 2012


Hello.
We're trying to integrate Samba 4 as a DC in production. We aim to replace our only Windows 2003 Enterprise R2 Russian DC with 2 Samba DCs. However, we've got a replication problem, and we aren't sure whether it is a bug or a misconfiguration.

Both Windows and Samba DCs are virtual amd64 machines, running under the control of Xen (so, at least the time is the same). Windows VM has GPLPV drivers. Both Xen's Domain 0 and Samba DC VM are Gentoo-based. Domain DNS name is klin.kifato-mk.com. 2k3 DC is dc1.klin.kifato-mk.com. Samba VM is dc0.klin.kifato-mk.com.

dc0 samba # hostname -f
dc0.klin.kifato-mk.com
dc0 samba # uname -a
Linux dc0 3.5.1-genericvm-r1 #1 SMP Mon Aug 13 10:24:07 MSK 2012 x86_64 Intel(R) Xeon(R) CPU E5540 @ 2.53GHz GenuineIntel GNU/Linux
dc0 samba # sbin/samba --version
Version 4.0.0rc1

We join the Samba like this:
dc0 samba # bin/samba-tool domain join klin.kifato-mk.com DC -UMK_KLIN\\ice_eng --realm=klin.kifato-mk.com --dns-backend=SAMBA_INTERNAL --option=bind\ interfaces\ only=yes --option=interfaces=192.168.1.31,\ 127.0.0.1
Finding a writeable DC for domain 'klin.kifato-mk.com'
Found DC dc1.klin.kifato-mk.com
Password for [MK_KLIN\ice_eng]:
workgroup is MK_KLIN
realm is klin.kifato-mk.com
checking sAMAccountName
Adding CN=DC0,OU=Domain Controllers,DC=klin,DC=kifato-mk,DC=com
Adding CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=klin,DC=kifato-mk,DC=com
Adding CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=klin,DC=kifato-mk,DC=com
Adding SPNs to CN=DC0,OU=Domain Controllers,DC=klin,DC=kifato-mk,DC=com
Setting account password for DC0$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=klin,DC=kifato-mk,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=klin,DC=kifato-mk,DC=com] objects[402] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=klin,DC=kifato-mk,DC=com] objects[804] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=klin,DC=kifato-mk,DC=com] objects[1206] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=klin,DC=kifato-mk,DC=com] objects[1596] linked_values[0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=klin,DC=kifato-mk,DC=com] objects[402] linked_values[0]
Partition[CN=Configuration,DC=klin,DC=kifato-mk,DC=com] objects[804] linked_values[0]
Partition[CN=Configuration,DC=klin,DC=kifato-mk,DC=com] objects[1206] linked_values[0]
Partition[CN=Configuration,DC=klin,DC=kifato-mk,DC=com] objects[1575] linked_values[17]
Partition[CN=Configuration,DC=klin,DC=kifato-mk,DC=com] objects[1673] linked_values[10]
Replicating critical objects from the base DN of the domain
Partition[DC=klin,DC=kifato-mk,DC=com] objects[102] linked_values[3]
Partition[DC=klin,DC=kifato-mk,DC=com] objects[434] linked_values[100]
Partition[DC=klin,DC=kifato-mk,DC=com] objects[688] linked_values[23]
Partition[DC=klin,DC=kifato-mk,DC=com] objects[923] linked_values[15]
Partition[DC=klin,DC=kifato-mk,DC=com] objects[1161] linked_values[9]
Partition[DC=klin,DC=kifato-mk,DC=com] objects[1399] linked_values[159]
Partition[DC=klin,DC=kifato-mk,DC=com] objects[1570] linked_values[10]
Partition[DC=klin,DC=kifato-mk,DC=com] objects[1720] linked_values[5]
Partition[DC=klin,DC=kifato-mk,DC=com] objects[1750] linked_values[6]
Partition[DC=DomainDnsZones,DC=klin,DC=kifato-mk,DC=com] objects[231] linked_values[0]
Partition[DC=ForestDnsZones,DC=klin,DC=kifato-mk,DC=com] objects[8] linked_values[0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain MK_KLIN (SID S-1-5-21-98486140-92642785-846719952) as a DC

Some of the VM's interfaces are unroutable from Windows DC and domain workstations, so we use "bind interfaces only" and "interfaces" (we have tried without them and with --dns-backend=NONE, too).

Next, we start Samba:
dc0 samba # sbin/samba -d 10 -i -M single 2> /tmp/smb_error.log | tee /tmp/smb_debug.lo

Samba registers in Windows DNS successfully.
After that, we try to run drs kcc for Windows DC:
dc0 samba # bin/samba-tool drs kcc dc1.klin.kifato-mk.com
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:dc1.klin.kifato-mk.com[1026,seal] NT_STATUS_UNSUCCESSFUL
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to dc1.klin.kifato-mk.com failed - drsException: DRS connection to dc1.klin.kifato-mk.com failed: (-1073741823, 'Undetermined error')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))

It fails. So, we've done repadmin /kcc on the Windows DC to make it aware of Samba.
dc0 samba # bin/samba-tool drs showrepl
Default-First-Site-Name\DC0
DSA Options: 0x00000001
DSA object GUID: b4a1f1f7-a83b-4bad-9ab2-08b7c6c13fab
DSA invocationId: 381783a5-e86d-47f0-b820-e2c3fbb50cac

==== INBOUND NEIGHBORS ====

DC=klin,DC=kifato-mk,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
                Last attempt @ Tue Sep 25 20:27:59 2012 MSK failed, result 121 (WERR_SEM_TIMEOUT)
                5 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=klin,DC=kifato-mk,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
                Last attempt @ Tue Sep 25 20:24:52 2012 MSK failed, result 31 (WERR_GENERAL_FAILURE)
                3 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=klin,DC=kifato-mk,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
                Last attempt @ Tue Sep 25 20:24:53 2012 MSK failed, result 31 (WERR_GENERAL_FAILURE)
                4 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=klin,DC=kifato-mk,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
                Last attempt @ Tue Sep 25 20:24:53 2012 MSK failed, result 31 (WERR_GENERAL_FAILURE)
                3 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=klin,DC=kifato-mk,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
                Last attempt @ Tue Sep 25 20:24:53 2012 MSK failed, result 31 (WERR_GENERAL_FAILURE)
                3 consecutive failure(s).
                Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=klin,DC=kifato-mk,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
                Last attempt @ Tue Sep 25 20:28:00 2012 MSK failed, result 31 (WERR_GENERAL_FAILURE)
                1 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=klin,DC=kifato-mk,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
                Last attempt @ Tue Sep 25 20:26:45 2012 MSK failed, result 31 (WERR_GENERAL_FAILURE)
                2 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=klin,DC=kifato-mk,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
                Last attempt @ Tue Sep 25 20:27:59 2012 MSK failed, result 121 (WERR_SEM_TIMEOUT)
                1 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 4740dbe8-cbb3-4717-9ceb-a6480f30e91b
        Enabled        : TRUE
        Server DNS name : dc1.klin.kifato-mk.com
        Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=klin,DC=kifato-mk,DC=com
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!

So, the replication fails.
The log has the same lines as the drs kcc output above:
dc0 samba # grep 'Failed to bind' /tmp/smb_debug.log | uniq
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:6c01aaa6-6374-409d-a7e9-4010964e2dca._msdcs.klin.kifato-mk.com[1026,seal,krb5] NT_STATUS_UNSUCCESSFUL
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:6c01aaa6-6374-409d-a7e9-4010964e2dca._msdcs.klin.kifato-mk.com[1026,seal,krb5] NT_STATUS_IO_TIMEOUT
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:6c01aaa6-6374-409d-a7e9-4010964e2dca._msdcs.klin.kifato-mk.com[1026,seal,krb5] NT_STATUS_UNSUCCESSFUL

Any suggestions?

smb_debug.log.xz is attached (sorry for xz, but it's somewhat long).
-- 
Best regards,
Dmitry Khromov
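The showrepl output above is the quickest place to see which naming contexts have never replicated: every link reports "Last success @ NTTIME(0)" plus a non-zero failure count, and the result codes split between 121 (WERR_SEM_TIMEOUT, an RPC-level timeout) and 31 (WERR_GENERAL_FAILURE). When you have several DCs, reading this by eye does not scale, so here is a small parser that turns `samba-tool drs showrepl` text into records and flags the links that have failed and never succeeded. This is an added example, not Samba project code and not something from the original post; the sample text is constructed and abbreviated from the output shown above, and the layout assumption (partition DN at column 0, partner DSA indented, details indented further, as in Samba 4.0) is mine.

```python
"""Parse `samba-tool drs showrepl` output and flag links that never replicated.
Added example (not Samba code). Assumes the Samba 4.0 showrepl layout:
partition DN at column 0, "<site>\\<DSA> via <transport>" indented, details below."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, abbreviated from the showrepl output in the post.
SAMPLE = r"""Default-First-Site-Name\DC0
DSA object GUID: b4a1f1f7-a83b-4bad-9ab2-08b7c6c13fab

==== INBOUND NEIGHBORS ====

DC=klin,DC=kifato-mk,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
                Last attempt @ Tue Sep 25 20:27:59 2012 MSK failed, result 121 (WERR_SEM_TIMEOUT)
                5 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=klin,DC=kifato-mk,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
                Last attempt @ Tue Sep 25 20:24:53 2012 MSK failed, result 31 (WERR_GENERAL_FAILURE)
                3 consecutive failure(s).
                Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=klin,DC=kifato-mk,DC=com
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
                Last attempt @ Tue Sep 25 20:27:59 2012 MSK failed, result 121 (WERR_SEM_TIMEOUT)
                1 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====
"""

@dataclass
class Link:
    direction: str          # "inbound" or "outbound"
    partition: str          # naming context DN
    source: str             # site\DSA name of the replication partner
    dsa_guid: str = ""
    result: int = 0         # Win32 error code of the last attempt, 0 = success
    error: str = ""         # symbolic name, e.g. WERR_SEM_TIMEOUT
    failures: int = 0       # consecutive failure count
    last_success: str = ""  # "NTTIME(0)" means it has never succeeded

# "was successful" is the success form of this line (assumed, not in the post).
ATTEMPT_RE = re.compile(r"Last attempt @ (.+?) (?:failed, result (\d+) \((\w+)\)|was successful)")
FAILURES_RE = re.compile(r"(\d+) consecutive failure")

def parse_showrepl(text):
    """Return Link records for the INBOUND and OUTBOUND sections only."""
    links, direction, partition, link = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("==== INBOUND"):
            direction = "inbound"
        elif line.startswith("==== OUTBOUND"):
            direction = "outbound"
        elif line.startswith("===="):
            direction = None            # KCC connection objects: not per-NC links
        elif direction is None or not line:
            continue
        elif not raw[0].isspace():      # column 0: a partition DN
            partition = line
        elif " via " in line:           # partner DSA line starts a new link
            link = Link(direction, partition, line.split(" via ")[0])
            links.append(link)
        elif line.startswith("DSA object GUID:"):
            link.dsa_guid = line.split(":", 1)[1].strip()
        elif line.startswith("Last attempt @"):
            m = ATTEMPT_RE.search(line)
            if m and m.group(2):
                link.result, link.error = int(m.group(2)), m.group(3)
        elif "consecutive failure" in line:
            link.failures = int(FAILURES_RE.search(line).group(1))
        elif line.startswith("Last success @"):
            link.last_success = line.split("@", 1)[1].strip()
    return links

def never_replicated(links):
    """Links that are failing and have no successful replication on record."""
    return [l for l in links if l.failures > 0 and l.last_success == "NTTIME(0)"]

def error_summary(links):
    """How many links last failed with each symbolic error."""
    return Counter(l.error for l in links if l.result)

if __name__ == "__main__":
    links = parse_showrepl(SAMPLE)
    for l in never_replicated(links):
        print(f"{l.direction:8} {l.partition}: {l.failures} failure(s), {l.error} ({l.result})")
    print(dict(error_summary(links)))
```

Feed it the real output with `samba-tool drs showrepl | python3 this_script.py` after replacing `SAMPLE` with `sys.stdin.read()`. A link whose `last_success` is anything other than `NTTIME(0)` has replicated at least once, so a mix of timeouts and general failures there points at an intermittent transport problem rather than the initial RPC bind failing outright as it does in this post.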

