[Samba] Samba4/AD Replication Issue

Nick Couchman Nick.Couchman at seakr.com
Thu Jan 9 11:41:51 MST 2014


I have a couple of Samba4 AD DCs replicating with Windows Server 2008 DCs.  This has been sort of finicky, but I've managed to get it to work (mostly) for several weeks.  However, I'm now having an issue where one of my Samba4 DCs will not replicate from any of the other DCs (Windows or Samba) in the domain (Error is WERR_BAD_NET_RESP).  Replication output is below.  If anyone has ideas of what to try, next, to get this going, again, I'd be happy to give it a shot.  Alternatively, if anyone knows of a way to easily remove the data from the Samba DC and re-replicate it (without having to actually de-join and re-join the DC and deal GUID changes and such), I'd like to give that a shot, too.  FWIW, running "repadmin /sync /force /full" on one of the Windows DCs didn't help.

Thanks,
Nick

adsvc1:~ # samba-tool drs replicate adsvc1 sei-ad1 dc=ad,dc=seakr,dc=com -d 9
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:adsvc1[,seal,print]
Mapped to DCERPC endpoint 135
added interface eth0 ip=192.168.100.20 bcast=192.168.100.255 netmask=255.255.255.0
added interface eth0 ip=192.168.100.20 bcast=192.168.100.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 1024
added interface eth0 ip=192.168.100.20 bcast=192.168.100.255 netmask=255.255.255.0
added interface eth0 ip=192.168.100.20 bcast=192.168.100.255 netmask=255.255.255.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 203
Received smb_krb5 packet of length 1304
Received smb_krb5 packet of length 1271
Received smb_krb5 packet of length 1210
../librpc/rpc/dcerpc_util.c:140: auth_pad_length 0
gensec_gssapi: credentials were delegated
GSSAPI Connection will be cryptographically sealed
../librpc/rpc/dcerpc_util.c:140: auth_pad_length 0
     drsuapi_DsBind: struct drsuapi_DsBind
        in: struct drsuapi_DsBind
            bind_guid                : *
                bind_guid                : e24d201a-4fd6-11d1-a3da-0000f875ae0d
            bind_info                : *
                bind_info: struct drsuapi_DsBindInfoCtr
                    length                   : 0x0000001c (28)
                    info                     : union drsuapi_DsBindInfo(case 28)
                    info28: struct drsuapi_DsBindInfo28
                        supported_extensions     : 0x0fefff7f (267386751)
                               1: DRSUAPI_SUPPORTED_EXTENSION_BASE
                               1: DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
                               1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
                               1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
                               1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
                               1: DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
                               0: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY
                               1: DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
                               1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
                               1: DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
                               1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
                               1: DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
                               1: DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
                               1: DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
                               1: DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
                               1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
                               1: DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
                               1: DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
                               1: DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
                               0: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5
                               1: DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
                               1: DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
                               1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
                               1: DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
                               0: DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
                               0: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10
                               0: DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2
                               0: DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3
                        site_guid                : 00000000-0000-0000-0000-000000000000
                        pid                      : 0x00000000 (0)
                        repl_epoch               : 0x00000000 (0)
../librpc/rpc/dcerpc_util.c:140: auth_pad_length 0
     drsuapi_DsBind: struct drsuapi_DsBind
        out: struct drsuapi_DsBind
            bind_info                : *
                bind_info: struct drsuapi_DsBindInfoCtr
                    length                   : 0x0000001c (28)
                    info                     : union drsuapi_DsBindInfo(case 28)
                    info28: struct drsuapi_DsBindInfo28
                        supported_extensions     : 0x2fffff6f (805306223)
                               1: DRSUAPI_SUPPORTED_EXTENSION_BASE
                               1: DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
                               1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
                               1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
                               0: DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
                               1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
                               1: DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
                               0: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY
                               1: DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
                               1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
                               1: DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
                               1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
                               1: DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
                               1: DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
                               1: DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
                               1: DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
                               1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
                               1: DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
                               1: DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
                               1: DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5
                               1: DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
                               1: DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
                               1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
                               1: DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
                               0: DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10
                               0: DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2
                               0: DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3
                        site_guid                : 2f5e780c-6112-4fa5-a919-2c7ec9ff7eed
                        pid                      : 0x00000000 (0)
                        repl_epoch               : 0x00000000 (0)
            bind_handle              : *
                bind_handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : 306a510a-8997-44fc-8228-cbd0ad686b2e
            result                   : WERR_OK
lpcfg_servicenumber: couldn't find ldb
added interface eth0 ip=192.168.100.20 bcast=192.168.100.255 netmask=255.255.255.0
added interface eth0 ip=192.168.100.20 bcast=192.168.100.255 netmask=255.255.255.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for ADSVC1$@AD.SEAKR.COM will expire in 36000 secs
Received smb_krb5 packet of length 1214
Received smb_krb5 packet of length 1287
gensec_gssapi: credentials were delegated
GSSAPI Connection will have no cryptographic protection
     drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
        in: struct drsuapi_DsReplicaSync
            bind_handle              : *
                bind_handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : 306a510a-8997-44fc-8228-cbd0ad686b2e
            level                    : 0x00000001 (1)
            req                      : *
                req                      : union drsuapi_DsReplicaSyncRequest(case 1)
                req1: struct drsuapi_DsReplicaSyncRequest1
                    naming_context           : *
                        naming_context: struct drsuapi_DsReplicaObjectIdentifier
                            __ndr_size               : 0x00000064 (100)
                            __ndr_size_sid           : 0x00000000 (0)
                            guid                     : 00000000-0000-0000-0000-000000000000
                            sid                      : S-0-0
                            __ndr_size_dn            : 0x00000015 (21)
                            dn                       : 'dc=ad,dc=seakr,dc=com'
                    source_dsa_guid          : c618fe1b-af23-4dbb-a0e8-5331e6cafff7
                    source_dsa_dns           : NULL
                    options                  : 0x00000010 (16)
                           0: DRSUAPI_DRS_ASYNC_OP     
                           0: DRSUAPI_DRS_GETCHG_CHECK 
                           0: DRSUAPI_DRS_UPDATE_NOTIFICATION
                           0: DRSUAPI_DRS_ADD_REF      
                           0: DRSUAPI_DRS_SYNC_ALL     
                           0: DRSUAPI_DRS_DEL_REF      
                           1: DRSUAPI_DRS_WRIT_REP     
                           0: DRSUAPI_DRS_INIT_SYNC    
                           0: DRSUAPI_DRS_PER_SYNC     
                           0: DRSUAPI_DRS_MAIL_REP     
                           0: DRSUAPI_DRS_ASYNC_REP    
                           0: DRSUAPI_DRS_IGNORE_ERROR 
                           0: DRSUAPI_DRS_TWOWAY_SYNC  
                           0: DRSUAPI_DRS_CRITICAL_ONLY
                           0: DRSUAPI_DRS_GET_ANC      
                           0: DRSUAPI_DRS_GET_NC_SIZE  
                           0: DRSUAPI_DRS_LOCAL_ONLY   
                           0: DRSUAPI_DRS_NONGC_RO_REP 
                           0: DRSUAPI_DRS_SYNC_BYNAME  
                           0: DRSUAPI_DRS_REF_OK       
                           0: DRSUAPI_DRS_FULL_SYNC_NOW
                           0: DRSUAPI_DRS_NO_SOURCE    
                           0: DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS
                           0: DRSUAPI_DRS_FULL_SYNC_PACKET
                           0: DRSUAPI_DRS_SYNC_REQUEUE 
                           0: DRSUAPI_DRS_SYNC_URGENT  
                           0: DRSUAPI_DRS_REF_GCSPN    
                           0: DRSUAPI_DRS_NO_DISCARD   
                           0: DRSUAPI_DRS_NEVER_SYNCED 
                           0: DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING
                           0: DRSUAPI_DRS_INIT_SYNC_NOW
                           0: DRSUAPI_DRS_PREEMPTED    
                           0: DRSUAPI_DRS_SYNC_FORCED  
                           0: DRSUAPI_DRS_DISABLE_AUTO_SYNC
                           0: DRSUAPI_DRS_DISABLE_PERIODIC_SYNC
                           0: DRSUAPI_DRS_USE_COMPRESSION
                           0: DRSUAPI_DRS_NEVER_NOTIFY 
                           0: DRSUAPI_DRS_SYNC_PAS     
                           0: DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP
../librpc/rpc/dcerpc_util.c:140: auth_pad_length 12
     drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
        out: struct drsuapi_DsReplicaSync
            result                   : WERR_BAD_NET_RESP
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 345, in run
    drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)



--------
This e-mail may contain SEAKR Engineering (SEAKR) Confidential and Proprietary Information.  If this message is not intended for you, you are strictly prohibited from using this message, its contents or attachments in any way.  If you have received this message in error, please delete the message from your mailbox.  This e-mail may contain export-controlled material and should be handled accordingly.


More information about the samba mailing list