[Samba] joined DC but replication fails

steve steve at steve-ss.com
Thu Jun 19 03:32:53 MDT 2014


On Wed, 2014-06-18 at 17:47 +0200, Günter Kukkukk wrote:
> On 18.06.2014 10:09, steve wrote:
> > On Wed, 2014-06-18 at 02:36 +0200, Günter Kukkukk wrote:
> >> On 17.06.2014 19:35, steve wrote:
> >>> On Tue, 2014-06-17 at 19:01 +0200, steve wrote:
> >>>> ubuntu 14.04 DCs
> >>>>
> >>>> DC1 with fsmo
> >>>> resolve_lmhosts: Attempting lmhosts lookup for name
> >>>> 51755e44-0a78-4ab8-8206-b4ae8a09c172._msdcs.altea.site<0x20>
> >>>> dns child failed to find name
> >>>> '51755e44-0a78-4ab8-8206-b4ae8a09c172._msdcs.altea.site' of type A
> >>>>
> >>>> DC2
> >>>> /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
> >>>> resolve_lmhosts: Attempting lmhosts lookup for name
> >>>> 37cb1209-7eef-4671-b38b-2a71c231a40b._msdcs.altea.site<0x20>
> >>>>
> >>>> What's missing?
> >>>> Thanks,
> >>>> Steve
> >>>>
> >>>>
> >>>
> >>> Left it for a bit and now that's working. However, still no replication.
> >>> I add a user on DC2 and nothing appears on DC1
> >>>
> >>> DC1
> >>> ./samba-tool drs showrepl
> >>> Default-First-Site-Name\PALMERA
> >>> DSA Options: 0x00000001
> >>> DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
> >>> DSA invocationId: 93fa0553-a972-4107-ab83-4b60790660f9
> >>>
> >>> ==== INBOUND NEIGHBORS ====
> >>>
> >>> ==== OUTBOUND NEIGHBORS ====
> >>>
> >>> DC=ForestDnsZones,DC=altea,DC=site
> >>> 	Default-First-Site-Name\GERANIO via RPC
> >>> 		DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
> >>> 		Last attempt @ NTTIME(0) was successful
> >>> 		0 consecutive failure(s).
> >>> 		Last success @ NTTIME(0)
> >>>
> >>> DC=DomainDnsZones,DC=altea,DC=site
> >>> 	Default-First-Site-Name\GERANIO via RPC
> >>> 		DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
> >>> 		Last attempt @ NTTIME(0) was successful
> >>> 		0 consecutive failure(s).
> >>> 		Last success @ NTTIME(0)
> >>>
> >>> DC=altea,DC=site
> >>> 	Default-First-Site-Name\GERANIO via RPC
> >>> 		DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
> >>> 		Last attempt @ NTTIME(0) was successful
> >>> 		0 consecutive failure(s).
> >>> 		Last success @ NTTIME(0)
> >>>
> >>> CN=Schema,CN=Configuration,DC=altea,DC=site
> >>> 	Default-First-Site-Name\GERANIO via RPC
> >>> 		DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
> >>> 		Last attempt @ NTTIME(0) was successful
> >>> 		0 consecutive failure(s).
> >>> 		Last success @ NTTIME(0)
> >>>
> >>> CN=Configuration,DC=altea,DC=site
> >>> 	Default-First-Site-Name\GERANIO via RPC
> >>> 		DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
> >>> 		Last attempt @ NTTIME(0) was successful
> >>> 		0 consecutive failure(s).
> >>> 		Last success @ NTTIME(0)
> >>>
> >>> ==== KCC CONNECTION OBJECTS ====
> >>>
> >>>
> >>> DC2
> >>>  sudo samba-tool drs showrepl
> >>> Default-First-Site-Name\GERANIO
> >>> DSA Options: 0x00000001
> >>> DSA object GUID: 51755e44-0a78-4ab8-8206-b4ae8a09c172
> >>> DSA invocationId: 0b9244b1-2821-4f78-8643-0ad08d4ddced
> >>>
> >>> ==== INBOUND NEIGHBORS ====
> >>>
> >>> DC=altea,DC=site
> >>> 	Default-First-Site-Name\PALMERA via RPC
> >>> 		DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
> >>> 		Last attempt @ Tue Jun 17 19:19:24 2014 CEST was successful
> >>> 		0 consecutive failure(s).
> >>> 		Last success @ Tue Jun 17 19:19:24 2014 CEST
> >>>
> >>> CN=Schema,CN=Configuration,DC=altea,DC=site
> >>> 	Default-First-Site-Name\PALMERA via RPC
> >>> 		DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
> >>> 		Last attempt @ Tue Jun 17 19:19:26 2014 CEST was successful
> >>> 		0 consecutive failure(s).
> >>> 		Last success @ Tue Jun 17 19:19:26 2014 CEST
> >>>
> >>> CN=Configuration,DC=altea,DC=site
> >>> 	Default-First-Site-Name\PALMERA via RPC
> >>> 		DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
> >>> 		Last attempt @ Tue Jun 17 19:19:27 2014 CEST was successful
> >>> 		0 consecutive failure(s).
> >>> 		Last success @ Tue Jun 17 19:19:27 2014 CEST
> >>>
> >>> DC=ForestDnsZones,DC=altea,DC=site
> >>> 	Default-First-Site-Name\PALMERA via RPC
> >>> 		DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
> >>> 		Last attempt @ Tue Jun 17 19:19:23 2014 CEST was successful
> >>> 		0 consecutive failure(s).
> >>> 		Last success @ Tue Jun 17 19:19:23 2014 CEST
> >>>
> >>> DC=DomainDnsZones,DC=altea,DC=site
> >>> 	Default-First-Site-Name\PALMERA via RPC
> >>> 		DSA object GUID: 37cb1209-7eef-4671-b38b-2a71c231a40b
> >>> 		Last attempt @ Tue Jun 17 19:19:23 2014 CEST was successful
> >>> 		0 consecutive failure(s).
> >>> 		Last success @ Tue Jun 17 19:19:23 2014 CEST
> >>>
> >>> ==== OUTBOUND NEIGHBORS ====
> >>>
> >>> ==== KCC CONNECTION OBJECTS ====
> >>>
> >>> Nothing created on the new dc is replicated.
> >>> Anything to check?
> >>> Thanks.
> >>> Steve
> >>>
> >>>
> >>
> >> which samba version(s) are you running on your DCs - and are you
> >> using a released version or did you build yourself (e.g. from git ...)?
> > 
> > We are investigating a move to Ubuntu when sysvol is working:
> >  samba --version
> > Version 4.2.0pre1-GIT-7f36828
> > on Ubuntu 14.04
> >>
> >> Btw - what do you get with:
> >>     samba-tool testparm -v --suppress-prompt | grep kccsrv:samba_kcc
> >> on your DCs?
> >>
> >> Cheers, Günter
> >>
> > 
> > On both DCs:
> > sudo samba-tool testparm -v --suppress-prompt | grep kccsrv:samba_kcc
> > 	kccsrv:samba_kcc = true
> 
> In the *release* versions the internal samba default is
>         kccsrv:samba_kcc = false
> *but* in current git master this setting defaults to *true*!
> 
> The external python KCC "samba_kcc" is atm *not* fully implemented and to
> my knowledge has never been really tested.
> KCC related info. e.g.: http://technet.microsoft.com/en-us/library/cc961781.aspx
> 
> So I strongly recommend to add the following to the [global] section of smb.conf:
>        kccsrv:samba_kcc = false
> to all your DCs which you built from git.
OK, we'll do that. What does kccsrv:samba_kcc do? Is this a security
issue?

> 
> The current python samba_kcc is buggy, so it should not be used until it is fixed.
> 
> Btw - you can also force an initial replication between DCs in both directions with
>     samba-tool drs replicate ......
> Once a first replication has been done successfully, it usually sticks.
> Take care to use the right syntax, but there should already be samples on the net.
> 

Hi Günter
We had to kick-start it like this:
samba-tool drs replicate palmera geranio dc=altea,dc=site
repeated for the remaining partitions:
Configuration
Schema
ForestDnsZones
DomainDnsZones
We did this on the DC we joined. Is this correct? Is this what you are
referring to? The replication now works both ways and has survived a
restart.
Cheers and thanks for your time,
Steve
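
An added example, not part of the original message or of Samba: a Python check that reads `samba-tool drs showrepl` output, finds naming contexts where an outbound partner is missing or never-succeeded (`NTTIME(0)`) as an inbound neighbour, and prints replicate commands in the form used in the message above. It assumes replication links should be two-way, as in this two-DC setup; the sample text is constructed from the DC1 output quoted in the thread.

```python
import re

# Constructed sample, abridged from the DC1 (PALMERA) output quoted in the thread.
SAMPLE = "\n".join([
    r"Default-First-Site-Name\PALMERA",
    "==== INBOUND NEIGHBORS ====",
    "==== OUTBOUND NEIGHBORS ====",
    "DC=DomainDnsZones,DC=altea,DC=site",
    "\t" + r"Default-First-Site-Name\GERANIO via RPC",
    "\t\t0 consecutive failure(s).",
    "\t\tLast success @ NTTIME(0)",
    "DC=altea,DC=site",
    "\t" + r"Default-First-Site-Name\GERANIO via RPC",
    "\t\t0 consecutive failure(s).",
    "\t\tLast success @ NTTIME(0)",
    "==== KCC CONNECTION OBJECTS ====",
])

def parse_showrepl(text):
    """Return (local DC name, {section title: [neighbour dicts]})."""
    local = section = nc = cur = None
    sections = {}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"==== (.+) ====", line):
            section, cur = m.group(1), None
            sections[section] = []
        elif section is None:
            if local is None and "\\" in line:
                local = line.rsplit("\\", 1)[1]      # header line: Site\DCNAME
        elif m := re.fullmatch(r".+\\(\S+) via RPC", line):
            cur = {"nc": nc, "peer": m.group(1), "failures": 0, "last_success": None}
            sections[section].append(cur)
        elif cur and (m := re.match(r"(\d+) consecutive failure", line)):
            cur["failures"] = int(m.group(1))
        elif cur and line.startswith("Last success @ "):
            cur["last_success"] = line.split("@ ", 1)[1]
        elif re.match(r"(DC|CN)=", line):
            nc = line                                # naming context heading
    return local, sections

def kickstart_commands(text):
    """Replicate commands for outbound partners that are not healthy inbound neighbours."""
    local, s = parse_showrepl(text)
    healthy = {(n["nc"], n["peer"]) for n in s.get("INBOUND NEIGHBORS", [])
               if not n["failures"] and n["last_success"] not in (None, "NTTIME(0)")}
    return [f"samba-tool drs replicate {local.lower()} {n['peer'].lower()} {n['nc']}"
            for n in s.get("OUTBOUND NEIGHBORS", []) if (n["nc"], n["peer"]) not in healthy]

if __name__ == "__main__":
    print("\n".join(kickstart_commands(SAMPLE)))
```

Feed it the real output with `kickstart_commands(subprocess.check_output(["samba-tool", "drs", "showrepl"], text=True))` on each DC; an empty list means every outbound partner is also a working inbound one.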



