[Samba] U/L case mismatch in SPN causing replication errors (WERR_DS_DRA_SCHEMA_MISMATCH)

Luc Lalonde luc.lalonde at polymtl.ca
Mon May 12 08:51:33 MDT 2014 

Hello Folks,

I finally found what was causing replication errors using this command:

samba-tool ldapcmp ldap://stilton ldap://roquefort domain

A computer account had part of an SPN in lowercase on one DC (Samba 4.1.7) and the other in uppercase (Windows2008R2-SP1):

TERMSRV/emmental.gigl.polymtl.ca

TERMSRV/EMMENTAL.gigl.polymtl.ca

The offending SPN entry was deleted with this command:

samba-tool spn delete TERMSRV/emmental.gigl.polymtl.ca emmental$

Now replication proceeds without any problems...

My question is:  How the heck did this happen in the first place?  Is this a bug?

Thank You!

----- Original Message -----
From: "Luc Lalonde" <Luc.Lalonde at polymtl.ca>
To: samba at lists.samba.org
Sent: Thursday, January 16, 2014 11:03:40 AM
Subject: Replication errors (WERR_DS_DRA_SCHEMA_MISMATCH)

Hello,

I'm getting replication errors of this type on the Samba (version 4.1.4) 
server (name=Roquefort):

##### #############################
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - 
drsException: DsReplicaSync failed (8418, 'WERR_DS_DRA_SCHEMA_MISMATCH')
   File 
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/drs.py", 
line 345, in run
     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, 
source_dsa_guid, NC, req_options)
   File 
"/usr/local/samba/lib64/python2.6/site-packages/samba/drs_utils.py", 
line 83, in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)
##################################

Here's what I see on one of the Windows 2008R2 DC's, name=Stilton:

##################################
C:\Users\Administrator>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\STILTON
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 24f13466-e54e-4e61-a533-4626b06c17ec
DSA invocationID: 24f13466-e54e-4e61-a533-4626b06c17ec

==== INBOUND NEIGHBORS ======================================

DC=gigl,DC=polymtl,DC=ca
     Default-First-Site-Name\ROQUEFORT via RPC
         DSA object GUID: e1a21c83-3c3f-4fbb-bc5e-e2dcd1f2c5ac
         Last attempt @ 2014-01-16 10:42:39 was delayed for a normal 
reason, result 8418 (0x20e2):
##################################

I seem to be able to replicate from Windows2008R2 servers to Samba4... 
but not the other way around.

Anyone have a clue?

Thanks!

-- 
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------

More information about the samba mailing list