[Samba] drs replicate to Windows 2003 DC fails with WERR_DS_INSUFFICIENT_ATTR_TO_CREATE_OBJECT and WERR_DS_DRA_ACCESS_DENIED

David Koscinski david at thinkgecko.com
Sun Nov 2 07:04:29 MST 2014


My Samba 4.11 server will only replicate one way: Windows -> Samba.
Replication from Samba -> Windows fails.  Details follow.

I have a Samba 4.11 domain controller (fs1) that was added to an 
existing domain that had a Windows Server 2003R2 domain controller (fs) 
and Windows Small Business Server 2011 (sbs).

fs1 is running on Debian 7.6

My issue seems similar to 
https://lists.samba.org/archive/samba/2014-September/185140.html except 
that my domain is at 2003 functional level.  See more details about this 
at the end of my post.

Replication works successfully from fs to sbs and sbs to fs.

Replication works successfully from sbs to fs1:

fs1.pearl.local:~# samba-tool drs replicate fs1 sbs DC=pearl,DC=local
Replicate from sbs to fs1 was successful.

And from fs to fs1:

fs1.pearl.local:~# samba-tool drs replicate fs1 fs DC=pearl,DC=local
Replicate from fs to fs1 was successful.

However, replication from fs1 to either of the other domain controllers 
fails:

fs1.pearl.local:~# samba-tool drs replicate fs fs1 DC=pearl,DC=local
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - 
drsException: DsReplicaSync failed (8606, 
'WERR_DS_INSUFFICIENT_ATTR_TO_CREATE_OBJECT')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 
345, in run
     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, 
source_dsa_guid, NC, req_options)
   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, 
in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)

I've tried samba-tool dbcheck.  It found 2 errors.

fs1.pearl.local:~# samba-tool dbcheck
Checking 658 objects
ERROR: orphaned backlink attribute 'authOrigBL' in 
CN=DiscoverySearchMailbox 
{D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local for 
link authOrig in CN=DiscoverySearchMailbox 
{D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
Not removing orphaned backlink authOrig
ERROR: missing GUID component for authOrig in object 
CN=DiscoverySearchMailbox 
{D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local - 
CN=DiscoverySearchMailbox 
{D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
Not fixing missing GUID
Please use --fix to fix these errors
Checked 658 objects (2 errors)

I used --fix --yes to fix the errors

fs1.pearl.local:~# samba-tool dbcheck --fix --yes
Checking 658 objects
ERROR: orphaned backlink attribute 'authOrigBL' in 
CN=DiscoverySearchMailbox 
{D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local for 
link authOrig in CN=DiscoverySearchMailbox 
{D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
Remove orphaned backlink authOrig [YES]
Fixed orphaned backlink authOrig
ERROR: missing GUID component for authOrig in object 
CN=DiscoverySearchMailbox 
{D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local - 
CN=DiscoverySearchMailbox 
{D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
Change DN to 
<GUID=1fb53160-7eb6-404c-8656-0fe9f0c0a546>;<SID=S-1-5-21-31344582-3446745131-2667729944-1135>;CN=DiscoverySearchMailbox 
{D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local? [YES]
Fixed missing GUID on attribute authOrig
Checked 658 objects (2 errors)

Replicating again gives a new error WERR_DS_DRA_ACCESS_DENIED the first 
attempt, then the same old error 
WERR_DS_INSUFFICIENT_ATTR_TO_CREATE_OBJECT each subsequent attempt.

fs1.pearl.local:~# samba-tool drs replicate fs fs1 DC=pearl,DC=local
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - 
drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 
345, in run
     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, 
source_dsa_guid, NC, req_options)
   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, 
in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)
fs1.pearl.local:~# samba-tool drs replicate fs fs1 DC=pearl,DC=local
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - 
drsException: DsReplicaSync failed (8606, 
'WERR_DS_INSUFFICIENT_ATTR_TO_CREATE_OBJECT')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 
345, in run
     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, 
source_dsa_guid, NC, req_options)
   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, 
in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)

I noticed that the database continues to have 2 errors.  I can run this 
command repeatedly and it will always find and fix the same 2 errors.

fs1.pearl.local:~# samba-tool dbcheck --fix --yes
Checking 658 objects
ERROR: orphaned backlink attribute 'authOrigBL' in 
CN=DiscoverySearchMailbox 
{D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local for 
link authOrig in CN=DiscoverySearchMailbox 
{D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
Remove orphaned backlink authOrig [YES]
Fixed orphaned backlink authOrig
ERROR: missing GUID component for authOrig in object 
CN=DiscoverySearchMailbox 
{D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local - 
CN=DiscoverySearchMailbox 
{D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
Change DN to 
<GUID=1fb53160-7eb6-404c-8656-0fe9f0c0a546>;<SID=S-1-5-21-31344582-3446745131-2667729944-1135>;CN=DiscoverySearchMailbox 
{D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local? [YES]
Fixed missing GUID on attribute authOrig
Checked 658 objects (2 errors)

Suspecting that the issue might be that I have a Windows Small Business 
Server 2011 in my network, I checked the domain functional levels and 
confirmed that the domain and forest are at 2003 and so are fs and fs1.  
sbs is at level 4.  sbs also runs Exchange 2010, so the Exchange 
extensions are present in the AD.

PS C:\Users\gecko> $dse = ([ADSI] "LDAP://RootDSE")
PS C:\Users\gecko> $dse.dnsHostName
SBS.pearl.local
PS C:\Users\gecko> $dse.forestFunctionality
2
PS C:\Users\gecko> $dse.domainFunctionality
2
PS C:\Users\gecko> $dse.domainControllerFunctionality
4

PS C:\Documents and Settings\gecko.PEARL> $dse = ([ADSI] "LDAP://RootDSE")
PS C:\Documents and Settings\gecko.PEARL> $dse.dnsHostName
fs.pearl.local
PS C:\Documents and Settings\gecko.PEARL> $dse.domainControllerFunctionality
2
PS C:\Documents and Settings\gecko.PEARL> $dse.domainFunctionality
2
PS C:\Documents and Settings\gecko.PEARL> $dse.forestFunctionality
2
PS C:\Documents and Settings\gecko.PEARL>


fs1.pearl.local:~# samba-tool domain level show
Domain and forest function level for domain 'DC=pearl,DC=local'

Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2003


Does anyone know how to get past this roadblock?

Cheers,

David.
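A small helper, added here as an example and not part of the post above nor of samba-tool itself, that parses the two kinds of output the post shows: `samba-tool dbcheck --fix --yes` runs and the `samba-tool drs replicate` failure line. It compares two consecutive dbcheck runs and flags errors that the first run claimed to fix but the second run reports again (the exact symptom David describes), extracts the set of objects involved, and pulls the numeric code and WERR name out of a replicate failure so the two can be correlated. The sample output is constructed from the messages in the post, unwrapped to one line per message as samba-tool prints them; the line formats it relies on are an assumption based on what appears in the post.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: one dbcheck --fix --yes run, copied from the post and
# unwrapped to one line per message (the mail client wrapped the originals).
DBCHECK_OUTPUT = """Checking 658 objects
ERROR: orphaned backlink attribute 'authOrigBL' in CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local for link authOrig in CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
Remove orphaned backlink authOrig [YES]
Fixed orphaned backlink authOrig
ERROR: missing GUID component for authOrig in object CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local - CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
Change DN to <GUID=1fb53160-7eb6-404c-8656-0fe9f0c0a546>;<SID=S-1-5-21-31344582-3446745131-2667729944-1135>;CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local? [YES]
Fixed missing GUID on attribute authOrig
Checked 658 objects (2 errors)
"""

# Constructed sample: the first line of a failed drs replicate, from the post.
DRS_OUTPUT = """ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8606, 'WERR_DS_INSUFFICIENT_ATTR_TO_CREATE_OBJECT')
"""

# Line shapes assumed from the post; adjust if your samba-tool prints differently.
SUMMARY_RE = re.compile(r"^Checked (\d+) objects \((\d+) errors?\)$")
DN_RE = re.compile(r"CN=.+?(?:,DC=[^,\s?]+)+")
DRS_ERR_RE = re.compile(r"DsReplicaSync failed \((\d+), '(WERR_[A-Z0-9_]+)'\)")


@dataclass(frozen=True)
class DbcheckRun:
    checked: int              # objects examined ("Checking N objects")
    error_count: int          # count from the "Checked ... (N errors)" summary
    errors: Tuple[str, ...]   # text after "ERROR: ", in order
    fixed: Tuple[str, ...]    # text after "Fixed ", in order


def parse_dbcheck(output: str) -> DbcheckRun:
    """Split a dbcheck run into its ERROR lines, Fixed lines and summary counts."""
    errors, fixed, checked, count = [], [], 0, 0
    for line in output.splitlines():
        if line.startswith("ERROR: "):
            errors.append(line[len("ERROR: "):])
        elif line.startswith("Fixed "):
            fixed.append(line[len("Fixed "):])
        else:
            m = SUMMARY_RE.match(line)
            if m:
                checked, count = int(m.group(1)), int(m.group(2))
    return DbcheckRun(checked, count, tuple(errors), tuple(fixed))


def affected_objects(run: DbcheckRun) -> set:
    """Distinct DNs named in the ERROR lines (an error may mention the same DN twice)."""
    return {dn for msg in run.errors for dn in DN_RE.findall(msg)}


def recurring_errors(previous: DbcheckRun, current: DbcheckRun) -> list:
    """Errors reported again after a --fix run that claimed to fix them.

    A non-empty result is the signal in the post: the repair is not persisting in
    the local database between runs, so dbcheck output alone cannot be trusted
    as evidence that the object is healthy.
    """
    if not previous.fixed:
        return []
    return [e for e in current.errors if e in previous.errors]


def parse_drs_error(output: str) -> Optional[Tuple[int, str]]:
    """Return (numeric code, WERR name) from a failed replicate, or None on success."""
    m = DRS_ERR_RE.search(output)
    return (int(m.group(1)), m.group(2)) if m else None


if __name__ == "__main__":
    first = parse_dbcheck(DBCHECK_OUTPUT)
    second = parse_dbcheck(DBCHECK_OUTPUT)   # in practice: the next --fix run
    for err in recurring_errors(first, second):
        print("fix did not persist:", err[:60], "...")
    print("objects involved:", affected_objects(second))
    print("replicate result:", parse_drs_error(DRS_OUTPUT))
```

Feed it the captured stdout of two real consecutive runs rather than the same text twice; the point of `recurring_errors` is that, with a healthy database, the second run after a `--fix` should report none of the first run's errors, and any that do recur point at the object (here a single `DiscoverySearchMailbox` entry) to investigate before chasing the replication error itself.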

