[Samba] Replication issues after OS upgrade

L.P.H. van Belle belle at bazuin.nl
Mon Jul 13 13:21:02 UTC 2015


You did change :

the DLZ option from 9.8 to 9.9 ?  
check your bind options.

this .. 
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
};



Greetz, 

Louis


>-----Oorspronkelijk bericht-----
>Van: samba [mailto:samba-bounces at lists.samba.org] Namens George
>Verzonden: maandag 13 juli 2015 14:04
>Aan: samba at lists.samba.org
>Onderwerp: [Samba] Replication issues after OS upgrade
>
>Hi, I'm resending this to the list since I cannot see it on 
>the archive,
>for some reason...
>
>I recently upgraded two (running stable) systems from Debian Wheezy to
>Jessie. Samba version has not changed since on Wheezy I was 
>using the one
>from wheezy-backports (v4.1.17), same as on jessie.
>
>These are 2 basic DCs without any additional config. Since the upgrade,
>every day at either at 10 PM or 8 AM replication is broken (I can see
>WERR_ACCESS_DENIED errors by running samba-tool drs showrepl).
>Restarting Samba returns everything to normal, until the next day...
>
>By increasing the log level I can see this:
>
>--
>[2015/07/07 22:02:48.149819,  3]
>../auth/credentials/credentials_krb5.c:532(cli_credentials_get_
>client_gss_creds)
>  Credentials for DC2$@MYCOMPANY.COM will expire shortly (0 sec), must
>refresh credentials cache
>[2015/07/07 22:02:48.150486,  1]
>../source4/auth/gensec/gensec_gssapi.c:644(gensec_gssapi_update)
>  GSS client Update(krb5)(1) Update failed:  Miscellaneous failure (see
>text): Matching credential 
>(GC/dc1.mycompany.com/mycompany.com at MYCOMPANY.COM)
>not found
>[2015/07/07 22:02:48.150615,  0] 
>../auth/gensec/gensec.c:247(gensec_update)
>  Did not manage to negotiate mandetory feature SIGN for 
>dcerpc auth_level 6
>[2015/07/07 22:02:48.150959,  0]
>../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
>  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
>e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp
>:74f6388c-a704-4bb1-857a-e7dc15c320cd._msdcs.mycompany.com[1024
>,seal,krb5]
>NT_STATUS_ACCESS_DENIED
>--
>
>After that the logs get heavily spammed by the same messages "Did not
>manage..." and "Failed to bind...", every minute or so.
>
>Any ideas? I'm tempted to rejoin the servers to the domain or 
>regenerate
>the keytabs, still I don't understand why everything gets fixed by just
>restarting samba.
>
>Any help is appreciated.
>
>Best regards.
>
>George
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>




More information about the samba mailing list