[Samba] No more replication for new DC

mathias dufresne infractory at gmail.com
Mon Nov 16 15:50:47 UTC 2015


Yep, I did.

The SPNs of the newly added DC were missing on all DCs except the newly added
DC itself. I expect SPNs are created on the joined DC and then replicated to the
other DCs. Adding SPNs for that newly added DC in the DIT of the FSMO owner did
not help much.

Now the error coming repeatedly on the newly added DC is:
[2015/11/16 16:49:42.529374,  0] ../source4/dsdb/repl/replicated_objects.c:818(dsdb_replicated_objects_commit)
  ../source4/dsdb/repl/replicated_objects.c:818 Failed to prepare commit of transaction: operations error at ../source4/dsdb/samdb/ldb_modules/descriptor.c:1147
[2015/11/16 16:49:42.533140,  0] ../source4/dsdb/repl/drepl_out_helpers.c:773(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE


2015-11-16 16:35 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 16/11/15 15:09, mathias dufresne wrote:
>
>> That did not work. I've added the DNS entries mentioned in that wiki page. I
>> also forced creation of all entries mentioned by samba_dnsupdate
>> --all-names --verbose.
>> So I expect all needed DNS entries are present. If some are still missing
>> they are not mentioned by samba_dnsupdate. And as samba_dnsupdate's job is to
>> create missing DNS entries, I dare rely on it.
>>
>> I expect the issue comes from missing servicePrincipalName.
>>
>> I'm wondering why these LDAP fields are not filled...
>>
>> Cheers,
>>
>> mathias
>>
>> 2015-11-16 15:39 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>>
>> On 16/11/15 14:33, mathias dufresne wrote:
>>>
>>> Another error coming often:
>>>> [2015/11/16 15:11:07.592598,  0] ../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv)
>>>>     Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:10.156.248.219[1024,seal,krb5,target_hostname=231cc777-1ab8-4b15-be6c-dcd218df48e9._msdcs.samba.domain.tld,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.156.248.221] NT_STATUS_INVALID_PARAMETER
>>>>
>>>> Digging a bit further, there is no "servicePrincipalName" for the last
>>>> added DC.
>>>> Using samba_spnupdate on the FSMO owner or on the newly added DC has no
>>>> effect.
>>>>
>>>> I'm about to create these servicePrincipalName by hand to see if it could
>>>> solve my little issue.
>>>>
>>>> Cheers,
>>>>
>>>> mathias
>>>>
>>>>
>>>> 2015-11-16 14:40 GMT+01:00 mathias dufresne <infractory at gmail.com>:
>>>>
>>>> Hi all,
>>>>
>>>>> I have 3 DCs running Samba 4.3.1 in the same domain. They seem to work
>>>>> quite well with coherent databases on each of them.
>>>>>
>>>>> After rebuilding my RPM to include systemd units, I've joined a Samba
>>>>> 4.3.1 today, using --domain-critical-only. The join was successful, the
>>>>> replication was not. This DC has only 146 objects in the DB when it should
>>>>> have a bit less than 50000 objects.
>>>>>
>>>>> As I was suspecting the newly built RPMs, I set up another DC using the
>>>>> same RPMs as the ones used to prepare the first 3 DCs. I joined that 5th DC
>>>>> to the domain, successfully, but replication does not work either.
>>>>>
>>>>> Finally I installed the 4.2.5 SerNet version, joined it to the domain and
>>>>> still replication does not work.
>>>>>
>>>>> In log.samba from newly added DC there are lines:
>>>>> [2015/11/16 14:25:05.966500,  0] ../source4/dsdb/repl/replicated_objects.c:818(dsdb_replicated_objects_commit)
>>>>>     ../source4/dsdb/repl/replicated_objects.c:818 Failed to prepare commit of transaction: operations error at ../source4/dsdb/samdb/ldb_modules/descriptor.c:1147
>>>>> [2015/11/16 14:25:05.968151,  0] ../source4/dsdb/repl/drepl_out_helpers.c:770(dreplsrv_op_pull_source_apply_changes_trigger)
>>>>>     Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
>>>>>
>>>>> Coming repeatedly.
>>>>>
>>>>> One important thing is I changed the FSMO owner on that domain once I
>>>>> switched from 4.3.0 to 4.3.1.
>>>>> As already discussed, seizing FSMO does not modify the DNS entry for SOA,
>>>>> so I'd modified that manually plus a lot of other entries to remove traces
>>>>> of old DCs. There is no more LDAP entry for these old DCs.
>>>>>
>>>>> If someone has some idea to solve that, he would be welcome :)
>>>>>
>>>>> Cheers,
>>>>>
>>>>> mathias
>>>>>
>>>>>
>>>>>
>>>>> Have a look here:
>>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>>>
>>>
> Before you do anything else, have you tried rebooting the DC?
>
> Rowland
>
>
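
A consistency check for the symptom reported in this thread (a DC's servicePrincipalName values present in its own database but absent from the other DCs' copies), as an added example that is not part of the original messages. It parses LDIF text, such as the output of an ldbsearch for servicePrincipalName run against each DC, and lists the SPNs each DC's copy lacks; the DC names, host names and GUID in the sample are constructed.

```python
import base64

def parse_spns(ldif_text):
    """Map each DN to its set of servicePrincipalName values (lowercased)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folding: continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    result, dn = {}, None
    for line in lines:
        if line.startswith("#") or ":" not in line:
            continue                        # comments and blank lines
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attr, value = attr.lower(), value.strip().lower()
        if attr == "dn":
            dn = value
            result.setdefault(dn, set())
        elif attr == "serviceprincipalname" and dn:
            result[dn].add(value)
    return result

def spn_gaps(views):
    """views: {dc_name: ldif_text}. Return {dc_name: {dn: [missing SPNs]}}."""
    parsed = {dc: parse_spns(text) for dc, text in views.items()}
    union = {}                              # every SPN seen on any DC, per DN
    for by_dn in parsed.values():
        for dn, spns in by_dn.items():
            union.setdefault(dn, set()).update(spns)
    gaps = {}
    for dc, by_dn in parsed.items():
        for dn, expected in union.items():
            missing = expected - by_dn.get(dn, set())
            if missing:
                gaps.setdefault(dc, {})[dn] = sorted(missing)
    return gaps

# Constructed sample data (DC names, host names and GUID are placeholders).
DN = "dn: CN=DC4,OU=Domain Controllers,DC=samba,DC=domain,DC=tld\n"
SAMPLE = {
    "dc1": "# record 1\n" + DN,
    "dc4": "# record 1\n" + DN
    + "servicePrincipalName: HOST/dc4.samba.domain.tld\n"
    + "servicePrincipalName: ldap/dc4.samba.domain.tld\n"
    + "servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/00000000-0000\n"
    + " -0000-0000-000000000004/samba.domain.tld\n",
}
```

Calling spn_gaps(SAMPLE) returns an entry only for dc1, listing the three SPNs that exist on dc4's own copy of its computer object but not on dc1's.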

