[Samba] Log of DC replication error

Lars Hanke debian at lhanke.de
Mon Jan 4 22:20:10 UTC 2016 

Today I had another automatic restart of my secondary DC because 
samba-tool drs showrepl showed errors. The restart was completed at 
12:35. This is what I found in log.samba at log level 3:

[2016/01/04 12:33:47.201892,  3] 
../source4/rpc_server/drsuapi/getncchanges.c:2007(dcesrv_drsuapi_DsGetNCChanges)
   UpdateRefs on getncchanges for b19509be-c3ee-4a58-9fc9-afd61759a23f
[2016/01/04 12:33:47.202791,  2] 
../source4/rpc_server/drsuapi/getncchanges.c:2114(dcesrv_drsuapi_DsGetNCChanges)
   DsGetNCChanges with uSNChanged >= 3651 flags 0x00000074 on 
<GUID=57840cd3-5b72-476b-9333-32d1c03d872c>;CN=Configuration,DC=ad,DC=microsult,DC=de 
gave 0 objects (done 0/0) 0 links (done 0/0 (as 
S-1-5-21-820921042-1573760902-1500171102-1000))
[2016/01/04 12:34:39.306100,  3] 
../auth/credentials/credentials_krb5.c:532(cli_credentials_get_client_gss_creds)
   Credentials for VERDANDI$@AD.MICROSULT.DE will expire shortly (0 
sec), must refresh credentials cache
[2016/01/04 12:34:39.306295,  1] 
../source4/auth/gensec/gensec_gssapi.c:644(gensec_gssapi_update)
   GSS client Update(krb5)(1) Update failed:  Miscellaneous failure (see 
text): Matching credential 
(GC/samba.ad.microsult.de/ad.microsult.de at AD.MICROSULT.DE) not found
[2016/01/04 12:34:39.306318,  0] ../auth/gensec/gensec.c:247(gensec_update)
   Did not manage to negotiate mandetory feature SIGN for dcerpc 
auth_level 6
[2016/01/04 12:34:39.306370,  0] 
../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for 
e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:b19509be-c3ee-4a58-9fc9-afd61759a23f._msdcs.ad.microsult.de[1024,seal,krb5] 
NT_STATUS_ACCESS_DENIED
[2016/01/04 12:34:39.377246,  3] 
../auth/credentials/credentials_krb5.c:532(cli_credentials_get_client_gss_creds)
   Credentials for VERDANDI$@AD.MICROSULT.DE will expire shortly (0 
sec), must refresh credentials cache
[ snip ]
[2016/01/04 12:34:39.508508,  3] 
../auth/credentials/credentials_krb5.c:532(cli_credentials_get_client_gss_creds)
   Credentials for VERDANDI$@AD.MICROSULT.DE will expire shortly (0 
sec), must refresh credentials cache
[2016/01/04 12:34:39.508704,  1] 
../source4/auth/gensec/gensec_gssapi.c:644(gensec_gssapi_update)
   GSS client Update(krb5)(1) Update failed:  Miscellaneous failure (see 
text): Matching credential 
(GC/samba.ad.microsult.de/ad.microsult.de at AD.MICROSULT.DE) not found
[2016/01/04 12:34:39.508726,  0] ../auth/gensec/gensec.c:247(gensec_update)
   Did not manage to negotiate mandetory feature SIGN for dcerpc 
auth_level 6
[2016/01/04 12:34:39.508773,  0] 
../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for 
e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:b19509be-c3ee-4a58-9fc9-afd61759a23f._msdcs.ad.microsult.de[1024,seal,krb5] 
NT_STATUS_ACCESS_DENIED
[2016/01/04 12:34:39.563897,  3] 
../auth/credentials/credentials_krb5.c:532(cli_credentials_get_client_gss_creds)
   Credentials for VERDANDI$@AD.MICROSULT.DE will expire shortly (0 
sec), must refresh credentials cache
[2016/01/04 12:34:39.564093,  1] 
../source4/auth/gensec/gensec_gssapi.c:644(gensec_gssapi_update)
   GSS client Update(krb5)(1) Update failed:  Miscellaneous failure (see 
text): Matching credential 
(GC/samba.ad.microsult.de/ad.microsult.de at AD.MICROSULT.DE) not found
[2016/01/04 12:34:39.564115,  0] ../auth/gensec/gensec.c:247(gensec_update)
   Did not manage to negotiate mandetory feature SIGN for dcerpc 
auth_level 6
[2016/01/04 12:34:39.564161,  0] 
../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for 
e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:b19509be-c3ee-4a58-9fc9-afd61759a23f._msdcs.ad.microsult.de[1024,seal,krb5] 
NT_STATUS_ACCESS_DENIED
[2016/01/04 12:34:47.459334,  3] 
../source4/dsdb/dns/dns_update.c:340(dnsupdate_check_names)
   Calling DNS name update script
[2016/01/04 12:34:47.462858,  3] 
../source4/dsdb/dns/dns_update.c:355(dnsupdate_check_names)
   Calling SPN name update script
[2016/01/04 12:34:47.773203,  3] 
../source4/dsdb/dns/dns_update.c:325(dnsupdate_spnupdate_done)
   Completed SPN update check OK
[2016/01/04 12:34:47.815691,  3] 
../source4/dsdb/dns/dns_update.c:296(dnsupdate_nameupdate_done)
   Completed DNS update check OK
[2016/01/04 12:35:01.607243,  3] 
../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2016/01/04 12:35:01.607326,  3] 
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]

So to me it looks like it cannot refresh its TGT since it cannot find 
GC/samba.ad.microsult.de/ad.microsult.de at AD.MICROSULT.DE - for whatever 
this is. After restarting the DC everything works fine. Samba version is 
4.1.17-Debian. samba.ad.microsult.de is the primary DC.

Thanks for your help,
  - lars.

More information about the samba mailing list