[Samba] showrepl is showing a deleted connexion

Denis Cardon denis.cardon at tranquil-it-systems.fr
Fri Jan 22 15:05:10 UTC 2016 

Hi Jordi,

How is it going up there in Normandie?

> I have seen in an old post that you have tested new KCC from full mesh to bridge head at a french school.
> Is your "drs showrepl" correct on such DC's ?
>
> In my case, a drs showrepl is showing a full mesh on inbound and outbound (not good) but only 1 KCC connection objects (good)
> Where is a full description of my trouble: https://lists.samba.org/archive/samba/2015-December/196844.html

KCC does not remove existing outdated kcc objects by itself (or didn't, 
if it has been changed in more recent versions). I had a chat with 
Douglas about this a while back. However it should remove your 
repsfrom/repsto attribute, unless you messed up the thing (I did once). 
I also had in the past repsfrom/repsto pointing to deleted NTDSDSA 
entries with the \0ADEL string.

Before asking samba_kcc to buildup the connexions, you have to define 
the sites, put the DC in the correct site, remove the site from de 
default_ip_link, and set up a link for each remote site to main site. 
Actually the bridge head thing does not seem necessary to get the thing 
working. With such a configuration, samba_kcc does build only the 
necessary connexions, and by reading you post, it seems that you did it 
properly, so that sounds good.

If you still have spurious repsfrom/repsto, I don't know if there is 
another way to get rid it other than ldbedit'ing... By the way, did you 
check in the _msdcs DNS zone that you don't have leftover CNAME entries 
of your old servers?

In order to finish the setup, be sure to setup the subnet properly in 
order for all windows to contact their nearest DCs. After having created 
the sites, double check that all the _kerberos/_ldap entries under 
_sites  are properly created in the DNS server (sometime, they aren't). 
After, you can check on a windows desktop at different site that it 
knows on which site it is located in the windows registry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters 
, check the value DynamicSiteName, and on a cmd.exe check the env 
variable LOGONSERVER

Another hint: if you set up a star topology where remote sites cannot 
see each others (especially if you have DROP/no_ip_unreachable firewall 
rules), then you have also to be careful that during the process of 
joining a new DC, the join process reads /etc/krb5.conf file and tries 
to contact all the DC that are referenced, and thus if you use DNS SRV 
records to resolv kdc addresses, it will try to contact all the servers. 
In that case, you have to specify manually the kdc in that 
/etc/krb5.conf file and not rely on the automatic DNS discovery.

Another corner case is that when having more than 40-50 kdc in the 
domain, you may encounter another bug with /etc/krb5.conf file with 
automatic KDC discovery through DNS SRV records, it looks like it is 
just too much for libkrb5. In that case, you should also disable DNS 
automatic kerberos discovery and specify a few useful kdc addresses in 
the krb5.conf file by hand.

Cheers,

Denis

> Best  regards
>
>
> -----Message d'origine-----
> De : Denis Cardon [mailto:denis.cardon at tranquil-it-systems.fr]
> Envoyé : vendredi 22 janvier 2016 14:31
> À : MORILLO Jordi <J.Morillo at educationetformation.fr>; samba at lists.samba.org
> Objet : Re: [Samba] showrepl is showing a deleted connexion
>
> Hi Jordi,
>
>> Solved !
>> Thanks for the script.
>> In my case, it was just too late.
>> I have just found a ugly but working solution:
>>   From Configuration, Schema, Domaindnszones, forestdnszones and principal, I remove using ldbdel a "repsTo" binary object.
>> No more trouble with drs showrepl :-)
>
> Indeed, samba-tool drs showrepl show in fact the repsfrom/repsto attributes. They should be created / deleted by kcc. However I have seen lingering repsto attributes in the past too and had to ldbedit to cleanup the mess.
>
> Ldbdel'eting an entry in "CN=Deleted Object" should be done with care.
> In your case, you still had a repsto referencing the GUID of that object, hence among other things the crash of samba-tool drs showrepl on the OUTBOUND NEIGHBOR part of the listing. However, I guess the initial condition is a bug and it should be the job of the KCC (or integrity
> check) to delete a repsto pointing to an object in Deleted Objects.
> Should check with Douglas and the dev team...
>
> Cheers,
>
> Denis
>
>>
>> -----Message d'origine-----
>> De : samba [mailto:samba-bounces at lists.samba.org] De la part de Stefan
>> Kania Envoyé : vendredi 22 janvier 2016 09:35 À :
>> samba at lists.samba.org Objet : Re: [Samba] showrepl is showing a
>> deleted connexion
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> You shoud remove alle DC-date with this script:
>> https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-
>> 9f
>> 97-0e1cc4d577f3
>> Than you can ben sure that alle the metadate is removed. Then clean
>> only the DNS-entries by hand
>>
>> Am 21.01.2016 um 20:09 schrieb MORILLO Jordi:
>>> Hi everybody,
>>>
>>> One of my DC crash this afternoon (dead disk). I can't remove this DC
>>> server from windows GUI (computer object from < users and computers
>>>> ) and NTDS settings from < sites and services > because windows GUI
>>> error.
>>>
>>> So i manually remove this old server :
>>>
>>> -          Clean all DNS stuff (tpc, sites, kerberos, kpasswd, srv
>>> entries.....)
>>>
>>> -          With apache directory studio, i connect to ldap and
>>> remove NTDS settings under site's tree (configuration -> sites ->
>>> my_old_site) After that, windows GUI is good, no more DC's computer
>>> object or NTDS settings
>>>
>>> But A samba-tool drs showrepl gives :
>>>
>>> ==== OUTBOUND NEIGHBORS ==== ....
>>> DC=pr,DC=educationetformation,DC=fr NTDS DN: CN=NTDS
>>> Settings\0ADEL:1e23b3de-ae49-406d-bd33-e233b168945c,CN=DC540\0ADEL:ce
>>> e
>> b7300-2411-4e05-83e2-e4ebf521f145,CN=Servers\0ADEL:85d2165b-0a31-4f90-
>> be
>> 71-e2b73c8eb88a,CN=SaintSaens\0ADEL:f23842e5-e22b-4ad2-9cb3-a72fe0dd73
>> dd ,CN=Sites,CN=Configuration,DC=pr,DC=educationetformation,DC=fr
>>>
>>>
>> DSA object GUID: 1e23b3de-ae49-406d-bd33-e233b168945c
>>> Last attempt @ Thu Jan 21 19:44:00 2016 CET failed, result 87
>>> (WERR_INVALID_PARAM) 1932 consecutive failure(s). Last success @
>>> NTTIME(0) ....
>>>
>>> This object is not visible from ldap but is visible with ldbsearch on
>>> CONFIGURATION ldb If I ldbdel this object, samba-tool drs showrepl
>>> failed :
>>>
>>> ==== OUTBOUND NEIGHBORS ====
>>>
>>> ERROR(runtime): DsReplicaGetInfo of type 4294967294 failed - (8442,
>>> 'WERR_DS_DRA_INTERNAL_ERROR')
>>>
>>> So I ldbadd this object (previously backup up), no more
>>> ERROR(runtime) but i can see again wrong connexion from samba-tool
>>> drs showrepl.... Any idea to clean drs showrepl from this deleted object ?
>>> Thanks for all Samba 4.3.3
>>>
>>
>>
>> - --
>> Stefan Kania
>> Landweg 13
>> 25693 St. Michaelisdonn
>>
>>
>> Signieren jeder E-Mail hilft Spam zu reduzieren. Signieren Sie ihre
>> E-Mail. Weiter Informationen unter http://www.gnupg.org
>>
>> Mein Schlüssel liegt auf
>>
>> hkp://subkeys.pgp.net
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.22 (GNU/Linux)
>>
>> iEYEARECAAYFAlah5CEACgkQ2JOGcNAHDTbmoQCfdKK0uNK5QUmqyN0B6ZW1Sqvr
>> 0jwAoKNnsFZmSNIXitYMmP8Wqr1CBXwj
>> =dZgV
>> -----END PGP SIGNATURE-----
>>
>
> --
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

More information about the samba mailing list