[Samba] DomainDnsZones inbound replication issue
lingpanda101 at gmail.com
Thu Jul 28 15:18:24 UTC 2016
On 7/28/2016 10:25 AM, Donaldson Jeff wrote:
>
> Here's my edited smb.conf and the output of the testparm. As you can
> see I'm not setting that in my smb.conf and it appears to be turned on
> by default in Samba 4.4.4. I was going to update Samba on DC1 to 4.4.4
> as well, but haven't done that yet. It's currently on 4.2.3. Should I
> upgrade that as well before changing anything else? Thanks!
>
>
>
> Jeff Donaldson
> Technology Director
> Newark Charter School
> jeff.donaldson at ncs.k12.de.us
> (302) 369-2001 ext: 625
>
>
> ------------------------------------------------------------------------
> *From:* samba <samba-bounces at lists.samba.org> on behalf of
> lingpanda101 at gmail.com <lingpanda101 at gmail.com>
> *Sent:* Thursday, July 28, 2016 9:45 AM
> *To:* samba at lists.samba.org
> *Subject:* Re: [Samba] DomainDnsZones inbound replication issue
> On 7/28/2016 9:24 AM, Donaldson Jeff wrote:
> > Greetings,
> >
> >
> > I am having a problem with one of my DCs (DC3) replicating
> > DomainDnsZones. On DC3 replication is successful on both Inbound and
> > Outbound with both of my other DCs. On both of my other DCs (DC1 &
> > DC2) I only get a failure with Inbound replication for DomainDnsZones
> > from DC3 with a result 8442 (WERR_DS_DRA_INTERNAL_ERROR).
> >
> >
> > If I try to force replication to DC3 from DC1 using samba-tool drs
> > replicate DC3 DC1 DC=DomainDnsZones,DC=our,DC=domain,DC=com
> > --full-sync, I get the following:
> >
> >
> > ldb_wrap open of secrets.ldb
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Using binding ncacn_ip_tcp:ncsauth3[,seal]
> > resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
> > Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED -
> > <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
> > Failed to connect to 'ldap://ncsauth3' with backend 'ldap': (null)
> > ERROR(ldb): LDAP connection to ncsauth3 failed - None
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 48, in samdb_connect
> >     credentials=ctx.creds, lp=ctx.lp)
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py", line 56, in __init__
> >     options=options)
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/__init__.py", line 114, in __init__
> >     self.connect(url, flags, options)
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py", line 71, in connect
> >     options=options)
> >
> >
> > I didn't have any replication issues prior to upgrading Samba to
> > 4.4.4 and the server to Ubuntu 14.04.4. After upgrading I ran
> > samba-tool dbcheck --cross-ncs --fix. Not sure how to proceed to
> > resolve the issue. Would the best solution be to demote the affected
> > DC, wipe out all of private, then join as a DC again? Any help or
> > suggestions are greatly appreciated.
> >
> > Regards,
> > Jeff
> >
> > Jeff Donaldson
> > Technology Director
> > Newark Charter School
> > jeff.donaldson at ncs.k12.de.us
> > (302) 369-2001 ext: 625
>
> What is the value of "ldap server require strong auth =" in your
> smb.conf? You may need to run 'samba-tool testparm -v'
>
> --
> -James
>
Yes, updating should fix the issue. However, I would strongly suggest
you read the release notes of each version you may be skipping. The
default behavior for LDAP_STRONG_AUTH_REQUIRED was no.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2112

Changing 'ldap server require strong auth = No' should fix the
replication issue. Just understand what this means. I assume your other
DCs were 4.2.3 before you upgraded to 4.4.4?
--
-James
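The thread turns on the effective value of 'ldap server require strong auth' as printed by 'samba-tool testparm -v'. The following shell function is an added example, not code from the thread or from the Samba project: it reads testparm output on stdin and classifies the setting so a DC that has been relaxed to 'No' to get replication working again (the CVE-2016-2112 pre-fix behaviour) stands out in an audit. It assumes testparm's "name = value" line format, and the labels hardened/weakened/partial/unknown are this example's own; the sample output below is constructed, not captured from the poster's servers.

```shell
#!/bin/sh
# Added example (not from the thread): classify the effective value of
# "ldap server require strong auth" from 'samba-tool testparm -v' output.
# Reads testparm output on stdin; prints one of: hardened / weakened / partial / unknown.
# Assumed invocation on a DC:
#   samba-tool testparm -v 2>/dev/null | strong_auth_status
strong_auth_status() {
    # testparm prints "ldap server require strong auth = Yes|No|allow_sasl_over_tls";
    # keep the first matching line, strip the name and "=", normalise case.
    value=$(grep -i '^[[:space:]]*ldap server require strong auth[[:space:]]*=' |
            head -n 1 |
            sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' |
            tr '[:upper:]' '[:lower:]')
    case "$value" in
        yes|true|1)           echo hardened ;;  # 4.4.x default: unsigned/unsealed LDAP binds rejected
        no|false|0)           echo weakened ;;  # pre-4.4 behaviour: plain LDAP binds accepted again
        allow_sasl_over_tls)  echo partial  ;;  # strong auth not required once the session is TLS
        *)                    echo unknown  ;;  # parameter not present or unexpected value
    esac
}

# Wrapper that takes the testparm text as an argument so the result is a return value.
classify() {
    printf '%s\n' "$1" | strong_auth_status
}

# Constructed sample [global] sections, shaped like what testparm -v prints.
SAMPLE_HARDENED='[global]
    workgroup = OURDOMAIN
    realm = OUR.DOMAIN.COM
    ldap server require strong auth = Yes
    server role = active directory domain controller'

SAMPLE_WEAKENED='[global]
    workgroup = OURDOMAIN
    realm = OUR.DOMAIN.COM
    ldap server require strong auth = No
    server role = active directory domain controller'

# Stand-alone run: report both samples.
for s in "$SAMPLE_HARDENED" "$SAMPLE_WEAKENED"; do
    printf 'ldap server require strong auth -> %s\n' "$(classify "$s")"
done
```

Run it against every DC after an upgrade: a mixed result across DCs (one "weakened", the rest "hardened") is exactly the situation in this thread, where the 4.2.3 DC still binds without sign/seal while the 4.4.4 DC refuses it.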