[Samba] DomainDnsZones inbound replication issue

lingpanda101 at gmail.com lingpanda101 at gmail.com
Thu Jul 28 15:18:24 UTC 2016


On 7/28/2016 10:25 AM, Donaldson Jeff wrote:
>
> Here's my edited smb.conf and the output of the testparm. As you can 
> see I'm not setting that in my smb.conf and it appears to be turned on 
> by default in Samba 4.4.4. I was going to update Samba on DC1 to 4.4.4 
> as well, but haven't done that yet. It's currently on 4.2.3. Should I 
> upgrade that as well before changing anything else? Thanks!
>
>
>
> Jeff Donaldson
> Technology Director
> Newark Charter School
> jeff.donaldson at ncs.k12.de.us
> (302) 369-2001 ext: 625
>
>
> ------------------------------------------------------------------------
> *From:* samba <samba-bounces at lists.samba.org> on behalf of 
> lingpanda101 at gmail.com <lingpanda101 at gmail.com>
> *Sent:* Thursday, July 28, 2016 9:45 AM
> *To:* samba at lists.samba.org
> *Subject:* Re: [Samba] DomainDnsZones inbound replication issue
> On 7/28/2016 9:24 AM, Donaldson Jeff wrote:
> > Greetings,
> >
> >
> > I am having a problem with one of my DCs (DC3) replicating
> > DomainDnsZones. On DC3 replication is successful on both Inbound and
> > Outbound with both of my other DCs. On both of my other DCs (DC1 &
> > DC2) I only get a failure with Inbound replication for DomainDnsZones
> > from DC3 with a result 8442 (WERR_DS_DRA_INTERNAL_ERROR).
> >
> >
> > If I try to force replication to DC3 from DC1 using
> > samba-tool drs replicate DC3 DC1 DC=DomainDnsZones,DC=our,DC=domain,DC=com --full-sync,
> > I get the following:
> >
> >
> > ldb_wrap open of secrets.ldb
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Using binding ncacn_ip_tcp:ncsauth3[,seal]
> > resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
> > Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
> > Failed to connect to 'ldap://ncsauth3' with backend 'ldap': (null)
> > ERROR(ldb): LDAP connection to ncsauth3 failed - None
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 48, in samdb_connect
> >     credentials=ctx.creds, lp=ctx.lp)
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py", line 56, in __init__
> >     options=options)
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/__init__.py", line 114, in __init__
> >     self.connect(url, flags, options)
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py", line 71, in connect
> >     options=options)
> >
> >
> > I didn't have any replication issues prior to upgrading Samba to
> > 4.4.4 and the server to Ubuntu 14.04.4. After upgrading I ran
> > samba-tool dbcheck --cross-ncs --fix. Not sure how to proceed to
> > resolve the issue. Would the best solution be to demote the affected
> > DC, wipe out all of private, then join as a DC again? Any help or
> > suggestions are greatly appreciated.
> >
> > Regards,
> > Jeff
> >
> > Jeff Donaldson
> > Technology Director
> > Newark Charter School
> > jeff.donaldson at ncs.k12.de.us
> > (302) 369-2001 ext: 625
>
> What is the value of
>
> "ldap server require strong auth =" in your smb.conf? You may need to
> run 'samba-tool testparm -v'
>
> -- 
> -James
>
>
Yes, updating should fix the issue. However, I would strongly suggest 
you read the release notes of each version you may be skipping. The 
default behavior for LDAP_STRONG_AUTH_REQUIRED was no.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2112

Changing 'ldap server require strong auth = No' should fix the 
replication issue. Just understand what this means. I assume your other 
DCs were 4.2.3 before you upgraded to 4.4.4?


-- 
-James
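A small check for the setting James points to, added here as an example and not code from the thread or from Samba itself. It assumes `samba-tool testparm -v` prints the parameter on a line of the form `ldap server require strong auth = Yes`; the testparm sample at the bottom is constructed, and the value descriptions follow smb.conf(5).

```shell
#!/bin/sh
# Added example for this thread; not code from Samba or from either poster.
# Reads the output of `samba-tool testparm -v` (which lists every effective
# global parameter, defaults included) plus smb.conf, and reports how the
# DC will treat LDAP binds. Values are those documented for
# "ldap server require strong auth": no, allow_sasl_over_tls, yes.

# Effective value, lower-cased; "unset" if testparm printed no such line.
strong_auth_value() {   # usage: strong_auth_value < testparm_output
    v=$(sed -n 's/^[[:space:]]*ldap server require strong auth[[:space:]]*=[[:space:]]*//p' \
        | head -n 1 | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "${v:-unset}"
}

# True when smb.conf sets the parameter itself rather than inheriting the default.
explicitly_set() {      # usage: explicitly_set /path/to/smb.conf
    grep -Eiq '^[[:space:]]*ldap[[:space:]]+server[[:space:]]+require[[:space:]]+strong[[:space:]]+auth[[:space:]]*=' "$1"
}

# What each value admits, per smb.conf(5).
describe() {            # usage: describe <value>
    case "$1" in
        yes)                 echo "unencrypted: only SASL binds with sign or seal (others get LDAP_STRONG_AUTH_REQUIRED); over TLS: simple binds also allowed" ;;
        allow_sasl_over_tls) echo "unencrypted: only SASL binds with sign or seal; over TLS: simple and unsigned SASL binds also allowed" ;;
        no)                  echo "simple and unsigned SASL binds accepted on any transport (behaviour before the CVE-2016-2112 fix)" ;;
        *)                   echo "unrecognised value: $1" ;;
    esac
}

# One-line summary for a DC: effective value, where it comes from, and its effect.
report() {              # usage: report /path/to/smb.conf testparm_output_file
    val=$(strong_auth_value < "$2")
    if explicitly_set "$1"; then src="set in $1"; else src="default, not in $1"; fi
    printf '%s (%s): %s\n' "$val" "$src" "$(describe "$val")"
}

# Constructed sample of `samba-tool testparm -v` output, trimmed to a few lines.
SAMPLE_TESTPARM='[global]
        realm = EXAMPLE.INTERNAL
        ldap server require strong auth = Yes
        server role = active directory domain controller'
```

On a live DC the two inputs would be `samba-tool testparm -v > /tmp/testparm.out` and the DC's own smb.conf, then `report /etc/samba/smb.conf /tmp/testparm.out`.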


