[Samba] drs showrepl - Failed to bind to UUID - Undetermined error

Jonathan Hunter jmhunter1 at gmail.com
Sat Sep 10 22:27:52 UTC 2016

Thank you Andrew, you pointed me in exactly the right direction, and I now
have 'samba-tool drs showrepl' working fine on this DC. I unfortunately now
don't know if this worked before I upgraded to 4.5, or not - but it does
work again now.

I am once again ashamed to say that there was a config error on this
machine; I can only assume that when I was rebuilding it after the disk
problems, I rebuilt it in a rush. The /etc/hosts file contained the wrong
IP for the local machine (in fact, it had the IP of another DC where I had
perhaps copied the format of the file from!). I have no idea why this
hadn't caused any more issues than just this - DNS was still correct so
perhaps enough programs consulted DNS before /etc/hosts. I'm kind of
impressed that samba seemed to otherwise run just fine on this machine!

Sorry for the false alarm; I think that with the KCC changes in 4.5, I
decided now would be a good time to check 'samba-tool drs showrepl' and
that finally highlighted the typo I made a couple of months back when I
rebuilt the DC..

Thanks all :-)


On 10 September 2016 at 20:43, Andrew Bartlett <abartlet at samba.org> wrote:

> On Sat, 2016-09-10 at 16:28 +0100, Jonathan Hunter via samba wrote:
> > Thanks Andrew.
> >
> > No - it was my fault for including an easily-solved side query in the
> > same email as the main query.. :) I haven't solved the original issue,
> > which is that 'samba-tool drs showrepl' runs on two of my DCs but not
> > on the third.
> >
> > I don't know if anything else also doesn't work, e.g. some aspect of
> > replication I haven't observed yet - but the only problem I can
> > actually see is that 'samba-tool drs showrepl' doesn't run on this one
> > DC.
> >
> > You ask a good question in terms of removing the DC that died. I think
> > I probably did not do this step correctly. I had two DCs die within a
> > short time of each other (disk issues) and I built new machines and
> > simply joined them to the domain 'over the top', using the same name
> > and IP address as previously. I now realise that this might not have
> > been the best idea, as they would now have new UUIDs and I have done
> > nothing much to remove the old UUIDs, apart from removing them from
> > DNS/LDAP where I found them. Perhaps I should have explicitly removed
> > the DCs, before re-adding them? I may well not have removed them fully
> > myself.
> >
> > Is there an easy place in AD where these UUIDs are stored - I'm happy
> > to go through and remove stale entries myself using ADSIEdit or
> > similar? Or would you recommend I temporarily remove each DC in turn
> > using the demote tool, then re-add? (Would the demote tool remove
> > *all* UUIDs from the DCs, or only the first one?)
> >
> > Is there some form of AD-checker tool, perhaps (either MS or Samba)
> > that would check all the various LDAP entries, DNS entries (_msdcs,
> > _sites, _tcp, _kerberos etc.) and point out what I have wrong? :-)
> >
> > At the moment I guess there might be multiple UUIDs somewhere in the
> > directory for this one DC, which might be why 'samba-tool drs
> > showrepl' chokes. There may well be multiple UUIDs for my other server
> > that died, too, but perhaps the first one that is returned from LDAP
> > for that other server is the current one, which is why 'samba-tool drs
> > showrepl' works on that?
>
> If you re-joined over the top, then it would have cleaned up most of
> what it needed to.  It probably left some junk in DNS, but that is
> mostly harmless.
>
> Where the UUID may be is in the repsFrom and repsTo, but this should be
> cleaned up by the new KCC.
>
> There isn't currently a 'is this all correct' tool beyond dbcheck.
>
> For the failure to connect, it is trying to connect to the local server
> to perform the query, have you confirmed DNS is set resolving for the
> name given and that the server is running, and listening?  Wireshark
> may help, as might turning up the log level on the command eg -d10 and
> the server.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein
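
The misconfiguration described in this message (a hosts file that maps the DC's own name to another DC's address while DNS stays correct) can be checked mechanically. The following is an added example, not part of the original post and not Samba code; the function names, host names and addresses are all assumptions made up for illustration.

```python
import ipaddress

# Constructed sample: a rebuilt DC (dc3) whose hosts file was copied from
# another DC (dc1) and still carries dc1's address. All names and addresses
# here are made up for the example.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
192.0.2.11  dc1.example.test dc1
192.0.2.11  dc3.example.test dc3   # should be 192.0.2.13
"""


def parse_hosts(text):
    """Map each lowercased name in hosts-file text to its list of addresses."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid IPv4/IPv6 address, ignore the line
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(ip)
    return table


def stale_local_entries(hosts_text, local_names, expected_ips):
    """Return (name, address) pairs where the hosts file maps one of this
    machine's names to an address outside expected_ips (the addresses DNS
    or the interface configuration says the machine has)."""
    expected = {ipaddress.ip_address(a) for a in expected_ips}
    table = parse_hosts(hosts_text)
    return [(name, str(ip))
            for name in local_names
            for ip in table.get(name.lower(), [])
            if ip not in expected]


if __name__ == "__main__":
    # On a live DC, read /etc/hosts and pass the names and addresses
    # obtained independently of the hosts file.
    for name, ip in stale_local_entries(
            SAMPLE_HOSTS, ["dc3.example.test", "dc3"], ["192.0.2.13"]):
        print(f"{name} -> {ip} does not match the expected address")
```

The expected addresses have to come from a source that does not itself consult the hosts file, such as a direct DNS query or the interface configuration.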
