[Samba] Replication problems bdc to pdc

Rowland Penny rpenny at samba.org
Mon Dec 11 14:48:55 UTC 2017


On Mon, 11 Dec 2017 14:33:48 +0100
Jiří Knotek via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> Replication from backup Active Directory Domain Controller to primary 
> Active Directory Domain Controller does not work, reporting error ' 
> WERR_BADFILE '. The reverse works.

You do not have a backup AD DC, or a primary AD DC, you just have two
AD DCs.

> 
>   * Linux: Raspbian, debian stretch lite
>   * Samba version 4.5.12-Debian
>   * DNS: BIND9_DLZ 9.10.x
>   * Installed packages: ntp ntpdate samba smbclient winbind libcups2
>     samba-common cups ldb-tools bind9 bind9utils dnsutils krb5-user
> 
> root at ry11citdc:~# samba-tool drs replicate ry11citsdc ry11citdc 
> dc=ry11cit,dc=local
> Replicate from ry11citdc to ry11citsdc was successful.
> 
> 
> root at ry11citdc:~# samba-tool drs replicate
> ry11citsdc ry11citdc dc=ry11cit,dc=local
> -bash: root at ry11citdc:~#: command not found
> root at ry11citdc:~# samba-tool drs replicate ry11citdc ry11citsdc 
> dc=ry11cit,dc=local
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
> 

There is something strange here, you seem to be running the commands on
the same DC, the first time it works, then it cannot find the command,
then after you switched the order of the DCs to replicate to & from,
it throws an error.

> First Active Directory Domain Controller:
> 
> krb5.conf:
> 
> [libdefaults]
>      default_realm = RY11CIT.LOCAL
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
> 

You only need the above

> named.conf:------------------------
> 
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
> 
> named.conf.options:-----------------------
> 
> options {
>      directory "/var/cache/bind";
> 
>      dnssec-validation auto;
> 
>      auth-nxdomain no;    # conform to RFC1035
>      listen-on-v6 { none; };
>      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };

You haven't set any forwarders.

> 
> smb.conf:------------------------------
> 
> # Global parameters
> [global]
>      netbios name = RY11CITDC
>      realm = RY11CIT.LOCAL
>      workgroup = RY11CIT
>      server role = active directory domain controller
> 

Why haven't you got a 'server services' line?
You should have if you are using Bind9.

> 
> Another (Standby) Active Directory Domain Controller:

What do you mean by 'standby'?

> 
> krb5.conf:
> 
> [libdefaults]
>      default_realm = RY11CIT.LOCAL
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
> 

You only need the above


> [realms]

> named.conf.options:-----------------------
> 
> options {
>      directory "/var/cache/bind";
> 
>      dnssec-validation auto;
> 
>      auth-nxdomain no;    # conform to RFC1035
>      listen-on-v6 { none; };
>      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
> 

Still no forwarders

> smb.conf:------------------------------
> 
> # Global parameters
> [global]
>      netbios name = RY11CITSDC
>      realm = RY11CIT.LOCAL
>      workgroup = RY11CIT
> 
>      server role = active directory domain controller
> 

Again there is no 'server services' line

Finally, I see that you are not aware that using '.local' is a bad
idea.

Rowland
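
The two gaps pointed out in the reply above (no 'server services' line in smb.conf and no forwarders in named.conf.options on a DC that uses BIND9_DLZ) can be checked mechanically. The following is an added example, not part of the original message and not Samba code; the function names are hypothetical, and it assumes the Samba 4.x built-in default service list, which includes the internal `dns` server.

```python
import re

# Assumption: Samba 4.x built-in default for 'server services' (includes 'dns').
DEFAULT_SERVICES = ("s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd "
                    "ntp_signd kcc dnsupdate dns").split()

def global_params(smb_conf):
    # Collect the [global] parameters of an smb.conf text into a dict.
    params, section = {}, None
    for line in (raw.strip() for raw in smb_conf.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def effective_services(params):
    # Resolve 'server services'; entries prefixed +/- modify the default list.
    items = [s for s in re.split(r"[,\s]+", params.get("server services", "")) if s]
    modifiers = all(i[0] in "+-" for i in items)  # also True when no line is set
    services = set(DEFAULT_SERVICES) if modifiers else set(items)
    for i in items if modifiers else []:
        (services.add if i[0] == "+" else services.discard)(i[1:])
    return services

def has_forwarders(named_options):
    # True if the BIND options text contains a non-empty forwarders { ... } list.
    text = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", named_options, flags=re.S)
    m = re.search(r"\bforwarders\s*\{([^}]*)\}", text)
    return bool(m and m.group(1).strip())

def check_dc(smb_conf, named_options):
    # Findings for a DC whose DNS back end is BIND9_DLZ.
    params, findings = global_params(smb_conf), []
    if "server services" not in params:
        findings.append("smb.conf: no 'server services' line")
    if "dns" in effective_services(params):
        findings.append("smb.conf: internal DNS server enabled alongside BIND9")
    if not has_forwarders(named_options):
        findings.append("named.conf.options: no forwarders set")
    return findings

# First DC's settings as quoted in the post (trimmed to the relevant lines).
SMB_CONF = "[global]\n  netbios name = RY11CITDC\n  server role = active directory domain controller\n"
NAMED_OPTIONS = 'options {\n  directory "/var/cache/bind";\n  auth-nxdomain no;  # conform to RFC1035\n};\n'
if __name__ == "__main__":
    print("\n".join(check_dc(SMB_CONF, NAMED_OPTIONS)))
```

Run against the files as posted, it reports all three findings; a `server services` value that leaves out `dns` plus a non-empty `forwarders` list clears them.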
 


