[Samba] Replication problems bdc to pdc

Jiří Knotek jiri.knotek at gemapce.cz
Mon Dec 11 20:59:58 UTC 2017


Hello Rowland,
     thank you for the quick response.


On 11. 12. 2017 15:48, Rowland Penny via samba wrote:
> On Mon, 11 Dec 2017 14:33:48 +0100
> Jiří Knotek via samba<samba at lists.samba.org>  wrote:
>
>> Hello,
>>
>> Replication from backup Active Directory Domain Controler to primary
>> Active Directory Domain Controler does not work, reporting error '
>> WERR_BADFILE '. The reverse works.
> You do not have a backup AD DC, or a primary AD DC, you just have two
> AD DCs

OK, thank you for correcting the nomenclature.

>>    * Linux: Raspbian, debian stretch lite
>>    * Samba version 4.5.12-Debian
>>    * DNS: BIND9_DLZ 9.10.x
>>    * Installed packages: ntp ntpdate samba smbclient winbind libcups2
>>      samba-common cups ldb-tools bind9 bind9utils dnsutils krb5-user
>>
>> root at ry11citdc:~# samba-tool drs replicate_ry11citsdc_  ry11citdc dc=ry11cit,dc=local
>> Replicate from ry11citdc to ry11citsdc was successful.
>> root at ry11citdc:~# samba-tool drs replicate ry11citdc_ry11citsdc_  dc=ry11cit,dc=local
>> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
>>      drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
>>    File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
>>      raise drsException("DsReplicaSync failed %s" % estr)
>>
>>
> There is something strange here, you seem to be running the commands on
> the same DC, the first time it works, then it cannot find the command,
> then after you switched the order of the DCs to replicate to & from,
> it throws an error

I copied it badly; I have corrected it. The second command demonstrates
the malfunctioning replication.

>   
>
>> First Active Directory Domain Controler:
>>
>> krb5.conf:
>>
>> [libdefaults]
>>       default_realm = RY11CIT.LOCAL
>>       dns_lookup_realm = false
>>       dns_lookup_kdc = true
>>
> You only need the above
OK, I corrected it.

>> named.conf:------------------------
>>
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>> include "/var/lib/samba/private/named.conf";
>>
>> named.conf.options:-----------------------
>>
>> options {
>>       directory "/var/cache/bind";
>>
>>       dnssec-validation auto;
>>
>>       auth-nxdomain no;    # conform to RFC1035
>>       listen-on-v6 { none; };
>>       tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>> };
> You haven't set any forwarders.

My network has only 10 stations and cannot access the Internet. I just
need Windows domain users. I chose Bind9 for future use.
>> smb.conf:------------------------------
>>
>> # Global parameters
>> [global]
>>       netbios name = RY11CITDC
>>       realm = RY11CIT.LOCAL
>>       workgroup = RY11CIT
>>       server role = active directory domain controller
>>
> Why haven't you got a 'server services' line ?
> you should have if you are using Bind9

Because at
"https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html" they
write that "Default: server services = s3fs rpc nbt wrepl ldap
cldap kdc drepl winbind ntp_signd kcc dnsupdate dns".

But according to
"https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC"
I will add "server services = -dns" here. Is it correct?
>
>   
>> Another (Standby) Active Directory Domain Controler:
> What do mean by 'standby' ?
"Standby server" is an expression used in the SCADA/HMI software CitectSCADA. It's a
DC backup, here one DC.
>> krb5.conf:
>>
>> [libdefaults]
>>       default_realm = RY11CIT.LOCAL
>>       dns_lookup_realm = false
>>       dns_lookup_kdc = true
>>
> You only need the above
OK, I corrected it.
>
>
>> [realms]
>   named.conf.options:-----------------------
>> options {
>>       directory "/var/cache/bind";
>>
>>       dnssec-validation auto;
>>
>>       auth-nxdomain no;    # conform to RFC1035
>>       listen-on-v6 { none; };
>>       tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>> };
>>
> Still no forwarders
My network has only 10 stations and cannot access the Internet. I just
need Windows domain users. I chose Bind9 for future use.
>
>> smb.conf:------------------------------
>>
>> # Global parameters
>> [global]
>>       netbios name = RY11CITSDC
>>       realm = RY11CIT.LOCAL
>>       workgroup = RY11CIT
>>
>>       server role = active directory domain controller
>>
> Again there is no 'server services' line
Because at
"https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html" they
write that "Default: server services = s3fs rpc nbt wrepl ldap
cldap kdc drepl winbind ntp_signd kcc dnsupdate dns".

But according to
"https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC"
I will add "server services = -dns" here. Is it correct?
>   
>
> Finally, I see that you are not aware that using '.local' is a bad
> idea.
My network has only 10 stations and cannot access the Internet. I
thought that .local is just a name. Do you recommend a different name?
>
> Rowland
>   
>

Unfortunately, the changes made did not correct replication from 
ry11citsdc to ry11citdc. Do you have any other advice or do you need 
more information?

Thanks J.Knotek

-- 

*Ing. Jiří Knotek*
programmer

*GEMA s.r.o. Automatizace technologických procesů*

Doubravice 13, Pardubice 19, 53353
Tel: +420604570127
E-mail: jiri.knotek at gemapce.cz
Web: www.gemapce.cz
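An added example, not from the thread or from Samba itself, that checks a DC's smb.conf and BIND files for the three points raised above (no 'server services = -dns' with BIND9_DLZ, no forwarders, a realm under .local). The input is constructed from the second DC's configuration as posted in the thread; the check names and messages are this example's own.

```python
import re

# Constructed input copied from the thread's second DC and its BIND files.
SMB_CONF_SDC = """\
[global]
      netbios name = RY11CITSDC
      realm = RY11CIT.LOCAL
      workgroup = RY11CIT
      server role = active directory domain controller
"""
NAMED_CONF = 'include "/var/lib/samba/private/named.conf";\n'
NAMED_OPTIONS = """\
options {
      directory "/var/cache/bind";
      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
"""

def parse_smb_global(text):
    """Return the [global] parameters of an smb.conf as a dict (keys lowercased)."""
    params, in_global = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params

def internal_dns_enabled(services):
    """True if Samba's internal DNS server would start for this 'server services' value."""
    tokens = services.split()
    # An empty value or a +/- list modifies the default list, which contains 'dns'.
    if all(t.startswith(("+", "-")) for t in tokens):
        return "-dns" not in tokens
    return "dns" in tokens  # an explicit full list: enabled only if 'dns' is listed

def lint_dc(smb_conf, named_conf, named_options):
    """Return findings for the three configuration points raised in the thread."""
    g, findings = parse_smb_global(smb_conf), []
    uses_bind_dlz = "/var/lib/samba/private/named.conf" in named_conf
    if uses_bind_dlz and internal_dns_enabled(g.get("server services", "")):
        findings.append("BIND9_DLZ in use: set 'server services = -dns' so the internal DNS does not also start")
    if uses_bind_dlz and not re.search(r"^\s*forwarders\s*\{", named_options, re.M):
        findings.append("named.conf.options has no 'forwarders'; acceptable only on an isolated network")
    if g.get("realm", "").lower().endswith(".local"):
        findings.append("realm ends in .local, reserved for mDNS (RFC 6762); use a subdomain of a name you own")
    return findings
```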