[Samba] Made a join with a netbios name, which already existed, now replication errors

Rowland Penny rpenny at samba.org
Mon Jul 31 18:23:16 UTC 2017 

On Mon, 31 Jul 2017 20:06:34 +0200
gizmo via samba <samba at lists.samba.org> wrote:

> > When you joined samba4 named as samba3, you removed the account for
> > samba3. So the server that thought of itself as samba3 can't operate
> > any more, essentially it has been force-demoted. 
> > 
> > I guess you need to remove them both and start again from samba1 and
> > samba2.
> 
> 
> hello,
> 
> I let the samba1 and samba2 untouched. They are still working with
> SLES 11 and samba 4.3.11 from sernet. Since I broke samba3 with the
> installation of samba4, I installed a samba5 with SLES 12 and samba
> 4.6.6 (sernet), so that I could demote samba3/samba4 with "samba-tool
> domain demote --remove-other-dead-server=" executed on samba5. The
> first try with the name "samba3" or "samba4" didnt work, but with the
> GUID I could successfully demote.
> 
> samba1, samba2 and samba5 seem to work perfect. Then I made a new
> installation of samba3 (SLES 12 and samba 4.6.6) and also joined that
> one. Now there are replication-errors on samba3.
> 
> While samba1, samba2 and samba5 seem to replicate with each other,
> even with the samba3, so samba3 has the following error with samba2:
> 
>   Default-First-Site-Name\SAMBA2 via RPC
>                 DSA object GUID: 9455b34f-a395-449e-b7bb-9a900d59fdfe
>                 Last attempt @ Mon Jul 31 19:24:03 2017 CEST failed,
> result 8453 (WERR_DS_DRA_ACCESS_DENIED) 58 consecutive failure(s).
>                 Last success @ Mon Jul 31 19:24:03 2017 CEST
> 
> On samba3 all entries under "INBOUND NEIGHBORS" have this error
> (WERR_DS_DRA_ACCESS_DENIED) with samba2. The entries under "OUTBOUND
> NEIGHBORS" are all with success. Under "KCC CONNECTION OBJECTS"
> samba1 is missing.
> 
> samba2 has a lot of entries in the "log.samba" like that:
> 
>   [2017/07/31 19:59:02.987782,
> 0] ../source4/rpc_server/drsuapi/updaterefs.c:276(dcesrv_drsuapi_DsReplicaUpdateRefs) ../source4/rpc_server/drsuapi/updaterefs.c:276:
> Refusing DsReplicaUpdateRefs for sid
> S-1-5-21-492433167-3996512854-4160196905-8869 with GUID
> 8eea9ec6-3610-477b-8770-93b467508e57
> 
> This is the GUID from samba3.
> 
> Regards
> 

Get rid of samba3 by demoting it again as you did last time, search
through sam.ldb for any mention of samba3 and samba4 (you will
probably have to use '--cross-ncs' with ldbsearch or lbdedit), then
remove them.
Now start again with a new DC, but this time, call it anything but
samba3 or samba4.

Rowland

More information about the samba mailing list