[Samba] Problem samba db / pc - domain trust gone.

L.P.H. van Belle belle at bazuin.nl
Mon May 15 09:40:15 UTC 2017


Hai, 
 
Environment, Debian Jessie. 
 
 
I got reports about PCs unable to log in to the Samba AD DC domain.
The trust between this workstation and the primary domain failed.
This happened on a win7 and win10 pc.
Now, this is "normally" easily fixed, by rejoining the pc to the domain with the domain wizard in windows.
I noticed this didn't work anymore.

I was running without problem, so what led to this problem?

Installed the needed security updates last Friday. (kernel, bind, no samba things.)
I was preparing to upgrade to 4.6.3 and did the following.
 
1) samba-tool dbcheck  and a samba-tool dbcheck --fix 
 
--- DC 1  ---- 
 
That fixed 4 errors. 
I got some others back.
Multiple messages with: CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Policies,CN=System,DC=internal,DC=domain,DC=tld
this part "CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Policies,CN=System" can be anything, multiple messages.
users/computers. 
 
rebooted the server, resulting in these log messages. 
samba logs clean, no errors, 
running: samba-tool dbcheck and a samba-tool dbcheck --fix again, fixed similar ones as above. (8 errors)
 
 
running samba-tool ldapcmp: 
samba-tool ldapcmp --filter='whenChanged,dc,cn' ldap://dc1.internal.domain.tld ldap://dc2.internal.domain.tld
Shows differences in login timestamps.
Which can explain the message on the pc's : the trust between this workstation and the primary domain failed.  
 
   Difference in attribute values:
        lastLogonTimestamp =>
['131390598670332960']
['131380923051230950']
    FAILED

  Difference in attribute values:
        pwdLastSet =>
['131389578099979510']
['131363450502014640']
    FAILED

 
-------------------------
Now I checked my DC2.
 
samba-tool dbcheck: 
Please use --fix to fix these errors
Checked 852 objects (626 errors)

pff, 626 errors? 
 
mostly things like these below. 
 
  STATUS=daemon 'samba' finished starting up and ready to serve connections
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
[2017/05/15 09:17:32.208909,  0] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: No objectClass found in replPropertyMetaData for CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndFound,DC=internal,DC=domain,DC=tld!
 
[2017/05/15 09:17:32.213955,  0] ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
[2017/05/15 09:22:32.210006,  0] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: No objectClass found in replPropertyMetaData for CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndFound,DC=internal,DC=domain,DC=tld!
 
[2017/05/15 09:22:32.211300,  0] ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
[2017/05/15 09:27:32.222921,  0] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: No objectClass found in replPropertyMetaData for CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndFound,DC=internal,DC=domain,DC=tld!
 
[2017/05/15 09:27:32.223286,  0] ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
 
 
Not fixing replPropertyMetaData on CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Policies,CN=System,DC=internal,DC=domain,DC=tld
 
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090364
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009030e
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000902ee
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090177
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009012e
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000900dd
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090092
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090001
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020119
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020002
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020001
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0000000d
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000003
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000000
ERROR: unsorted attributeID values in replPropertyMetaData on CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld
 
Not fixing replPropertyMetaData on CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld
 
 
What is the best action here, do a full resync from DC1 to DC2?  
Or did I forget something?
 
 
Greetz, 
 
Louis
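
The lastLogonTimestamp and pwdLastSet values in the ldapcmp output quoted above are Windows FILETIME counters (100 ns ticks since 1601-01-01 UTC). As an added example, not part of the original post, this Python script decodes them and reports the gap between the two copies; the function names are illustrative, and the values are labelled only "first" and "second" because the post does not say which DC each line came from.

```python
import re
from datetime import datetime, timedelta, timezone

# Excerpt of the ldapcmp output quoted in the post above (values copied verbatim).
LDAPCMP_EXCERPT = """\
   Difference in attribute values:
        lastLogonTimestamp =>
['131390598670332960']
['131380923051230950']
    FAILED

  Difference in attribute values:
        pwdLastSet =>
['131389578099979510']
['131363450502014640']
    FAILED
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Attribute name line, then one bracketed numeric value per compared server.
DIFF_RE = re.compile(r"^\s*(\w+) =>\s*\n\['(\d+)'\]\s*\n\['(\d+)'\]", re.MULTILINE)


def filetime_to_utc(value: int) -> datetime:
    """Convert an AD timestamp (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def parse_diffs(text: str):
    """Yield (attribute, first_value, second_value) for each numeric difference."""
    for name, first, second in DIFF_RE.findall(text):
        yield name, int(first), int(second)


def summarize(text: str):
    """Return per-attribute timestamps and the gap between the two servers."""
    rows = []
    for name, first, second in parse_diffs(text):
        a, b = filetime_to_utc(first), filetime_to_utc(second)
        rows.append({"attr": name, "first": a, "second": b, "gap": abs(a - b)})
    return rows


if __name__ == "__main__":
    for row in summarize(LDAPCMP_EXCERPT):
        print(f"{row['attr']:20} {row['first']:%Y-%m-%d %H:%M:%S}  "
              f"{row['second']:%Y-%m-%d %H:%M:%S}  gap={row['gap'].days} days")
```

On the values from the post, the two pwdLastSet copies are about 30 days apart and the two lastLogonTimestamp copies about 11 days apart.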
 
 
 

