[Samba] Problem samba db / pc - domain trust gone.
L.P.H. van Belle
belle at bazuin.nl
Mon May 15 10:13:18 UTC 2017
I forgot to mention it involves samba 4.5.8.
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> L.P.H. van Belle via samba
> Sent: Monday 15 May 2017 11:40
> To: samba at lists.samba.org
> Subject: [Samba] Problem samba db / pc - domain trust gone.
>
> Hai,
>
> Environment, Debian Jessie.
>
>
> I got reports about pc's unable to login into the samba ad dc domain.
> The trust between this workstation and the primary domain failed.
> This happened on a win7 and win10 pc.
> Now, this is "normally" easily fixed, by rejoining the pc to the
> domain with the domain wizard in windows.
> I noticed this didn't work anymore.
>
> I was running without problem, so what led to this problem.
>
> installed the needed security updates last Friday. ( kernel,
> bind, no samba things. ) I was preparing to upgrade to 4.6.3
> and did the following.
>
> 1) samba-tool dbcheck and a samba-tool dbcheck --fix
>
> --- DC 1 ----
>
> That fixed 4 errors.
> I got some others back.
> Multiple messages with :
> CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
> Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol
> icies,CN=System,DC=internal,DC=domain,DC=tld
> this part
> "CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
> Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol
> icies,CN=System" can be anything, multiple messages.
> users/computers.
>
> rebooted the server, resulting in these log messages.
> samba logs clean, no errors,
> running : samba-tool dbcheck and a samba-tool dbcheck --fix
> again, fixed similar like above. ( 8 errors )
>
>
> running samba-tool ldapcmp:
> samba-tool ldapcmp --filter='whenChanged,dc,cn'
> ldap://dc1.internal.domain.tld ldap://dc2.internal.domain.tld
> Shows differences in login timestamps. Which can explain the
> message on the pc's : the trust between this workstation and
> the primary domain failed.
>
> Difference in attribute values:
> lastLogonTimestamp =>
> ['131390598670332960']
> ['131380923051230950']
> FAILED
>
> Difference in attribute values:
> pwdLastSet =>
> ['131389578099979510']
> ['131363450502014640']
> FAILED
>
>
> -------------------------
> Now I checked my DC2.
>
> samba-tool dbcheck:
> Please use --fix to fix these errors
> Checked 852 objects (626 errors)
>
> pff, 626 errors?
>
> mostly things like these below.
>
> STATUS=daemon 'samba' finished starting up and ready to
> serve connections
> samba: setproctitle not initialized, please either call
> setproctitle_init() or link against libbsd-ctor.
> [2017/05/15 09:17:32.208909, 0]
> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> ldb: No objectClass found in replPropertyMetaData for
> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
> ound,DC=internal,DC=domain,DC=tld!
>
> [2017/05/15 09:17:32.213955, 0]
> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> source_apply_changes_trigger)
> Failed to commit objects:
> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> [2017/05/15 09:22:32.210006, 0]
> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> ldb: No objectClass found in replPropertyMetaData for
> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
> ound,DC=internal,DC=domain,DC=tld!
>
> [2017/05/15 09:22:32.211300, 0]
> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> source_apply_changes_trigger)
> Failed to commit objects:
> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> [2017/05/15 09:27:32.222921, 0]
> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> ldb: No objectClass found in replPropertyMetaData for
> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
> ound,DC=internal,DC=domain,DC=tld!
>
> [2017/05/15 09:27:32.223286, 0]
> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> source_apply_changes_trigger)
> Failed to commit objects:
> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
>
>
> Not fixing replPropertyMetaData on
> CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
> Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol
> icies,CN=System,DC=internal,DC=domain,DC=tld
>
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090364
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009030e
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000902ee
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090177
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009012e
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000900dd
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090092
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090001
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020119
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020002
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020001
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0000000d
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000003
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000000
> ERROR: unsorted attributeID values in replPropertyMetaData on
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld
>
> Not fixing replPropertyMetaData on CN=Windows Authorization
> Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld
>
>
> What is the best action here, do a full resync from DC1 to
> DC2? Or did I forget something?
>
>
> Greetz,
>
> Louis
>
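An added example, not part of the original message: the `lastLogonTimestamp` and `pwdLastSet` values in the quoted `samba-tool ldapcmp` output are Windows FILETIME integers (100 ns ticks since 1601-01-01 UTC), and this sketch converts them and reports which DC holds the older value. It assumes ldapcmp prints the first URL's value first; the `dc1`/`dc2` labels and function names are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIME_ATTRS = {"lastLogonTimestamp", "pwdLastSet"}  # attributes stored as FILETIME

# ldapcmp output as quoted in the message above.
SAMPLE = """\
Difference in attribute values:
    lastLogonTimestamp =>
['131390598670332960']
['131380923051230950']
FAILED

Difference in attribute values:
    pwdLastSet =>
['131389578099979510']
['131363450502014640']
FAILED
"""

# attribute name, then the two single-valued lists (first URL, second URL)
BLOCK = re.compile(r"(\w+)\s*=>\s*\['(\d+)'\]\s*\['(\d+)'\]")

def filetime_to_utc(ticks):
    """Convert 100 ns ticks since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def compare(text, first="dc1", second="dc2"):
    """Return one dict per differing FILETIME attribute, naming the stale side."""
    rows = []
    for attr, a, b in BLOCK.findall(text):
        if attr not in TIME_ATTRS:
            continue  # only timestamp attributes can be converted this way
        a, b = int(a), int(b)
        rows.append({
            "attr": attr,
            first: filetime_to_utc(a),
            second: filetime_to_utc(b),
            "stale": second if a > b else first,  # side with the older value
            "lag_days": round(abs(a - b) / 10**7 / 86400, 1),
        })
    return rows

if __name__ == "__main__":
    for r in compare(SAMPLE):
        print(f"{r['attr']}: dc1={r['dc1']:%Y-%m-%d %H:%M} "
              f"dc2={r['dc2']:%Y-%m-%d %H:%M} stale={r['stale']} lag={r['lag_days']}d")
```

On the quoted values the second DC's `pwdLastSet` is 30.2 days older than the first's. Windows clients change their machine account password every 30 days by default, so a DC that has not received the new value is worth checking when a trust failure coincides with failing replication.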