[Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'

Martin Krämer mk.maddin at gmail.com
Thu Dec 20 15:10:21 UTC 2018


Thanks for the fast reply.
Sorry - I was not aware that attachments are not forwarded.
(All information you requested was included there)

I think I have already tried a resync via "samba-tool drs replicate", but
see below for the printout of the previous attachment "faiserver.log".

Thanks for help in advance :)

root at faiserver:~# uname -a
Linux faiserver.example.corp 4.9.0-8-amd64 #1 SMP Debian 4.9.135-1 (2018-11-11) x86_64 GNU/Linux
root at faiserver:~# hostname -f
faiserver.example.corp
root at faiserver:~# host 192.168.33.250
250.33.168.192.in-addr.arpa domain name pointer faiserver.example.corp.
root at faiserver:~# host faiserver.example.corp
faiserver.example.corp has address 192.168.33.250
root at faiserver:~# host 192.168.34.250
Host 250.34.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
root at faiserver:~# host location-000001.example.corp
location-000001.example.corp has address 192.168.34.250
root at faiserver:~# samba -V
Version 4.5.12-Debian
root at faiserver:~# samba-tool drs replicate faiserver.example.corp location-000001.example.corp DC=example,DC=corp
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
root at faiserver:~# samba-tool drs replicate location-000001.example.corp faiserver.example.corp DC=example,DC=corp
Replicate from faiserver.example.corp to location-000001.example.corp was successful.
root at faiserver:~# samba-tool drs showrepl
Default-First-Site-Name\FAISERVER
DSA Options: 0x00000001
DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
DSA invocationId: 20bce62d-cf4a-404a-8884-3552f409179d

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
1 consecutive failure(s).
Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
Last success @ NTTIME(0)

DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: 6c51da6c-3fe9-41f8-a9ac-a99949a235e4
Enabled        : TRUE
Server DNS name : location-000001.example.corp
Server DN name  : CN=NTDS Settings,CN=LOCATION-000001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=corp
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
root at faiserver:~# url="https://raw.githubusercontent.com/thctlo/samba4/master/samba-setup-checkup.sh" && wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename ${url})
Check hostnames : Ok
./samba-setup-checkup.sh: line 91: [: !=: unary operator expected
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 192.168.33.1 : Ok
Warning, no ping to gateway, this might be firewalled.
check you internet connection, AD DNS might need it.
ping nameserver1: 127.0.0.1 : Ok
ping nameserver2: 8.8.4.4 : Ok
Check ping google dns : 8.8.8.8 : Ok
Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
Check you internet connection, AD DNS might need it.
Checking file owner..
-rw-r--r-- root root /etc/samba/smb.conf
Checking file owner..
-rw-r--r-- root root /etc/samba/lmhosts
Checking file owner..
-rw-r--r-- root root /etc/samba/smbpasswd
drwxr-xr-x root root /usr/bin
drwxr-xr-x root root /var/cache/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu
drwxr-xr-x root root /var/run/samba
drwxr-x--- root adm /var/log/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu/samba
drwxr-xr-x root root /var/run/samba
drwxr-xr-x root root /var/lib/samba/private
drwxr-xr-x root root /usr/sbin
drwxr-xr-x root root /var/lib/samba
DCS faiserver.example.corp
DC1 faiserver.example.corp
DC2
Samba AD DC info:             =  detected (command and where to look)
This server hostname          = faiserver (hostname -s and /etc/hosts and DNS server)
This server FQDN (hostname)   = faiserver.example.corp (hostname -f and /etc/hosts and DNS server)
This server primary dnsdomain = example.corp (hostname -d and /etc/resolv.conf and DNS server)
This server IP address(ses)   = 192.168.33.250  Only one interface detected (hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles        = FAISERVER (samba-tool fsmo show)
The DC (with FSMO) Site name  = Default-First-Site-Name (samba-tool fsmo show)
The Default Naming Context    = DC=example,DC=corp (samba-tool fsmo show)
The Kerberos REALM name used  = EXAMPLE.CORP    (kinit and /etc/krb5.conf and resolving)
The Ipadres of DC faiserver.example.corp        = 192.168.33.250
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
root at faiserver:~# url="https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh" && wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename ${url}) &>/dev/null && cat /tmp/samba-debug-info.txt
Collected config  --- 2018-12-20-13:49 -----------

Hostname: faiserver
DNS Domain: example.corp
FQDN: faiserver.example.corp
ipaddress: 192.168.33.250

-----------
Samba is running as an AD DC
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------

Warning, /etc/devuan_version does not exist

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:87:44:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.33.250/24 brd 192.168.33.255 scope global ens3
    inet6 fe80::5054:ff:fe87:4460/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------
Checking file: /etc/resolv.conf

nameserver 127.0.0.1
nameserver 8.8.4.4
domain example.corp
search example.corp

-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.CORP
dns_lookup_realm = false
dns_lookup_kdc = true

-----------
Checking file: /etc/nsswitch.conf

passwd:         compat sss
group:          compat sss
shadow:         compat sss
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss

-----------
Checking file: /etc/samba/smb.conf


[global]
realm = EXAMPLE.CORP
kerberos method = secrets and keytab
client use spnego = yes
client signing = yes
server services = -dns
ldap server require strong auth = no
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls keyfile = tls/key.pem
tls enabled = yes
idmap_ldb:use rfc2307 = yes
   workgroup = EXAMPLE
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = active directory domain controller
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = No

[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700
   valid users = %S

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

[netlogon]
read only = no
path = /var/lib/samba/sysvol/example.corp/Scripts
[sysvol]
read only = no
path = /var/lib/samba/sysvol

-----------
No username map detected.

-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

-----------
Checking file: /etc/bind/named.conf.options
options {
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
forwarders { 8.8.4.4; };
allow-query { internals; };
allow-query-cache { internals; };
recursion yes;
allow-recursion { internals; };
allow-transfer { internals; };
listen-on { any; };
directory "/var/cache/bind";
dnssec-validation no;

auth-nxdomain no;    # conform to RFC1035
listen-on-v6 { none; };
};

acl internals {
127.0.0.1/8; 192.168.33.0/24;
};

-----------
Checking file: /etc/bind/named.conf.local



-----------
Checking file: /etc/bind/named.conf.default-zones
zone "." {
type hint;
file "/etc/bind/db.root";
};


zone "localhost" {
type master;
file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};



-----------

Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
ii  krb5-config                       2.6                            all
      Configuration files for Kerberos Version 5
ii  krb5-user                         1.15-1+deb9u1                  amd64
      basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                     2.2.52-3+b1                    amd64
      Access control list shared library
ii  libgssapi-krb5-2:amd64            1.15-1+deb9u1                  amd64
      MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64          7.1.0+dfsg-13+deb9u2           amd64
      Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                   1.15-1+deb9u1                  amd64
      MIT Kerberos runtime libraries
ii  libkrb5support0:amd64             1.15-1+deb9u1                  amd64
      MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64              2:4.5.12+dfsg-2+deb9u4         amd64
      Samba nameservice integration plugins
ii  libpam-winbind:amd64              2:4.5.12+dfsg-2+deb9u4         amd64
      Windows domain authentication integration plugin
ii  libsmbclient:amd64                2:4.5.12+dfsg-2+deb9u4         amd64
      shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64                2:4.5.12+dfsg-2+deb9u4         amd64
      Samba winbind client library
ii  python-samba                      2:4.5.12+dfsg-2+deb9u4         amd64
      Python bindings for Samba
ii  samba                             2:4.5.12+dfsg-2+deb9u4         amd64
      SMB/CIFS file, print, and login server for Unix
ii  samba-common                      2:4.5.12+dfsg-2+deb9u4         all
      common files used by both the Samba server and client
ii  samba-common-bin                  2:4.5.12+dfsg-2+deb9u4         amd64
      Samba common files used by both the server and the client
ii  samba-dsdb-modules                2:4.5.12+dfsg-2+deb9u4         amd64
      Samba Directory Services Database
ii  samba-libs:amd64                  2:4.5.12+dfsg-2+deb9u4         amd64
      Samba core libraries
ii  samba-vfs-modules                 2:4.5.12+dfsg-2+deb9u4         amd64
      Samba Virtual FileSystem plugins
ii  smbclient                         2:4.5.12+dfsg-2+deb9u4         amd64
      command-line SMB/CIFS clients for Unix
ii  sssd-krb5                         1.15.0-3                       amd64
      System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common                  1.15.0-3                       amd64
      System Security Services Daemon -- Kerberos helpers
ii  winbind                           2:4.5.12+dfsg-2+deb9u4         amd64
      service to resolve user and group information from Windows NT servers
-----------
root at faiserver:~#

On Thu, 20 Dec 2018 at 15:19, L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:

> Let's start with this:
> The list does not accept attachments.
>
> What is the running OS?
> The samba versions?
> And the smb.conf ?
>
> Depending on the version you can force a re-sync, but first tell us more.
>
> Greetz,
>
> Louis
>
>
>
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Martin Krämer via samba
> > Sent: Thursday, 20 December 2018 15:00
> > To: samba at lists.samba.org
> > Subject: [Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
> >
> > Hello everyone,
> >
> > I have set up two Samba AD DCs with the BIND9_DLZ DNS backend.
> >
> > faiserver.example.corp is one of them, hosting all FSMO roles.
> > location-000001.example.corp is the second one.
> > Both are in different subnets but can reach each other.
> > Unfortunately replication only works from faiserver.example.corp ->
> > location-000001.example.corp.
> > In the other direction, location-000001.example.corp ->
> > faiserver.example.corp, it does not work.
> > I always end up with this error:
> > ----------
> > ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
> >     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
> >   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
> >     raise drsException("DsReplicaSync failed %s" % estr)
> > ----------
> > I have already checked all topics I am aware of related to correct name
> > resolution (because that was what I found on the web that the error I
> > receive is related to).
> > The only interesting thing I found is that running "host -t SRV
> > _kerberos._udp.example.corp" on faiserver.example.corp prints only the
> > current DC, while running it on location-000001.example.corp prints
> > both DCs ... nevertheless I am not sure if this might be a cause or is
> > just another bad result of the one-way sync.
> > Maybe someone has an idea?
> >
> > Attached you can find two files (one for each DC) with all information
> > that I found could be relevant. If further information is required,
> > please let me know.
> >
> > Thanks for any hint pointing me into the right direction.
> >
> > Kind Regards
> >
> > mk-maddin
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
>
>
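A small helper for reading output like the `samba-tool drs showrepl` dump earlier in this thread. This is an added example, not code from the poster or from the Samba project: it parses the INBOUND/OUTBOUND NEIGHBORS sections into one record per naming context and reports which partners are failing (here, the WERR_BADFILE results) and which have never recorded a successful sync (`Last success @ NTTIME(0)`). It assumes the text layout Samba 4.5 prints, as shown on this page; the embedded sample is an abridged copy of that output.

```python
"""Summarise `samba-tool drs showrepl` output per naming context (NC).

Added example, not from the thread or from Samba. Assumes the Samba 4.5
showrepl layout seen on the page. SAMPLE is an abridged copy of the
output posted above.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
Default-First-Site-Name\\FAISERVER
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=example,DC=corp
Default-First-Site-Name\\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=example,DC=corp
Default-First-Site-Name\\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
1 consecutive failure(s).
Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=example,DC=corp
Default-First-Site-Name\\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
Last success @ NTTIME(0)

DC=example,DC=corp
Default-First-Site-Name\\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: 6c51da6c-3fe9-41f8-a9ac-a99949a235e4
Warning: No NC replicated for Connection!
"""


@dataclass
class Neighbor:
    direction: str      # "inbound" or "outbound"
    nc: str             # naming context DN, e.g. DC=example,DC=corp
    partner: str        # e.g. Default-First-Site-Name\LOCATION-000001
    failures: int       # "N consecutive failure(s)."
    last_result: str    # "ok" or the WERR_* name from the last attempt
    never_synced: bool  # "Last success @ NTTIME(0)" -> no success ever recorded


def parse_showrepl(text):
    """Return one Neighbor per NC in the INBOUND and OUTBOUND sections."""
    neighbors, direction, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("==== "):
            # "==== INBOUND NEIGHBORS ====" -> "inbound"; other sections are skipped
            direction = line.strip("= ").split()[0].lower() if "NEIGHBORS" in line else None
            current = None
            continue
        if direction is None or not line:
            continue
        if line.startswith(("DC=", "CN=")):
            current = Neighbor(direction, line, "", 0, "ok", False)
            neighbors.append(current)
        elif current is None:
            continue
        elif " via " in line:
            current.partner = line.split(" via ")[0]
        elif line.startswith("Last attempt"):
            m = re.search(r"failed, result \d+ \((\w+)\)", line)
            current.last_result = m.group(1) if m else "ok"
        elif "consecutive failure" in line:
            current.failures = int(line.split()[0])
        elif line.startswith("Last success"):
            current.never_synced = "NTTIME(0)" in line
    return neighbors


def failing(neighbors):
    """(direction, nc, error, consecutive failures) for every failing partner."""
    return [(n.direction, n.nc, n.last_result, n.failures)
            for n in neighbors if n.last_result != "ok"]


def report(text):
    """Human-readable lines: failures first, then NCs with no recorded success."""
    neighbors = parse_showrepl(text)
    lines = [f"{d:8s} {nc}: {err} ({count} consecutive failure(s))"
             for d, nc, err, count in failing(neighbors)]
    lines += [f"{n.direction:8s} {n.nc}: no successful sync recorded"
              for n in neighbors if n.never_synced]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Feed it the live output with `samba-tool drs showrepl | python3 showrepl_summary.py` after replacing `SAMPLE` with `sys.stdin.read()`; a non-empty `failing()` list is the condition worth alerting on, and an NC that is "successful" yet has never recorded a success is the second thing to look at.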

