[Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
Martin Krämer
mk.maddin at gmail.com
Thu Dec 20 15:10:21 UTC 2018
Thanks for the fast reply.
Sorry - I was not aware that attachments are not forwarded.
(All information you requested was included there)
I think I have already tried a resync via "samba-tool drs replicate" - but
see below for the printout of the previous attachment "faiserver.log".
Thanks for help in advance :)
root at faiserver:~# uname -a
Linux faiserver.example.corp 4.9.0-8-amd64 #1 SMP Debian 4.9.135-1
(2018-11-11) x86_64 GNU/Linux
root at faiserver:~# hostname -f
faiserver.example.corp
root at faiserver:~# host 192.168.33.250
250.33.168.192.in-addr.arpa domain name pointer faiserver.example.corp.
root at faiserver:~# host faiserver.example.corp
faiserver.example.corp has address 192.168.33.250
root at faiserver:~# host 192.168.34.250
Host 250.34.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
root at faiserver:~# host location-000001.example.corp
location-000001.example.corp has address 192.168.34.250
root at faiserver:~# samba -V
Version 4.5.12-Debian
root at faiserver:~# samba-tool drs replicate faiserver.example.corp
location-000001.example.corp DC=example,DC=corp
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in
run
drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
source_dsa_guid, NC, req_options)
File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in
sendDsReplicaSync
raise drsException("DsReplicaSync failed %s" % estr)
root at faiserver:~# samba-tool drs replicate location-000001.example.corp
faiserver.example.corp DC=example,DC=corp
Replicate from faiserver.example.corp to location-000001.example.corp was
successful.
root at faiserver:~# samba-tool drs showrepl
Default-First-Site-Name\FAISERVER
DSA Options: 0x00000001
DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
DSA invocationId: 20bce62d-cf4a-404a-8884-3552f409179d
==== INBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
1 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
Last success @ NTTIME(0)
DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 6c51da6c-3fe9-41f8-a9ac-a99949a235e4
Enabled : TRUE
Server DNS name : location-000001.example.corp
Server DN name : CN=NTDS
Settings,CN=LOCATION-000001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=corp
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
root at faiserver:~# url="
https://raw.githubusercontent.com/thctlo/samba4/master/samba-setup-checkup.sh"
&& wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename
${url})
Check hostnames : Ok
./samba-setup-checkup.sh: line 91: [: !=: unary operator expected
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 192.168.33.1 : Ok
Warning, no ping to gateway, this might be firewalled.
check you internet connection, AD DNS might need it.
ping nameserver1: 127.0.0.1 : Ok
ping nameserver2: 8.8.4.4 : Ok
Check ping google dns : 8.8.8.8 : Ok
Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
Check you internet connection, AD DNS might need it.
Checking file owner..
-rw-r--r-- root root /etc/samba/smb.conf
Checking file owner..
-rw-r--r-- root root /etc/samba/lmhosts
Checking file owner..
-rw-r--r-- root root /etc/samba/smbpasswd
drwxr-xr-x root root /usr/bin
drwxr-xr-x root root /var/cache/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu
drwxr-xr-x root root /var/run/samba
drwxr-x--- root adm /var/log/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu/samba
drwxr-xr-x root root /var/run/samba
drwxr-xr-x root root /var/lib/samba/private
drwxr-xr-x root root /usr/sbin
drwxr-xr-x root root /var/lib/samba
DCS faiserver.example.corp
DC1 faiserver.example.corp
DC2
Samba AD DC info: = detected (command and where to look)
This server hostname = faiserver (hostname -s and /etc/hosts and
DNS server)
This server FQDN (hostname) = faiserver.example.corp (hostname -f and
/etc/hosts and DNS server)
This server primary dnsdomain = example.corp (hostname -d and
/etc/resolv.conf and DNS server)
This server IP address(ses) = 192.168.33.250 Only one interface detected
(hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles = FAISERVER (samba-tool fsmo show)
The DC (with FSMO) Site name = Default-First-Site-Name (samba-tool fsmo
show)
The Default Naming Context = DC=example,DC=corp (samba-tool fsmo show)
The Kerberos REALM name used = EXAMPLE.CORP (kinit and /etc/krb5.conf
and resolving)
The Ipadres of DC faiserver.example.corp = 192.168.33.250
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon,
lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
root at faiserver:~# url="
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh"
&& wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename
${url}) &>/dev/null && cat /tmp/samba-debug-info.txt
Collected config --- 2018-12-20-13:49 -----------
Hostname: faiserver
DNS Domain: example.corp
FQDN: faiserver.example.corp
ipaddress: 192.168.33.250
-----------
Samba is running as an AD DC
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
Warning, /etc/devuan_version does not exist
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP group default qlen 1000
link/ether 52:54:00:87:44:60 brd ff:ff:ff:ff:ff:ff
inet 192.168.33.250/24 brd 192.168.33.255 scope global ens3
inet6 fe80::5054:ff:fe87:4460/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
nameserver 127.0.0.1
nameserver 8.8.4.4
domain example.corp
search example.corp
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.CORP
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
-----------
Checking file: /etc/samba/smb.conf
[global]
realm = EXAMPLE.CORP
kerberos method = secrets and keytab
client use spnego = yes
client signing = yes
server services = -dns
ldap server require strong auth = no
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls keyfile = tls/key.pem
tls enabled = yes
idmap_ldb:use rfc2307 = yes
workgroup = EXAMPLE
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = active directory domain controller
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = No
[homes]
comment = Home Directories
browseable = no
read only = yes
create mask = 0700
directory mask = 0700
valid users = %S
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
[netlogon]
read only = no
path = /var/lib/samba/sysvol/example.corp/Scripts
[sysvol]
read only = no
path = /var/lib/samba/sysvol
-----------
No username map detected.
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";
-----------
Checking file: /etc/bind/named.conf.options
options {
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
forwarders { 8.8.4.4; };
allow-query { internals; };
allow-query-cache { internals; };
recursion yes;
allow-recursion { internals; };
allow-transfer { internals; };
listen-on { any; };
directory "/var/cache/bind";
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
};
acl internals {
127.0.0.1/8; 192.168.33.0/24;
};
-----------
Checking file: /etc/bind/named.conf.local
-----------
Checking file: /etc/bind/named.conf.default-zones
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Installed packages, running: dpkg -l | egrep
"samba|winbind|krb5|smb|acl|xattr"
ii krb5-config 2.6 all
Configuration files for Kerberos Version 5
ii krb5-user 1.15-1+deb9u1 amd64
basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3+b1 amd64
Access control list shared library
ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.1.0+dfsg-13+deb9u2 amd64
Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.15-1+deb9u1 amd64
MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.15-1+deb9u1 amd64
MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.5.12+dfsg-2+deb9u4 amd64
Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.5.12+dfsg-2+deb9u4 amd64
Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.5.12+dfsg-2+deb9u4 amd64
shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.5.12+dfsg-2+deb9u4 amd64
Samba winbind client library
ii python-samba 2:4.5.12+dfsg-2+deb9u4 amd64
Python bindings for Samba
ii samba 2:4.5.12+dfsg-2+deb9u4 amd64
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.5.12+dfsg-2+deb9u4 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.5.12+dfsg-2+deb9u4 amd64
Samba common files used by both the server and the client
ii samba-dsdb-modules 2:4.5.12+dfsg-2+deb9u4 amd64
Samba Directory Services Database
ii samba-libs:amd64 2:4.5.12+dfsg-2+deb9u4 amd64
Samba core libraries
ii samba-vfs-modules 2:4.5.12+dfsg-2+deb9u4 amd64
Samba Virtual FileSystem plugins
ii smbclient 2:4.5.12+dfsg-2+deb9u4 amd64
command-line SMB/CIFS clients for Unix
ii sssd-krb5 1.15.0-3 amd64
System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.15.0-3 amd64
System Security Services Daemon -- Kerberos helpers
ii winbind 2:4.5.12+dfsg-2+deb9u4 amd64
service to resolve user and group information from Windows NT servers
-----------
root at faiserver:~#
On Thu, 20 Dec 2018 at 15:19, L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:
> Let's start with this:
> The list does not accept attachments.
>
> What is the running OS?
> The samba versions?
> And the smb.conf ?
>
> Depending on the version you can force a re-sync, but first tell us more.
>
> Greetz,
>
> Louis
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Martin Krämer via samba
> > Sent: Thursday, 20 December 2018 15:00
> > To: samba at lists.samba.org
> > Subject: [Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
> >
> > Hello everyone,
> >
> > I have set up two Samba AD DCs with the BIND9_DLZ DNS backend.
> >
> > faiserver.example.corp is one of them hosting all FSMO Roles.
> > location-000001.example.corp is the second one.
> > Both are in different subnets but can reach each other.
> > Unfortunately replication only works from faiserver.example.corp ->
> > location-000001.example.corp.
> > In the other direction location-000001.example.corp ->
> > faiserver.example.corp it does not work.
> > I always end up with error:
> > ----------
> > ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> > drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
> > File
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368,
> > in run
> > drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
> > source_dsa_guid, NC, req_options)
> > File
> > "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in
> > sendDsReplicaSync
> > raise drsException("DsReplicaSync failed %s" % estr)
> > ----------
> > I have already checked all topics I am aware of related to
> > correct name
> > resolution (because that is what I found on the web that the error
> > I receive is related to).
> > The only interesting thing I found is that running "host -t SRV
> > _kerberos._udp.example.corp" on faiserver.example.corp prints only the
> > current DC, while running it on location-000001.example.corp
> > prints both DCs.
> > Nevertheless I am not sure if this might be a cause or
> > is just another
> > bad result of the one-way sync.
> > Maybe someone has an idea?
> >
> > Attached you can find two files (one for each DC) with all
> > information that
> > I found could be relevant. If further information is required
> > please let me
> > know.
> >
> > Thanks for any hint pointing me into the right direction.
> >
> > Kind Regards
> >
> > mk-maddin
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
>
>
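Added example, not Samba's code and not posted in this thread: a parser for the plain-text output of "samba-tool drs showrepl" (the format shown in faiserver.log above) that lists each naming context whose replication with a partner is failing, with its error code and consecutive-failure count, and flags contexts that fail in only one direction, which is the asymmetry this thread is about. The SAMPLE string is constructed to mirror that output; nothing here is run against a live DC.

```python
import re
# Constructed sample, modelled on the `samba-tool drs showrepl` output in the thread.
SAMPLE = r"""==== INBOUND NEIGHBORS ====
DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
        1 consecutive failure(s).
==== OUTBOUND NEIGHBORS ====
DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
==== KCC CONNECTION OBJECTS ====
"""
FAIL_RE = re.compile(r"Last attempt @ .* failed, result \d+ \((\w+)\)")
CONSEC_RE = re.compile(r"(\d+) consecutive failure\(s\)")

def parse_showrepl(text):
    """Map (direction, nc, partner) -> {'error': code or None, 'failures': n}."""
    results, direction, nc, partner = {}, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("===="):                   # INBOUND / OUTBOUND / KCC header
            direction, nc, partner = line.strip("= ").split()[0], None, None
        elif direction not in ("INBOUND", "OUTBOUND"):
            continue                                  # DSA header and KCC block
        elif line.startswith(("DC=", "CN=")):         # naming context (NC)
            nc = line
        elif " via " in line and nc:                  # partner DSA and transport
            partner = line.split(" via ")[0]
            results[(direction, nc, partner)] = {"error": None, "failures": 0}
        elif (direction, nc, partner) in results:
            fail, consec = FAIL_RE.search(line), CONSEC_RE.search(line)
            if fail:
                results[(direction, nc, partner)]["error"] = fail.group(1)
            if consec:
                results[(direction, nc, partner)]["failures"] = int(consec.group(1))
    return results

def failing_neighbors(text):
    """Sorted (direction, nc, partner, error, consecutive failures) for each failed link."""
    return sorted((d, nc, p, v["error"], v["failures"])
                  for (d, nc, p), v in parse_showrepl(text).items() if v["error"])

def one_way_contexts(text):
    """NCs that fail in exactly one direction: the asymmetry described in this thread."""
    bad = {}
    for (d, nc, _), v in parse_showrepl(text).items():
        flags = bad.setdefault(nc, {"INBOUND": False, "OUTBOUND": False})
        flags[d] = flags[d] or v["error"] is not None
    return sorted(nc for nc, f in bad.items() if f["INBOUND"] != f["OUTBOUND"])
```

On a real DC, feed it the output of "samba-tool drs showrepl" and alert when failing_neighbors() is non-empty or the consecutive-failure count keeps climbing between runs.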