[Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'

Martin Krämer mk.maddin at gmail.com
Thu Dec 20 15:49:07 UTC 2018


Hi,

thanks for the reply.

Bind9 was installed from the Debian package, and then I simply used the
--dnsbackend="BIND9_DLZ" parameter of the samba-tool command.

The "faiserver" information printout I provided in another mail, see:
https://lists.samba.org/archive/samba/2018-December/220081.html
The printout information for "location-000001" is below.

root at location-000001:~# hostname -f
location-000001.example.corp
root at location-000001:~# host 192.168.33.250
250.33.168.192.in-addr.arpa domain name pointer faiserver.example.corp.
root at location-000001:~# host faiserver.example.corp
faiserver.example.corp has address 192.168.33.250
root at location-000001:~# host 192.168.34.250
250.34.168.192.in-addr.arpa domain name pointer
location-000001.example.corp.
root at location-000001:~# host location-000001.example.corp
location-000001.example.corp has address 192.168.34.250
root at location-000001:~# samba -V
Version 4.5.12-Debian
root at location-000001:~# samba-tool drs replicate faiserver.example.corp
location-000001.example.corp DC=example,DC=corp
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:faiserver.example.corp[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name
faiserver.example.corp<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
faiserver.example.corp<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
faiserver.example.corp<0x20>
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in
run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in
sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
root at location-000001:~# samba-tool drs replicate
location-000001.example.corp faiserver.example.corp DC=example,DC=corp
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:location-000001.example.corp[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name
location-000001.example.corp<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
location-000001.example.corp<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
location-000001.example.corp<0x20>
Replicate from faiserver.example.corp to location-000001.example.corp was
successful.
root at location-000001:~# samba-tool drs showrepl
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:location-000001.example.corp[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name
location-000001.example.corp<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
location-000001.example.corp<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
location-000001.example.corp<0x20>
Default-First-Site-Name\LOCATION-000001
DSA Options: 0x00000001
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
DSA invocationId: a0493168-f680-400e-a5f4-c2ce0d501302

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=example,DC=corp
Default-First-Site-Name\FAISERVER via RPC
DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
Last attempt @ Thu Dec 20 13:52:23 2018 UTC was successful
0 consecutive failure(s).
Last success @ Thu Dec 20 13:52:23 2018 UTC

CN=Schema,CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\FAISERVER via RPC
DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
Last attempt @ Thu Dec 20 13:52:23 2018 UTC was successful
0 consecutive failure(s).
Last success @ Thu Dec 20 13:52:23 2018 UTC

DC=example,DC=corp
Default-First-Site-Name\FAISERVER via RPC
DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
Last attempt @ Thu Dec 20 13:52:32 2018 UTC was successful
0 consecutive failure(s).
Last success @ Thu Dec 20 13:52:32 2018 UTC

CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\FAISERVER via RPC
DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
Last attempt @ Thu Dec 20 13:52:23 2018 UTC was successful
0 consecutive failure(s).
Last success @ Thu Dec 20 13:52:23 2018 UTC

DC=ForestDnsZones,DC=example,DC=corp
Default-First-Site-Name\FAISERVER via RPC
DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
Last attempt @ Thu Dec 20 13:52:23 2018 UTC was successful
0 consecutive failure(s).
Last success @ Thu Dec 20 13:52:23 2018 UTC

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: f70c4744-7864-410c-ba9f-1635def8689c
Enabled        : TRUE
Server DNS name : faiserver.example.corp
Server DN name  : CN=NTDS
Settings,CN=FAISERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=corp
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
root at location-000001:~# url="
https://raw.githubusercontent.com/thctlo/samba4/master/samba-setup-checkup.sh"
&& wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename
${url})
Check hostnames : Ok
./samba-setup-checkup.sh: line 91: [: !=: unary operator expected
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 192.168.34.1 : Ok
Warning, no ping to gateway, this might be firewalled.
check you internet connection, AD DNS might need it.
ping nameserver3: 8.8.4.4 : Ok
Check ping google dns : 8.8.8.8 : Ok
Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
Check you internet connection, AD DNS might need it.
Checking file owner..
-rw-r--r-- root root /etc/samba/smb.conf
Checking file owner..
-rw-r--r-- root root /etc/samba/lmhosts
Checking file owner..
-rw-r--r-- root root /etc/samba/smbpasswd
drwxr-xr-x root root /usr/bin
drwxr-xr-x root root /var/cache/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu
drwxr-xr-x root root /var/run/samba
drwxr-x--- root adm /var/log/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu/samba
drwxr-xr-x root root /var/run/samba
drwxr-xr-x root root /var/lib/samba/private
drwxr-xr-x root root /usr/sbin
drwxr-xr-x root root /var/lib/samba
ldb_wrap open of secrets.ldb
ldb_wrap open of secrets.ldb
ldb_wrap open of secrets.ldb
DCS location-000001.example.corp
faiserver.example.corp
DC1 location-000001.example.corp
DC2 faiserver.example.corp
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name
location-000001.example.corp<0x20>
Samba AD DC info:             =  detected (command and where to look)
This server hostname          = location-000001 (hostname -s and /etc/hosts
and DNS server)
This server FQDN (hostname)   = location-000001.example.corp (hostname -f
and /etc/hosts and DNS server)
This server primary dnsdomain = example.corp (hostname -d and
/etc/resolv.conf and DNS server)
This server IP address(ses)   = 192.168.34.250  Only one interface detected
(hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles        = FAISERVER (samba-tool fsmo show)
The DC (with FSMO) Site name  = Default-First-Site-Name (samba-tool fsmo
show)
The Default Naming Context    = DC=example,DC=corp (samba-tool fsmo show)
The Kerberos REALM name used  = EXAMPLE.CORP    (kinit and /etc/krb5.conf
and resolving)
The Ipadres of DC location-000001.example.corp        = 192.168.34.250
The Ipadres of DC faiserver.example.corp        = 192.168.33.250
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon,
lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
root at location-000001:~# url="
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh"
&& wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename
${url}) &>/dev/null && cat /tmp/samba-debug-info.txt
Collected config  --- 2018-12-20-13:52 -----------

Hostname: location-000001
DNS Domain: example.corp
FQDN: location-000001.example.corp
ipaddress: 192.168.34.250

-----------
Samba is running as an AD DC
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------

Warning, /etc/devuan_version does not exist

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP group default qlen 1000
    link/ether 52:54:00:55:3c:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.34.250/24 brd 192.168.34.255 scope global ens3
    inet6 fe80::5054:ff:fe55:3c32/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

192.168.33.250 faiserver.example.corp faiserver

-----------
Checking file: /etc/resolv.conf

nameserver 127.0.0.1
nameserver 192.168.33.250
nameserver 8.8.4.4
domain example.corp
search example.corp

-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.CORP
dns_lookup_realm = false
dns_lookup_kdc = true

-----------
Checking file: /etc/nsswitch.conf

passwd:         compat sss
group:          compat sss
shadow:         compat sss
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss

-----------
Checking file: /etc/samba/smb.conf
[global]
usershare allow guests = No
kerberos method = secrets and keytab
client use spnego = yes
client signing = yes
ldap server require strong auth = no
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls keyfile = tls/key.pem
tls enabled = yes
idmap_ldb:use rfc2307 = yes
netbios name = LOCATION-000001
realm = EXAMPLE.CORP
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd,
ntp_signd, kcc, dnsupdate
workgroup = EXAMPLE
log level = 3
server role = active directory domain controller
idmap_ldb:use rfc2307  = yes

[netlogon]
path = /var/lib/samba/sysvol/example.corp/Scripts
read only = no

[sysvol]
path = /var/lib/samba/sysvol
read only = no

-----------
No username map detected.

-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

-----------
Checking file: /etc/bind/named.conf.options
options {
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
forwarders { 192.168.33.250; 8.8.4.4; };
allow-query { internals; };
allow-query-cache { internals; };
recursion yes;
allow-recursion { internals; };
allow-transfer { internals; };
listen-on { any; };
directory "/var/cache/bind";
dnssec-validation no;

auth-nxdomain no;    # conform to RFC1035
listen-on-v6 { none; };
};

acl internals {
127.0.0.1/8; 192.168.34.0/24;
};

-----------
Checking file: /etc/bind/named.conf.local



-----------
Checking file: /etc/bind/named.conf.default-zones
zone "." {
type hint;
file "/etc/bind/db.root";
};


zone "localhost" {
type master;
file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};



-----------

Installed packages, running: dpkg -l | egrep
"samba|winbind|krb5|smb|acl|xattr"
ii  krb5-config                       2.6
 all          Configuration files for Kerberos Version 5
ii  krb5-user                         1.15-1+deb9u1
 amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                     2.2.52-3+b1
 amd64        Access control list shared library
ii  libgssapi-krb5-2:amd64            1.15-1+deb9u1
 amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64          7.1.0+dfsg-13+deb9u2
amd64        Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                   1.15-1+deb9u1
 amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64             1.15-1+deb9u1
 amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64              2:4.5.12+dfsg-2+deb9u4
amd64        Samba nameservice integration plugins
ii  libpam-winbind:amd64              2:4.5.12+dfsg-2+deb9u4
amd64        Windows domain authentication integration plugin
ii  libsmbclient:amd64                2:4.5.12+dfsg-2+deb9u4
amd64        shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64                2:4.5.12+dfsg-2+deb9u4
amd64        Samba winbind client library
ii  python-samba                      2:4.5.12+dfsg-2+deb9u4
amd64        Python bindings for Samba
ii  samba                             2:4.5.12+dfsg-2+deb9u4
amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                      2:4.5.12+dfsg-2+deb9u4
all          common files used by both the Samba server and client
ii  samba-common-bin                  2:4.5.12+dfsg-2+deb9u4
amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules                2:4.5.12+dfsg-2+deb9u4
amd64        Samba Directory Services Database
ii  samba-libs:amd64                  2:4.5.12+dfsg-2+deb9u4
amd64        Samba core libraries
ii  samba-vfs-modules                 2:4.5.12+dfsg-2+deb9u4
amd64        Samba Virtual FileSystem plugins
ii  smbclient                         2:4.5.12+dfsg-2+deb9u4
amd64        command-line SMB/CIFS clients for Unix
ii  sssd-krb5                         1.15.0-3
amd64        System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common                  1.15.0-3
amd64        System Security Services Daemon -- Kerberos helpers
ii  winbind                           2:4.5.12+dfsg-2+deb9u4
amd64        service to resolve user and group information from Windows NT
servers
-----------
root at location-000001:~#



On Thu, 20 Dec 2018 at 15:20, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Thu, 20 Dec 2018 14:59:52 +0100
> Martin Krämer via samba <samba at lists.samba.org> wrote:
>
> > Hello everyone,
> >
> > I have setup two Samba AD DC's with BIND9_DLZ dns backend.
> >
> > faiserver.example.corp is one of them hosting all FSMO Roles.
> > location-000001.example.corp is the second one.
> > Both are in different subnets but can reach each other.
> > Unfortunately replication only works from faiserver.example.corp ->
> > location-000001.example.corp.
> > In the other direction location-000001.example.corp ->
> > faiserver.example.corp it does not work.
> > I always end up with error:
> > ----------
> > *ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> > drsException: DsReplicaSync failed (2, 'WERR_BADFILE')*
> > *  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line
> > 368, in run*
> > *    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
> > source_dsa_guid, NC, req_options)*
> > *  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line
> > 83, in sendDsReplicaSync*
> > *    raise drsException("DsReplicaSync failed %s" % estr)*
> > ----------
>
> > Attached you can find two files (one for each DC) with all
> > information that I found could be relevant. If further information is
> > required please let me know.
>
> This mailing list strips all attachments, so you are going to have to
> post any info in a post.
>
> How have you set up bind9?
> What OS?
> What Samba version(s)?
>
> post the contents of these files (from both DC's)
> /etc/hostname
> /etc/hosts/
> /etc/resolv.conf
> /etc/krb5.conf
> your named.conf file(s)
> smb.conf
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
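As an added example (not from the mail, and not Samba's own code), a small Python checker that parses `samba-tool drs showrepl` output of the shape shown above and reports the three things visible in it: inbound neighbours with no outbound neighbours, non-zero consecutive failure counts, and the "No NC replicated for Connection!" warning on a KCC connection object. The sample is constructed from the mail's output, with one failure count changed to 3 so the failure check has something to report.

```python
import re

# Constructed sample modelled on the mail's showrepl output; one failure count set to 3.
SAMPLE = """\
==== INBOUND NEIGHBORS ====

DC=example,DC=corp
Default-First-Site-Name\\FAISERVER via RPC
0 consecutive failure(s).

CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\\FAISERVER via RPC
3 consecutive failure(s).

==== OUTBOUND NEIGHBORS ====
==== KCC CONNECTION OBJECTS ====

Warning: No NC replicated for Connection!
"""
SECTION_RE = re.compile(r"^==== (INBOUND|OUTBOUND) NEIGHBORS ====$")


def parse_showrepl(text):
    # Returns inbound/outbound neighbour lists plus KCC connection warnings.
    result = {"inbound": [], "outbound": [], "warnings": []}
    section, current = None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            section, current = m.group(1).lower(), None
        elif line.startswith("==== "):       # KCC or any later section
            section = None
        elif section is None:
            if line.startswith("Warning:"):
                result["warnings"].append(line)
        elif not line:                       # blank line ends a neighbour block
            current = None
        elif current is None:                # a block starts with the NC's DN
            current = {"nc": line, "partner": None, "failures": 0}
            result[section].append(current)
        elif " via " in line:
            current["partner"] = line.split(" via ")[0]
        elif fm := re.match(r"(\d+) consecutive failure", line):
            current["failures"] = int(fm.group(1))
    return result


def replication_findings(parsed):
    # Flags what an operator should look at: asymmetry, failures, KCC warnings.
    findings = []
    if parsed["inbound"] and not parsed["outbound"]:
        findings.append("one-way: inbound neighbours only, no outbound neighbours")
    for n in parsed["inbound"] + parsed["outbound"]:
        if n["failures"]:
            findings.append("%s via %s: %d consecutive failure(s)"
                            % (n["nc"], n["partner"], n["failures"]))
    return findings + parsed["warnings"]
```

Feed it the real output with `parse_showrepl(subprocess.check_output(["samba-tool", "drs", "showrepl"], text=True))`; the GENSEC and lmhosts noise lines are ignored because they sit outside the neighbour sections.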

