[Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'

Martin Krämer mk.maddin at gmail.com
Thu Dec 20 16:41:17 UTC 2018


Hi,
thanks for the detailed instruction.

I have edited using "systemctl edit --full bind9.service" and "systemctl
edit --full samba-ad-dc.service".
Unfortunately it does not seem to resolve - after restart samba-ad-dc
service still fails with previous error.

This is what the service files look like:

root@location-000001:~# cat /etc/systemd/system/bind9.service
[Unit]
Description=BIND Domain Name Server
Documentation=man:named(8)
After=network.target
Wants=nss-lookup.target
Before=nss-lookup.target

[Service]
EnvironmentFile=/etc/default/bind9
ExecStart=/usr/sbin/named -f $OPTIONS
ExecReload=
ExecStop=/usr/sbin/rndc stop

[Install]
WantedBy=multi-user.target
root@location-000001:~# cat /etc/systemd/system/samba-ad-dc.service
[Unit]
Description=Samba AD Daemon
Documentation=man:samba(8) man:samba(7) man:smb.conf(5)
After=network.target bind9.service

[Service]
Type=notify
NotifyAccess=all
PIDFile=/var/run/samba/samba.pid
LimitNOFILE=16384
EnvironmentFile=-/etc/default/samba
ExecStart=/usr/sbin/samba $SAMBAOPTIONS
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
root@location-000001:~#

On Thu, 20 Dec 2018 at 17:19, L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:

> Hai,
>
>
> > When running second command I receive error:
> > root@location-000001:~# systemctl start bind9 samba
> > Failed to start samba.service: Unit samba.service is masked.
>
> ah yes, sorry, that is of course samba-ad-dc
>
> >and yep - replication is working then!! :)
> what i expected the old bug. ;-)
>
> About the other start up for both DC's do the following.  type :
>
> systemctl edit --full samba-ad-dc
> This copies the original and creates a file in /etc/systemd/system
>
>
> Add this:  ( i changed : After=network.target bind9.service added
> bind9.service, now samba starts always after bind9 )
>
> # /etc/systemd/system/samba-ad-dc.service
> [Unit]
> Description=Samba AD Daemon
> Documentation=man:samba(8) man:samba(7) man:smb.conf(5)
> After=network.target bind9.service
>
> [Service]
> Type=notify
> NotifyAccess=all
> PIDFile=/var/run/samba/samba.pid
> LimitNOFILE=16384
> EnvironmentFile=-/etc/default/samba
> ExecStart=/usr/sbin/samba $SAMBAOPTIONS
> ExecReload=/bin/kill -HUP $MAINPID
>
> [Install]
> WantedBy=multi-user.target
>
> that should fix it.
>
> >> fix it with :  systemctl edit bind9
> >> add:
> >> [Service]
> >> ExecReload=
>
> >when executing "systemctl edit bind9" an empty file within folder
> "/etc/systemd/system/bind9.service.d" is opened in my editor.
> >Should I just put the content mentioned by you there?
>
> Yes,
> just add :
> # /etc/systemd/system/bind9.service.d/override.conf
> [Service]
> ExecReload=
>
> Or like the samba-ad-dc edit --full
>
> then its systemctl edit --full bind9.service
>
> # /lib/systemd/system/bind9.service
> [Unit]
> Description=BIND Domain Name Server
> Documentation=man:named(8)
> After=network.target
> Wants=nss-lookup.target
> Before=nss-lookup.target
>
> [Service]
> EnvironmentFile=/etc/default/bind9
> ExecStart=/usr/sbin/named -f $OPTIONS
> ExecReload=
> ExecStop=/usr/sbin/rndc stop
>
> [Install]
> WantedBy=multi-user.target
>
> What you want. ;-)
>
>
> Greetz,
>
> Louis
>
>
>
>
>
> From: Martin Krämer [mailto:mk.maddin at gmail.com]
> Sent: Thursday, 20 December 2018 17:04
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
>
>
>
> Hi,
>
> >> map to guest = bad user         < remove it.
> thanks - must have missed it on "faiserver" - on other DC
> (location-000001) this entry did not exist.
> (I have sent whole config information about location-000001 server to:
> https://lists.samba.org/archive/samba/2018-December/220084.html)
>
>
> >> About your config, dc2 is just new installed ? then reboot the server
> and check again.
> My second dc (location-000001) was just installed.
> I have restarted whole server but not single services.
>
> >> You can try also first
> >> systemctl stop samba bind9
> >> systemctl start bind9 samba
>
>
> When running second command I receive error:
> root@location-000001:~# systemctl start bind9 samba
> Failed to start samba.service: Unit samba.service is masked.
>
> So I ran:
> systemctl start bind9 samba-ad-dc
>
> and yep - replication is working then!! :)
>
>
> As soon as I restart the full server (location-000001) once again
> "samba-ad-dc" runs into an error and does not start up correctly:
> Dec 20 15:57:44 location-000001.example.corp systemd[1]: Starting Samba AD
> Daemon...
> Dec 20 15:57:45 location-000001.example.corp systemd[1]:
> samba-ad-dc.service: Supervising process 472 which is not our child. We'll
> most likely not notice when it exits.
> Dec 20 15:57:45 location-000001.example.corp systemd[1]:
> samba-ad-dc.service: Killing process 472 (samba) with signal SIGKILL.
> Dec 20 15:57:45 location-000001.example.corp systemd[1]:
> samba-ad-dc.service: Killing process 472 (samba) with signal SIGKILL.
> Dec 20 15:57:45 location-000001.example.corp systemd[1]: Stopped Samba AD
> Daemon.
>
>
> Rerunning "systemctl stop bind9 samba-ad-dc && systemctl start bind9
> samba-ad-dc" resolves the issue again.
>
>
> >> fix it with :  systemctl edit bind9
> >> add:
> >> [Service]
> >> ExecReload=
>
> when executing "systemctl edit bind9" an empty file within folder
> "/etc/systemd/system/bind9.service.d" is opened in my editor.
> Should I just put the content mentioned by you there?
>
>
> Thanks for the workaround already :)
>
>
>
>
>
>
> On Thu, 20 Dec 2018 at 16:31, L.P.H. van Belle via samba <
> samba at lists.samba.org> wrote:
>
> Hai,
>
> As extra on Rowland comment..
> Your config looks ok as said, i did see..
>
> smb.conf
>  map to guest = bad user         < remove it.
>
> Bad User - Means user logins with an invalid password are rejected, unless
> the username does not exist, in
>                       which case it is treated as a guest login and
> mapped into the guest account.
> and you want that for a AD DC setup?  you might result in all users are
> guests..
>
>
> About your config, dc2 is just new installed ? then reboot the server and
> check again.
> You might have hit an old bug as i can remember.
>
> You can try also first
> systemctl stop samba bind9
> systemctl start bind9 samba
>
> samba and bind9 wil bind9 is reloading zones is buggy..
> fix it with :  systemctl edit bind9
> add:
> [Service]
> ExecReload=
>
> sss in nsswitch while this is an AD DC, thats not supported, but if it
> works for you, im not here to judge you..
> Just saying winbind works fine on the DC's.
>
>
> Greetz,
>
> Louis
>
>
>
>
>
>
>
> From: Martin Krämer [mailto:mk.maddin at gmail.com]
> Sent: Thursday, 20 December 2018 16:10
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
>
>
>
> Thanks for the fast reply. Sorry - I was not aware that attachments are
> not forwarded.
> (All information you requested was included there)
>
>
> I think I have already tried resync via "samba-tool drs replicate" - but
> better see below the printout of previous attachment "faiserver.log"
>
> Thanks for help in advance :)
>
>
> root@faiserver:~# uname -a
> Linux faiserver.example.corp 4.9.0-8-amd64 #1 SMP Debian 4.9.135-1
> (2018-11-11) x86_64 GNU/Linux
> root@faiserver:~# hostname -f
> faiserver.example.corp
> root@faiserver:~# host 192.168.33.250
> 250.33.168.192.in-addr.arpa domain name pointer faiserver.example.corp.
> root@faiserver:~# host faiserver.example.corp
> faiserver.example.corp has address 192.168.33.250
> root@faiserver:~# host 192.168.34.250
> Host 250.34.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
> root@faiserver:~# host location-000001.example.corp
> location-000001.example.corp has address 192.168.34.250
> root@faiserver:~# samba -V
> Version 4.5.12-Debian
> root@faiserver:~# samba-tool drs replicate faiserver.example.corp
> location-000001.example.corp DC=example,DC=corp
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368,
> in run
>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
> source_dsa_guid, NC, req_options)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in
> sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
> root@faiserver:~# samba-tool drs replicate location-000001.example.corp
> faiserver.example.corp DC=example,DC=corp
> Replicate from faiserver.example.corp to location-000001.example.corp was
> successful.
> root@faiserver:~# samba-tool drs showrepl
> Default-First-Site-Name\FAISERVER
> DSA Options: 0x00000001
> DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
> DSA invocationId: 20bce62d-cf4a-404a-8884-3552f409179d
>
>
> ==== INBOUND NEIGHBORS ====
>
>
> DC=ForestDnsZones,DC=example,DC=corp
> Default-First-Site-Name\LOCATION-000001 via RPC
> DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s).
> Last success @ NTTIME(0)
>
>
> DC=DomainDnsZones,DC=example,DC=corp
> Default-First-Site-Name\LOCATION-000001 via RPC
> DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s).
> Last success @ NTTIME(0)
>
>
> DC=example,DC=corp
> Default-First-Site-Name\LOCATION-000001 via RPC
> DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
> Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
> 1 consecutive failure(s).
> Last success @ NTTIME(0)
>
>
> CN=Schema,CN=Configuration,DC=example,DC=corp
> Default-First-Site-Name\LOCATION-000001 via RPC
> DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s).
> Last success @ NTTIME(0)
>
>
> CN=Configuration,DC=example,DC=corp
> Default-First-Site-Name\LOCATION-000001 via RPC
> DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s).
> Last success @ NTTIME(0)
>
>
> ==== OUTBOUND NEIGHBORS ====
>
>
> DC=ForestDnsZones,DC=example,DC=corp
> Default-First-Site-Name\LOCATION-000001 via RPC
> DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
> Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
> 29 consecutive failure(s).
> Last success @ NTTIME(0)
>
>
> DC=DomainDnsZones,DC=example,DC=corp
> Default-First-Site-Name\LOCATION-000001 via RPC
> DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
> Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
> 29 consecutive failure(s).
> Last success @ NTTIME(0)
>
>
> DC=example,DC=corp
> Default-First-Site-Name\LOCATION-000001 via RPC
> DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s).
> Last success @ NTTIME(0)
>
>
> CN=Schema,CN=Configuration,DC=example,DC=corp
> Default-First-Site-Name\LOCATION-000001 via RPC
> DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
> Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
> 29 consecutive failure(s).
> Last success @ NTTIME(0)
>
>
> CN=Configuration,DC=example,DC=corp
> Default-First-Site-Name\LOCATION-000001 via RPC
> DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
> Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
> 29 consecutive failure(s).
> Last success @ NTTIME(0)
>
>
> ==== KCC CONNECTION OBJECTS ====
>
>
> Connection --
> Connection name: 6c51da6c-3fe9-41f8-a9ac-a99949a235e4
> Enabled        : TRUE
> Server DNS name : location-000001.example.corp
> Server DN name  : CN=NTDS
> Settings,CN=LOCATION-000001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=corp
> TransportType: RPC
> options: 0x00000001
> Warning: No NC replicated for Connection!
> root@faiserver:~# url="
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-setup-checkup.sh"
> && wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename
> ${url})
> Check hostnames : Ok
> ./samba-setup-checkup.sh: line 91: [: !=: unary operator expected
> Checking detected host ipnumbers from resolv.conf and default gateway
> Ping gateway ip : 192.168.33.1 : Ok
> Warning, no ping to gateway, this might be firewalled.
> check you internet connection, AD DNS might need it.
> ping nameserver1: 127.0.0.1 : Ok
> ping nameserver2: 8.8.4.4 : Ok
> Check ping google dns : 8.8.8.8 : Ok
> Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
> Check you internet connection, AD DNS might need it.
> Checking file owner..
> -rw-r--r-- root root /etc/samba/smb.conf
> Checking file owner..
> -rw-r--r-- root root /etc/samba/lmhosts
> Checking file owner..
> -rw-r--r-- root root /etc/samba/smbpasswd
> drwxr-xr-x root root /usr/bin
> drwxr-xr-x root root /var/cache/samba
> drwxr-xr-x root root /usr/lib/x86_64-linux-gnu
> drwxr-xr-x root root /var/run/samba
> drwxr-x--- root adm /var/log/samba
> drwxr-xr-x root root /usr/lib/x86_64-linux-gnu/samba
> drwxr-xr-x root root /var/run/samba
> drwxr-xr-x root root /var/lib/samba/private
> drwxr-xr-x root root /usr/sbin
> drwxr-xr-x root root /var/lib/samba
> DCS faiserver.example.corp
> DC1 faiserver.example.corp
> DC2
> Samba AD DC info:             =  detected (command and where to look)
> This server hostname          = faiserver (hostname -s and /etc/hosts and
> DNS server)
> This server FQDN (hostname)   = faiserver.example.corp (hostname -f and
> /etc/hosts and DNS server)
> This server primary dnsdomain = example.corp (hostname -d and
> /etc/resolv.conf and DNS server)
> This server IP address(ses)   = 192.168.33.250  Only one interface
> detected (hostname -i (-I) and /etc/networking/interfaces and DNS server
> The DC with FSMO roles        = FAISERVER (samba-tool fsmo show)
> The DC (with FSMO) Site name  = Default-First-Site-Name (samba-tool fsmo
> show)
> The Default Naming Context    = DC=example,DC=corp (samba-tool fsmo show)
> The Kerberos REALM name used  = EXAMPLE.CORP    (kinit and /etc/krb5.conf
> and resolving)
> The Ipadres of DC faiserver.example.corp        = 192.168.33.250
> SAMBA_SERVER_ROLE: active directory domain controller
> SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
> SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon,
> lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
> root@faiserver:~# url="
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh"
> && wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename
> ${url}) &>/dev/null && cat /tmp/samba-debug-info.txt
> Collected config  --- 2018-12-20-13:49 -----------
>
>
> Hostname: faiserver
> DNS Domain: example.corp
> FQDN: faiserver.example.corp
> ipaddress: 192.168.33.250
>
>
> -----------
> Samba is running as an AD DC
> Checking file: /etc/os-release
> PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
> NAME="Debian GNU/Linux"
> VERSION_ID="9"
> VERSION="9 (stretch)"
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
>
> -----------
>
>
> Warning, /etc/devuan_version does not exist
>
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
> default qlen 1
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
> UP group default qlen 1000
>     link/ether 52:54:00:87:44:60 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.33.250/24 brd 192.168.33.255 scope global ens3
>     inet6 fe80::5054:ff:fe87:4460/64 scope link
> -----------
> Checking file: /etc/hosts
> 127.0.0.1 localhost
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
>
> -----------
> Checking file: /etc/resolv.conf
>
>
> nameserver 127.0.0.1
> nameserver 8.8.4.4
> domain example.corp
> search example.corp
>
>
> -----------
> Checking file: /etc/krb5.conf
> [libdefaults]
> default_realm = EXAMPLE.CORP
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
>
> -----------
> Checking file: /etc/nsswitch.conf
>
>
> passwd:         compat sss
> group:          compat sss
> shadow:         compat sss
> gshadow:        files
>
>
> hosts:          files dns
> networks:       files
>
>
> protocols:      db files
> services:       db files sss
> ethers:         db files
> rpc:            db files
>
>
> netgroup:       nis sss
> sudoers:        files sss
>
>
> -----------
> Checking file: /etc/samba/smb.conf
>
>
>
>
> [global]
> realm = EXAMPLE.CORP
> kerberos method = secrets and keytab
> client use spnego = yes
> client signing = yes
> server services = -dns
> ldap server require strong auth = no
> tls cafile = tls/ca.pem
> tls certfile = tls/cert.pem
> tls keyfile = tls/key.pem
> tls enabled = yes
> idmap_ldb:use rfc2307 = yes
>    workgroup = EXAMPLE
>    dns proxy = no
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>    server role = active directory domain controller
>    passdb backend = tdbsam
>    obey pam restrictions = yes
>    unix password sync = yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>    pam password change = yes
>    map to guest = bad user
>    usershare allow guests = No
>
>
> [homes]
>    comment = Home Directories
>    browseable = no
>    read only = yes
>    create mask = 0700
>    directory mask = 0700
>    valid users = %S
>
>
> [printers]
>    comment = All Printers
>    browseable = no
>    path = /var/spool/samba
>    printable = yes
>    guest ok = no
>    read only = yes
>    create mask = 0700
>
>
> [print$]
>    comment = Printer Drivers
>    path = /var/lib/samba/printers
>    browseable = yes
>    read only = yes
>    guest ok = no
>
>
> [netlogon]
> read only = no
> path = /var/lib/samba/sysvol/example.corp/Scripts
> [sysvol]
> read only = no
> path = /var/lib/samba/sysvol
>
>
> -----------
> No username map detected.
>
>
> -----------
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf
>
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
>
> -----------
> Checking file: /etc/bind/named.conf.options
> options {
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> forwarders { 8.8.4.4; };
> allow-query { internals; };
> allow-query-cache { internals; };
> recursion yes;
> allow-recursion { internals; };
> allow-transfer { internals; };
> listen-on { any; };
> directory "/var/cache/bind";
> dnssec-validation no;
>
>
> auth-nxdomain no;    # conform to RFC1035
> listen-on-v6 { none; };
> };
>
>
> acl internals {
> 127.0.0.1/8; 192.168.33.0/24;
> };
>
>
> -----------
> Checking file: /etc/bind/named.conf.local
>
>
>
>
>
>
> -----------
> Checking file: /etc/bind/named.conf.default-zones
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
>
>
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
>
>
>
>
>
> -----------
>
>
> Installed packages, running: dpkg -l | egrep
> "samba|winbind|krb5|smb|acl|xattr"
> ii  krb5-config                       2.6                            all
>         Configuration files for Kerberos Version 5
> ii  krb5-user                         1.15-1+deb9u1
> amd64        basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64                     2.2.52-3+b1
> amd64        Access control list shared library
> ii  libgssapi-krb5-2:amd64            1.15-1+deb9u1
> amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal:amd64          7.1.0+dfsg-13+deb9u2
>  amd64        Heimdal Kerberos - libraries
> ii  libkrb5-3:amd64                   1.15-1+deb9u1
> amd64        MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64             1.15-1+deb9u1
> amd64        MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64              2:4.5.12+dfsg-2+deb9u4
>  amd64        Samba nameservice integration plugins
> ii  libpam-winbind:amd64              2:4.5.12+dfsg-2+deb9u4
>  amd64        Windows domain authentication integration plugin
> ii  libsmbclient:amd64                2:4.5.12+dfsg-2+deb9u4
>  amd64        shared library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64                2:4.5.12+dfsg-2+deb9u4
>  amd64        Samba winbind client library
> ii  python-samba                      2:4.5.12+dfsg-2+deb9u4
>  amd64        Python bindings for Samba
> ii  samba                             2:4.5.12+dfsg-2+deb9u4
>  amd64        SMB/CIFS file, print, and login server for Unix
> ii  samba-common                      2:4.5.12+dfsg-2+deb9u4         all
>         common files used by both the Samba server and client
> ii  samba-common-bin                  2:4.5.12+dfsg-2+deb9u4
>  amd64        Samba common files used by both the server and the client
> ii  samba-dsdb-modules                2:4.5.12+dfsg-2+deb9u4
>  amd64        Samba Directory Services Database
> ii  samba-libs:amd64                  2:4.5.12+dfsg-2+deb9u4
>  amd64        Samba core libraries
> ii  samba-vfs-modules                 2:4.5.12+dfsg-2+deb9u4
>  amd64        Samba Virtual FileSystem plugins
> ii  smbclient                         2:4.5.12+dfsg-2+deb9u4
>  amd64        command-line SMB/CIFS clients for Unix
> ii  sssd-krb5                         1.15.0-3
>  amd64        System Security Services Daemon -- Kerberos back end
> ii  sssd-krb5-common                  1.15.0-3
>  amd64        System Security Services Daemon -- Kerberos helpers
> ii  winbind                           2:4.5.12+dfsg-2+deb9u4
>  amd64        service to resolve user and group information from Windows NT
> servers
> -----------
> root@faiserver:~#
>
>
>
>
> On Thu, 20 Dec 2018 at 15:19, L.P.H. van Belle via samba <
> samba at lists.samba.org> wrote:
>
> Lets start with. .
> The list does not accept attachments..
>
> What is the running OS?
> The samba versions?
> And the smb.conf ?
>
> Depending on version you can force a re-sync but first tell us more.
>
> Greetz,
>
> Louis
>
>
>
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Martin Krämer via samba
> > Sent: Thursday, 20 December 2018 15:00
> > To: samba at lists.samba.org
> > Subject: [Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
> >
> > Hello everyone,
> >
> > I have setup two Samba AD DC's with BIND9_DLZ dns backend.
> >
> > faiserver.example.corp is one of them hosting all FSMO Roles.
> > location-000001.example.corp is the second one.
> > Both are in different subnets but can reach each other.
> > Unfortunately replication only works from faiserver.example.corp ->
> > location-000001.example.corp.
> > In the other direction location-000001.example.corp ->
> > faiserver.example.corp it does not work.
> > I always end up with error:
> > ----------
> > *ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> > drsException: DsReplicaSync failed (2, 'WERR_BADFILE')*
> > *  File
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368,
> > in run*
> > *    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
> > source_dsa_guid, NC, req_options)*
> > *  File
> > "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in
> > sendDsReplicaSync*
> > *    raise drsException("DsReplicaSync failed %s" % estr)*
> > ----------
> > I have already checked all topics I am aware of related to
> > correct name
> > resolution (because that was what I found that the error I receive is
> > related to on the web).
> > The only interesting thing i found is that running "host -t SRV
> > _kerberos._udp.example.corp" on faiserver.example.corp prints only the
> > current DC while running it on location-000001.example.corp
> > prints both DCs
> > ...nevertheless I am not sure if this might be a cause or
> > is just another
> > bad result of the one way sync.
> > Maybe someone has an idea?
> >
> > Attached you can find two files (one for each DC) with all
> > information that
> > I found could be relevant. If further information is required
> > please let me
> > know.
> >
> > Thanks for any hint pointing me into the right direction.
> >
> > Kind Regards
> >
> > mk-maddin
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
>
>

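Added example (not part of the original thread and not Samba project code): a small Python parser for the `samba-tool drs showrepl` text quoted above, reporting which naming contexts fail in which direction. The sample input is constructed, abridged from the output in this thread; the names `parse_showrepl`, `failing` and `Neighbor` are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Patterns for the text layout of "samba-tool drs showrepl" as quoted in the thread.
SECTION_RE = re.compile(r"^==== (.+) ====$")
NEIGHBOR_RE = re.compile(r"^[^\\]+\\(?P<dc>\S+) via \S+$")
ATTEMPT_RE = re.compile(
    r"^Last attempt @ .+? (?:was successful|failed, result \d+ \((?P<werr>\w+)\))$")
FAILURES_RE = re.compile(r"^(?P<count>\d+) consecutive failure\(s\)\.$")
QUOTE_RE = re.compile(r"^(?:>\s?)+")  # mail quoting, so pasted list posts parse too

@dataclass
class Neighbor:
    direction: str        # "inbound" or "outbound"
    naming_context: str   # e.g. DC=example,DC=corp
    dc: str               # partner DC name
    result: str = "OK"    # "OK" or the WERR_* name of the last attempt
    failures: int = 0     # consecutive failure count

def parse_showrepl(text):
    """Return one Neighbor per (direction, naming context, partner DC)."""
    neighbors, direction, nc, current = [], None, None, None
    for raw in text.splitlines():
        line = QUOTE_RE.sub("", raw).strip()
        section = SECTION_RE.match(line)
        if section:
            # Only the two NEIGHBORS sections carry replication status.
            name = section.group(1)
            direction = name.split()[0].lower() if name.endswith("NEIGHBORS") else None
            nc = current = None
            continue
        if direction is None or not line:
            continue
        if line.startswith(("DC=", "CN=")):
            nc, current = line, None
            continue
        neighbor = NEIGHBOR_RE.match(line)
        if neighbor and nc:
            current = Neighbor(direction, nc, neighbor.group("dc"))
            neighbors.append(current)
            continue
        if current is None:
            continue
        attempt = ATTEMPT_RE.match(line)
        if attempt and attempt.group("werr"):
            current.result = attempt.group("werr")
        failures = FAILURES_RE.match(line)
        if failures:
            current.failures = int(failures.group("count"))
    return neighbors

def failing(neighbors):
    return [n for n in neighbors if n.result != "OK" or n.failures > 0]

# Constructed sample, abridged from the showrepl output quoted in this thread.
SAMPLE = r"""
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
1 consecutive failure(s).
==== OUTBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
==== KCC CONNECTION OBJECTS ====
Server DN name  : CN=NTDS
"""

if __name__ == "__main__":
    for n in failing(parse_showrepl(SAMPLE)):
        print(f"{n.direction:8} {n.naming_context:40} {n.dc} {n.result} x{n.failures}")
```

Running it on both DCs and comparing the failing directions shows at a glance whether replication is broken one way only, as in this thread.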