[Samba] Replication fails after DC re-joined to domain
Roy Eastwood
spindles7 at gmail.com
Wed Feb 7 16:30:56 UTC 2018
Hi,
First some background:
==================
I had a test environment which had two samba DCs (running v 4.8.0rc2) and 1
Windows Server 2008R2 DC. The samba DCs had been upgraded from v 4.6.x and the
secrets database was not encrypted (as far as I know). I decided to downgrade
one of the samba DCs to v 4.7.4.
On re-starting samba after the downgrade the log shows:
ldb: unable to dlopen /usr/local/samba/lib/ldb/encrypted_secrets.so :
/usr/local/samba/lib/private/libdsdb-module-samba4.so: version `SAMBA_4.8.0RC2'
not found (required by /usr/local/samba/lib/ldb/encrypted_secrets.so)
and the samba daemons are left in a failed state.
So I removed this failed DC (dc1) from the domain, using the (working) 4.8.0rc2
samba machine after seizing the FSMO roles and using the
remove-other-dead-server option. I removed all traces of the existing samba
installation and then installed a freshly compiled copy of v. 4.7.5 and
re-joined the domain. All was working, including replication (as far as I
know).
I then demoted the other 4.8.0rc2 samba machine (dc2), with the same result, so I
had to repeat the seizing of roles and removal, then install 4.7.5 and re-join.
Current problem:
==============
Replication is reported as successful when running samba-tool drs showrepl on both
machines. Running either
samba-tool drs replicate dc1 dc2 dc=samdom,dc=example,dc=com --full-sync
or
samba-tool drs replicate dc2 dc1 dc=samdom,dc=example,dc=com --full-sync
on dc1 works fine. Indeed dc1 can do a full replication to the Windows DC as
well.
But running the command
samba-tool drs replicate dc1 dc2 dc=samdom,dc=example,dc=com --full-sync
on dc2 produces an error:
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to dc1 failed -
drsException: DRS connection to dc1 failed: (-1073741643, '{Device Timeout} The
specified I/O operation on %hs was not completed before the time-out period
expired.')
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line
44, in drsuapi_connect
(ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
File "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line
56, in drsuapi_connect
raise drsException("DRS connection to %s failed: %s" % (server, e))
and the logs show:
[2018/02/07 16:02:50.440699, 1]
../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type
aes256-cts-hmac-sha1-96
[2018/02/07 16:02:50.440729, 1]
../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Replication is OK in the other direction on dc2, i.e.
samba-tool drs replicate dc2 dc1 dc=samdom,dc=example,dc=com --full-sync
works OK.
samba-tool dbcheck --cross-ncs shows no errors when run on either machine.
Any help appreciated,
TIA
Roy
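As an added example (not part of Roy's post or of Samba itself), a small Python parser that groups Samba's multi-line log entries and flags the GSSAPI decrypt-integrity failure and the SPNEGO logon failure quoted above, so the symptom can be picked out of a large log; the regular expressions are assumptions derived from the excerpt in the post, and the embedded sample text is constructed from it.

```python
import re
# Samba log entries span several lines: a header "[YYYY/MM/DD HH:MM:SS.usec, level]", a
# source-location line "../path/file.c:LINE(function)", then the message (wrapped again by mail).
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]")
LOCATION_RE = re.compile(r"^\S+\.c:\d+\((\w+)\)$")
# Symptoms quoted in the post: a GSSAPI decrypt failure, then SPNEGO reporting logon failure.
DECRYPT_RE = re.compile(r"Decrypt integrity check failed for checksum type ([^\s,]+),\s*key type (\S+)")
LOGON_FAIL = "NT_STATUS_LOGON_FAILURE"

def parse_samba_log(text):
    """Group raw lines into entries: {"time", "level", "function", "message"}."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            entries.append({"time": m.group(1), "level": int(m.group(2)), "function": "", "message": ""})
            continue
        if not entries:
            continue  # stray text before the first header
        loc = LOCATION_RE.match(line)
        if loc and not entries[-1]["function"]:
            entries[-1]["function"] = loc.group(1)
        else:  # message text, possibly wrapped over several lines: rejoin with spaces
            entries[-1]["message"] = (entries[-1]["message"] + " " + line).strip()
    return entries

def find_krb_failures(entries):
    """Flag decrypt-integrity failures and the SPNEGO logon failures that follow them."""
    findings = []
    for e in entries:
        m = DECRYPT_RE.search(e["message"])
        if m:
            findings.append({"time": e["time"], "kind": "gssapi_decrypt",
                             "checksum": m.group(1), "key_type": m.group(2)})
        elif LOGON_FAIL in e["message"]:
            findings.append({"time": e["time"], "kind": "spnego_logon_failure", "function": e["function"]})
    return findings

# Constructed sample: the two log entries quoted in the post, wrapped as in the email.
SAMPLE_LOG = """\
[2018/02/07 16:02:50.440699, 1]
../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type
aes256-cts-hmac-sha1-96
[2018/02/07 16:02:50.440729, 1]
../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
"""
```

Running find_krb_failures(parse_samba_log(SAMPLE_LOG)) yields one gssapi_decrypt finding for checksum type hmac-sha1-96-aes256 followed by one spnego_logon_failure finding.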