[Samba] Replication fails after DC re-joined to domain

Roy Eastwood spindles7 at gmail.com
Thu Feb 8 19:50:49 UTC 2018


Hi all,
Further update: I can now connect to the DNS server with Windows RSAT tool - after deleting the gencache.tdb database and running net cache flush.

However, the samba_dnsupdate replicate command still fails with the default of nsupdate, even though kinit is successful. But using the option --use-samba-tool allows the command to succeed. So the error is presumably coming from nsupdate. Any ideas how to debug this?

Roy

> -----Original Message-----
> From: Roy Eastwood [mailto:spindles7 at gmail.com]
> Sent: 07 February 2018 22:23
> To: samba at lists.samba.org
> Subject: RE: [Samba] Replication fails after DC re-joined to domain
> 
> Hi Andrew,
> 
> > -----Original Message-----
> > From: Andrew Bartlett [mailto:abartlet at samba.org]
> > Sent: 07 February 2018 17:45
> > To: Denis Cardon; Roy Eastwood; samba at lists.samba.org
> > Subject: Re: [Samba] Replication fails after DC re-joined to domain
> >
> > On Wed, 2018-02-07 at 18:38 +0100, Denis Cardon via samba wrote:
> > > Hi Roy,
> > >
> > > > First some background:
> > > > ==================
> > > > I had a test environment which had two samba DCs (running v 4.8.0rc2) and 1
> > > > Windows Server 2008R2 DC. The samba DCs had been upgraded from v 4.6x and the
> > > > secrets database was not encrypted (as far as I know). I decided to downgrade
> > > > one of the samba DCs to v 4.7.4.
> > > >
> > > > On re-starting samba after the downgrade the log shows:
> > > >
> > > > ldb: unable to dlopen /usr/local/samba/lib/ldb/encrypted_secrets.so :
> > > > /usr/local/samba/lib/private/libdsdb-module-samba4.so: version `SAMBA_4.8.0RC2'
> > > > not found (required by /usr/local/samba/lib/ldb/encrypted_secrets.so)
> > >
> > > when you are doing your downgrade, did you clean up all the
> > > /usr/local/samba directory or did you make && make install over the
> > > existing installation?
> > >
> > > If it was a quick'n dirty make && make install over the existing 4.8
> > > install, could you try to do a install on a clean directory and then
> > > copy over etc/smb.conf, private/ and var/locks/?
> > >
> > > Cheers,
> > >
> > > Denis
> >
> > This is exactly the issue.  The install has left an ldb plugin
> > (encrypted_secrets.so) around which blocks operation as it can't
> > operate with the older Samba version but isn't overwritten as it didn't
> > exist in the older version.
> >
> > However I also need to write up about the GUID index change, which also
> > prevents in-place downgrades.  It seems I forgot to mention that in the
> > WHATSNEW.
> >
> > (That requires running source4/scripting/bin/sambaundoguididx before
> > any downgrade in-place from 4.8 to 4.7 and below).
> >
> > Thanks,
> >
> 
> Thanks for that. However, the subsequent problem remains - i.e. replication
> failure. May be related, I also cannot connect to the server using the Windows
> DNS Manager - Access denied. Running samba_dnsupdate fails with TSIG error
> with server: tsig verify failure.
> 
> I have tried demoting, removing samba, re-installing samba and re-joining the
> domain a second time, but the problems remain.
> 
> Any suggestions how to proceed?
> 
> Thanks,
> 
> Roy
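
An added example, not part of the original thread and not Samba project code: one way to spot leftovers such as the `encrypted_secrets.so` plugin discussed above is to diff the live prefix against a clean install of the target version staged in a separate directory. The function names, the staging-directory approach and the sample file layout are assumptions made for illustration.

```python
import os
import tempfile

# State directories the thread says to carry over to a clean install;
# their contents are never reported (assumed relative to the prefix).
STATE_DIRS = ("etc", "private", "var")


def list_files(prefix):
    """Return the set of file paths under prefix, relative to it."""
    found = set()
    for root, _dirs, files in os.walk(prefix):
        for name in files:
            found.add(os.path.relpath(os.path.join(root, name), prefix))
    return found


def find_stale_files(live_prefix, clean_prefix, state_dirs=STATE_DIRS):
    """List files in live_prefix that a clean install does not ship."""
    stale = []
    for rel in sorted(list_files(live_prefix) - list_files(clean_prefix)):
        top = rel.split(os.sep, 1)[0]
        if top in state_dirs:
            continue  # configuration and databases, not installed code
        stale.append(rel)
    return stale


def demo():
    """Build two constructed sample trees and return the stale files."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")    # prefix installed over in place
        clean = os.path.join(tmp, "clean")  # fresh install of the older version
        layout = {
            live: ["lib/ldb/encrypted_secrets.so", "lib/ldb/samba_dsdb.so",
                   "etc/smb.conf", "private/secrets.ldb"],
            clean: ["lib/ldb/samba_dsdb.so"],
        }
        for prefix, files in layout.items():
            for rel in files:
                path = os.path.join(prefix, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                open(path, "w").close()
        return find_stale_files(live, clean)


if __name__ == "__main__":
    for rel in demo():
        print("stale:", rel)
```

Anything it reports outside the state directories was installed by a different version and is a candidate for the kind of load failure shown in the log above.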



