[Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging

lingpanda101 lingpanda101 at gmail.com
Mon Feb 12 18:57:43 UTC 2018


On 2/12/2018 1:24 PM, Denis Cardon via samba wrote:
> Hi Heinz and Johannes,
>
>> I had exactly the same problem, and used ldbedit to apply the fix.
>> Thanks for digging into this!
>>
>> Now I'm interested in the root cause as well ...
>
> I just had a client calling with a replication issue due to the exact 
> same error. The domain was initially build on 4.7.1, upgraded to 
> 4.7.3, and it was also missing the serverReference attribute on one of 
> the DCs... The fix mentionned by the OP did resolve the issue.
>
> I'm wondering what triggered this. I have just installed a fresh 
> 4.7.0, and a fresh 4.7.1, and a fresh 4.7.4. The serverReference 
> attribute is always there...
>
> Thanks Heinz for the hint,
>
> Denis
>
>>
>>
>> Uli
>>
>>
>>
>> Am 16.01.2018 um 16:48 schrieb Heinz Hölzl via samba:
>>> no, it seems to work!!!
>>>
>>>
>>> i did a ldapmodify on DC2:
>>>
>>> ldapmodify -x -h dc2 -D cn=administrator,cn=users,dc=test,dc=net -W  -f
>>> serverReference.ldif
>>>
>>> serverReference.ldif:
>>> dn: CN=SAMBA3,CN=Servers,CN=Default-First-
>>> SiteName,CN=Sites,CN=Configuration,DC=test,DC=net
>>> changetype: modify
>>> add: serverReference
>>> serverReference: CN=SAMBA3,OU=Domain Controllers,DC=test,DC=net
>>> -
>>>
>>>
>>> now the question:
>>> Why the attribut serverReference was missing on DC2 after the join?
>>>
>>> Is it a bug?
>>>
>>>
>>>
>>>
>>> Am Dienstag, den 16.01.2018, 14:54 +0000 schrieb Heinz Hölzl via samba:
>>>> Hi,
>>>>
>>>> there is no firewall, all DCs are in the same subnet.
>>>>
>>>> here ist the output of a test, you can see, the CNAME guid entries in
>>>> the _msdcs can be resolved on any DC: (DC1 and DC2 are the first and
>>>> second DCs, SAMBA3 was added at last.
>>>>
>>>> ldbsearch -H /srv/samba/private/sam.ldb '(invocationId=*)' --cross-
>>>> ncs
>>>> objectguid
>>>> # record 1
>>>> dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-
>>>> Name,CN=Sites,CN=Configuration,DC=test,DC=net
>>>> objectGUID: 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f
>>>>
>>>> # record 2
>>>> dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-
>>>> Name,CN=Sites,CN=Configuration,DC=test,DC=net
>>>> objectGUID: 9ec652b4-146c-4ff1-babe-5abe291325be
>>>>
>>>> # record 3
>>>> dn: CN=NTDS Settings,CN=SAMBA3,CN=Servers,CN=Default-First-Site-
>>>> Name,CN=Sites,CN=Configuration,DC=test,DC=net
>>>> objectGUID: c01a335e-1794-4997-9c7e-553be77fba04
>>>>
>>>> # returned 3 records
>>>> # 3 entries
>>>> # 0 referrals
>>>>
>>>> host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net
>>>> DC1
>>>> 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for
>>>> dc2.test.net.
>>>>
>>>> host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net
>>>> DC2
>>>> 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for
>>>> dc2.test.net.
>>>>
>>>> host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net
>>>> SAMBA3
>>>> 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for
>>>> dc2.test.net.
>>>>
>>>> host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net
>>>> DC1
>>>> 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for
>>>> dc1.test.net.
>>>>
>>>> host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net
>>>> DC2
>>>> 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for
>>>> dc1.test.net.
>>>>
>>>> host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net
>>>> SAMBA3
>>>> 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for
>>>> dc1.test.net.
>>>>
>>>> host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net
>>>> DC1
>>>> c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for
>>>> SAMBA3.test.net.
>>>>
>>>> host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net
>>>> DC2
>>>> c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for
>>>> SAMBA3.test.net.
>>>>
>>>> host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net
>>>> SAMBA3
>>>> c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for
>>>> SAMBA3.test.net.
>>>>
>>>>
>>>> Am Dienstag, den 16.01.2018, 12:10 +0100 schrieb Denis Cardon:
>>>>> Hi Heinz,
>>>>>
>>>>>> i have the same problem on samba 4.7.3 and 4.7.4.
>>>>>> I start with 2 DCs and the sync works fine. After the join of a
>>>>>> third
>>>>>> DC mostly i get the WERR_DS_DRA_ACCESS_DENIED. I tested it for 10
>>>>>> times.
>>>>>>
>>>>>> in my case i have:
>>>>>> DC1 (with any FSMO Roles)
>>>>>> DC2
>>>>>>
>>>>>> new join as DC:
>>>>>> DC3
>>>>>>
>>>>>> After the join, the sync from DC2 to DC3 fails.
>>>>>>
>>>>>> samba-tool drs replicate dc2 dc1 dc=gvcc,dc=net : OK
>>>>>> samba-tool drs replicate dc1 dc2 dc=gvcc,dc=net : OK
>>>>>> samba-tool drs replicate dc2 dc3 dc=gvcc,dc=net : OK
>>>>>> samba-tool drs replicate dc1 dc3 dc=gvcc,dc=net : OK
>>>>>> samba-tool drs replicate dc3 dc1 dc=gvcc,dc=net : OK
>>>>>> samba-tool drs replicate dc3 dc2 dc=gvcc,dc=net : NOT OK
>>>>> like Rowland pointed you earlier, it is often an issue with missing
>>>>> DNS
>>>>> entries. Be sure to check that samba_dnsupdate on both servers is
>>>>> happy,
>>>>> especially with the CNAME guid entries in the _msdcs zone.
>>>>>
>>>>> Another case I saw was that firewall had not been disable (or at
>>>>> least
>>>>> the port opening was not done right).
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Denis
>>>>>
>>>>>>
>>>>>>
>>>>>> p.s. DC3 is a new server witch newer was member in the ADS.
>>>>>>
>>>>>>
>>>>>> regards,
>>>>>> heinz
>>>>>>
>>>>>> Am Mittwoch, den 27.12.2017, 14:44 +0100 schrieb Dr. Johannes-
>>>>>> Ulrich
>>>>>> Menzebach via samba:
>>>>>>> Rowland,
>>>>>>>
>>>>>>> - the DN "CN=DCNH1,..." exists on all 3 DCs (pointing the Sites
>>>>>>> and
>>>>>>> Services console to each of them).
>>>>>>> - I also checked that "samba-tool dbcheck" completes w/o
>>>>>>> showing
>>>>>>> errors.
>>>>>>> - the objectGUID DNS aliases of all DCs are resolvable against
>>>>>>> all 3
>>>>>>> DCs' builtin DNS
>>>>>>> - I forced a full sync from the FSMO holder (dcge1) to the 2
>>>>>>> other
>>>>>>> DCs
>>>>>>> which finished w/o errors.
>>>>>>> - after that, sync and also full sync dcdo1-->dcnh1 failed
>>>>>>> exactly
>>>>>>> as
>>>>>>> earlier.
>>>>>>>
>>>>>>> I'm wondering whether this is related to
>>>>>>> https://bugzilla.samba.org/show_bug.cgi?id=12972 , however I'm
>>>>>>> running
>>>>>>> 4.7.4 and the domain had been created under 4.7.3 (based on the
>>>>>>> Samba
>>>>>>> Wiki). Apart from the sync issue I'm VERY happy with Samba4/AD.
>>>>>>>
>>>>>>> Many thanks,
>>>>>>>
>>>>>>> Uli
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 12/27/2017 01:29 PM, Rowland Penny via samba wrote:
>>>>>>>> On Wed, 27 Dec 2017 13:00:05 +0100
>>>>>>>> "Dr. Johannes-Ulrich Menzebach via samba" <samba at lists.samba.
>>>>>>>> or
>>>>>>>> g>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> There is additional info in the logs of the source DC
>>>>>>>>> (dcdo1,
>>>>>>>>> log
>>>>>>>>> level 2, manually triggered another replication):
>>>>>>>>> ====================
>>>>>>>>> [2017/12/27 12:31:29.695121,  2]
>>>>>>>>> ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchan
>>>>>>>>> ge
>>>>>>>>> s_co
>>>>>>>>> llect_objects)
>>>>>>>>> ../source4/rpc_server/drsuapi/getncchanges.c:1731:
>>>>>>>>> getncchanges on
>>>>>>>>> DC=ad,DC=kdu,DC=com using filter (uSNChanged>=5415)
>>>>>>>>> [2017/12/27 12:31:29.698828,  2]
>>>>>>>>> ../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_dr
>>>>>>>>> su
>>>>>>>>> api_
>>>>>>>>> DsGetNCChanges)
>>>>>>>>>      DsGetNCChanges with uSNChanged >= 5415 flags 0x80000064
>>>>>>>>> on
>>>>>>>>> <GUID=141bbe37-5eda-42b8-b904-0b75e26b1e2d>;<SID=S-1-5-21-
>>>>>>>>> 454945863-777199239-1595221609>;DC=ad,DC=kdu,DC=com
>>>>>>>>> gave 0 objects (done 0/0) 0 links (done 0/0 (as
>>>>>>>>> S-1-5-21-454945863-777199239-1595221609-1112))
>>>>>>>>> [2017/12/27 12:31:29.733157,  1]
>>>>>>>>> ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
>>>>>>>>>      ../source4/dsdb/common/util.c:4807: Failed to find
>>>>>>>>> account dn
>>>>>>>>> (serverReference) for
>>>>>>>>> CN=DCNH1,CN=Servers,CN=Default-First-Site-
>>>>>>>>> Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com,
>>>>>>>>> parent of DSA with objectGUID 0acce4bc-1193-4609-8e4d-
>>>>>>>>> a0771bb6fb76,
>>>>>>>>> sid S-1-5-21-454945863-777199239-1595221609-1112
>>>>>>>>> [2017/12/27 12:31:29.733198,  0]
>>>>>>>>> ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsua
>>>>>>>>> pi
>>>>>>>>> _DsR
>>>>>>>>> eplicaUpdateRefs)
>>>>>>>>> ../source4/rpc_server/drsuapi/updaterefs.c:374:
>>>>>>>>> Refusing
>>>>>>>>> DsReplicaUpdateRefs for sid
>>>>>>>>> S-1-5-21-454945863-777199239-1595221609-1112 with GUID
>>>>>>>>> 0acce4bc-1193-4609-8e4d-a0771bb6fb76
>>>>>>>>>
>>>>>>>>> According to what I see in the "Sites and Services" RSAT
>>>>>>>>> console
>>>>>>>>> the
>>>>>>>>> DN for
>>>>>>>>> CN=DCNH1,CN=Servers,CN=Default-First-Site-
>>>>>>>>> Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com
>>>>>>>>> seems to exist.
>>>>>>>>>
>>>>>>>>> Any ideas?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>>        Uli
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 12/27/2017 09:59 AM, Dr. Johannes-Ulrich Menzebach via
>>>>>>>>> samba
>>>>>>>>> wrote:
>>>>>>>>>> We have 3 ADCs based on Samba-4.7.4 (compiled from
>>>>>>>>>> source,internal
>>>>>>>>>> DNS)/ CentOS7: dcdo1,dcnh1 and dcge1. dcge1 holds all
>>>>>>>>>> FSMO
>>>>>>>>>> roles.
>>>>>>>>>> The 3 ADCs are on different locations connected via IPSec
>>>>>>>>>> based
>>>>>>>>>> VPN. No traffic is filtered out.
>>>>>>>>>>
>>>>>>>>>> All 3 ADCs replicate fine except dcdo1 -->dcnh1. Symptom:
>>>>>>>>>>
>>>>>>>>>> [root at dcdo1 ~]# samba-tool drs replicate dcnh1.ad.kdu.com
>>>>>>>>>> dcdo1.ad.kdu.com dc=ad,dc=kdu,dc=com
>>>>>>>>>> ERROR(<class 'samba.drs_utils.drsException'>):
>>>>>>>>>> DsReplicaSync
>>>>>>>>>> failed
>>>>>>>>>> - drsException: DsReplicaSync failed (8453,
>>>>>>>>>> 'WERR_DS_DRA_ACCESS_DENIED') File
>>>>>>>>>> "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py",
>>>>>>>>>> line
>>>>>>>>>> 386,
>>>>>>>>>> in run drs_utils.sendDsReplicaSync(server_bind,
>>>>>>>>>> server_bind_handle,
>>>>>>>>>> source_dsa_guid, NC, req_options)
>>>>>>>>>>     File "/usr/lib64/python2.7/site-
>>>>>>>>>> packages/samba/drs_utils.py",
>>>>>>>>>> line 85, in sendDsReplicaSync
>>>>>>>>>>       raise drsException("DsReplicaSync failed %s" % estr)
>>>>>>>>>>
>>>>>>>>>> Log on dcdo1:
>>>>>>>>>> ==============
>>>>>>>>>> [2017/12/27 08:20:56.335895,  0]
>>>>>>>>>> ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drs
>>>>>>>>>> ua
>>>>>>>>>> pi_D
>>>>>>>>>> sReplicaUpdateRefs)
>>>>>>>>>> ../source4/rpc_server/drsuapi/updaterefs.c:374:
>>>>>>>>>> Refusing
>>>>>>>>>> DsReplicaUpdateRefs for sid
>>>>>>>>>> S-1-5-21-454945863-777199239-1595221609-1112 with GUID
>>>>>>>>>> 0acce4bc-1193-4609-8e4d-a0771bb6fb76
>>>>>>>>>>
>>>>>>>>>> Log on target DC dcnh1:
>>>>>>>>>> ==============
>>>>>>>>>> [2017/12/27 08:20:55.278559,  5]
>>>>>>>>>> ../auth/auth_log.c:860(log_successful_authz_event_human_r
>>>>>>>>>> ea
>>>>>>>>>> dabl
>>>>>>>>>> e)
>>>>>>>>>>     Successful AuthZ: [DCE/RPC,ncacn_ip_tcp] user [NT
>>>>>>>>>> AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Wed, 27 Dec
>>>>>>>>>> 2017
>>>>>>>>>> 08:20:55.278538 CET] Remote host
>>>>>>>>>> [ipv4:192.168.172.14:36196]
>>>>>>>>>> local
>>>>>>>>>> host [ipv4:192.168.152.15:135]
>>>>>>>>>> [2017/12/27 08:20:55.278641,  5]
>>>>>>>>>> ../auth/auth_log.c:220(log_json)
>>>>>>>>>>     JSON Authorization: {"timestamp":
>>>>>>>>>> "2017-12-27T08:20:55.278587+0100", "type":
>>>>>>>>>> "Authorization",
>>>>>>>>>> "Authorization": {"version": {"major": 1, "minor": 0},
>>>>>>>>>> "localAddress": "ipv4:192.168.152.15:135",
>>>>>>>>>> "remoteAddress":
>>>>>>>>>> "ipv4:192.168.172.14:36196", "serviceDescription":
>>>>>>>>>> "DCE/RPC",
>>>>>>>>>> "authType": "ncacn_ip_tcp", "domain": "NT AUTHORITY",
>>>>>>>>>> "account":
>>>>>>>>>> "ANONYMOUS LOGON", "sid": "S-1-5-7", "logonServer":
>>>>>>>>>> "DCNH1",
>>>>>>>>>> "transportProtection": "NONE", "accountFlags":
>>>>>>>>>> "0x00000010"}}
>>>>>>>>>> [2017/12/27 08:20:55.278660,
>>>>>>>>>> 3] ../auth/auth_log.c:139(get_auth_event_server)
>>>>>>>>>> get_auth_event_server: Failed to find 'auth_event'
>>>>>>>>>> registered
>>>>>>>>>> on
>>>>>>>>>> the message bus to send JSON authentication events to:
>>>>>>>>>> NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27
>>>>>>>>>> 08:20:55.337740,
>>>>>>>>>> 3]
>>>>>>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_conn
>>>>>>>>>> ec
>>>>>>>>>> tion
>>>>>>>>>> )
>>>>>>>>>>     Terminating connection - 'dcesrv:
>>>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27
>>>>>>>>>> 08:20:55.337873,  3]
>>>>>>>>>> ../source4/smbd/process_single.c:114(single_terminate)
>>>>>>>>>>     single_terminate: reason[dcesrv:
>>>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27
>>>>>>>>>> 08:20:55.506117,  3]
>>>>>>>>>> ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
>>>>>>>>>>     ldb_wrap open of secrets.ldb
>>>>>>>>>> [2017/12/27 08:20:55.506420,  5]
>>>>>>>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech)
>>>>>>>>>>     Starting GENSEC mechanism spnego
>>>>>>>>>> [2017/12/27 08:20:55.506501,  5]
>>>>>>>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech)
>>>>>>>>>>     Starting GENSEC submechanism gssapi_krb5
>>>>>>>>>> [2017/12/27 08:20:55.536259,  5]
>>>>>>>>>> ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_
>>>>>>>>>> up
>>>>>>>>>> date
>>>>>>>>>> _internal)
>>>>>>>>>>     gensec_gssapi: credentials were delegated
>>>>>>>>>> [2017/12/27 08:20:55.536320,  5]
>>>>>>>>>> ../source4/auth/gensec/gensec_gssapi.c:685(gensec_gssapi_
>>>>>>>>>> up
>>>>>>>>>> date
>>>>>>>>>> _internal)
>>>>>>>>>>     GSSAPI Connection will be cryptographically sealed
>>>>>>>>>> [2017/12/27 08:20:55.538591,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\
>>>>>>>>>> 87
>>>>>>>>>> \1ES
>>>>>>>>>> .i\26\15_T\04\00\00
>>>>>>>>>> -> 0
>>>>>>>>>> [2017/12/27 08:20:55.538644,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\
>>>>>>>>>> 87
>>>>>>>>>> \1ES
>>>>>>>>>> .i\26\15_\04\02\00\00
>>>>>>>>>> -> 0
>>>>>>>>>> [2017/12/27 08:20:55.538712,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\
>>>>>>>>>> 87
>>>>>>>>>> \1ES
>>>>>>>>>> .i\26\15_<\02\00\00
>>>>>>>>>> -> 0
>>>>>>>>>> [2017/12/27 08:20:55.538762,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0
>>>>>>>>>> [2017/12/27 08:20:55.538819,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0
>>>>>>>>>> [2017/12/27 08:20:55.538864,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0
>>>>>>>>>> [2017/12/27 08:20:55.538909,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0
>>>>>>>>>> [2017/12/27 08:20:55.538967,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00
>>>>>>>>>> ->
>>>>>>>>>> 0
>>>>>>>>>> [2017/12/27 08:20:55.539029,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\0
>>>>>>>>>> 0
>>>>>>>>>> -> 1
>>>>>>>>>> [2017/12/27 08:20:55.539087,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\0
>>>>>>>>>> 0
>>>>>>>>>> -> 0
>>>>>>>>>> [2017/12/27 08:20:55.539289,  4]
>>>>>>>>>> ../auth/auth_log.c:860(log_successful_authz_event_human_r
>>>>>>>>>> ea
>>>>>>>>>> dabl
>>>>>>>>>> e)
>>>>>>>>>>     Successful AuthZ: [DCE/RPC,krb5] user [AD]\[DCDO1$]
>>>>>>>>>> [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed,
>>>>>>>>>> 27
>>>>>>>>>> Dec
>>>>>>>>>> 2017
>>>>>>>>>> 08:20:55.539277 CET] Remote host
>>>>>>>>>> [ipv4:192.168.172.14:57364]
>>>>>>>>>> local
>>>>>>>>>> host [ipv4:192.168.152.15:49152]
>>>>>>>>>> [2017/12/27 08:20:55.539359,  4]
>>>>>>>>>> ../auth/auth_log.c:220(log_json)
>>>>>>>>>>     JSON Authorization: {"timestamp":
>>>>>>>>>> "2017-12-27T08:20:55.539334+0100", "type":
>>>>>>>>>> "Authorization",
>>>>>>>>>> "Authorization": {"version": {"major": 1, "minor": 0},
>>>>>>>>>> "localAddress": "ipv4:192.168.152.15:49152",
>>>>>>>>>> "remoteAddress":
>>>>>>>>>> "ipv4:192.168.172.14:57364", "serviceDescription":
>>>>>>>>>> "DCE/RPC",
>>>>>>>>>> "authType": "krb5", "domain": "AD", "account": "DCDO1$",
>>>>>>>>>> "sid":
>>>>>>>>>> "S-1-5-21-454945863-777199239-1595221609-1108",
>>>>>>>>>> "logonServer":
>>>>>>>>>> "DCDO1", "transportProtection": "SEAL", "accountFlags":
>>>>>>>>>> "0x00002100"}} [2017/12/27 08:20:55.539398,
>>>>>>>>>> 3] ../auth/auth_log.c:139(get_auth_event_server)
>>>>>>>>>> get_auth_event_server: Failed to find 'auth_event'
>>>>>>>>>> registered
>>>>>>>>>> on
>>>>>>>>>> the message bus to send JSON authentication events to:
>>>>>>>>>> NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27
>>>>>>>>>> 08:20:55.568937,
>>>>>>>>>> 3]
>>>>>>>>>> ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89(dcesrv_
>>>>>>>>>> dr
>>>>>>>>>> suap
>>>>>>>>>> i_DsBind)
>>>>>>>>>> ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89:
>>>>>>>>>> doing
>>>>>>>>>> DsBind
>>>>>>>>>> with system_session
>>>>>>>>>> [2017/12/27 08:20:55.641297,  3]
>>>>>>>>>> ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
>>>>>>>>>>     ldb_wrap open of secrets.ldb
>>>>>>>>>> [2017/12/27 08:20:55.644257,  5]
>>>>>>>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchR
>>>>>>>>>> eq
>>>>>>>>>> uest
>>>>>>>>>> )
>>>>>>>>>>     ldb_request BASE dn=
>>>>>>>>>> filter=(|(objectClass=*)(distinguishedName=*))
>>>>>>>>>> [2017/12/27
>>>>>>>>>> 08:20:55.706421,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>>>>>>> [2017/12/27 08:20:55.706573,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>>>>>>> [2017/12/27 08:20:55.706777,  3]
>>>>>>>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_
>>>>>>>>>> de
>>>>>>>>>> bug_
>>>>>>>>>> wrapper)
>>>>>>>>>>     Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from
>>>>>>>>>> ipv4:192.168.172.14:48486 for ldap/dcnh1.ad.kdu.com at AD.kd
>>>>>>>>>> u.
>>>>>>>>>> COM
>>>>>>>>>> [canonicalize] [2017/12/27 08:20:55.708186,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>>>>>>> [2017/12/27 08:20:55.708670,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>>>>>>> [2017/12/27 08:20:55.708795,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>>>>>>> [2017/12/27 08:20:55.709594,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>>>>>>> [2017/12/27 08:20:55.710027,  3]
>>>>>>>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_
>>>>>>>>>> de
>>>>>>>>>> bug_
>>>>>>>>>> wrapper)
>>>>>>>>>>     Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54
>>>>>>>>>> starttime:
>>>>>>>>>> 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew
>>>>>>>>>> till:
>>>>>>>>>> unset
>>>>>>>>>> [2017/12/27 08:20:55.740222,  3]
>>>>>>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_conn
>>>>>>>>>> ec
>>>>>>>>>> tion
>>>>>>>>>> )
>>>>>>>>>>     Terminating connection - 'kdc_tcp_call_loop:
>>>>>>>>>> tstream_read_pdu_blob_recv() -
>>>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED'
>>>>>>>>>> [2017/12/27 08:20:55.740440,  3]
>>>>>>>>>> ../source4/smbd/process_single.c:114(single_terminate)
>>>>>>>>>>     single_terminate: reason[kdc_tcp_call_loop:
>>>>>>>>>> tstream_read_pdu_blob_recv() -
>>>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED]
>>>>>>>>>> [2017/12/27 08:20:55.770764,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>>>>>>> [2017/12/27 08:20:55.771034,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>>>>>>> [2017/12/27 08:20:55.771283,  3]
>>>>>>>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_
>>>>>>>>>> de
>>>>>>>>>> bug_
>>>>>>>>>> wrapper)
>>>>>>>>>>     Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from
>>>>>>>>>> ipv4:192.168.172.14:48488 for krbtgt/AD.kdu.COM at AD.kdu.CO
>>>>>>>>>> M
>>>>>>>>>> [forwarded, forwardable] [2017/12/27 08:20:55.771576,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>>>>>>> [2017/12/27 08:20:55.771786,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>>>>>>> [2017/12/27 08:20:55.772103,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>>>>>>> [2017/12/27 08:20:55.772257,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>>>>>>> [2017/12/27 08:20:55.773194,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>>>>>>> [2017/12/27 08:20:55.773691,  3]
>>>>>>>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_
>>>>>>>>>> de
>>>>>>>>>> bug_
>>>>>>>>>> wrapper)
>>>>>>>>>>     Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54
>>>>>>>>>> starttime:
>>>>>>>>>> 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew
>>>>>>>>>> till:
>>>>>>>>>> unset
>>>>>>>>>> [2017/12/27 08:20:55.804565,  3]
>>>>>>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_conn
>>>>>>>>>> ec
>>>>>>>>>> tion
>>>>>>>>>> )
>>>>>>>>>>     Terminating connection - 'kdc_tcp_call_loop:
>>>>>>>>>> tstream_read_pdu_blob_recv() -
>>>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED'
>>>>>>>>>> [2017/12/27 08:20:55.804774,  3]
>>>>>>>>>> ../source4/smbd/process_single.c:114(single_terminate)
>>>>>>>>>>     single_terminate: reason[kdc_tcp_call_loop:
>>>>>>>>>> tstream_read_pdu_blob_recv() -
>>>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED]
>>>>>>>>>> [2017/12/27 08:20:55.806137,  5]
>>>>>>>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech)
>>>>>>>>>>     Starting GENSEC mechanism spnego
>>>>>>>>>> [2017/12/27 08:20:55.806296,  5]
>>>>>>>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech)
>>>>>>>>>>     Starting GENSEC submechanism gssapi_krb5
>>>>>>>>>> [2017/12/27 08:20:55.807170,  5]
>>>>>>>>>> ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_
>>>>>>>>>> up
>>>>>>>>>> date
>>>>>>>>>> _internal)
>>>>>>>>>>     gensec_gssapi: credentials were delegated
>>>>>>>>>> [2017/12/27 08:20:55.807242,  5]
>>>>>>>>>> ../source4/auth/gensec/gensec_gssapi.c:687(gensec_gssapi_
>>>>>>>>>> up
>>>>>>>>>> date
>>>>>>>>>> _internal)
>>>>>>>>>>     GSSAPI Connection will be cryptographically signed
>>>>>>>>>> [2017/12/27 08:20:55.810168,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\
>>>>>>>>>> 87
>>>>>>>>>> \1ES
>>>>>>>>>> .i\26\15_T\04\00\00
>>>>>>>>>> -> 0
>>>>>>>>>> [2017/12/27 08:20:55.810265,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\
>>>>>>>>>> 87
>>>>>>>>>> \1ES
>>>>>>>>>> .i\26\15_\04\02\00\00
>>>>>>>>>> -> 0
>>>>>>>>>> [2017/12/27 08:20:55.810353,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\
>>>>>>>>>> 87
>>>>>>>>>> \1ES
>>>>>>>>>> .i\26\15_<\02\00\00
>>>>>>>>>> -> 0
>>>>>>>>>> [2017/12/27 08:20:55.810428,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0
>>>>>>>>>> [2017/12/27 08:20:55.810507,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0
>>>>>>>>>> [2017/12/27 08:20:55.810582,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0
>>>>>>>>>> [2017/12/27 08:20:55.810674,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0
>>>>>>>>>> [2017/12/27 08:20:55.810745,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00
>>>>>>>>>> ->
>>>>>>>>>> 0
>>>>>>>>>> [2017/12/27 08:20:55.810826,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\0
>>>>>>>>>> 0
>>>>>>>>>> -> 1
>>>>>>>>>> [2017/12/27 08:20:55.810901,  6]
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>>>>>>     gendb_search_v: NULL
>>>>>>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\0
>>>>>>>>>> 0
>>>>>>>>>> -> 0
>>>>>>>>>> [2017/12/27 08:20:55.811125,  4]
>>>>>>>>>> ../auth/auth_log.c:860(log_successful_authz_event_human_r
>>>>>>>>>> ea
>>>>>>>>>> dabl
>>>>>>>>>> e)
>>>>>>>>>>     Successful AuthZ: [LDAP,krb5] user [AD]\[DCDO1$]
>>>>>>>>>> [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed,
>>>>>>>>>> 27
>>>>>>>>>> Dec
>>>>>>>>>> 2017
>>>>>>>>>> 08:20:55.811108 CET] Remote host
>>>>>>>>>> [ipv4:192.168.172.14:56798]
>>>>>>>>>> local
>>>>>>>>>> host [ipv4:192.168.152.15:389]
>>>>>>>>>> [2017/12/27 08:20:55.811301,  4]
>>>>>>>>>> ../auth/auth_log.c:220(log_json)
>>>>>>>>>>     JSON Authorization: {"timestamp":
>>>>>>>>>> "2017-12-27T08:20:55.811228+0100", "type":
>>>>>>>>>> "Authorization",
>>>>>>>>>> "Authorization": {"version": {"major": 1, "minor": 0},
>>>>>>>>>> "localAddress": "ipv4:192.168.152.15:389",
>>>>>>>>>> "remoteAddress":
>>>>>>>>>> "ipv4:192.168.172.14:56798", "serviceDescription":
>>>>>>>>>> "LDAP",
>>>>>>>>>> "authType": "krb5", "domain": "AD", "account": "DCDO1$",
>>>>>>>>>> "sid":
>>>>>>>>>> "S-1-5-21-454945863-777199239-1595221609-1108",
>>>>>>>>>> "logonServer":
>>>>>>>>>> "DCDO1", "transportProtection": "SIGN", "accountFlags":
>>>>>>>>>> "0x00002100"}} [2017/12/27 08:20:55.811385,
>>>>>>>>>> 3] ../auth/auth_log.c:139(get_auth_event_server)
>>>>>>>>>> get_auth_event_server: Failed to find 'auth_event'
>>>>>>>>>> registered
>>>>>>>>>> on
>>>>>>>>>> the message bus to send JSON authentication events to:
>>>>>>>>>> NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27
>>>>>>>>>> 08:20:55.841539,
>>>>>>>>>> 5]
>>>>>>>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchR
>>>>>>>>>> eq
>>>>>>>>>> uest
>>>>>>>>>> )
>>>>>>>>>>     ldb_request BASE dn= filter=(objectClass=*)
>>>>>>>>>> [2017/12/27 08:20:55.871177,  5]
>>>>>>>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchR
>>>>>>>>>> eq
>>>>>>>>>> uest
>>>>>>>>>> )
>>>>>>>>>>     ldb_request SUB
>>>>>>>>>> dn=CN=Configuration,DC=ad,DC=kdu,DC=com
>>>>>>>>>> filter=(&(objectCategory=server)(|(name=dcdo1.ad.kdu.com)
>>>>>>>>>> (d
>>>>>>>>>> NSHo
>>>>>>>>>> stName=dcdo1.ad.kdu.com)))
>>>>>>>>>> [2017/12/27 08:20:55.902579,  5]
>>>>>>>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchR
>>>>>>>>>> eq
>>>>>>>>>> uest
>>>>>>>>>> )
>>>>>>>>>>     ldb_request ONE
>>>>>>>>>> dn=CN=DCDO1,CN=Servers,CN=Default-First-Site-
>>>>>>>>>> Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com
>>>>>>>>>> filter=(|(objectCategory=nTDSDSA)(objectCategory=nTDSDSAR
>>>>>>>>>> O)
>>>>>>>>>> )
>>>>>>>>>> [2017/12/27 08:20:55.932550,  5]
>>>>>>>>>> default/librpc/gen_ndr/ndr_drsuapi_s.c:93(drsuapi__op_dis
>>>>>>>>>> pa
>>>>>>>>>> tch)
>>>>>>>>>>     function drsuapi_DsReplicaSync will reply async
>>>>>>>>>> [2017/12/27 08:20:55.932676,  3]
>>>>>>>>>> ../source4/dsdb/repl/drepl_service.c:206(_drepl_schedule_
>>>>>>>>>> re
>>>>>>>>>> plic
>>>>>>>>>> ation)
>>>>>>>>>>     _drepl_schedule_replication: forcing sync of partition
>>>>>>>>>> (141bbe37-5eda-42b8-b904-0b75e26b1e2d,
>>>>>>>>>> dc=ad,dc=kdu,dc=com,
>>>>>>>>>> 1d535613-81fa-435f-ba17-631d5742c775._msdcs.ad.kdu.com)
>>>>>>>>>> [2017/12/27 08:20:55.932697,  4]
>>>>>>>>>> ../source4/dsdb/repl/drepl_periodic.c:187(dreplsrv_pendin
>>>>>>>>>> go
>>>>>>>>>> ps_s
>>>>>>>>>> chedule)
>>>>>>>>>>     dreplsrv_pending_schedule(1) scheduled for: Wed Dec 27
>>>>>>>>>> 08:20:57
>>>>>>>>>> 2017 CET
>>>>>>>>>> [2017/12/27 08:20:56.971645,  4]
>>>>>>>>>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6725(r
>>>>>>>>>> ep
>>>>>>>>>> lmd_
>>>>>>>>>> extended_replicated_objects)
>>>>>>>>>>     linked_attributes_count=0
>>>>>>>>>> [2017/12/27 08:20:56.971966,  4]
>>>>>>>>>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6561(r
>>>>>>>>>> ep
>>>>>>>>>> lmd_
>>>>>>>>>> replicated_uptodate_modify)
>>>>>>>>>>     DRS replication uptodate modify message:
>>>>>>>>>>     dn: DC=ad,DC=kdu,DC=com
>>>>>>>>>>     changetype: modify
>>>>>>>>>>     replace: replUpToDateVector
>>>>>>>>>>     replUpToDateVector::
>>>>>>>>>> AgAAAAAAAAADAAAAAAAAABblFEZH4CNPh3GL0LFEOVz6FAAAAAAAAACAP
>>>>>>>>>> tXesZ0BhJrYYEE7/kOJnoKr3dq/vN0PAAAAAAAAAIA+1d6xnQHgHbdwEV
>>>>>>>>>> rz
>>>>>>>>>> S7KY
>>>>>>>>>> P2wnvCZRbBYAAA
>>>>>>>>>>
>>>>>>>>>>      AAAAAAgD7V3rGdAQ==
>>>>>>>>>>     -
>>>>>>>>>>     replace: repsFrom
>>>>>>>>>>     repsFrom::
>>>>>>>>>> AQAAAAAAAAAOAQAAAAAAAMHaUxADAAAAwdpTEAMAAAAAAAAA0AAAAD4AA
>>>>>>>>>> AB
>>>>>>>>>> 0AAA
>>>>>>>>>> AERE
>>>>>>>>>> RERERERERERERERERERERERERERERERERERERERERERERERERERERERER
>>>>>>>>>> ER
>>>>>>>>>> ERER
>>>>>>>>>> ERERERERERERER
>>>>>>>>>>
>>>>>>>>>> ERERERERERERERERERERERERERERERERAAAAAGsWAAAAAAAAAAAAAAAAA
>>>>>>>>>> AB
>>>>>>>>>> rFgA
>>>>>>>>>> AAAAAAKQMPrx0t
>>>>>>>>>>
>>>>>>>>>> UlIhMh6s36sM6XgHbdwEVrzS7KYP2wnvCZRAAAAAAAAAAAAAAAAAAAAAD
>>>>>>>>>> oA
>>>>>>>>>> AABi
>>>>>>>>>> YzNlMGNhNC1iNT
>>>>>>>>>>
>>>>>>>>>> c0LTQ4NDktODRjOC03YWIzN2VhYzMzYTUuX21zZGNzLmFkLmthbmRvdS5
>>>>>>>>>> jb
>>>>>>>>>> 20A
>>>>>>>>>>     repsFrom::
>>>>>>>>>> AQAAAAAAAAAOAQAAuQIAANjaUxADAAAA2NpTEAMAAAAAAAAA0AAAAD4AA
>>>>>>>>>> AB
>>>>>>>>>> kAAA
>>>>>>>>>> AERE
>>>>>>>>>> RERERERERERERERERERERERERERERERERERERERERERERERERERERERER
>>>>>>>>>> ER
>>>>>>>>>> ERER
>>>>>>>>>> ERERERERERERER
>>>>>>>>>>
>>>>>>>>>> ERERERERERERERERERERERERERERERERAAAAAPgUAAAAAAAAAAAAAAAAA
>>>>>>>>>> AD
>>>>>>>>>> 4FAA
>>>>>>>>>> AAAAAABNWUx36g
>>>>>>>>>>
>>>>>>>>>> V9DuhdjHVdCx3UW5RRGR+AjT4dxi9CxRDlcAAAAAAAAAAAAAAAAAAAAAD
>>>>>>>>>> oA
>>>>>>>>>> AAAx
>>>>>>>>>> ZDUzNTYxMy04MW
>>>>>>>>>>
>>>>>>>>>> ZhLTQzNWYtYmExNy02MzFkNTc0MmM3NzUuX21zZGNzLmFkLmthbmRvdS5
>>>>>>>>>> jb
>>>>>>>>>> 20A
>>>>>>>>>>     -
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [2017/12/27 08:20:56.974912,  2]
>>>>>>>>>> ../source4/dsdb/repl/replicated_objects.c:1020(dsdb_repli
>>>>>>>>>> ca
>>>>>>>>>> ted_
>>>>>>>>>> objects_commit)
>>>>>>>>>>     Replicated 0 objects (0 linked attributes) for
>>>>>>>>>> DC=ad,DC=kdu,DC=com
>>>>>>>>>> [2017/12/27 08:20:57.004974,  0]
>>>>>>>>>> ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_up
>>>>>>>>>> da
>>>>>>>>>> te_r
>>>>>>>>>> efs_done)
>>>>>>>>>>     UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT
>>>>>>>>>> code
>>>>>>>>>> 0xc0002105 for
>>>>>>>>>> 0acce4bc-1193-4609-8e4d-a0771bb6fb76._msdcs.ad.kdu.com
>>>>>>>>>> DC=ad,DC=kdu,DC=com [2017/12/27 08:20:57.005468,  4]
>>>>>>>>>> ../source4/dsdb/repl/drepl_out_pull.c:181(dreplsrv_pendin
>>>>>>>>>> g_
>>>>>>>>>> op_c
>>>>>>>>>> allback)
>>>>>>>>>> dreplsrv_op_pull_source(WERR_DS_DRA_ACCESS_DENIED) for
>>>>>>>>>> DC=ad,DC=kdu,DC=com
>>>>>>>>>> [2017/12/27 08:20:57.009507,  5]
>>>>>>>>>> default/librpc/gen_ndr/ndr_drsuapi_s.c:389(drsuapi__op_re
>>>>>>>>>> pl
>>>>>>>>>> y)
>>>>>>>>>>     function drsuapi_DsReplicaSync replied async
>>>>>>>>>> [2017/12/27 08:20:57.053246,  3]
>>>>>>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_conn
>>>>>>>>>> ec
>>>>>>>>>> tion
>>>>>>>>>> )
>>>>>>>>>>     Terminating connection - 'dcesrv:
>>>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27
>>>>>>>>>> 08:20:57.053478,  3]
>>>>>>>>>> ../source4/smbd/process_single.c:114(single_terminate)
>>>>>>>>>>     single_terminate: reason[dcesrv:
>>>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27
>>>>>>>>>> 08:20:57.053528,  3]
>>>>>>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_conn
>>>>>>>>>> ec
>>>>>>>>>> tion
>>>>>>>>>> )
>>>>>>>>>>     Terminating connection - 'ldapsrv_call_loop:
>>>>>>>>>> tstream_read_pdu_blob_recv() -
>>>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED'
>>>>>>>>>> [2017/12/27 08:20:57.053760,  2]
>>>>>>>>>> ../source4/smbd/process_standard.c:473(standard_terminate
>>>>>>>>>> )
>>>>>>>>>>     standard_terminate: reason[ldapsrv_call_loop:
>>>>>>>>>> tstream_read_pdu_blob_recv() -
>>>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED]
>>>>>>>>>> [2017/12/27 08:20:57.057842,  2]
>>>>>>>>>> ../source4/smbd/process_standard.c:157(standard_child_pip
>>>>>>>>>> e_
>>>>>>>>>> hand
>>>>>>>>>> ler)
>>>>>>>>>>     Child 900 () exited with status 0
>>>>>>>>>>
>>>>>>>>>> Any hints/ideas very much appreciated ...
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Uli
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>> Couple of thoughts, try reading this:
>>>>>>>>
>>>>>>>> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_
>>>>>>>> DN
>>>>>>>> S_Re
>>>>>>>> cord
>>>>>>>>
>>>>>>>> and this:
>>>>>>>>
>>>>>>>> https://wiki.samba.org/index.php/Manually_Replicating_Directo
>>>>>>>> ry
>>>>>>>> _Par
>>>>>>>> titions
>>>>>>>>
>>>>>>>> Does the missing 'CN' exist on the other two DCs ?
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>
>>>>>
>>
>
Was one the DC's exhibiting the issue manually moved to another site 
prior to or after the update? Normally the attribute is updated during a 
site creation.

-- 
--
James




More information about the samba mailing list