[Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging

Denis Cardon dcardon at tranquil.it
Tue Jan 16 11:10:35 UTC 2018


Hi Heinz,

> I have the same problem on samba 4.7.3 and 4.7.4.
> I start with 2 DCs and the sync works fine. After the join of a third
> DC mostly I get the WERR_DS_DRA_ACCESS_DENIED. I tested it 10
> times.
>
> In my case I have:
> DC1 (with any FSMO Roles)
> DC2
>
> new join as DC:
> DC3
>
> After the join, the sync from DC2 to DC3 fails.
>
> samba-tool drs replicate dc2 dc1 dc=gvcc,dc=net : OK
> samba-tool drs replicate dc1 dc2 dc=gvcc,dc=net : OK
> samba-tool drs replicate dc2 dc3 dc=gvcc,dc=net : OK
> samba-tool drs replicate dc1 dc3 dc=gvcc,dc=net : OK
> samba-tool drs replicate dc3 dc1 dc=gvcc,dc=net : OK
> samba-tool drs replicate dc3 dc2 dc=gvcc,dc=net : NOT OK

Like Rowland pointed out to you earlier, it is often an issue with missing DNS 
entries. Be sure to check that samba_dnsupdate on both servers is happy, 
especially with the CNAME guid entries in the _msdcs zone.

Another case I saw was that the firewall had not been disabled (or at least 
the port opening was not done right).

Cheers,

Denis

>
>
>
> P.S. DC3 is a new server which never was a member in the ADS.
>
>
> regards,
> heinz
>
> On Wednesday, 27.12.2017, at 14:44 +0100, Dr. Johannes-Ulrich
> Menzebach via samba wrote:
>> Rowland,
>>
>> - the DN "CN=DCNH1,..." exists on all 3 DCs (pointing the Sites and
>> Services console to each of them).
>> - I also checked that "samba-tool dbcheck" completes w/o showing
>> errors.
>> - the objectGUID DNS aliases of all DCs are resolvable against all 3
>> DCs' builtin DNS
>> - I forced a full sync from the FSMO holder (dcge1) to the 2 other
>> DCs
>> which finished w/o errors.
>> - after that, sync and also full sync dcdo1-->dcnh1 failed exactly
>> as
>> earlier.
>>
>> I'm wondering whether this is related to
>> https://bugzilla.samba.org/show_bug.cgi?id=12972 , however I'm
>> running
>> 4.7.4 and the domain had been created under 4.7.3 (based on the
>> Samba
>> Wiki). Apart from the sync issue I'm VERY happy with Samba4/AD.
>>
>> Many thanks,
>>
>> Uli
>>
>>
>>
>> On 12/27/2017 01:29 PM, Rowland Penny via samba wrote:
>>> On Wed, 27 Dec 2017 13:00:05 +0100
>>> "Dr. Johannes-Ulrich Menzebach via samba" <samba at lists.samba.org>
>>> wrote:
>>>
>>>> There is additional info in the logs of the source DC (dcdo1, log
>>>> level 2, manually triggered another replication):
>>>> ====================
>>>> [2017/12/27 12:31:29.695121,  2]
>>>> ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_co
>>>> llect_objects)
>>>>     ../source4/rpc_server/drsuapi/getncchanges.c:1731:
>>>> getncchanges on
>>>> DC=ad,DC=kdu,DC=com using filter (uSNChanged>=5415)
>>>> [2017/12/27 12:31:29.698828,  2]
>>>> ../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_
>>>> DsGetNCChanges)
>>>>     DsGetNCChanges with uSNChanged >= 5415 flags 0x80000064 on
>>>> <GUID=141bbe37-5eda-42b8-b904-0b75e26b1e2d>;<SID=S-1-5-21-
>>>> 454945863-777199239-1595221609>;DC=ad,DC=kdu,DC=com
>>>> gave 0 objects (done 0/0) 0 links (done 0/0 (as
>>>> S-1-5-21-454945863-777199239-1595221609-1112))
>>>> [2017/12/27 12:31:29.733157,  1]
>>>> ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
>>>>     ../source4/dsdb/common/util.c:4807: Failed to find account dn
>>>> (serverReference) for
>>>> CN=DCNH1,CN=Servers,CN=Default-First-Site-
>>>> Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com,
>>>> parent of DSA with objectGUID 0acce4bc-1193-4609-8e4d-
>>>> a0771bb6fb76,
>>>> sid S-1-5-21-454945863-777199239-1595221609-1112
>>>> [2017/12/27 12:31:29.733198,  0]
>>>> ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsR
>>>> eplicaUpdateRefs)
>>>>     ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing
>>>> DsReplicaUpdateRefs for sid
>>>> S-1-5-21-454945863-777199239-1595221609-1112 with GUID
>>>> 0acce4bc-1193-4609-8e4d-a0771bb6fb76
>>>>
>>>> According to what I see in the "Sites and Services" RSAT console
>>>> the
>>>> DN for
>>>> CN=DCNH1,CN=Servers,CN=Default-First-Site-
>>>> Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com
>>>> seems to exist.
>>>>
>>>> Any ideas?
>>>>
>>>> Thanks,
>>>>
>>>>       Uli
>>>>
>>>>
>>>>
>>>> On 12/27/2017 09:59 AM, Dr. Johannes-Ulrich Menzebach via samba
>>>> wrote:
>>>>> We have 3 ADCs based on Samba-4.7.4 (compiled from
>>>>> source,internal
>>>>> DNS)/ CentOS7: dcdo1,dcnh1 and dcge1. dcge1 holds all FSMO
>>>>> roles.
>>>>> The 3 ADCs are on different locations connected via IPSec based
>>>>> VPN. No traffic is filtered out.
>>>>>
>>>>> All 3 ADCs replicate fine except dcdo1 -->dcnh1. Symptom:
>>>>>
>>>>> [root at dcdo1 ~]# samba-tool drs replicate dcnh1.ad.kdu.com
>>>>> dcdo1.ad.kdu.com dc=ad,dc=kdu,dc=com
>>>>> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync
>>>>> failed
>>>>> - drsException: DsReplicaSync failed (8453,
>>>>> 'WERR_DS_DRA_ACCESS_DENIED') File
>>>>> "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line
>>>>> 386,
>>>>> in run drs_utils.sendDsReplicaSync(server_bind,
>>>>> server_bind_handle,
>>>>> source_dsa_guid, NC, req_options)
>>>>>    File "/usr/lib64/python2.7/site-
>>>>> packages/samba/drs_utils.py",
>>>>> line 85, in sendDsReplicaSync
>>>>>      raise drsException("DsReplicaSync failed %s" % estr)
>>>>>
>>>>> Log on dcdo1:
>>>>> ==============
>>>>> [2017/12/27 08:20:56.335895,  0]
>>>>> ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_D
>>>>> sReplicaUpdateRefs)
>>>>>    ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing
>>>>> DsReplicaUpdateRefs for sid
>>>>> S-1-5-21-454945863-777199239-1595221609-1112 with GUID
>>>>> 0acce4bc-1193-4609-8e4d-a0771bb6fb76
>>>>>
>>>>> Log on target DC dcnh1:
>>>>> ==============
>>>>> [2017/12/27 08:20:55.278559,  5]
>>>>> ../auth/auth_log.c:860(log_successful_authz_event_human_readabl
>>>>> e)
>>>>>    Successful AuthZ: [DCE/RPC,ncacn_ip_tcp] user [NT
>>>>> AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Wed, 27 Dec 2017
>>>>> 08:20:55.278538 CET] Remote host [ipv4:192.168.172.14:36196]
>>>>> local
>>>>> host [ipv4:192.168.152.15:135]
>>>>> [2017/12/27 08:20:55.278641,  5]
>>>>> ../auth/auth_log.c:220(log_json)
>>>>>    JSON Authorization: {"timestamp":
>>>>> "2017-12-27T08:20:55.278587+0100", "type": "Authorization",
>>>>> "Authorization": {"version": {"major": 1, "minor": 0},
>>>>> "localAddress": "ipv4:192.168.152.15:135", "remoteAddress":
>>>>> "ipv4:192.168.172.14:36196", "serviceDescription": "DCE/RPC",
>>>>> "authType": "ncacn_ip_tcp", "domain": "NT AUTHORITY",
>>>>> "account":
>>>>> "ANONYMOUS LOGON", "sid": "S-1-5-7", "logonServer": "DCNH1",
>>>>> "transportProtection": "NONE", "accountFlags": "0x00000010"}}
>>>>> [2017/12/27 08:20:55.278660,
>>>>> 3] ../auth/auth_log.c:139(get_auth_event_server)
>>>>> get_auth_event_server: Failed to find 'auth_event' registered
>>>>> on
>>>>> the message bus to send JSON authentication events to:
>>>>> NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 08:20:55.337740,
>>>>> 3]
>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_connection
>>>>> )
>>>>>    Terminating connection - 'dcesrv:
>>>>> NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27
>>>>> 08:20:55.337873,  3]
>>>>> ../source4/smbd/process_single.c:114(single_terminate)
>>>>>    single_terminate: reason[dcesrv:
>>>>> NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27
>>>>> 08:20:55.506117,  3]
>>>>> ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
>>>>>    ldb_wrap open of secrets.ldb
>>>>> [2017/12/27 08:20:55.506420,  5]
>>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech)
>>>>>    Starting GENSEC mechanism spnego
>>>>> [2017/12/27 08:20:55.506501,  5]
>>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech)
>>>>>    Starting GENSEC submechanism gssapi_krb5
>>>>> [2017/12/27 08:20:55.536259,  5]
>>>>> ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update
>>>>> _internal)
>>>>>    gensec_gssapi: credentials were delegated
>>>>> [2017/12/27 08:20:55.536320,  5]
>>>>> ../source4/auth/gensec/gensec_gssapi.c:685(gensec_gssapi_update
>>>>> _internal)
>>>>>    GSSAPI Connection will be cryptographically sealed
>>>>> [2017/12/27 08:20:55.538591,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES
>>>>> .i\26\15_T\04\00\00
>>>>> -> 0
>>>>> [2017/12/27 08:20:55.538644,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES
>>>>> .i\26\15_\04\02\00\00
>>>>> -> 0
>>>>> [2017/12/27 08:20:55.538712,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES
>>>>> .i\26\15_<\02\00\00
>>>>> -> 0
>>>>> [2017/12/27 08:20:55.538762,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0
>>>>> [2017/12/27 08:20:55.538819,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0
>>>>> [2017/12/27 08:20:55.538864,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0
>>>>> [2017/12/27 08:20:55.538909,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0
>>>>> [2017/12/27 08:20:55.538967,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0
>>>>> [2017/12/27 08:20:55.539029,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1
>>>>> [2017/12/27 08:20:55.539087,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0
>>>>> [2017/12/27 08:20:55.539289,  4]
>>>>> ../auth/auth_log.c:860(log_successful_authz_event_human_readabl
>>>>> e)
>>>>>    Successful AuthZ: [DCE/RPC,krb5] user [AD]\[DCDO1$]
>>>>> [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec
>>>>> 2017
>>>>> 08:20:55.539277 CET] Remote host [ipv4:192.168.172.14:57364]
>>>>> local
>>>>> host [ipv4:192.168.152.15:49152]
>>>>> [2017/12/27 08:20:55.539359,  4]
>>>>> ../auth/auth_log.c:220(log_json)
>>>>>    JSON Authorization: {"timestamp":
>>>>> "2017-12-27T08:20:55.539334+0100", "type": "Authorization",
>>>>> "Authorization": {"version": {"major": 1, "minor": 0},
>>>>> "localAddress": "ipv4:192.168.152.15:49152", "remoteAddress":
>>>>> "ipv4:192.168.172.14:57364", "serviceDescription": "DCE/RPC",
>>>>> "authType": "krb5", "domain": "AD", "account": "DCDO1$", "sid":
>>>>> "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer":
>>>>> "DCDO1", "transportProtection": "SEAL", "accountFlags":
>>>>> "0x00002100"}} [2017/12/27 08:20:55.539398,
>>>>> 3] ../auth/auth_log.c:139(get_auth_event_server)
>>>>> get_auth_event_server: Failed to find 'auth_event' registered
>>>>> on
>>>>> the message bus to send JSON authentication events to:
>>>>> NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 08:20:55.568937,
>>>>> 3]
>>>>> ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89(dcesrv_drsuap
>>>>> i_DsBind)
>>>>>    ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89: doing
>>>>> DsBind
>>>>> with system_session
>>>>> [2017/12/27 08:20:55.641297,  3]
>>>>> ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
>>>>>    ldb_wrap open of secrets.ldb
>>>>> [2017/12/27 08:20:55.644257,  5]
>>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest
>>>>> )
>>>>>    ldb_request BASE dn=
>>>>> filter=(|(objectClass=*)(distinguishedName=*)) [2017/12/27
>>>>> 08:20:55.706421,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>> [2017/12/27 08:20:55.706573,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>> [2017/12/27 08:20:55.706777,  3]
>>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_
>>>>> wrapper)
>>>>>    Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from
>>>>> ipv4:192.168.172.14:48486 for ldap/dcnh1.ad.kdu.com at AD.kdu.COM
>>>>> [canonicalize] [2017/12/27 08:20:55.708186,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>> [2017/12/27 08:20:55.708670,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>> [2017/12/27 08:20:55.708795,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>> [2017/12/27 08:20:55.709594,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>> [2017/12/27 08:20:55.710027,  3]
>>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_
>>>>> wrapper)
>>>>>    Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime:
>>>>> 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till:
>>>>> unset
>>>>> [2017/12/27 08:20:55.740222,  3]
>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_connection
>>>>> )
>>>>>    Terminating connection - 'kdc_tcp_call_loop:
>>>>> tstream_read_pdu_blob_recv() -
>>>>> NT_STATUS_CONNECTION_DISCONNECTED'
>>>>> [2017/12/27 08:20:55.740440,  3]
>>>>> ../source4/smbd/process_single.c:114(single_terminate)
>>>>>    single_terminate: reason[kdc_tcp_call_loop:
>>>>> tstream_read_pdu_blob_recv() -
>>>>> NT_STATUS_CONNECTION_DISCONNECTED]
>>>>> [2017/12/27 08:20:55.770764,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>> [2017/12/27 08:20:55.771034,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>> [2017/12/27 08:20:55.771283,  3]
>>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_
>>>>> wrapper)
>>>>>    Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from
>>>>> ipv4:192.168.172.14:48488 for krbtgt/AD.kdu.COM at AD.kdu.COM
>>>>> [forwarded, forwardable] [2017/12/27 08:20:55.771576,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>> [2017/12/27 08:20:55.771786,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>> [2017/12/27 08:20:55.772103,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>> [2017/12/27 08:20:55.772257,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>> [2017/12/27 08:20:55.773194,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>>>> [2017/12/27 08:20:55.773691,  3]
>>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_
>>>>> wrapper)
>>>>>    Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime:
>>>>> 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till:
>>>>> unset
>>>>> [2017/12/27 08:20:55.804565,  3]
>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_connection
>>>>> )
>>>>>    Terminating connection - 'kdc_tcp_call_loop:
>>>>> tstream_read_pdu_blob_recv() -
>>>>> NT_STATUS_CONNECTION_DISCONNECTED'
>>>>> [2017/12/27 08:20:55.804774,  3]
>>>>> ../source4/smbd/process_single.c:114(single_terminate)
>>>>>    single_terminate: reason[kdc_tcp_call_loop:
>>>>> tstream_read_pdu_blob_recv() -
>>>>> NT_STATUS_CONNECTION_DISCONNECTED]
>>>>> [2017/12/27 08:20:55.806137,  5]
>>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech)
>>>>>    Starting GENSEC mechanism spnego
>>>>> [2017/12/27 08:20:55.806296,  5]
>>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech)
>>>>>    Starting GENSEC submechanism gssapi_krb5
>>>>> [2017/12/27 08:20:55.807170,  5]
>>>>> ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update
>>>>> _internal)
>>>>>    gensec_gssapi: credentials were delegated
>>>>> [2017/12/27 08:20:55.807242,  5]
>>>>> ../source4/auth/gensec/gensec_gssapi.c:687(gensec_gssapi_update
>>>>> _internal)
>>>>>    GSSAPI Connection will be cryptographically signed
>>>>> [2017/12/27 08:20:55.810168,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES
>>>>> .i\26\15_T\04\00\00
>>>>> -> 0
>>>>> [2017/12/27 08:20:55.810265,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES
>>>>> .i\26\15_\04\02\00\00
>>>>> -> 0
>>>>> [2017/12/27 08:20:55.810353,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES
>>>>> .i\26\15_<\02\00\00
>>>>> -> 0
>>>>> [2017/12/27 08:20:55.810428,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0
>>>>> [2017/12/27 08:20:55.810507,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0
>>>>> [2017/12/27 08:20:55.810582,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0
>>>>> [2017/12/27 08:20:55.810674,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0
>>>>> [2017/12/27 08:20:55.810745,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0
>>>>> [2017/12/27 08:20:55.810826,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1
>>>>> [2017/12/27 08:20:55.810901,  6]
>>>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>>>    gendb_search_v: NULL
>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0
>>>>> [2017/12/27 08:20:55.811125,  4]
>>>>> ../auth/auth_log.c:860(log_successful_authz_event_human_readabl
>>>>> e)
>>>>>    Successful AuthZ: [LDAP,krb5] user [AD]\[DCDO1$]
>>>>> [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec
>>>>> 2017
>>>>> 08:20:55.811108 CET] Remote host [ipv4:192.168.172.14:56798]
>>>>> local
>>>>> host [ipv4:192.168.152.15:389]
>>>>> [2017/12/27 08:20:55.811301,  4]
>>>>> ../auth/auth_log.c:220(log_json)
>>>>>    JSON Authorization: {"timestamp":
>>>>> "2017-12-27T08:20:55.811228+0100", "type": "Authorization",
>>>>> "Authorization": {"version": {"major": 1, "minor": 0},
>>>>> "localAddress": "ipv4:192.168.152.15:389", "remoteAddress":
>>>>> "ipv4:192.168.172.14:56798", "serviceDescription": "LDAP",
>>>>> "authType": "krb5", "domain": "AD", "account": "DCDO1$", "sid":
>>>>> "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer":
>>>>> "DCDO1", "transportProtection": "SIGN", "accountFlags":
>>>>> "0x00002100"}} [2017/12/27 08:20:55.811385,
>>>>> 3] ../auth/auth_log.c:139(get_auth_event_server)
>>>>> get_auth_event_server: Failed to find 'auth_event' registered
>>>>> on
>>>>> the message bus to send JSON authentication events to:
>>>>> NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 08:20:55.841539,
>>>>> 5]
>>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest
>>>>> )
>>>>>    ldb_request BASE dn= filter=(objectClass=*)
>>>>> [2017/12/27 08:20:55.871177,  5]
>>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest
>>>>> )
>>>>>    ldb_request SUB dn=CN=Configuration,DC=ad,DC=kdu,DC=com
>>>>> filter=(&(objectCategory=server)(|(name=dcdo1.ad.kdu.com)(dNSHo
>>>>> stName=dcdo1.ad.kdu.com)))
>>>>> [2017/12/27 08:20:55.902579,  5]
>>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest
>>>>> )
>>>>>    ldb_request ONE
>>>>> dn=CN=DCDO1,CN=Servers,CN=Default-First-Site-
>>>>> Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com
>>>>> filter=(|(objectCategory=nTDSDSA)(objectCategory=nTDSDSARO))
>>>>> [2017/12/27 08:20:55.932550,  5]
>>>>> default/librpc/gen_ndr/ndr_drsuapi_s.c:93(drsuapi__op_dispatch)
>>>>>    function drsuapi_DsReplicaSync will reply async
>>>>> [2017/12/27 08:20:55.932676,  3]
>>>>> ../source4/dsdb/repl/drepl_service.c:206(_drepl_schedule_replic
>>>>> ation)
>>>>>    _drepl_schedule_replication: forcing sync of partition
>>>>> (141bbe37-5eda-42b8-b904-0b75e26b1e2d, dc=ad,dc=kdu,dc=com,
>>>>> 1d535613-81fa-435f-ba17-631d5742c775._msdcs.ad.kdu.com)
>>>>> [2017/12/27 08:20:55.932697,  4]
>>>>> ../source4/dsdb/repl/drepl_periodic.c:187(dreplsrv_pendingops_s
>>>>> chedule)
>>>>>    dreplsrv_pending_schedule(1) scheduled for: Wed Dec 27
>>>>> 08:20:57
>>>>> 2017 CET
>>>>> [2017/12/27 08:20:56.971645,  4]
>>>>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6725(replmd_
>>>>> extended_replicated_objects)
>>>>>    linked_attributes_count=0
>>>>> [2017/12/27 08:20:56.971966,  4]
>>>>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6561(replmd_
>>>>> replicated_uptodate_modify)
>>>>>    DRS replication uptodate modify message:
>>>>>    dn: DC=ad,DC=kdu,DC=com
>>>>>    changetype: modify
>>>>>    replace: replUpToDateVector
>>>>>    replUpToDateVector::
>>>>>    -
>>>>>    replace: repsFrom
>>>>>    repsFrom::
>>>>>    repsFrom::
>>>>>    -
>>>>>
>>>>>
>>>>> [2017/12/27 08:20:56.974912,  2]
>>>>> ../source4/dsdb/repl/replicated_objects.c:1020(dsdb_replicated_
>>>>> objects_commit)
>>>>>    Replicated 0 objects (0 linked attributes) for
>>>>> DC=ad,DC=kdu,DC=com
>>>>> [2017/12/27 08:20:57.004974,  0]
>>>>> ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_r
>>>>> efs_done)
>>>>>    UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code
>>>>> 0xc0002105 for
>>>>> 0acce4bc-1193-4609-8e4d-a0771bb6fb76._msdcs.ad.kdu.com
>>>>> DC=ad,DC=kdu,DC=com [2017/12/27 08:20:57.005468,  4]
>>>>> ../source4/dsdb/repl/drepl_out_pull.c:181(dreplsrv_pending_op_c
>>>>> allback)
>>>>>    dreplsrv_op_pull_source(WERR_DS_DRA_ACCESS_DENIED) for
>>>>> DC=ad,DC=kdu,DC=com
>>>>> [2017/12/27 08:20:57.009507,  5]
>>>>> default/librpc/gen_ndr/ndr_drsuapi_s.c:389(drsuapi__op_reply)
>>>>>    function drsuapi_DsReplicaSync replied async
>>>>> [2017/12/27 08:20:57.053246,  3]
>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_connection
>>>>> )
>>>>>    Terminating connection - 'dcesrv:
>>>>> NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27
>>>>> 08:20:57.053478,  3]
>>>>> ../source4/smbd/process_single.c:114(single_terminate)
>>>>>    single_terminate: reason[dcesrv:
>>>>> NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27
>>>>> 08:20:57.053528,  3]
>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_connection
>>>>> )
>>>>>    Terminating connection - 'ldapsrv_call_loop:
>>>>> tstream_read_pdu_blob_recv() -
>>>>> NT_STATUS_CONNECTION_DISCONNECTED'
>>>>> [2017/12/27 08:20:57.053760,  2]
>>>>> ../source4/smbd/process_standard.c:473(standard_terminate)
>>>>>    standard_terminate: reason[ldapsrv_call_loop:
>>>>> tstream_read_pdu_blob_recv() -
>>>>> NT_STATUS_CONNECTION_DISCONNECTED]
>>>>> [2017/12/27 08:20:57.057842,  2]
>>>>> ../source4/smbd/process_standard.c:157(standard_child_pipe_hand
>>>>> ler)
>>>>>    Child 900 () exited with status 0
>>>>>
>>>>> Any hints/ideas very much appreciated ...
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Uli
>>>>>
>>>>>
>>>
>>> Couple of thoughts, try reading this:
>>>
>>> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Re
>>> cord
>>>
>>> and this:
>>>
>>> https://wiki.samba.org/index.php/Manually_Replicating_Directory_Par
>>> titions
>>>
>>> Does the missing 'CN' exist on the other two DCs ?
>>>
>>> Rowland
>>>
>>
>>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
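
An added example, not part of the original post and not Samba code: a small log triage script that pairs each "Refusing DsReplicaUpdateRefs" record with the serverReference lookup failure logged for the same DSA GUID, and derives the objectGUID CNAME in _msdcs that the reply above says to verify. The function names are hypothetical; the sample lines are the ones quoted in this thread with the mail line-wrapping undone.

```python
import re

# Samba log record header: "[date time,  level] file.c:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)\]\s+"
    r"\S+:\d+\((?P<func>\w+)\)\s*$")
VALIDATE_FAIL = re.compile(
    r"Failed to find account dn \(serverReference\) for (?P<dn>.+?), "
    r"parent of DSA with objectGUID (?P<guid>[0-9a-fA-F-]{36}), "
    r"sid (?P<sid>S-1-[\d-]+)")
REFUSED = re.compile(
    r"Refusing DsReplicaUpdateRefs for sid (?P<sid>S-1-[\d-]+) "
    r"with GUID (?P<guid>[0-9a-fA-F-]{36})")

# Log lines quoted in the thread, with the mail line-wrapping undone.
SAMPLE_LOG = """\
[2017/12/27 08:20:56.335895,  0] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
  ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-454945863-777199239-1595221609-1112 with GUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76
[2017/12/27 12:31:29.733157,  1] ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
  ../source4/dsdb/common/util.c:4807: Failed to find account dn (serverReference) for CN=DCNH1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com,
  parent of DSA with objectGUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76, sid S-1-5-21-454945863-777199239-1595221609-1112
[2017/12/27 12:31:29.733198,  0] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
  ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-454945863-777199239-1595221609-1112 with GUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76
"""


def parse_records(text):
    """Split a log into records: header fields plus the joined message lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and line.strip():
            # Continuation line: append to the message of the current record.
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records


def dns_domain_from_dn(dn):
    """Build the DNS domain name from the DC= components of a DN."""
    return ".".join(p[3:] for p in dn.split(",") if p.upper().startswith("DC="))


def find_refused_updaterefs(text):
    """Return one finding per refused DsReplicaUpdateRefs. server_dn and
    guid_cname stay None when the log level did not capture the lookup failure."""
    missing_ref = {}  # DSA GUID -> server DN whose serverReference lookup failed
    findings = []
    for rec in parse_records(text):
        v = VALIDATE_FAIL.search(rec["msg"])
        if v:
            missing_ref[v["guid"].lower()] = v["dn"]
            continue
        r = REFUSED.search(rec["msg"])
        if r:
            guid = r["guid"].lower()
            dn = missing_ref.get(guid)
            findings.append({
                "time": rec["ts"],
                "dsa_guid": guid,
                "caller_sid": r["sid"],
                "server_dn": dn,
                "guid_cname": f"{guid}._msdcs.{dns_domain_from_dn(dn)}" if dn else None,
            })
    return findings


if __name__ == "__main__":
    for finding in find_refused_updaterefs(SAMPLE_LOG):
        print(finding)
```

For each finding with a server_dn, that is the server object named in the "Failed to find account dn (serverReference)" message, and guid_cname is the alias to resolve against every DC's DNS.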



