[Samba] WERR_BAD_NET_RESP on replication (--full-sync)
Vinicius Bones Silva
vbs at e-trust.com.br
Mon Jul 2 16:39:15 UTC 2018
What does the WERR_BAD_NET_RESP means? I'm currently upgrading our DCs to 4.8.3 and I've
noticed that the off-site DC has a sync problem of the CN=Configuration NC.
The FSMO DC is still in the 4.5.5, but all other DCs, including the off-site are already
on 4.8.3. Trying to sync the off-site DC with one of the updated DCs does not work either.
The WERR_BAD_NET_RESP message already happened under the older version, but I've not seen
an impact yet.
Att,
Vinicius;
Em 22/06/2018 10:12, Chris Lewis via samba escreveu:
> Thanks Garming.
>
> We currently use a standalone bind DNS server. Will the later version of samba work
> without the integrated DNS backend?
>
> Cheers
>
> Chris
>
>
>
> On 21/06/18 23:41, Garming Sam wrote:
>> Hi,
>>
>> Many of these syncing problems were solved in Samba 4.7 (and probably a
>> few more in 4.8). There were a number of unresolved locking issues that
>> we uncovered as well as some inconsistencies with Windows replication. I
>> would try join a DC with one of the latest Samba versions and see if
>> your problems persist.
>>
>>
>> Cheers,
>>
>> Garming
>>
>>
>> On 21/06/18 21:35, Chris Lewis via samba wrote:
>>> Hello,
>>>
>>> We have a Windows 2008 DC (inview-dc1 and a samba 4.4.16 (inview-dc2)
>>> server as a backup DC.
>>>
>>> The system for the most-part works OK, but occasionally the Samba DC
>>> goes wildly out of sync (with respect to group membership), normally
>>> after a change to a large group.
>>>
>>> I have noted previously before the out-of-sync event occurs, this
>>> command always fails thus :
>>>
>>>
>>>
>>> root at inview-dc2:~# samba-tool drs replicate inview-dc2 inview-dc1
>>> dc=inview,dc=local --sync-all --full-sync
>>> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
>>> drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py",
>>> line 350, in run
>>> drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,
>>> source_dsa_guid, NC, req_options)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py",
>>> line 83, in sendDsReplicaSync
>>> raise drsException("DsReplicaSync failed %s" % estr)
>>>
>>>
>>>
>>> However immediately after the out-of-sync event occurred the above
>>> command completed with no errors. It did not solve my issue, the
>>> groups remained out of sync. So I then put the groups back together
>>> manually. At some point during this process of adding members back to
>>> groups, the abovec ommand start failing again.
>>>
>>>
>>> Without the --full sync the command completes OK (always):
>>>
>>>
>>> root at inview-dc2:~# samba-tool drs replicate inview-dc2 inview-dc1
>>> dc=inview,dc=local --sync-all
>>> Replicate from inview-dc1 to inview-dc2 was successful.
>>>
>>>
>>>
>>> This bug looks to be a similar issue:
>>> https://bugzilla.samba.org/show_bug.cgi?id=11987
>>>
>>>
>>> Any ideas what might be going on here?
>>>
>>>
>>> Thanks in advance
>>>
>>>
>>> Chris Lewis
>>>
>>>
>>>
>>>
>>> PS Here is the full debug of the failing command:
>>>
>>> root at inview-dc2:~# samba-tool drs replicate inview-dc2.inview.local
>>> inview-dc1.inview.local dc=inview,dc=local --sync-all --full-sync -d 8
>>> INFO: Current debug levels:
>>> all: 8
>>> tdb: 8
>>> printdrivers: 8
>>> lanman: 8
>>> smb: 8
>>> rpc_parse: 8
>>> rpc_srv: 8
>>> rpc_cli: 8
>>> passdb: 8
>>> sam: 8
>>> auth: 8
>>> winbind: 8
>>> vfs: 8
>>> idmap: 8
>>> quota: 8
>>> acls: 8
>>> locking: 8
>>> msdfs: 8
>>> dmapi: 8
>>> registry: 8
>>> scavenger: 8
>>> dns: 8
>>> ldb: 8
>>> tevent: 8
>>> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>>> Processing section "[global]"
>>> Processing section "[netlogon]"
>>> Processing section "[sysvol]"
>>> pm_process() returned Yes
>>> Module 'tombstone_reanimate' is disabled. Skip registration.ldb_wrap
>>> open of secrets.ldb
>>> GENSEC backend 'gssapi_spnego' registered
>>> GENSEC backend 'gssapi_krb5' registered
>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>> GENSEC backend 'spnego' registered
>>> GENSEC backend 'schannel' registered
>>> GENSEC backend 'naclrpc_as_system' registered
>>> GENSEC backend 'sasl-EXTERNAL' registered
>>> GENSEC backend 'ntlmssp' registered
>>> GENSEC backend 'ntlmssp_resume_ccache' registered
>>> GENSEC backend 'http_basic' registered
>>> GENSEC backend 'http_ntlm' registered
>>> GENSEC backend 'krb5' registered
>>> GENSEC backend 'fake_gssapi_krb5' registered
>>> Using binding ncacn_ip_tcp:inview-dc2.inview.local[,seal,print]
>>> Mapped to DCERPC endpoint 135
>>> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
>>> netmask=255.255.255.0
>>> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
>>> netmask=255.255.255.0
>>> resolve_lmhosts: Attempting lmhosts lookup for name
>>> inview-dc2.inview.local<0x20>
>>> startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts.
>>> Error was No such file or directory
>>> Mapped to DCERPC endpoint 1024
>>> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
>>> netmask=255.255.255.0
>>> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
>>> netmask=255.255.255.0
>>> resolve_lmhosts: Attempting lmhosts lookup for name
>>> inview-dc2.inview.local<0x20>
>>> startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts.
>>> Error was No such file or directory
>>> Starting GENSEC mechanism spnego
>>> Starting GENSEC submechanism gssapi_krb5
>>> Received smb_krb5 packet of length 207
>>> Received smb_krb5 packet of length 1365
>>> Received smb_krb5 packet of length 1290
>>> Received smb_krb5 packet of length 1312
>>> ../librpc/rpc/dcerpc_util.c:234: auth_pad_length 0
>>> gensec_gssapi: NO credentials were delegated
>>> GSSAPI Connection will be cryptographically sealed
>>> ../librpc/rpc/dcerpc_util.c:234: auth_pad_length 0
>>> drsuapi_DsBind: struct drsuapi_DsBind
>>> in: struct drsuapi_DsBind
>>> bind_guid : *
>>> bind_guid :
>>> e24d201a-4fd6-11d1-a3da-0000f875ae0d
>>> bind_info : *
>>> bind_info: struct drsuapi_DsBindInfoCtr
>>> length : 0x0000001c (28)
>>> __ndr_length : 0x0000001c (28)
>>> info : union
>>> drsuapi_DsBindInfo(case 28)
>>> info28: struct drsuapi_DsBindInfo28
>>> supported_extensions : 0x0fefff7f (267386751)
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_BASE
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
>>> 0: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
>>> 0:
>>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
>>> 0:
>>> DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
>>> 0:
>>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10
>>> 0:
>>> DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2
>>> 0:
>>> DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3
>>> site_guid :
>>> 00000000-0000-0000-0000-000000000000
>>> pid : 0x00000000 (0)
>>> repl_epoch : 0x00000000 (0)
>>> ../librpc/rpc/dcerpc_util.c:234: auth_pad_length 0
>>> drsuapi_DsBind: struct drsuapi_DsBind
>>> out: struct drsuapi_DsBind
>>> bind_info : *
>>> bind_info: struct drsuapi_DsBindInfoCtr
>>> length : 0x0000001c (28)
>>> __ndr_length : 0x0000001c (28)
>>> info : union
>>> drsuapi_DsBindInfo(case 28)
>>> info28: struct drsuapi_DsBindInfo28
>>> supported_extensions : 0x2fffff6f (805306223)
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_BASE
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
>>> 0:
>>> DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
>>> 0: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
>>> 1: DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
>>> 0:
>>> DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
>>> 1:
>>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10
>>> 0:
>>> DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2
>>> 0:
>>> DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3
>>> site_guid :
>>> 229f5470-27e6-4f0f-994b-4073a5fc4dc5
>>> pid : 0x00000000 (0)
>>> repl_epoch : 0x00000000 (0)
>>> bind_handle : *
>>> bind_handle: struct policy_handle
>>> handle_type : 0x00000000 (0)
>>> uuid :
>>> aba489c0-92cd-4a95-ba59-04b765e37884
>>> result : WERR_OK
>>> lpcfg_servicenumber: couldn't find ldb
>>> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
>>> netmask=255.255.255.0
>>> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
>>> netmask=255.255.255.0
>>> resolve_lmhosts: Attempting lmhosts lookup for name
>>> inview-dc2.inview.local<0x20>
>>> startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts.
>>> Error was No such file or directory
>>> Starting GENSEC mechanism spnego
>>> Starting GENSEC submechanism gssapi_krb5
>>> GSSAPI credentials for INVIEW-DC2$@INVIEW.LOCAL will expire in 36000 secs
>>> Received smb_krb5 packet of length 1290
>>> Received smb_krb5 packet of length 1312
>>> gensec_gssapi: NO credentials were delegated
>>> GSSAPI Connection will be cryptographically signed
>>> drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
>>> in: struct drsuapi_DsReplicaSync
>>> bind_handle : *
>>> bind_handle: struct policy_handle
>>> handle_type : 0x00000000 (0)
>>> uuid :
>>> aba489c0-92cd-4a95-ba59-04b765e37884
>>> level : 0x00000001 (1)
>>> req : *
>>> req : union
>>> drsuapi_DsReplicaSyncRequest(case 1)
>>> req1: struct drsuapi_DsReplicaSyncRequest1
>>> naming_context : *
>>> naming_context: struct
>>> drsuapi_DsReplicaObjectIdentifier
>>> __ndr_size : 0x0000005e (94)
>>> __ndr_size_sid : 0x00000000 (0)
>>> guid :
>>> 00000000-0000-0000-0000-000000000000
>>> sid : S-0-0
>>> __ndr_size_dn : 0x00000012 (18)
>>> dn :
>>> 'dc=inview,dc=local'
>>> source_dsa_guid :
>>> 8be331d4-be37-43d6-9593-2ea1d095d504
>>> source_dsa_dns : NULL
>>> options : 0x00008018 (32792)
>>> 0: DRSUAPI_DRS_ASYNC_OP
>>> 0: DRSUAPI_DRS_GETCHG_CHECK
>>> 0: DRSUAPI_DRS_UPDATE_NOTIFICATION
>>> 0: DRSUAPI_DRS_ADD_REF
>>> 1: DRSUAPI_DRS_SYNC_ALL
>>> 1: DRSUAPI_DRS_DEL_REF
>>> 1: DRSUAPI_DRS_WRIT_REP
>>> 0: DRSUAPI_DRS_INIT_SYNC
>>> 0: DRSUAPI_DRS_PER_SYNC
>>> 0: DRSUAPI_DRS_MAIL_REP
>>> 0: DRSUAPI_DRS_ASYNC_REP
>>> 0: DRSUAPI_DRS_IGNORE_ERROR
>>> 0: DRSUAPI_DRS_TWOWAY_SYNC
>>> 0: DRSUAPI_DRS_CRITICAL_ONLY
>>> 0: DRSUAPI_DRS_GET_ANC
>>> 0: DRSUAPI_DRS_GET_NC_SIZE
>>> 0: DRSUAPI_DRS_LOCAL_ONLY
>>> 0: DRSUAPI_DRS_NONGC_RO_REP
>>> 0: DRSUAPI_DRS_SYNC_BYNAME
>>> 0: DRSUAPI_DRS_REF_OK
>>> 1: DRSUAPI_DRS_FULL_SYNC_NOW
>>> 1: DRSUAPI_DRS_NO_SOURCE
>>> 0: DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS
>>> 0: DRSUAPI_DRS_FULL_SYNC_PACKET
>>> 0: DRSUAPI_DRS_SYNC_REQUEUE
>>> 0: DRSUAPI_DRS_SYNC_URGENT
>>> 0: DRSUAPI_DRS_REF_GCSPN
>>> 0: DRSUAPI_DRS_NO_DISCARD
>>> 0: DRSUAPI_DRS_NEVER_SYNCED
>>> 0: DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING
>>> 0: DRSUAPI_DRS_INIT_SYNC_NOW
>>> 0: DRSUAPI_DRS_PREEMPTED
>>> 0: DRSUAPI_DRS_SYNC_FORCED
>>> 0: DRSUAPI_DRS_DISABLE_AUTO_SYNC
>>> 0: DRSUAPI_DRS_DISABLE_PERIODIC_SYNC
>>> 0: DRSUAPI_DRS_USE_COMPRESSION
>>> 0: DRSUAPI_DRS_NEVER_NOTIFY
>>> 0: DRSUAPI_DRS_SYNC_PAS
>>> 0: DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP
>>> ../librpc/rpc/dcerpc_util.c:234: auth_pad_length 12
>>> drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
>>> out: struct drsuapi_DsReplicaSync
>>> result : WERR_BAD_NET_RESP
>>> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
>>> drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py",
>>> line 350, in run
>>> drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,
>>> source_dsa_guid, NC, req_options)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py",
>>> line 83, in sendDsReplicaSync
>>> raise drsException("DsReplicaSync failed %s" % estr)
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>
--
Vinicius Silva
SOC,PCNSE
<https://www.certmetrics.com/paloaltonetworks/public/badge.aspx?t=c&d=2018-05-02&i=12&ci=PAN00158552>
BRA: + 55 51 2117.1000 | 55 11 5521.2021
USA: + 1 888 259.5801
soc at e-trust.com.br
skype: vinicius.bones.silva
Smiley face
www.e-trust.com.br <http://www.e-trust.com.br/>
Esta mensagem pode conter informações confidenciais ou privilegiadas. Se você recebeu esta
mensagem por engano, você não deve usar, copiar, divulgar ou tomar qualquer atitude com
base nestas informações. Solicitamos que você apague a mensagem imediatamente e avise a
E-TRUST, enviando um e-mail para suporte at e-trust.com.br. Opiniões, conclusões ou
informações contidas nesta mensagem não necessariamente refletem a posição oficial da
E-TRUST. Caso assinada digitalmente, a autenticidade desta mensagem pode ser confirmada
pela Autoridade Certificadora Privada E-TRUST, disponível em www.e-trust.com.br.
This message may contain privileged and confidential information for the use of the
intended recipients only. If you are not an intended recipient then you should not
disseminate, copy, or take any action based on its contents. If you have received this
message in error then please notify E-TRUST by sending an e-mail message to
suporte at e-trust.com.br immediately. Views and opinions expressed in this message do not
necessarily reflect the position of E-TRUST. If this message is digitally signed, its
authenticity can be confirmed by E-TRUST Private Certificate Authority, available at
www.e-trust.com.br.
More information about the samba
mailing list