[Samba] WERR_BAD_NET_RESP on replication (--full-sync)

Garming Sam garming at catalyst.net.nz
Thu Jun 21 22:41:06 UTC 2018


Hi,

Many of these syncing problems were solved in Samba 4.7 (and probably a
few more in 4.8). There were a number of unresolved locking issues that
we uncovered as well as some inconsistencies with Windows replication. I
would try join a DC with one of the latest Samba versions and see if
your problems persist.


Cheers,

Garming


On 21/06/18 21:35, Chris Lewis via samba wrote:
> Hello,
>
> We have a Windows 2008 DC (inview-dc1 and a samba 4.4.16 (inview-dc2)
> server as a backup DC.
>
> The system for the most-part works OK, but occasionally the Samba DC
> goes wildly out of sync (with respect to group membership), normally
> after a change to a large group.
>
> I have noted previously before the out-of-sync event occurs, this
> command always fails thus :
>
>
>
> root at inview-dc2:~# samba-tool drs replicate inview-dc2 inview-dc1
> dc=inview,dc=local --sync-all --full-sync
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py",
> line 350, in run
>     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,
> source_dsa_guid, NC, req_options)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py",
> line 83, in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
>
>
>
> However immediately after the out-of-sync event occurred the above
> command completed with no errors. It did not solve my issue, the
> groups remained out of sync. So I then put the groups back together
> manually. At some point during this process of adding members back to
> groups, the  abovec ommand start failing again.
>
>
> Without the --full sync the command completes OK (always):
>
>
> root at inview-dc2:~# samba-tool drs replicate inview-dc2 inview-dc1
> dc=inview,dc=local --sync-all
> Replicate from inview-dc1 to inview-dc2 was successful.
>
>
>
> This bug looks to be a similar issue:
> https://bugzilla.samba.org/show_bug.cgi?id=11987
>
>
> Any ideas what might be going on here?
>
>
> Thanks in advance
>
>
> Chris Lewis
>
>
>
>
> PS Here is the full debug of the failing command:
>
> root at inview-dc2:~# samba-tool drs replicate inview-dc2.inview.local
> inview-dc1.inview.local dc=inview,dc=local --sync-all --full-sync  -d 8
> INFO: Current debug levels:
>   all: 8
>   tdb: 8
>   printdrivers: 8
>   lanman: 8
>   smb: 8
>   rpc_parse: 8
>   rpc_srv: 8
>   rpc_cli: 8
>   passdb: 8
>   sam: 8
>   auth: 8
>   winbind: 8
>   vfs: 8
>   idmap: 8
>   quota: 8
>   acls: 8
>   locking: 8
>   msdfs: 8
>   dmapi: 8
>   registry: 8
>   scavenger: 8
>   dns: 8
>   ldb: 8
>   tevent: 8
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> pm_process() returned Yes
> Module 'tombstone_reanimate' is disabled. Skip registration.ldb_wrap
> open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:inview-dc2.inview.local[,seal,print]
> Mapped to DCERPC endpoint 135
> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
> netmask=255.255.255.0
> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
> netmask=255.255.255.0
> resolve_lmhosts: Attempting lmhosts lookup for name
> inview-dc2.inview.local<0x20>
> startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts.
> Error was No such file or directory
> Mapped to DCERPC endpoint 1024
> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
> netmask=255.255.255.0
> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
> netmask=255.255.255.0
> resolve_lmhosts: Attempting lmhosts lookup for name
> inview-dc2.inview.local<0x20>
> startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts.
> Error was No such file or directory
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> Received smb_krb5 packet of length 207
> Received smb_krb5 packet of length 1365
> Received smb_krb5 packet of length 1290
> Received smb_krb5 packet of length 1312
> ../librpc/rpc/dcerpc_util.c:234: auth_pad_length 0
> gensec_gssapi: NO credentials were delegated
> GSSAPI Connection will be cryptographically sealed
> ../librpc/rpc/dcerpc_util.c:234: auth_pad_length 0
>      drsuapi_DsBind: struct drsuapi_DsBind
>         in: struct drsuapi_DsBind
>             bind_guid                : *
>                 bind_guid                :
> e24d201a-4fd6-11d1-a3da-0000f875ae0d
>             bind_info                : *
>                 bind_info: struct drsuapi_DsBindInfoCtr
>                     length                   : 0x0000001c (28)
>                     __ndr_length             : 0x0000001c (28)
>                     info                     : union
> drsuapi_DsBindInfo(case 28)
>                     info28: struct drsuapi_DsBindInfo28
>                         supported_extensions     : 0x0fefff7f (267386751)
>                                1: DRSUAPI_SUPPORTED_EXTENSION_BASE
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
>                                1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
>                                1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
>                                1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
>                                0: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY
>                                1: DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
>                                1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
>                                1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
>                                1: DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
>                                1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
>                                1: DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
>                                0:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
>                                0:
> DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
>                                0:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10
>                                0:
> DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2
>                                0:
> DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3
>                         site_guid                :
> 00000000-0000-0000-0000-000000000000
>                         pid                      : 0x00000000 (0)
>                         repl_epoch               : 0x00000000 (0)
> ../librpc/rpc/dcerpc_util.c:234: auth_pad_length 0
>      drsuapi_DsBind: struct drsuapi_DsBind
>         out: struct drsuapi_DsBind
>             bind_info                : *
>                 bind_info: struct drsuapi_DsBindInfoCtr
>                     length                   : 0x0000001c (28)
>                     __ndr_length             : 0x0000001c (28)
>                     info                     : union
> drsuapi_DsBindInfo(case 28)
>                     info28: struct drsuapi_DsBindInfo28
>                         supported_extensions     : 0x2fffff6f (805306223)
>                                1: DRSUAPI_SUPPORTED_EXTENSION_BASE
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
>                                1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
>                                1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
>                                0:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
>                                1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
>                                0: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY
>                                1: DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
>                                1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
>                                1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
>                                1: DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
>                                1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
>                                1: DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
>                                0:
> DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
>                                1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10
>                                0:
> DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2
>                                0:
> DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3
>                         site_guid                :
> 229f5470-27e6-4f0f-994b-4073a5fc4dc5
>                         pid                      : 0x00000000 (0)
>                         repl_epoch               : 0x00000000 (0)
>             bind_handle              : *
>                 bind_handle: struct policy_handle
>                     handle_type              : 0x00000000 (0)
>                     uuid                     :
> aba489c0-92cd-4a95-ba59-04b765e37884
>             result                   : WERR_OK
> lpcfg_servicenumber: couldn't find ldb
> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
> netmask=255.255.255.0
> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
> netmask=255.255.255.0
> resolve_lmhosts: Attempting lmhosts lookup for name
> inview-dc2.inview.local<0x20>
> startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts.
> Error was No such file or directory
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> GSSAPI credentials for INVIEW-DC2$@INVIEW.LOCAL will expire in 36000 secs
> Received smb_krb5 packet of length 1290
> Received smb_krb5 packet of length 1312
> gensec_gssapi: NO credentials were delegated
> GSSAPI Connection will be cryptographically signed
>      drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
>         in: struct drsuapi_DsReplicaSync
>             bind_handle              : *
>                 bind_handle: struct policy_handle
>                     handle_type              : 0x00000000 (0)
>                     uuid                     :
> aba489c0-92cd-4a95-ba59-04b765e37884
>             level                    : 0x00000001 (1)
>             req                      : *
>                 req                      : union
> drsuapi_DsReplicaSyncRequest(case 1)
>                 req1: struct drsuapi_DsReplicaSyncRequest1
>                     naming_context           : *
>                         naming_context: struct
> drsuapi_DsReplicaObjectIdentifier
>                             __ndr_size               : 0x0000005e (94)
>                             __ndr_size_sid           : 0x00000000 (0)
>                             guid                     :
> 00000000-0000-0000-0000-000000000000
>                             sid                      : S-0-0
>                             __ndr_size_dn            : 0x00000012 (18)
>                             dn                       :
> 'dc=inview,dc=local'
>                     source_dsa_guid          :
> 8be331d4-be37-43d6-9593-2ea1d095d504
>                     source_dsa_dns           : NULL
>                     options                  : 0x00008018 (32792)
>                            0: DRSUAPI_DRS_ASYNC_OP
>                            0: DRSUAPI_DRS_GETCHG_CHECK
>                            0: DRSUAPI_DRS_UPDATE_NOTIFICATION
>                            0: DRSUAPI_DRS_ADD_REF
>                            1: DRSUAPI_DRS_SYNC_ALL
>                            1: DRSUAPI_DRS_DEL_REF
>                            1: DRSUAPI_DRS_WRIT_REP
>                            0: DRSUAPI_DRS_INIT_SYNC
>                            0: DRSUAPI_DRS_PER_SYNC
>                            0: DRSUAPI_DRS_MAIL_REP
>                            0: DRSUAPI_DRS_ASYNC_REP
>                            0: DRSUAPI_DRS_IGNORE_ERROR
>                            0: DRSUAPI_DRS_TWOWAY_SYNC
>                            0: DRSUAPI_DRS_CRITICAL_ONLY
>                            0: DRSUAPI_DRS_GET_ANC
>                            0: DRSUAPI_DRS_GET_NC_SIZE
>                            0: DRSUAPI_DRS_LOCAL_ONLY
>                            0: DRSUAPI_DRS_NONGC_RO_REP
>                            0: DRSUAPI_DRS_SYNC_BYNAME
>                            0: DRSUAPI_DRS_REF_OK
>                            1: DRSUAPI_DRS_FULL_SYNC_NOW
>                            1: DRSUAPI_DRS_NO_SOURCE
>                            0: DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS
>                            0: DRSUAPI_DRS_FULL_SYNC_PACKET
>                            0: DRSUAPI_DRS_SYNC_REQUEUE
>                            0: DRSUAPI_DRS_SYNC_URGENT
>                            0: DRSUAPI_DRS_REF_GCSPN
>                            0: DRSUAPI_DRS_NO_DISCARD
>                            0: DRSUAPI_DRS_NEVER_SYNCED
>                            0: DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING
>                            0: DRSUAPI_DRS_INIT_SYNC_NOW
>                            0: DRSUAPI_DRS_PREEMPTED
>                            0: DRSUAPI_DRS_SYNC_FORCED
>                            0: DRSUAPI_DRS_DISABLE_AUTO_SYNC
>                            0: DRSUAPI_DRS_DISABLE_PERIODIC_SYNC
>                            0: DRSUAPI_DRS_USE_COMPRESSION
>                            0: DRSUAPI_DRS_NEVER_NOTIFY
>                            0: DRSUAPI_DRS_SYNC_PAS
>                            0: DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP
> ../librpc/rpc/dcerpc_util.c:234: auth_pad_length 12
>      drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
>         out: struct drsuapi_DsReplicaSync
>             result                   : WERR_BAD_NET_RESP
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py",
> line 350, in run
>     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,
> source_dsa_guid, NC, req_options)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py",
> line 83, in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
>
>
>
>
>
>
>
>




More information about the samba mailing list