[Samba] WERR_BAD_NET_RESP on replication (--full-sync)
Garming Sam
garming at catalyst.net.nz
Thu Jun 21 22:41:06 UTC 2018
Hi,
Many of these syncing problems were solved in Samba 4.7 (and probably a
few more in 4.8). There were a number of unresolved locking issues that
we uncovered as well as some inconsistencies with Windows replication. I
would try join a DC with one of the latest Samba versions and see if
your problems persist.
Cheers,
Garming
On 21/06/18 21:35, Chris Lewis via samba wrote:
> Hello,
>
> We have a Windows 2008 DC (inview-dc1 and a samba 4.4.16 (inview-dc2)
> server as a backup DC.
>
> The system for the most-part works OK, but occasionally the Samba DC
> goes wildly out of sync (with respect to group membership), normally
> after a change to a large group.
>
> I have noted previously before the out-of-sync event occurs, this
> command always fails thus :
>
>
>
> root at inview-dc2:~# samba-tool drs replicate inview-dc2 inview-dc1
> dc=inview,dc=local --sync-all --full-sync
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py",
> line 350, in run
> drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,
> source_dsa_guid, NC, req_options)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py",
> line 83, in sendDsReplicaSync
> raise drsException("DsReplicaSync failed %s" % estr)
>
>
>
> However immediately after the out-of-sync event occurred the above
> command completed with no errors. It did not solve my issue, the
> groups remained out of sync. So I then put the groups back together
> manually. At some point during this process of adding members back to
> groups, the abovec ommand start failing again.
>
>
> Without the --full sync the command completes OK (always):
>
>
> root at inview-dc2:~# samba-tool drs replicate inview-dc2 inview-dc1
> dc=inview,dc=local --sync-all
> Replicate from inview-dc1 to inview-dc2 was successful.
>
>
>
> This bug looks to be a similar issue:
> https://bugzilla.samba.org/show_bug.cgi?id=11987
>
>
> Any ideas what might be going on here?
>
>
> Thanks in advance
>
>
> Chris Lewis
>
>
>
>
> PS Here is the full debug of the failing command:
>
> root at inview-dc2:~# samba-tool drs replicate inview-dc2.inview.local
> inview-dc1.inview.local dc=inview,dc=local --sync-all --full-sync -d 8
> INFO: Current debug levels:
> all: 8
> tdb: 8
> printdrivers: 8
> lanman: 8
> smb: 8
> rpc_parse: 8
> rpc_srv: 8
> rpc_cli: 8
> passdb: 8
> sam: 8
> auth: 8
> winbind: 8
> vfs: 8
> idmap: 8
> quota: 8
> acls: 8
> locking: 8
> msdfs: 8
> dmapi: 8
> registry: 8
> scavenger: 8
> dns: 8
> ldb: 8
> tevent: 8
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> pm_process() returned Yes
> Module 'tombstone_reanimate' is disabled. Skip registration.ldb_wrap
> open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:inview-dc2.inview.local[,seal,print]
> Mapped to DCERPC endpoint 135
> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
> netmask=255.255.255.0
> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
> netmask=255.255.255.0
> resolve_lmhosts: Attempting lmhosts lookup for name
> inview-dc2.inview.local<0x20>
> startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts.
> Error was No such file or directory
> Mapped to DCERPC endpoint 1024
> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
> netmask=255.255.255.0
> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
> netmask=255.255.255.0
> resolve_lmhosts: Attempting lmhosts lookup for name
> inview-dc2.inview.local<0x20>
> startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts.
> Error was No such file or directory
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> Received smb_krb5 packet of length 207
> Received smb_krb5 packet of length 1365
> Received smb_krb5 packet of length 1290
> Received smb_krb5 packet of length 1312
> ../librpc/rpc/dcerpc_util.c:234: auth_pad_length 0
> gensec_gssapi: NO credentials were delegated
> GSSAPI Connection will be cryptographically sealed
> ../librpc/rpc/dcerpc_util.c:234: auth_pad_length 0
> drsuapi_DsBind: struct drsuapi_DsBind
> in: struct drsuapi_DsBind
> bind_guid : *
> bind_guid :
> e24d201a-4fd6-11d1-a3da-0000f875ae0d
> bind_info : *
> bind_info: struct drsuapi_DsBindInfoCtr
> length : 0x0000001c (28)
> __ndr_length : 0x0000001c (28)
> info : union
> drsuapi_DsBindInfo(case 28)
> info28: struct drsuapi_DsBindInfo28
> supported_extensions : 0x0fefff7f (267386751)
> 1: DRSUAPI_SUPPORTED_EXTENSION_BASE
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
> 1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
> 1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
> 1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
> 0: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY
> 1: DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
> 1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
> 1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
> 1: DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
> 1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
> 1: DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
> 0:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
> 0:
> DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
> 0:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10
> 0:
> DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2
> 0:
> DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3
> site_guid :
> 00000000-0000-0000-0000-000000000000
> pid : 0x00000000 (0)
> repl_epoch : 0x00000000 (0)
> ../librpc/rpc/dcerpc_util.c:234: auth_pad_length 0
> drsuapi_DsBind: struct drsuapi_DsBind
> out: struct drsuapi_DsBind
> bind_info : *
> bind_info: struct drsuapi_DsBindInfoCtr
> length : 0x0000001c (28)
> __ndr_length : 0x0000001c (28)
> info : union
> drsuapi_DsBindInfo(case 28)
> info28: struct drsuapi_DsBindInfo28
> supported_extensions : 0x2fffff6f (805306223)
> 1: DRSUAPI_SUPPORTED_EXTENSION_BASE
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
> 1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
> 1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
> 0:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
> 1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
> 0: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY
> 1: DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
> 1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
> 1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
> 1: DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
> 1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
> 1: DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
> 0:
> DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
> 1:
> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10
> 0:
> DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2
> 0:
> DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3
> site_guid :
> 229f5470-27e6-4f0f-994b-4073a5fc4dc5
> pid : 0x00000000 (0)
> repl_epoch : 0x00000000 (0)
> bind_handle : *
> bind_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid :
> aba489c0-92cd-4a95-ba59-04b765e37884
> result : WERR_OK
> lpcfg_servicenumber: couldn't find ldb
> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
> netmask=255.255.255.0
> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
> netmask=255.255.255.0
> resolve_lmhosts: Attempting lmhosts lookup for name
> inview-dc2.inview.local<0x20>
> startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts.
> Error was No such file or directory
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> GSSAPI credentials for INVIEW-DC2$@INVIEW.LOCAL will expire in 36000 secs
> Received smb_krb5 packet of length 1290
> Received smb_krb5 packet of length 1312
> gensec_gssapi: NO credentials were delegated
> GSSAPI Connection will be cryptographically signed
> drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
> in: struct drsuapi_DsReplicaSync
> bind_handle : *
> bind_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid :
> aba489c0-92cd-4a95-ba59-04b765e37884
> level : 0x00000001 (1)
> req : *
> req : union
> drsuapi_DsReplicaSyncRequest(case 1)
> req1: struct drsuapi_DsReplicaSyncRequest1
> naming_context : *
> naming_context: struct
> drsuapi_DsReplicaObjectIdentifier
> __ndr_size : 0x0000005e (94)
> __ndr_size_sid : 0x00000000 (0)
> guid :
> 00000000-0000-0000-0000-000000000000
> sid : S-0-0
> __ndr_size_dn : 0x00000012 (18)
> dn :
> 'dc=inview,dc=local'
> source_dsa_guid :
> 8be331d4-be37-43d6-9593-2ea1d095d504
> source_dsa_dns : NULL
> options : 0x00008018 (32792)
> 0: DRSUAPI_DRS_ASYNC_OP
> 0: DRSUAPI_DRS_GETCHG_CHECK
> 0: DRSUAPI_DRS_UPDATE_NOTIFICATION
> 0: DRSUAPI_DRS_ADD_REF
> 1: DRSUAPI_DRS_SYNC_ALL
> 1: DRSUAPI_DRS_DEL_REF
> 1: DRSUAPI_DRS_WRIT_REP
> 0: DRSUAPI_DRS_INIT_SYNC
> 0: DRSUAPI_DRS_PER_SYNC
> 0: DRSUAPI_DRS_MAIL_REP
> 0: DRSUAPI_DRS_ASYNC_REP
> 0: DRSUAPI_DRS_IGNORE_ERROR
> 0: DRSUAPI_DRS_TWOWAY_SYNC
> 0: DRSUAPI_DRS_CRITICAL_ONLY
> 0: DRSUAPI_DRS_GET_ANC
> 0: DRSUAPI_DRS_GET_NC_SIZE
> 0: DRSUAPI_DRS_LOCAL_ONLY
> 0: DRSUAPI_DRS_NONGC_RO_REP
> 0: DRSUAPI_DRS_SYNC_BYNAME
> 0: DRSUAPI_DRS_REF_OK
> 1: DRSUAPI_DRS_FULL_SYNC_NOW
> 1: DRSUAPI_DRS_NO_SOURCE
> 0: DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS
> 0: DRSUAPI_DRS_FULL_SYNC_PACKET
> 0: DRSUAPI_DRS_SYNC_REQUEUE
> 0: DRSUAPI_DRS_SYNC_URGENT
> 0: DRSUAPI_DRS_REF_GCSPN
> 0: DRSUAPI_DRS_NO_DISCARD
> 0: DRSUAPI_DRS_NEVER_SYNCED
> 0: DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING
> 0: DRSUAPI_DRS_INIT_SYNC_NOW
> 0: DRSUAPI_DRS_PREEMPTED
> 0: DRSUAPI_DRS_SYNC_FORCED
> 0: DRSUAPI_DRS_DISABLE_AUTO_SYNC
> 0: DRSUAPI_DRS_DISABLE_PERIODIC_SYNC
> 0: DRSUAPI_DRS_USE_COMPRESSION
> 0: DRSUAPI_DRS_NEVER_NOTIFY
> 0: DRSUAPI_DRS_SYNC_PAS
> 0: DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP
> ../librpc/rpc/dcerpc_util.c:234: auth_pad_length 12
> drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
> out: struct drsuapi_DsReplicaSync
> result : WERR_BAD_NET_RESP
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py",
> line 350, in run
> drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,
> source_dsa_guid, NC, req_options)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py",
> line 83, in sendDsReplicaSync
> raise drsException("DsReplicaSync failed %s" % estr)
>
>
>
>
>
>
>
>
More information about the samba
mailing list