[Samba] WERR_BAD_NET_RESP on replication (--full-sync)
Chris Lewis
clewis at inview.co.uk
Fri Jun 22 13:12:35 UTC 2018
Thanks Garming.
We currently use a standalone bind DNS server. Will the later version of
samba work without the integrated DNS backend?
Cheers
Chris
On 21/06/18 23:41, Garming Sam wrote:
> Hi,
>
> Many of these syncing problems were solved in Samba 4.7 (and probably a
> few more in 4.8). There were a number of unresolved locking issues that
> we uncovered as well as some inconsistencies with Windows replication. I
> would try join a DC with one of the latest Samba versions and see if
> your problems persist.
>
>
> Cheers,
>
> Garming
>
>
> On 21/06/18 21:35, Chris Lewis via samba wrote:
>> Hello,
>>
>> We have a Windows 2008 DC (inview-dc1 and a samba 4.4.16 (inview-dc2)
>> server as a backup DC.
>>
>> The system for the most-part works OK, but occasionally the Samba DC
>> goes wildly out of sync (with respect to group membership), normally
>> after a change to a large group.
>>
>> I have noted previously before the out-of-sync event occurs, this
>> command always fails thus :
>>
>>
>>
>> root at inview-dc2:~# samba-tool drs replicate inview-dc2 inview-dc1
>> dc=inview,dc=local --sync-all --full-sync
>> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
>> drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')
>> File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py",
>> line 350, in run
>> drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,
>> source_dsa_guid, NC, req_options)
>> File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py",
>> line 83, in sendDsReplicaSync
>> raise drsException("DsReplicaSync failed %s" % estr)
>>
>>
>>
>> However immediately after the out-of-sync event occurred the above
>> command completed with no errors. It did not solve my issue, the
>> groups remained out of sync. So I then put the groups back together
>> manually. At some point during this process of adding members back to
>> groups, the abovec ommand start failing again.
>>
>>
>> Without the --full sync the command completes OK (always):
>>
>>
>> root at inview-dc2:~# samba-tool drs replicate inview-dc2 inview-dc1
>> dc=inview,dc=local --sync-all
>> Replicate from inview-dc1 to inview-dc2 was successful.
>>
>>
>>
>> This bug looks to be a similar issue:
>> https://bugzilla.samba.org/show_bug.cgi?id=11987
>>
>>
>> Any ideas what might be going on here?
>>
>>
>> Thanks in advance
>>
>>
>> Chris Lewis
>>
>>
>>
>>
>> PS Here is the full debug of the failing command:
>>
>> root at inview-dc2:~# samba-tool drs replicate inview-dc2.inview.local
>> inview-dc1.inview.local dc=inview,dc=local --sync-all --full-sync -d 8
>> INFO: Current debug levels:
>> all: 8
>> tdb: 8
>> printdrivers: 8
>> lanman: 8
>> smb: 8
>> rpc_parse: 8
>> rpc_srv: 8
>> rpc_cli: 8
>> passdb: 8
>> sam: 8
>> auth: 8
>> winbind: 8
>> vfs: 8
>> idmap: 8
>> quota: 8
>> acls: 8
>> locking: 8
>> msdfs: 8
>> dmapi: 8
>> registry: 8
>> scavenger: 8
>> dns: 8
>> ldb: 8
>> tevent: 8
>> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>> Processing section "[global]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> pm_process() returned Yes
>> Module 'tombstone_reanimate' is disabled. Skip registration.ldb_wrap
>> open of secrets.ldb
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'naclrpc_as_system' registered
>> GENSEC backend 'sasl-EXTERNAL' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'ntlmssp_resume_ccache' registered
>> GENSEC backend 'http_basic' registered
>> GENSEC backend 'http_ntlm' registered
>> GENSEC backend 'krb5' registered
>> GENSEC backend 'fake_gssapi_krb5' registered
>> Using binding ncacn_ip_tcp:inview-dc2.inview.local[,seal,print]
>> Mapped to DCERPC endpoint 135
>> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
>> netmask=255.255.255.0
>> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
>> netmask=255.255.255.0
>> resolve_lmhosts: Attempting lmhosts lookup for name
>> inview-dc2.inview.local<0x20>
>> startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts.
>> Error was No such file or directory
>> Mapped to DCERPC endpoint 1024
>> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
>> netmask=255.255.255.0
>> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
>> netmask=255.255.255.0
>> resolve_lmhosts: Attempting lmhosts lookup for name
>> inview-dc2.inview.local<0x20>
>> startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts.
>> Error was No such file or directory
>> Starting GENSEC mechanism spnego
>> Starting GENSEC submechanism gssapi_krb5
>> Received smb_krb5 packet of length 207
>> Received smb_krb5 packet of length 1365
>> Received smb_krb5 packet of length 1290
>> Received smb_krb5 packet of length 1312
>> ../librpc/rpc/dcerpc_util.c:234: auth_pad_length 0
>> gensec_gssapi: NO credentials were delegated
>> GSSAPI Connection will be cryptographically sealed
>> ../librpc/rpc/dcerpc_util.c:234: auth_pad_length 0
>> drsuapi_DsBind: struct drsuapi_DsBind
>> in: struct drsuapi_DsBind
>> bind_guid : *
>> bind_guid :
>> e24d201a-4fd6-11d1-a3da-0000f875ae0d
>> bind_info : *
>> bind_info: struct drsuapi_DsBindInfoCtr
>> length : 0x0000001c (28)
>> __ndr_length : 0x0000001c (28)
>> info : union
>> drsuapi_DsBindInfo(case 28)
>> info28: struct drsuapi_DsBindInfo28
>> supported_extensions : 0x0fefff7f (267386751)
>> 1: DRSUAPI_SUPPORTED_EXTENSION_BASE
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
>> 1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
>> 1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
>> 1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
>> 0: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY
>> 1: DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
>> 1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
>> 1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
>> 1: DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
>> 1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
>> 1: DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
>> 0:
>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
>> 0:
>> DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
>> 0:
>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10
>> 0:
>> DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2
>> 0:
>> DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3
>> site_guid :
>> 00000000-0000-0000-0000-000000000000
>> pid : 0x00000000 (0)
>> repl_epoch : 0x00000000 (0)
>> ../librpc/rpc/dcerpc_util.c:234: auth_pad_length 0
>> drsuapi_DsBind: struct drsuapi_DsBind
>> out: struct drsuapi_DsBind
>> bind_info : *
>> bind_info: struct drsuapi_DsBindInfoCtr
>> length : 0x0000001c (28)
>> __ndr_length : 0x0000001c (28)
>> info : union
>> drsuapi_DsBindInfo(case 28)
>> info28: struct drsuapi_DsBindInfo28
>> supported_extensions : 0x2fffff6f (805306223)
>> 1: DRSUAPI_SUPPORTED_EXTENSION_BASE
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
>> 1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
>> 1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
>> 0:
>> DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
>> 1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
>> 0: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY
>> 1: DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
>> 1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
>> 1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
>> 1: DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
>> 1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
>> 1: DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
>> 0:
>> DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
>> 1:
>> DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10
>> 0:
>> DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2
>> 0:
>> DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3
>> site_guid :
>> 229f5470-27e6-4f0f-994b-4073a5fc4dc5
>> pid : 0x00000000 (0)
>> repl_epoch : 0x00000000 (0)
>> bind_handle : *
>> bind_handle: struct policy_handle
>> handle_type : 0x00000000 (0)
>> uuid :
>> aba489c0-92cd-4a95-ba59-04b765e37884
>> result : WERR_OK
>> lpcfg_servicenumber: couldn't find ldb
>> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
>> netmask=255.255.255.0
>> added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
>> netmask=255.255.255.0
>> resolve_lmhosts: Attempting lmhosts lookup for name
>> inview-dc2.inview.local<0x20>
>> startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts.
>> Error was No such file or directory
>> Starting GENSEC mechanism spnego
>> Starting GENSEC submechanism gssapi_krb5
>> GSSAPI credentials for INVIEW-DC2$@INVIEW.LOCAL will expire in 36000 secs
>> Received smb_krb5 packet of length 1290
>> Received smb_krb5 packet of length 1312
>> gensec_gssapi: NO credentials were delegated
>> GSSAPI Connection will be cryptographically signed
>> drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
>> in: struct drsuapi_DsReplicaSync
>> bind_handle : *
>> bind_handle: struct policy_handle
>> handle_type : 0x00000000 (0)
>> uuid :
>> aba489c0-92cd-4a95-ba59-04b765e37884
>> level : 0x00000001 (1)
>> req : *
>> req : union
>> drsuapi_DsReplicaSyncRequest(case 1)
>> req1: struct drsuapi_DsReplicaSyncRequest1
>> naming_context : *
>> naming_context: struct
>> drsuapi_DsReplicaObjectIdentifier
>> __ndr_size : 0x0000005e (94)
>> __ndr_size_sid : 0x00000000 (0)
>> guid :
>> 00000000-0000-0000-0000-000000000000
>> sid : S-0-0
>> __ndr_size_dn : 0x00000012 (18)
>> dn :
>> 'dc=inview,dc=local'
>> source_dsa_guid :
>> 8be331d4-be37-43d6-9593-2ea1d095d504
>> source_dsa_dns : NULL
>> options : 0x00008018 (32792)
>> 0: DRSUAPI_DRS_ASYNC_OP
>> 0: DRSUAPI_DRS_GETCHG_CHECK
>> 0: DRSUAPI_DRS_UPDATE_NOTIFICATION
>> 0: DRSUAPI_DRS_ADD_REF
>> 1: DRSUAPI_DRS_SYNC_ALL
>> 1: DRSUAPI_DRS_DEL_REF
>> 1: DRSUAPI_DRS_WRIT_REP
>> 0: DRSUAPI_DRS_INIT_SYNC
>> 0: DRSUAPI_DRS_PER_SYNC
>> 0: DRSUAPI_DRS_MAIL_REP
>> 0: DRSUAPI_DRS_ASYNC_REP
>> 0: DRSUAPI_DRS_IGNORE_ERROR
>> 0: DRSUAPI_DRS_TWOWAY_SYNC
>> 0: DRSUAPI_DRS_CRITICAL_ONLY
>> 0: DRSUAPI_DRS_GET_ANC
>> 0: DRSUAPI_DRS_GET_NC_SIZE
>> 0: DRSUAPI_DRS_LOCAL_ONLY
>> 0: DRSUAPI_DRS_NONGC_RO_REP
>> 0: DRSUAPI_DRS_SYNC_BYNAME
>> 0: DRSUAPI_DRS_REF_OK
>> 1: DRSUAPI_DRS_FULL_SYNC_NOW
>> 1: DRSUAPI_DRS_NO_SOURCE
>> 0: DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS
>> 0: DRSUAPI_DRS_FULL_SYNC_PACKET
>> 0: DRSUAPI_DRS_SYNC_REQUEUE
>> 0: DRSUAPI_DRS_SYNC_URGENT
>> 0: DRSUAPI_DRS_REF_GCSPN
>> 0: DRSUAPI_DRS_NO_DISCARD
>> 0: DRSUAPI_DRS_NEVER_SYNCED
>> 0: DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING
>> 0: DRSUAPI_DRS_INIT_SYNC_NOW
>> 0: DRSUAPI_DRS_PREEMPTED
>> 0: DRSUAPI_DRS_SYNC_FORCED
>> 0: DRSUAPI_DRS_DISABLE_AUTO_SYNC
>> 0: DRSUAPI_DRS_DISABLE_PERIODIC_SYNC
>> 0: DRSUAPI_DRS_USE_COMPRESSION
>> 0: DRSUAPI_DRS_NEVER_NOTIFY
>> 0: DRSUAPI_DRS_SYNC_PAS
>> 0: DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP
>> ../librpc/rpc/dcerpc_util.c:234: auth_pad_length 12
>> drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
>> out: struct drsuapi_DsReplicaSync
>> result : WERR_BAD_NET_RESP
>> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
>> drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')
>> File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py",
>> line 350, in run
>> drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,
>> source_dsa_guid, NC, req_options)
>> File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py",
>> line 83, in sendDsReplicaSync
>> raise drsException("DsReplicaSync failed %s" % estr)
>>
>>
>>
>>
>>
>>
>>
>>
--
Chris Lewis
Systems Administrator
Inview Technology Ltd.
T: +44 (0) 1606 812500
M: +44 (0) 7980 446907
More information about the samba
mailing list