[Samba] Replication Failure Issue

lingpanda101 lingpanda101 at gmail.com
Fri Mar 23 14:35:32 UTC 2018 

On 3/22/2018 8:06 PM, David Minard wrote:
> G'day All,
>
>     Will replay to all messages so far in this one to keep it all 
> together.
>
> On 21/03/18 22:52, lingpanda101 wrote:
>> On 3/21/2018 7:32 AM, David Minard via samba wrote:
>>> Thanks Carlos,
>>>
>>> The thing is, that I did not upgrade the version of Samba - that is 
>>> the next step, so the ports used would not have changed. I only 
>>> updated the OS.
>>>
>>>
>>>> On 21/03/2018, at 10:04 PM, Carlos Alberto Panozzo Cunha 
>>>> <carlos.hollow at gmail.com> wrote:
>>>>
>>>> Hi,
>>>> I have same problem after update for samba.
>>>> I allow new ports in firewall.
>>>>
>>>> https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
>>>>
>>>> Regards
>>>>
>>>>
>>>> On Wed, Mar 21, 2018, 00:15 David Minard via samba 
>>>> <samba at lists.samba.org> wrote:
>>>> G'day All,
>>>>
>>>>          I have 4 DCs on Centos 7.1. Everything was working really 
>>>> well for
>>>> years, including replication.
>>>>
>>>>          Then I decided that the OS needed updating. Did the yum 
>>>> update on one
>>>> of the DCs, rebooted. That server is now running Centos 7.4. Samba
>>>> seemed to start okay.
>>>>
>>>>          However, samba-tool drs showrepl gives this error on all 3 
>>>> of the other
>>>> DCs, and shows success on the updated DC.
>>>>
>>>> DC=DomainDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
>>>>          Default-First-Site-Name\SAMBA4-10 via RPC
>>>>                  DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
>>>>
>>>>                  Last attempt @ Wed Mar 21 12:58:13 2018 AEDT 
>>>> failed, result 58
>>>> (WERR_BAD_NET_RESP)
>>>>
>>>>                  10623 consecutive failure(s).
>>>>                  Last success @ Thu Mar  8 14:34:14 2018 AEDT
>>>>
>>>>
>>>>          Any thoughts on why this DC is now not replicating 
>>>> properly? Any
>>>> thoughts on how to remedy this?
>>>>
>>>>
>
>>>
>> You most likely will need to turn up the samba log level to get 
>> additional information but you can start with running 'yum history 
>> list all' and post results. This might help identify the changes that 
>> were made to the OS. Are you using bind or the internal DNS?
>>
>>
>
> I will turn up the logs and test it out.
>
> I use Bind-9.9.4-51 (before update 9.9.4-18)
>
> yum history shows 348 packages that got updated... Bind being one. 
> Will sift through them.
>
> My firewall is very lose. All ports are open for the subnets on which 
> the samba servers need to talk. eg:
>
> -A INPUT -s 172.20.0.0/16 -p tcp -m state --state NEW -m tcp -j ACCEPT
> -A INPUT -s 172.20.0.0/16 -p udp -m state --state NEW -m udp -j ACCEPT
>
> When I first set this up with 4.0.0-a2 (or whatever it was right at 
> the beginning), I was not able to work out what ports exactly were 
> needed, hence the lose rules. Now I see they are documented clearly on 
> the Samba site, I will tighten them up, but not until the issue is 
> resolved.
>
> My samba is complied from source. I am currently running 4.3.2. It's 
> been running flawlessly so no urgency to update, until the huge 
> security hole was announced the other week. Now I've got to get it 
> done, but want the ailing server going right first - or should I just 
> do the updates and then worry about the ailing server?
>
> Smb.conf:
>
> # Global parameters
> [global]
>     workgroup = SCEM_AD
>     realm = samba4.scem.westernsydney.edu.au
>     netbios name = SAMBA4-10
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
> winbindd, ntp_signd, kcc, dnsupdate
>
> #        log level = 1 auth:2
> # logs split per machine
>         log file = /var/log/samba/log.%m
>         # max 50KB per log file, then rotate
>         max log size = 0
>
> [netlogon]
>     path = 
> /usr/local/samba/var/locks/sysvol/samba4.scem.westernsydney.edu.au/scripts
>     read only = No
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>
>
> It is the out of the box config from the original provision.
>
>
I myself would hold off updating until you correct the DC's with the 
issues. Anything in the Samba logs or yum history stand out? You can try 
and force replication 'samba-tool drs replicate --full-sync' from 
FirstDC to SecondDC.

-- 
--
James

More information about the samba mailing list