[Samba] Replication Failure Issue

David Minard david at scem.westernsydney.edu.au
Sun Mar 25 23:01:48 UTC 2018 


On 24/03/18 01:35, lingpanda101 wrote:
> On 3/22/2018 8:06 PM, David Minard wrote:
>> G'day All,
>>
>>     Will replay to all messages so far in this one to keep it all 
>> together.
>>
>> On 21/03/18 22:52, lingpanda101 wrote:
>>> On 3/21/2018 7:32 AM, David Minard via samba wrote:
>>>> Thanks Carlos,
>>>>
>>>> The thing is, that I did not upgrade the version of Samba - that is 
>>>> the next step, so the ports used would not have changed. I only 
>>>> updated the OS.
>>>>
>>>>
>>>>> On 21/03/2018, at 10:04 PM, Carlos Alberto Panozzo Cunha 
>>>>> <carlos.hollow at gmail.com> wrote:
>>>>>
>>>>> Hi,
>>>>> I have same problem after update for samba.
>>>>> I allow new ports in firewall.
>>>>>
>>>>> https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
>>>>>
>>>>> Regards
>>>>>
>>>>>
>>>>> On Wed, Mar 21, 2018, 00:15 David Minard via samba 
>>>>> <samba at lists.samba.org> wrote:
>>>>> G'day All,
>>>>>
>>>>>          I have 4 DCs on Centos 7.1. Everything was working really 
>>>>> well for
>>>>> years, including replication.
>>>>>
>>>>>          Then I decided that the OS needed updating. Did the yum 
>>>>> update on one
>>>>> of the DCs, rebooted. That server is now running Centos 7.4. Samba
>>>>> seemed to start okay.
>>>>>
>>>>>          However, samba-tool drs showrepl gives this error on all 3 
>>>>> of the other
>>>>> DCs, and shows success on the updated DC.
>>>>>
>>>>> DC=DomainDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
>>>>>          Default-First-Site-Name\SAMBA4-10 via RPC
>>>>>                  DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
>>>>>
>>>>>                  Last attempt @ Wed Mar 21 12:58:13 2018 AEDT 
>>>>> failed, result 58
>>>>> (WERR_BAD_NET_RESP)
>>>>>
>>>>>                  10623 consecutive failure(s).
>>>>>                  Last success @ Thu Mar  8 14:34:14 2018 AEDT
>>>>>
>>>>>
>>>>>          Any thoughts on why this DC is now not replicating 
>>>>> properly? Any
>>>>> thoughts on how to remedy this?
>>>>>
>>>>>
>>
>>>>
>>> You most likely will need to turn up the samba log level to get 
>>> additional information but you can start with running 'yum history 
>>> list all' and post results. This might help identify the changes that 
>>> were made to the OS. Are you using bind or the internal DNS?
>>>
>>>
>>
>> I will turn up the logs and test it out.
>>
>> I use Bind-9.9.4-51 (before update 9.9.4-18)
>>
>> yum history shows 348 packages that got updated... Bind being one. 
>> Will sift through them.
>>
>> My firewall is very lose. All ports are open for the subnets on which 
>> the samba servers need to talk. eg:
>>
>> -A INPUT -s 172.20.0.0/16 -p tcp -m state --state NEW -m tcp -j ACCEPT
>> -A INPUT -s 172.20.0.0/16 -p udp -m state --state NEW -m udp -j ACCEPT
>>
>> When I first set this up with 4.0.0-a2 (or whatever it was right at 
>> the beginning), I was not able to work out what ports exactly were 
>> needed, hence the lose rules. Now I see they are documented clearly on 
>> the Samba site, I will tighten them up, but not until the issue is 
>> resolved.
>>
>> My samba is complied from source. I am currently running 4.3.2. It's 
>> been running flawlessly so no urgency to update, until the huge 
>> security hole was announced the other week. Now I've got to get it 
>> done, but want the ailing server going right first - or should I just 
>> do the updates and then worry about the ailing server?
>>
>> Smb.conf:
>>
>> # Global parameters
>> [global]
>>     workgroup = SCEM_AD
>>     realm = samba4.scem.westernsydney.edu.au
>>     netbios name = SAMBA4-10
>>     server role = active directory domain controller
>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
>> winbindd, ntp_signd, kcc, dnsupdate
>>
>> #        log level = 1 auth:2
>> # logs split per machine
>>         log file = /var/log/samba/log.%m
>>         # max 50KB per log file, then rotate
>>         max log size = 0
>>
>> [netlogon]
>>     path = 
>> /usr/local/samba/var/locks/sysvol/samba4.scem.westernsydney.edu.au/scripts 
>>
>>     read only = No
>>
>> [sysvol]
>>     path = /usr/local/samba/var/locks/sysvol
>>     read only = No
>>
>>
>> It is the out of the box config from the original provision.
>>
>>
> I myself would hold off updating until you correct the DC's with the 
> issues. Anything in the Samba logs or yum history stand out? You can try 
> and force replication 'samba-tool drs replicate --full-sync' from 
> FirstDC to SecondDC.
> 

Going through the yum history, there were 348 updates. Bind,
     Updated     iproute-3.10.0-21.el7.x86_64 
          @base
     Update              3.10.0-87.el7.x86_64 
          @base
     Updated     iprutils-2.4.3-3.el7.x86_64 
          @base
     Update               2.4.14.1-1.el7.x86_64 
          @base
     Updated     iptables-1.4.21-13.el7.x86_64 
          @anaconda
     Update               1.4.21-18.2.el7_4.x86_64 
          @updates
     Updated     iptables-services-1.4.21-13.el7.x86_64 
          @base
     Update                        1.4.21-18.2.el7_4.x86_64 
          @updates
     Updated     iputils-20121221-6.el7_1.1.x86_64 
          @updates
     Update              20160308-10.el7.x86_64 
          @base


The firmware updates.

I can list them all, but it's rather long (348 updates).
Never needed to, but can I undo certain yum updates?

Nothing seems to stand out in the samba logs either. Will investigate 
with higher debug levels between working and less working server.

I will try the forced replication with debug flag.


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the samba mailing list