[Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE

Martin Krämer mk.maddin at gmail.com
Sat Apr 6 08:58:15 UTC 2019


Hello everyone,

I have set up two Samba AD DCs running Debian 9 with the BIND9_DLZ DNS backend.
Both are running Samba 4.5.16 - I know it is already a very old version,
but this is the default one coming with the Debian stretch repo.
(I will upgrade to Debian buster - and with this to a newer Samba
version - as soon as it is released stable and I could test the
upgrade correctly :) )

location-000001.domain.de is one of the DCs, hosting all FSMO
roles. location-000002.domain.de is the second one.
Both are in different subnets but can reach each other.
Unfortunately replication only works from location-000001.domain.de to
location-000002.domain.de.
The other way round I always end up with this error:
----------
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (1326, 'WERR_LOGON_FAILURE')
----------

Additionally within journalctl I see:
----------
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076
for ncacn_ip_tcp:192.168.13.251[1024,sign,target_hostname=location-000001.domain.de,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.13.251]
NT_STATUS_LOGON_FAILURE
----------

I already searched the web etc., but unfortunately I did not find
any really useful hints.
It seems most "NT_STATUS_LOGON_FAILURE" errors are related to
Windows clients trying to access Samba shares - not replication between
two Samba DCs.

Below I tried to capture all possible relevant information.
If further information is required please let me know.

Thanks for any hint pointing me in the right direction.
Maybe you know which log file I should check etc.

Kind regards,

mk-maddin


--------ADDITIONAL DETAILS--------

root at location-000001.domain.de: samba-setup-checkup.sh
Check hostnames : Ok
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 192.168.13.254 : Ok
Warning, no ping to gateway, this might be firewalled.
check you internet connection, AD DNS might need it.
Check ping google dns : 8.8.8.8 : Ok
Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
Check you internet connection, AD DNS might need it.
Checking file owner..
-rw-r--r-- root root 	 /etc/samba/smb.conf
Checking file owner..
-rw-r--r-- root root 	 /etc/samba/lmhosts
Checking file owner..
-rw-r--r-- root root 	 /etc/samba/smbpasswd
drwxr-xr-x root root 	 /usr/bin
drwxr-xr-x root root 	 /var/cache/samba
drwxr-xr-x root root 	 /usr/lib/x86_64-linux-gnu
drwxr-xr-x root root 	 /var/run/samba
drwxr-x--- root adm 	 /var/log/samba
drwxr-xr-x root root 	 /usr/lib/x86_64-linux-gnu/samba
drwxr-xr-x root root 	 /var/run/samba
drwxr-xr-x root root 	 /var/lib/samba/private
drwxr-xr-x root root 	 /usr/sbin
drwxr-xr-x root root 	 /var/lib/samba
DCS location-000001.domain.delocation-000002.domain.de
DC1 location-000001.domain.de
DC2 location-000002.domain.de
Samba AD DC info:             =  detected (command and where to look)
This server hostname          = location-000001 (hostname -s and
/etc/hosts and DNS server)
This server FQDN (hostname)   = location-000001.domain.de (hostname -f
and /etc/hosts and DNS server)
This server primary dnsdomain = domain.de (hostname -d and
/etc/resolv.conf and DNS server)
This server IP address(ses)   = 192.168.13.251  Only one interface
detected (hostname -i (-I) and /etc/networking/interfaces and DNS
server
The DC with FSMO roles        = LOCATION-000001 (samba-tool fsmo show)
The DC (with FSMO) Site name  = Default-First-Site-Name (samba-tool fsmo show)
The Default Naming Context    = DC=domain,DC=de (samba-tool fsmo show)
The Kerberos REALM name used  = DOMAIN.DE    (kinit and /etc/krb5.conf
and resolving)
The Ipadres of DC location-000001.domain.de        = 192.168.13.251
The Ipadres of DC location-000002.domain.de        = 192.168.30.251
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver

root at location-000001.domain.de: samba-collect-debug-info.sh
Password for Administrator at DOMAIN.DE:
Please wait, collecting debug info.
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
ncacn_ip_tcp:192.168.13.251[1024,sign,target_hostname=location-000001.domain.de,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.13.251]
NT_STATUS_LOGON_FAILURE
ERROR: Connecting to DNS RPC server location-000001.domain.de failed
with (-1073741715, 'Logon failure')
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
ncacn_ip_tcp:192.168.13.251[1024,sign,target_hostname=location-000001.domain.de,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.13.251]
NT_STATUS_LOGON_FAILURE
ERROR: Connecting to DNS RPC server location-000001.domain.de failed
with (-1073741715, 'Logon failure')
The debug info about your system can be found in this file:
/tmp/samba-debug-info.txt
Please check this and if required, sanitise it.
Then copy & paste it into an  email to the samba list
Do not attach it to the email, the Samba mailing list strips
attachments.

root at location-000001.domain.de: cat /tmp/samba-debug-info.txt
Collected config  --- 2019-04-06-08:30 -----------

Hostname: location-000001
DNS Domain: domain.de
FQDN: location-000001.domain.de
ipaddress: 192.168.13.251

-----------

Samba is running as an AD DC

-----------
       Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------


This computer is running Debian 9.8 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
    link/ether 52:54:00:04:58:c9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.13.251/24 brd 192.168.13.255 scope global eth0
    inet6 fe80::5054:ff:fe04:58c9/64 scope link

-----------
       Checking file: /etc/hosts

##--FAI default hosts file
127.0.0.1	localhost
::1		localhost ip6-localhost ip6-loopback
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters

192.168.13.251 location-000001.domain.de location-000001
192.168.30.251 location-000002.domain.de location-000002

-----------

       Checking file: /etc/resolv.conf

# fai installation resolve.conf

#nameserver 127.0.0.1
nameserver 192.168.13.251
nameserver 192.168.30.251
nameserver 8.8.4.4
nameserver 192.168.13.254
domain domain.de
search domain.de

-----------

       Checking file: /etc/krb5.conf

[libdefaults]
	default_realm = DOMAIN.DE
	dns_lookup_realm = false
	dns_lookup_kdc = true

-----------

       Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat sss
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss

-----------

       Checking file: /etc/samba/smb.conf

## FAI generated smb.conf
## do not manually edit this file - changes might be overwritten

[global]
	server services = -dns
	ldap server require strong auth = no
	tls cafile = tls/ca.pem
	tls certfile = tls/cert.pem
	tls keyfile = tls/key.pem
	tls enabled = yes
	idmap_ldb:use rfc2307 = yes
	server role = active directory domain controller
	usershare allow guests = No
	realm = DOMAIN.DE
	kerberos method = secrets and keytab
	client use spnego = yes
	client signing = yes
	workgroup = DOMAIN
[netlogon]
	read only = no
	path = /var/lib/samba/sysvol/domain.de/Scripts
[sysvol]
	read only = no
	path = /var/lib/samba/sysvol

-----------

Detected bind DLZ enabled..
       Checking file: /etc/bind/named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

-----------

       Checking file: /etc/bind/named.conf.options

options {
	tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
	allow-recursion { all-networks; 127.0.0.1/32; };
	allow-query { all-networks; 127.0.0.1/32; };
	empty-zones-enable no;
	notify no;
	listen-on port 53 { thisserverip; 127.0.0.1; };
	forwarders { 192.168.30.251; 8.8.4.4; 192.168.13.254; };
	version "0.0.7";
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// Uncomment the following block, and insert the addresses replacing
	// the all-0's placeholder.

	// forwarders {
	// 	0.0.0.0;
	// };

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation no;

	auth-nxdomain yes; # conform to RFC1035=no but we are the Authoritive server
	listen-on-v6 { none; };
};

acl thisserverip {
	192.168.13.251;
};
acl all-networks {
	192.168.13.0/24;
};
include "/etc/bind/rndc.key";
controls {
	inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
};

-----------

       Checking file: /etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

include "/var/lib/samba/private/named.conf";

-----------

       Checking file: /etc/bind/named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
	type hint;
	file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};

-----------

Samba DNS zone list:
Samba DNS zone list Automated check :

Installed packages:
ii  acl                               2.2.52-3+b1
amd64        Access control list utilities
ii  attr                              1:2.4.47-2+b2
amd64        Utilities for manipulating filesystem extended attributes
ii  krb5-config                       2.6
all          Configuration files for Kerberos Version 5
ii  krb5-user                         1.15-1+deb9u1
amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                     2.2.52-3+b1
amd64        Access control list shared library
ii  libattr1:amd64                    1:2.4.47-2+b2
amd64        Extended attribute shared library
ii  libfile-lchown-perl               0.02-2+b2
amd64        module to modify attributes of symlinks without
dereferencing them
ii  libgssapi-krb5-2:amd64            1.15-1+deb9u1
amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64          7.1.0+dfsg-13+deb9u2
amd64        Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                   1.15-1+deb9u1
amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64             1.15-1+deb9u1
amd64        MIT Kerberos runtime libraries - Support library
ii  libsmbclient:amd64                2:4.5.16+dfsg-1
amd64        shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64                2:4.5.16+dfsg-1
amd64        Samba winbind client library
ii  python-samba                      2:4.5.16+dfsg-1
amd64        Python bindings for Samba
ii  samba                             2:4.5.16+dfsg-1
amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                      2:4.5.16+dfsg-1
all          common files used by both the Samba server and client
ii  samba-common-bin                  2:4.5.16+dfsg-1
amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules                2:4.5.16+dfsg-1
amd64        Samba Directory Services Database
ii  samba-libs:amd64                  2:4.5.16+dfsg-1
amd64        Samba core libraries
ii  samba-vfs-modules                 2:4.5.16+dfsg-1
amd64        Samba Virtual FileSystem plugins
ii  smbclient                         2:4.5.16+dfsg-1
amd64        command-line SMB/CIFS clients for Unix
ii  sssd-krb5                         1.15.0-3
amd64        System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common                  1.15.0-3
amd64        System Security Services Daemon -- Kerberos helpers
ii  winbind                           2:4.5.16+dfsg-1
amd64        service to resolve user and group information from
Windows NT servers

-----------

root at location-000001.domain.de: kinit -k -i "LOCATION-000001$"
root at location-000001.domain.de: klist
Ticket cache: FILE:/tmp/krb5cc_1334401137_DLDYzd
Default principal: LOCATION-000001$@DOMAIN.DE

Valid starting       Expires              Service principal
04/06/2019 08:30:26  04/06/2019 18:30:26  krbtgt/DOMAIN.DE at DOMAIN.DE
	renew until 04/07/2019 08:30:26
root at location-000001.domain.de: 192.168.13.251
251.13.168.192.in-addr.arpa domain name pointer location-000001.domain.de.
root at location-000001.domain.de: host location-000001.domain.de
location-000001.domain.de has address 192.168.13.251
root at location-000001.domain.de: host 192.168.30.251
251.30.168.192.in-addr.arpa domain name pointer location-000002.domain.de.
root at location-000001.domain.de: host location-000002.domain.de
location-000002.domain.de has address 192.168.30.251
root at location-000001.domain.de: host -t CNAME 2cb772ba-41ef-450f-bd04-706c5e21fbc7._msdcs.domain.de
2cb772ba-41ef-450f-bd04-706c5e21fbc7._msdcs.domain.de is an alias for location-000001.domain.de.
root at location-000001.domain.de: host -t CNAME 1204a63a-c247-42f0-8144-68ab35632e03._msdcs.domain.de
1204a63a-c247-42f0-8144-68ab35632e03._msdcs.domain.de is an alias for location-000002.domain.de.
root at location-000001.domain.de: samba-tool drs replicate -k yes location-000001.domain.de location-000002.domain.de DC=domain,DC=de
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (1326, 'WERR_LOGON_FAILURE')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
root at location-000001.domain.de: samba-tool drs replicate -k yes location-000002.domain.de location-000001.domain.de DC=domain,DC=de
Replicate from location-000001.domain.de to location-000002.domain.de was successful.
root at location-000001.domain.de: samba-tool drs showrepl -k yes
Default-First-Site-Name\LOCATION-000001
DSA Options: 0x00000001
DSA object GUID: 2cb772ba-41ef-450f-bd04-706c5e21fbc7
DSA invocationId: 6726b0b3-edc3-46ea-9d97-a1aea14b20ec

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=domain,DC=de
	Default-First-Site-Name\LOCATION-000002 via RPC
		DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
		Last attempt @ Sat Apr  6 08:28:19 2019 UTC failed, result 1326
(WERR_LOGON_FAILURE)
		160 consecutive failure(s).
		Last success @ Fri Apr  5 19:47:00 2019 UTC

DC=DomainDnsZones,DC=domain,DC=de
	Default-First-Site-Name\LOCATION-000002 via RPC
		DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
		Last attempt @ Sat Apr  6 08:28:19 2019 UTC failed, result 1326
(WERR_LOGON_FAILURE)
		168 consecutive failure(s).
		Last success @ Fri Apr  5 19:47:00 2019 UTC

DC=domain,DC=de
	Default-First-Site-Name\LOCATION-000002 via RPC
		DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
		Last attempt @ Sat Apr  6 08:30:27 2019 UTC failed, result 1326
(WERR_LOGON_FAILURE)
		191 consecutive failure(s).
		Last success @ Fri Apr  5 19:47:00 2019 UTC

CN=Schema,CN=Configuration,DC=domain,DC=de
	Default-First-Site-Name\LOCATION-000002 via RPC
		DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
		Last attempt @ Sat Apr  6 08:28:19 2019 UTC failed, result 1326
(WERR_LOGON_FAILURE)
		159 consecutive failure(s).
		Last success @ Fri Apr  5 19:47:00 2019 UTC

CN=Configuration,DC=domain,DC=de
	Default-First-Site-Name\LOCATION-000002 via RPC
		DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
		Last attempt @ Sat Apr  6 08:28:19 2019 UTC failed, result 1326
(WERR_LOGON_FAILURE)
		159 consecutive failure(s).
		Last success @ Fri Apr  5 19:47:00 2019 UTC

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=domain,DC=de
	Default-First-Site-Name\LOCATION-000002 via RPC
		DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
		Last attempt @ Sat Apr  6 08:30:24 2019 UTC failed, result 1326
(WERR_LOGON_FAILURE)
		3 consecutive failure(s).
		Last success @ NTTIME(0)

DC=DomainDnsZones,DC=domain,DC=de
	Default-First-Site-Name\LOCATION-000002 via RPC
		DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
		Last attempt @ Sat Apr  6 08:30:24 2019 UTC failed, result 1326
(WERR_LOGON_FAILURE)
		3 consecutive failure(s).
		Last success @ NTTIME(0)

DC=domain,DC=de
	Default-First-Site-Name\LOCATION-000002 via RPC
		DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s).
		Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=domain,DC=de
	Default-First-Site-Name\LOCATION-000002 via RPC
		DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
		Last attempt @ Sat Apr  6 08:30:25 2019 UTC failed, result 1326
(WERR_LOGON_FAILURE)
		3 consecutive failure(s).
		Last success @ NTTIME(0)

CN=Configuration,DC=domain,DC=de
	Default-First-Site-Name\LOCATION-000002 via RPC
		DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
		Last attempt @ Sat Apr  6 08:30:25 2019 UTC failed, result 1326
(WERR_LOGON_FAILURE)
		3 consecutive failure(s).
		Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
	Connection name: 68b39459-45f1-4221-ba3e-bc096201023c
	Enabled        : TRUE
	Server DNS name : location-000002.domain.de
	Server DN name  : CN=NTDS
Settings,CN=LOCATION-000002,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=de
		TransportType: RPC
		options: 0x00000001
Warning: No NC replicated for Connection!
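As an added example (not part of the original post and not Samba's own code), a small replication monitor that parses `samba-tool drs showrepl` output of the shape quoted above and flags neighbours whose last attempt failed (here Win32 error 1326, WERR_LOGON_FAILURE) or that accumulate consecutive failures; the sample text is constructed to match the post's output, including the error name that the mail client wrapped onto its own line.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the `samba-tool drs showrepl` output quoted
# above, including the mail-wrapped "(WERR_LOGON_FAILURE)" line.
SAMPLE_SHOWREPL = (
    "\n==== INBOUND NEIGHBORS ====\n\n"
    "DC=domain,DC=de\n"
    "\tDefault-First-Site-Name\\LOCATION-000002 via RPC\n"
    "\t\tDSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03\n"
    "\t\tLast attempt @ Sat Apr  6 08:30:27 2019 UTC failed, result 1326\n"
    "(WERR_LOGON_FAILURE)\n"
    "\t\t191 consecutive failure(s).\n"
    "\t\tLast success @ Fri Apr  5 19:47:00 2019 UTC\n"
    "\n==== OUTBOUND NEIGHBORS ====\n\n"
    "DC=domain,DC=de\n"
    "\tDefault-First-Site-Name\\LOCATION-000002 via RPC\n"
    "\t\tLast attempt @ NTTIME(0) was successful\n"
    "\t\t0 consecutive failure(s).\n"
    "\n==== KCC CONNECTION OBJECTS ====\n"
)

@dataclass
class Neighbour:
    direction: str        # "INBOUND" or "OUTBOUND"
    partition: str        # naming context, e.g. DC=domain,DC=de
    partner: str          # Site\DC of the replication partner
    failures: int = 0     # consecutive failure count reported by showrepl
    result: int = 0       # Win32 error of the last attempt, 0 = success
    error_name: str = ""  # symbolic name, e.g. WERR_LOGON_FAILURE

def parse_showrepl(text):
    # Re-join an error name that a mail client wrapped onto its own line.
    text = re.sub(r"\n\((\w+)\)", r" (\1)", text)
    neighbours, direction, partition, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"==== (INBOUND|OUTBOUND) NEIGHBORS ====", line)
        if head:
            direction = head.group(1)
        elif line.startswith("==== KCC"):
            break                                   # connection objects, not neighbours
        elif not direction or not line:
            continue
        elif not raw.startswith("\t"):              # unindented: naming context
            partition = line
        elif line.endswith(" via RPC"):             # one tab: partner DC
            cur = Neighbour(direction, partition, line[:-len(" via RPC")])
            neighbours.append(cur)
        elif cur and line.startswith("Last attempt"):
            m = re.search(r"failed, result (\d+)(?: \((\w+)\))?", line)
            if m:
                cur.result, cur.error_name = int(m.group(1)), m.group(2) or ""
        elif cur and line.endswith("consecutive failure(s)."):
            cur.failures = int(line.split()[0])
    return neighbours

def failing(neighbours, max_failures=0):
    """Neighbours a monitor should alert on: last attempt failed or too many in a row."""
    return [n for n in neighbours if n.result != 0 or n.failures > max_failures]
```

Running `failing(parse_showrepl(...))` over the post's full output would list every inbound partition from LOCATION-000002 with error 1326, which is the one-directional pattern the post describes.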

