[Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
Rowland Penny
rpenny at samba.org
Sat Apr 6 12:31:11 UTC 2019
On Sat, 6 Apr 2019 10:58:15 +0200
Martin Krämer via samba <samba at lists.samba.org> wrote:
> Hello everyone,
>
> I have set up two Samba AD DCs running Debian 9 with BIND9_DLZ DNS
> backend. Both are running Samba 4.5.16 - I know it is already a very
> old version but this is the default one coming with the Debian stretch
> repo. (I will upgrade to Debian buster - and with this to a newer Samba
> version - as soon as it is released stable and I could test the
> upgrade correctly :) )
See here:
http://apt.van-belle.nl/
>
> location-000001.domain.de is one of the DCs hosting all FSMO
> Roles. location-000002.domain.de is the second one.
> Both are in different subnets but can reach each other.
> Unfortunately replication only works from location-000001.domain.de to
> location-000002.domain.de.
> The other way round I always end up with error:
> ----------
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (1326, 'WERR_LOGON_FAILURE')
> ----------
>
> Additionally within journalctl I see:
> ----------
> Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:192.168.13.251[1024,sign,target_hostname=location-000001.domain.de,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.13.251] NT_STATUS_LOGON_FAILURE
> ----------
Try reading and following this:
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record#The_objectGUID_CNAME_Record
>
> Checking file: /etc/resolv.conf
>
> # fai installation resolve.conf
>
> #nameserver 127.0.0.1
> nameserver 192.168.13.251
> nameserver 192.168.30.251
> nameserver 8.8.4.4
> nameserver 192.168.13.254
> domain domain.de
> search domain.de
>
Why all the nameservers?
You only need the DC itself.
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat sss
> group: compat sss
> shadow: compat sss
Why are you using sssd?
You do not seem to be using the DC as a fileserver.
>
> Checking file: /etc/samba/smb.conf
>
> ## FAI generated smb.conf
> ## do not manually edit this file - changes might be overwritten
Oh yes, definitely manually edit this by removing the rubbish FAI added
(what is FAI?):

[global]
    realm = DOMAIN.DE
    server role = active directory domain controller
    server services = -dns
    workgroup = DOMAIN
    idmap_ldb:use rfc2307 = yes
    ldap server require strong auth = no

[netlogon]
    read only = no
    path = /var/lib/samba/sysvol/domain.de/Scripts

[sysvol]
    read only = no
    path = /var/lib/samba/sysvol

Rowland