[Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE

Rowland Penny rpenny at samba.org
Sat Apr 6 12:31:11 UTC 2019 

On Sat, 6 Apr 2019 10:58:15 +0200
Martin Krämer via samba <samba at lists.samba.org> wrote:

> Hello everyone,
> 
> I have setup two Samba AD DC's running Debian 9 with BIND9_DLZ dns
> backend. Both are running Samba 4.5.16 - I know it is already very
> old version but this is the default one coming with debian stretch
> repo. (I will upgrade to Debian buster - and with this to newer Samba
> version - as soon as it is released stable and I could test the
> upgrade correctly :) )

See here:

http://apt.van-belle.nl/

> 
> location-000001.domain.de is one of the DCs hosting all FSMO
> Roles.location-000002.domain.de is the second one.
> Both are in different subnets but can reach each other.
> Unfortunately replication only works from location-000001.domain.de to
> location-000002.domain.de.
> The other way round I always end up with error:
> ----------
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (1326, 'WERR_LOGON_FAILURE')
> ----------
> 
> Additionally within journalctl I see:
> ----------Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076
> for
> ncacn_ip_tcp:192.168.13.251[1024,sign,target_hostname=location-000001.domain.de,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.13.251]
> NT_STATUS_LOGON_FAILURE ----------

Try reading and following this:

https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record#The_objectGUID_CNAME_Record

> 
>        Checking file: /etc/resolv.conf
> 
> # fai installation resolve.conf
> 
> #nameserver 127.0.0.1
> nameserver 192.168.13.251
> nameserver 192.168.30.251
> nameserver 8.8.4.4
> nameserver 192.168.13.254
> domain domain.de
> search domain.de
>

Why all the nameservers ?
You only need the DC itself

> 
>        Checking file: /etc/nsswitch.conf
> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages
> installed, try: # `info libc "Name Service Switch"' for information
> about this file.
> 
> passwd:         compat sss
> group:          compat sss
> shadow:         compat sss

Why are you using sssd ?
You do not seem to be using the DC as a fileserver.

> 
>        Checking file: /etc/samba/smb.conf
> 
> ## FAI generated smb.conf
> ## do not manually edit this file - changes might be overwritten

OH yes, definitely manually edit this by removing the rubbish FAI added
(what is FAI ?) :

[global]
	realm = DOMAIN.DE
	server role = active directory domain controller
	server services = -dns
	workgroup = DOMAIN
	idmap_ldb:use rfc2307 = yes
	ldap server require strong auth = no

[netlogon]
	read only = no
	path = /var/lib/samba/sysvol/domain.de/Scripts
[sysvol]
	read only = no
	path = /var/lib/samba/sysvol

Rowland

More information about the samba mailing list