[Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE

Martin Krämer mk.maddin at gmail.com
Wed Apr 10 17:47:27 UTC 2019


Hello All,

I just discovered that I unfortunately sent my last mail only to Louis - not
the list.
So my answers are included below (and the log outputs that were requested).

Nevertheless, in the meantime I have investigated further into SAMBA & winbind.
I was able to set up a samba dc based on previous instructions and guidelines
successfully.

I additionally setup a debian samba member with winbind.
Unfortunately on that samba member I faced the issue of "Could not convert
sid: NT_STATUS_NO_SUCH_USER"
when trying to run "winbind -i <username>" while "winbind -n <username>"
works correctly on the client.
(On the DC both commands work correctly.)

With some more research I found the following articles:
https://wiki.samba.org/index.php/Idmap_config_ad
and
https://wiki.samba.org/index.php/Adding_users_with_samba_tool#Adding_Unix_attributes_to_a_Windows_user

But after reading these two articles I am left over with some questions I
hope you can help me with:
1. Did I understand correctly that if I want to make sure winbind resolve
is working correctly (independently of Samba user, Samba group or samba
computer account) I have to set
   non overlapping uidNumber for users and computers and non overlapping
gidNumber for groups?
2. Did I understand correctly that these uid- & gidNumbers cannot be set
automatically/managed by samba-tool or any other linux out of box tool?
3. Did I understand correctly that on windows the "Active directory users
and Computers" (ADUC) sets automatically/manages the uid- & gidNumbers for
users & groups, but not for computers?
4. Did I understand correctly that if I set the uid- & gidNumbers via
samba-tool or ldbedit there is no verification if an uid- & gidNumber
already exists?
--- that was the understanding part - now the real questions :) ---
5. Assuming 3&4 is correct, what happens if I create one user/group via
samba-tool/ldbedit and another one via ADUC - does ADUC take care of not
using the same uid-/gidNumber as of the user created/set within
samba-tool/ldbedit?
6. Assuming 2 is correct that means I have to take care about setting the
uid- & gidNumbers (and no overlappings) by myself if not using ADUC (even
with ADUC I have to take care about uidNumber of computers by myself - but
that's only secondary).
   Nevertheless I know that on my domain controller I can receive a uid-
& gidNumber of the user/group independently of this being set in AD by
using "wbinfo --name-to-sid <myuser>" and using the resolved SID further in
"wbinfo --sid-to-uid <SID>".
   Based on this I could run a cronjob (just as a concept - maybe cronjob
is not best solution) that sets the uid- & gidNumber received from the DC
as a global AD uid- & gidNumber.
   Would this make sure the uid- & gidNumbers for users, computers and
groups do not overlap?
7. If 6 would be implemented - what happens if I have a second DC...will
the uid- & gidNumbers received there differentiate to the ones of DC1?
   (If they would differentiate I assume I would have to make sure the
cronjob runs only on the FSMO role owner or?)
8. If 7 would be implemented with the FSMO role owner only - what would
happen if that FSMO role owner has gone/will go offline and I would have to
online/offline transfer - not seize - the FSMO roles (and with them the
cronjob)?
    Would the resolved uid- & gidNumbers still not overlap?

Thanks for answers/help regarding above in advance :)

Martin

On Mon, 8 Apr 2019 at 18:09, Martin Krämer <mk.maddin at gmail.com> wrote:

> Thanks for your reply.
> Below some comments.
>
> On Mon, 8 Apr 2019 at 11:06, L.P.H. van Belle via samba <
> samba at lists.samba.org> wrote:
>
>> Hai,
>>
>> I have a few things on this thread.
>>
>> For the DsReplicaSync error, I would suggest these steps first.
>> DC2, change the resolv.conf, set DC1 first, then DC2, reboot.
>> Wait 5 min, now check replication again, if it's ok, now you can change
>> the resolv.conf backup.
>
>
> Tried this - unfortunately no change.
> As I see it currently - yes it is a problem with replication but from my
> point of view only secondary.
> The primary error seems to be the authentication of DC2 against DC1 - like
> DC2 would have lost the domain membership like this sometimes happens on
> windows devices and AD....
>
>
>>
>> The samba_dnsupdate might work also, but in my experience a reboot is
>> often needed, don't ask why.
>> I don't know and never investigated it because a reboot works for me all
>> the times.
>>
> As written earlier to Rowland, samba_dnsupdate runs smoothly without
> any errors...
>
>
>>
>> On the replication error.
>> Run this script on both DC's and show the output.
>>
>> https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-db-repl.sh
>> Dont need all, just the results.
>>
>>
> I think the output you are asking for is the following (I tested
> administrator password to be correct three times):
>
> ---------------- DC1 -----------------
> Running with with console output
> Checking the DC_With_FSMO (location-000001) with SAMBA DC:
> location-000002.domain.de
> Running : /usr/bin/samba-tool ldapcmp --filter="whenChanged,dc,DC,cn,CN"
> ldap://location-000001.domain.de ldap://location-000002.domain.de
> Please wait.. this can take a while..
> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C:
> LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e,
> v1db1> <>
> Failed to connect to 'ldap://location-000001.domain.de' with backend
> 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr:
> DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
> ERROR(ldb): uncaught exception - LDAP error 49 LDAP_INVALID_CREDENTIALS -
> <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error,
> data 52e, v1db1> <>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
> 962, in run
>     outf=self.outf, errf=self.errf)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
> 64, in __init__
>     options=ldb_options)
>   File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115, in
> __init__
>     self.connect(url, flags, options)
> .. Next check..
> Running : samba-tool drs showrepl
>          failures don't match
>         successes don't match
>
> ---------------- DC2 -----------------
> Running with with console output
> Checking the DC_With_FSMO (location-000001) with SAMBA DC:
> location-000002.domain.de
> Running : /usr/bin/samba-tool ldapcmp --filter="whenChanged,dc,DC,cn,CN"
> ldap://location-000001.domain.de ldap://location-000002.domain.de
> Please wait.. this can take a while..
> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C:
> LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e,
> v1db1> <>
> Failed to connect to 'ldap://location-000002.domain.de' with backend
> 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr:
> DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
> ERROR(ldb): uncaught exception - LDAP error 49 LDAP_INVALID_CREDENTIALS -
> <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error,
> data 52e, v1db1> <>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
> 968, in run
>     outf=self.outf, errf=self.errf)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line
> 64, in __init__
>     options=ldb_options)
>   File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115, in
> __init__
>     self.connect(url, flags, options)
> .. Next check..
> Running : samba-tool drs showrepl
>          failures don't match
>         successes don't match
>
>
> BUT - what works correctly is if I authenticate like the following by
> using kerberos:
>
> ---------------- DC1 -----------------
> /usr/bin/samba-tool ldapcmp -k yes --filter="whenChanged,dc,DC,cn,CN"
> ldap://location-000001.domain.de ldap://location-000002.domain.de
>
> * Comparing [DOMAIN] context...
>
> * Objects to be compared: 353
>
> Comparing:
> 'CN=Administrator,CN=Users,DC=domain,DC=de' [ldap://
> location-000001.domain.de]
> 'CN=Administrator,CN=Users,DC=domain,DC=de' [ldap://
> location-000002.domain.de]
>     Difference in attribute values:
>         lastLogonTimestamp =>
> ['131990081769899510']
> ['131990081770581220']
>     FAILED
>
> Comparing:
> 'CN=LOCATION-000001,OU=Domain Controllers,DC=domain,DC=de' [ldap://
> location-000001.domain.de]
> 'CN=LOCATION-000001,OU=Domain Controllers,DC=domain,DC=de' [ldap://
> location-000002.domain.de]
>     Difference in attribute values:
>         lastLogonTimestamp =>
> ['131991113774626660']
> ['131991113774175790']
>     FAILED
>
> Comparing:
> 'CN=LOCATION-000002,OU=Domain Controllers,DC=domain,DC=de' [ldap://
> location-000001.domain.de]
> 'CN=LOCATION-000002,OU=Domain Controllers,DC=domain,DC=de' [ldap://
> location-000002.domain.de]
>     Difference in attribute values:
>         lastLogonTimestamp =>
> ['131987828972205070']
> ['131990122230450530']
>         pwdLastSet =>
> ['131964524527478280']
> ['131990983474537410']
>     FAILED
>
> * Result for [DOMAIN]: FAILURE
>
> SUMMARY
> ---------
>
> Attributes with different values:
>
>     lastLogonTimestamp
>     pwdLastSet
>
> * Comparing [CONFIGURATION] context...
>
> * Objects to be compared: 1615
>
>
>
> * Result for [CONFIGURATION]: SUCCESS
>
> * Comparing [SCHEMA] context...
>
> * Objects to be compared: 1561
>
> * Result for [SCHEMA]: SUCCESS
>
> * Comparing [DNSDOMAIN] context...
>
> * Objects to be compared: 115
>
> * Result for [DNSDOMAIN]: FAILURE
>
> SUMMARY
> ---------
>
> Attributes with different values:
>
>     dnsRecord
>
> * Comparing [DNSFOREST] context...
>
> * Objects to be compared: 18
>
> * Result for [DNSFOREST]: SUCCESS
> ERROR: Compare failed: -1
>
>
>
>> About the howto and packages.
>> If you're now on 4.5.16 ( official debian ), then the shown howto's are
>> good.
>> If you upgrade to higher, then you might need to adjust some settings in
>> smb.conf,
>> which are shown in the upgrade-into.txt and of course the samba change
>> logs.
>>
>>
> yep - of course I will start with test environment and check first :)
>
>
>>
>> About sssd, yes I could build these also, but that would increase my
>> packages needed to build even more.
>> Do remember one samba version, ( debian stretch amd64 ) requires me to
>> build between 5 and 11 packages.
>> Now add i386, jessie, bionic, 3 different samba version... So that's why..
>> Too much, this is a lot already.
>>
>>
> Absolutely understandable. BTW: think this is a great work you do here :)
>
>
>> And better option for you, but this highly depends on what's running on
>> the server, upgrade now to debian buster.
>> This way you can still use sssd and you're up in samba version.
>> But I only recommend this if you only use samba on the servers and not
>> much other packages.
>> Debian Buster is in freeze state, so no major changes should enter.
>>
>>
> hm...unfortunately I see other dependencies beside SAMBA here.
> Really would like to wait for official release and do some tests
> (especially with self build scripts that might be incompatible).
>
>
>> Today will be building day, so if you have more questions, just ask, I'm
>> monitoring the list today.
>> New packages will arrive soon.
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>
>>
>> > -----Original message-----
>> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> > Rowland Penny via samba
>> > Sent: Saturday 6 April 2019 20:43
>> > To: samba at lists.samba.org
>> > Subject: Re: [Samba] DsReplicaSync failed -
>> > WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp
>> > - NT_STATUS_LOGON_FAILURE
>> >
>> > On Sat, 6 Apr 2019 19:08:30 +0200
>> > Martin Krämer <mk.maddin at gmail.com> wrote:
>> >
>> > > hm... to be truth there were already multiple times I thought of having
>> > > a more up-to-date version would be great...
>> > > Maybe I can try with my test servers first (I would start with
>> > > http://downloads.van-belle.nl/samba4/Upgrade-info.txt here I think )
>> > > - but first I think have to check how to get rid of sssd ( I do not
>> > > want to build on my own)
>> >
>> > It all depends on how you use your Samba machines. If you use
>> > your DC's
>> > just for authentication and never log in as a domain user and never
>> > store anything in shares (except sysvol & netlogon) then you do not
>> > need to use sssd or anything else. It is only when you use a DC as
>> > fileserver that you may need something like sssd.
>> >
>> > > Thanks for this - I tried "samba_dnsupdate" in following ways.
>> > > All of them run through without any error telling me "No DNS updates
>> > > needed" at the end
>> > >
>> > > samba_dnsupdate --verbose
>> > > samba_dnsupdate --verbose --rpc-server-ip=location-000001.domain.de
>> > > samba_dnsupdate --verbose --rpc-server-ip=location-000002.domain.de
>> > >
>> > > afterwards unfortunately there is still no change to the error :/
>> >
>> > Try comparing the databases on the DC's, see 'samba-tool ldapcmp
>> > --help' for more info.
>> >
>> > You could also try replicating from the good DC to the other, see
>> > 'samba-tool drs replicate --help' for more info
>> >
>> > There is also 'samba-tool dbcheck'
>> >
>> > Finally, is something like a firewall getting in the way.
>> >
>> > >
>> > > hm...this is how I currently use sssd & sudo:
>> > > https://linux.die.net/man/5/sssd-sudo
>> > > I think with sudo-ldap you refer to the following:
>> > > https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html ?
>> > > As of today my sudo rules are "linked" to the ou of the device and
>> > > based on the  "ldap_sudo_search_base" config from sudo-sssd devices
>> > > apply one the one matching for them.
>> > > (nearly the same way as group policy linking in windows works)
>> > > I think in case of switching I need to work with
>> > > "SUDOERS_SEARCH_FILTER" or "SUDOERS_BASE" option... maybe I will
>> > > check.
>> >
>> > From memory, sudo-ldap works in much the same way as sssd, the only
>> > real difference is the lack of a cache, but, from my experience, this
>> > would be the last thing on your mind if something has gone wrong and
>> > you cannot login as a sudo user from ldap.
>> >
>> > >
>> > > Louis once guided me to:
>> > > https://github.com/thctlo/samba4/tree/master/howtos Are these how-to
>> > > compliant to what you mention about samba support & winbind?
>> >
>> > Apart from referring to older versions of Samba, they should still be
>> > valid.
>> >
>> > Rowland
>> >
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions:  https://lists.samba.org/mailman/options/samba
>> >
>> >
>>
>>
>>
>
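
Added example, not part of the thread: questions 1, 4 and 6 in Martin's message at the top turn on uidNumber/gidNumber values never colliding, because two accounts that share a uidNumber are the same user to the filesystem. The Python check below audits an LDIF export (dn, objectClass, uidNumber, gidNumber) for duplicates and out-of-range IDs; the sample records, the ID_RANGE value and the function names are constructed for illustration, and ID_RANGE is assumed to mirror the "idmap config <DOMAIN> : range" setting used on the members.

```python
import base64
from collections import defaultdict

# Assumption: must match "idmap config <DOMAIN> : range" on the domain members.
ID_RANGE = (10000, 999999)

# Constructed sample in LDIF form; every name and number is made up.
SAMPLE_LDIF = """\
# record 1
dn: CN=alice,CN=Users,DC=example,DC=test
objectClass: user
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=test
objectClass: user
uidNumber: 10002
gidNumber: 10000

dn: CN=FILESRV1,CN=Computers,DC=example,DC=test
objectClass: user
objectClass: computer
uidNumber: 10002

dn: CN=Domain Users,CN=Users,DC=example,DC=test
objectClass: group
gidNumber: 10000

dn: CN=staff,CN=Users,DC=example,DC=test
objectClass: group
gidNumber: 10000

dn: CN=carol,CN=Users,DC=example,DC=test
objectClass: user
uidNumber: 500
gidNumber: 10000
"""


def parse_ldif(text):
    """Return a list of records, each mapping lower-cased attribute -> values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], defaultdict(list)
    for line in lines + [""]:                  # trailing "" flushes last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(dict(current))
                current = defaultdict(list)
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current[name.lower()].append(value.strip())
    return records


def audit_ids(records, id_range=ID_RANGE):
    """Return (kind, attribute, value, [dns]) findings for allocated IDs."""
    low, high = id_range
    owners = {"uidNumber": defaultdict(list), "gidNumber": defaultdict(list)}
    findings = []
    for rec in records:
        dn = rec.get("dn", ["<no dn>"])[0]
        classes = {c.lower() for c in rec.get("objectclass", [])}
        # uidNumber is an allocation on users and computers alike. gidNumber is
        # an allocation only on groups; on a user it references a primary group.
        attrs = ["uidNumber"] + (["gidNumber"] if "group" in classes else [])
        for attr in attrs:
            for value in rec.get(attr.lower(), []):
                if not value.isdigit():
                    findings.append(("invalid", attr, value, [dn]))
                    continue
                number = int(value)
                owners[attr][number].append(dn)
                if not low <= number <= high:
                    findings.append(("out-of-range", attr, number, [dn]))
    for attr in ("uidNumber", "gidNumber"):
        for number, dns in sorted(owners[attr].items()):
            if len(dns) > 1:
                findings.append(("duplicate", attr, number, dns))
    return findings


if __name__ == "__main__":
    for kind, attr, value, dns in audit_ids(parse_ldif(SAMPLE_LDIF)):
        print(f"{kind:13} {attr}={value}: " + "; ".join(dns))
```

Running the same audit before writing a new uidNumber or gidNumber gives the existence check that question 4 asks about.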

