[Samba] Can't replicate DCs
Luke Barone
lukebarone at gmail.com
Sun Aug 11 22:53:41 UTC 2019
Hi list,
I'm running into issues with Samba 4.5.16-Debian. I am trying to get 3 DCs
to talk to each other and replicate. DC1 and DC3 are on the same subnet;
DC2 is on another subnet, accessible by IP. Currently, no firewalls on any
of the DCs.
Issue 1 - When I run "samba-tool drs showrepl", I get various results:
DC1 -
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:10.1.10.10[1024,seal,target_hostname=dc3.ad.example.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.1.10.10]
NT_STATUS_IO_TIMEOUT
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
dc3.ad.example.com failed - drsException: DRS connection to
dc3.ad.example.com failed: (-1073741643, '{Device Timeout} The specified
I/O operation on %hs was not completed before the time-out period expired.')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 41, in
drsuapi_connect
(ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in
drsuapi_connect
raise drsException("DRS connection to %s failed: %s" % (server, e))
===============================================================
DC2 -
Valemount\DC2
DSA Options: 0x00000001
DSA object GUID: 617c7792-2980-4625-917d-21418ac96f06
DSA invocationId: b5e8a8b6-ada3-472f-bee8-4e7d9ab813bc
==== INBOUND NEIGHBORS ====
CN=Configuration,dc=ad,dc=example,dc=com
McBride\DC1 via RPC
DSA object GUID: a908c575-ddb1-4e89-98e1-97d3e55bf213
Last attempt @ Sun Aug 11 15:40:51 2019 PDT failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
6664 consecutive failure(s).
Last success @ Sun Aug 11 15:40:51 2019 PDT
CN=Configuration,dc=ad,dc=example,dc=com
McBride\DC3 via RPC
DSA object GUID: 76c41b36-54e8-4e7c-a9ea-4b2e26b0097e
Last attempt @ Sun Aug 11 15:40:51 2019 PDT was successful
0 consecutive failure(s).
Last success @ Sun Aug 11 15:40:51 2019 PDT
CN=Schema,CN=Configuration,dc=ad,dc=example,dc=com
McBride\DC1 via RPC
DSA object GUID: a908c575-ddb1-4e89-98e1-97d3e55bf213
Last attempt @ Sun Aug 11 15:40:52 2019 PDT failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
6665 consecutive failure(s).
Last success @ Sun Aug 11 15:40:51 2019 PDT
CN=Schema,CN=Configuration,dc=ad,dc=example,dc=com
McBride\DC3 via RPC
DSA object GUID: 76c41b36-54e8-4e7c-a9ea-4b2e26b0097e
Last attempt @ Sun Aug 11 15:40:52 2019 PDT was successful
0 consecutive failure(s).
Last success @ Sun Aug 11 15:40:52 2019 PDT
dc=ad,dc=example,dc=com
McBride\DC1 via RPC
DSA object GUID: a908c575-ddb1-4e89-98e1-97d3e55bf213
Last attempt @ Sun Aug 11 15:40:52 2019 PDT failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
6666 consecutive failure(s).
Last success @ Sun Aug 11 15:40:52 2019 PDT
dc=ad,dc=example,dc=com
McBride\DC3 via RPC
DSA object GUID: 76c41b36-54e8-4e7c-a9ea-4b2e26b0097e
Last attempt @ Sun Aug 11 15:40:52 2019 PDT was successful
0 consecutive failure(s).
Last success @ Sun Aug 11 15:40:52 2019 PDT
DC=ForestDnsZones,dc=ad,dc=example,dc=com
McBride\DC1 via RPC
DSA object GUID: a908c575-ddb1-4e89-98e1-97d3e55bf213
Last attempt @ Sun Aug 11 15:40:50 2019 PDT failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
6668 consecutive failure(s).
Last success @ Sun Aug 11 15:40:50 2019 PDT
DC=ForestDnsZones,dc=ad,dc=example,dc=com
McBride\DC3 via RPC
DSA object GUID: 76c41b36-54e8-4e7c-a9ea-4b2e26b0097e
Last attempt @ Sun Aug 11 15:40:50 2019 PDT was successful
0 consecutive failure(s).
Last success @ Sun Aug 11 15:40:50 2019 PDT
DC=DomainDnsZones,dc=ad,dc=example,dc=com
McBride\DC1 via RPC
DSA object GUID: a908c575-ddb1-4e89-98e1-97d3e55bf213
Last attempt @ Sun Aug 11 15:40:51 2019 PDT failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
6666 consecutive failure(s).
Last success @ Sun Aug 11 15:40:51 2019 PDT
DC=DomainDnsZones,dc=ad,dc=example,dc=com
McBride\DC3 via RPC
DSA object GUID: 76c41b36-54e8-4e7c-a9ea-4b2e26b0097e
Last attempt @ Sun Aug 11 15:40:51 2019 PDT was successful
0 consecutive failure(s).
Last success @ Sun Aug 11 15:40:51 2019 PDT
==== OUTBOUND NEIGHBORS ====
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 715f06d2-cb2e-4cb5-b1d7-8bae66efd634
Enabled : TRUE
Server DNS name : dc1.ad.example.com
Server DN name : CN=NTDS
Settings,CN=DC1,CN=Servers,CN=McBride,CN=Sites,CN=Configuration,dc=ad,dc=example,dc=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: a4f43954-9213-4622-a455-3bd319ab3018
Enabled : TRUE
Server DNS name : dc3.ad.example.com
Server DN name : CN=NTDS
Settings,CN=DC3,CN=Servers,CN=McBride,CN=Sites,CN=Configuration,dc=ad,dc=example,dc=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: DC1
Enabled : TRUE
Server DNS name : dc1.ad.example.com
Server DN name : CN=NTDS
Settings,CN=DC1,CN=Servers,CN=McBride,CN=Sites,CN=Configuration,dc=ad,dc=example,dc=com
TransportType: RPC
options: 0x00000000
Warning: No NC replicated for Connection!
Connection --
Connection name: DC3
Enabled : TRUE
Server DNS name : dc3.ad.example.com
Server DN name : CN=NTDS
Settings,CN=DC3,CN=Servers,CN=McBride,CN=Sites,CN=Configuration,dc=ad,dc=example,dc=com
TransportType: RPC
options: 0x00000000
Warning: No NC replicated for Connection!
=====================================================================
DC3 -
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:10.1.10.10[1024,seal,target_hostname=dc3.ad.example.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.1.10.10]
NT_STATUS_IO_TIMEOUT
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
dc3.ad.example.com failed - drsException: DRS connection to
dc3.ad.example.com failed: (-1073741643, '{Device Timeout} The specified
I/O operation on %hs was not completed before the time-out period expired.')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 41, in
drsuapi_connect
(ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in
drsuapi_connect
raise drsException("DRS connection to %s failed: %s" % (server, e))
=============
When I attempt to manually replicate, I can get DC3 to talk to DC2, but no
other communication. DC1 -> DC2 fails; DC1 to DC3 fails; DC2 to DC1 fails;
DC2 to DC3 fails. DC3 cannot replicate to DC1.
Users created on the various DCs do not show up under Active Directory
Users and Computers on other DCs. If I attempt to create a user under the
ADUC tool, I get an error saying:
Windows cannot verify that the user name is unique because the following
error occurred while contacting the global catalog: The user name or
password is incorrect
This is after ensuring I can log in as the DOMAIN\Administrator account.
There are two sites, one is "McBride", one is "Valemount". DC2 is in
McBride, the others are in Valemount.
Finally, the file contents on the DCs:
/etc/hosts:
# cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.1.4 dc2.ad.example.com dc2
10.1.10.3 dc1.ad.example.com dc1
10.1.10.10 dc3.ad.example.com dc3
# cat /etc/krb5.conf
[libdefaults]
default_realm = AD.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
# cat /etc/samba/smb.conf
# Global parameters
[global]
ntlm auth = yes
disable netbios = yes
bind interfaces only = Yes
interfaces = lo eth0
netbios name = DC2
realm = AD.EXAMPLE.COM
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = AD
server role = active directory domain controller
winbind separator = /
idmap_ldb:use rfc2307 = yes
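
Added example, not part of the original post and not Samba's own code: a small parser that condenses the INBOUND NEIGHBORS section of "samba-tool drs showrepl" output, like DC2's above, into the source DCs and error codes that are failing for each naming context. The sample text is constructed from the output quoted in the post, and the function names parse_inbound and failing_sources are hypothetical.

```python
import re

# Constructed sample trimmed from DC2's output in the post; wrapped result line kept.
SAMPLE = r"""==== INBOUND NEIGHBORS ====
CN=Configuration,dc=ad,dc=example,dc=com
McBride\DC1 via RPC
Last attempt @ Sun Aug 11 15:40:51 2019 PDT failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
6664 consecutive failure(s).
CN=Configuration,dc=ad,dc=example,dc=com
McBride\DC3 via RPC
Last attempt @ Sun Aug 11 15:40:51 2019 PDT was successful
0 consecutive failure(s).
dc=ad,dc=example,dc=com
McBride\DC1 via RPC
Last attempt @ Sun Aug 11 15:40:52 2019 PDT failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
6666 consecutive failure(s).
==== OUTBOUND NEIGHBORS ===="""

NEIGHBOR = re.compile(r"^[^\\]+\\(\S+) via RPC$")
FAILED = re.compile(r"failed, result (\d+) \((\w+)\)")
STREAK = re.compile(r"(\d+) consecutive failure")

def parse_inbound(text):
    """Return one dict per inbound neighbor: nc, source, code, werr, failures."""
    rest = text.partition("==== INBOUND NEIGHBORS ====")[2]
    inbound = rest.partition("==== OUTBOUND NEIGHBORS ====")[0]
    rows, prev = [], None
    for line in filter(None, map(str.strip, inbound.splitlines())):
        peer = NEIGHBOR.match(line)
        if peer:  # the line just before "Site\DC via RPC" is the NC DN
            rows.append({"nc": prev, "source": peer.group(1), "body": ""})
        elif rows:
            rows[-1]["body"] += " " + line  # re-joins mail-wrapped lines
        prev = line
    for row in rows:
        body = row.pop("body")
        failed, streak = FAILED.search(body), STREAK.search(body)
        row["code"] = int(failed.group(1)) if failed else 0
        row["werr"] = failed.group(2) if failed else None
        row["failures"] = int(streak.group(1)) if streak else 0
    return rows

def failing_sources(rows):
    """Group failing naming contexts by (source DC, WERR name)."""
    grouped = {}
    for row in (r for r in rows if r["code"]):
        grouped.setdefault((row["source"], row["werr"]), []).append(row["nc"])
    return grouped
```

Calling failing_sources(parse_inbound(output)) on each DC's output shows at a glance whether one source DC is being refused for every naming context, as DC1 is here, or whether failures are spread across partners.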