[Samba] Can't replicate DCs
L.P.H. van Belle
belle at bazuin.nl
Mon Aug 12 06:57:06 UTC 2019
Try this.
On all DCs set the first resolver in /etc/resolv.conf to the DC with FSMO roles.
Run :
kinit Administrator
samba_dnsupdate --verbose
Stop and start samba-ad-dc
Check again.
Greetz,
Louis
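The steps above as a small shell helper, an added example and not code from the thread or from the Samba project: it checks the first resolver, runs the kinit / samba_dnsupdate / restart sequence, and then parses `samba-tool drs showrepl` so only the inbound neighbors that are still failing are printed. Assumptions that are not in the original post: dc1 (10.1.10.3 in the poster's /etc/hosts) is taken to be the FSMO role holder, the AD DC runs as the systemd unit samba-ad-dc, and the sample showrepl output is a constructed cut-down of the DC2 output quoted below with each "Last attempt" line un-wrapped onto one line, which is how samba-tool prints it.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: the resolver /
# DNS-update / restart / re-check sequence from the reply above, with an
# offline parser for "samba-tool drs showrepl".
# Assumptions (not stated in the post): dc1 (10.1.10.3 in the poster's
# /etc/hosts) holds the FSMO roles, and the AD DC runs as the systemd
# unit samba-ad-dc. Only run_live touches a real DC.

FSMO_DC_IP="${FSMO_DC_IP:-10.1.10.3}"   # assumed FSMO role holder

# first_nameserver < resolv.conf -> prints the first "nameserver" entry
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# resolver_ok EXPECTED_IP < resolv.conf -> exit 0 iff the first resolver matches
resolver_ok() {
    [ "$(first_nameserver)" = "$1" ]
}

# showrepl_failures < showrepl-output -> one line per failing INBOUND
# neighbor: "<partition> <site\partner> <code> (<WERR name>)".
# Relies on samba-tool printing "Last attempt @ ... failed, result N (NAME)"
# on a single line (it only wraps when a mail client wraps it).
showrepl_failures() {
    awk '
        /^==== /                      { section = $0; next }
        section !~ /INBOUND/          { next }
        tolower($1) ~ /^(cn|dc)=/     { nc = $1; next }
        NF >= 3 && $(NF-1) == "via"   { partner = $1; next }
        /failed, result/ {
            for (i = 1; i <= NF; i++)
                if ($i == "result") { code = $(i+1); name = $(i+2) }
            print nc, partner, code, name
        }
    '
}

# Constructed sample, cut down from the DC2 output in the original post.
sample_showrepl() {
    cat <<'EOF'
Valemount\DC2
DSA Options: 0x00000001
DSA object GUID: 617c7792-2980-4625-917d-21418ac96f06

==== INBOUND NEIGHBORS ====

CN=Configuration,dc=ad,dc=example,dc=com
        McBride\DC1 via RPC
                DSA object GUID: a908c575-ddb1-4e89-98e1-97d3e55bf213
                Last attempt @ Sun Aug 11 15:40:51 2019 PDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                6664 consecutive failure(s).
                Last success @ Sun Aug 11 15:40:51 2019 PDT

CN=Configuration,dc=ad,dc=example,dc=com
        McBride\DC3 via RPC
                DSA object GUID: 76c41b36-54e8-4e7c-a9ea-4b2e26b0097e
                Last attempt @ Sun Aug 11 15:40:51 2019 PDT was successful
                0 consecutive failure(s).
                Last success @ Sun Aug 11 15:40:51 2019 PDT

dc=ad,dc=example,dc=com
        McBride\DC1 via RPC
                DSA object GUID: a908c575-ddb1-4e89-98e1-97d3e55bf213
                Last attempt @ Sun Aug 11 15:40:52 2019 PDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                6666 consecutive failure(s).
                Last success @ Sun Aug 11 15:40:52 2019 PDT

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====
EOF
}

# run_live: the actual procedure from the reply, on a DC that has samba-tool.
run_live() {
    command -v samba-tool >/dev/null 2>&1 || { echo "samba-tool not found" >&2; return 2; }
    if ! resolver_ok "$FSMO_DC_IP" < /etc/resolv.conf; then
        echo "first resolver in /etc/resolv.conf is not $FSMO_DC_IP; fix that first" >&2
        return 1
    fi
    kinit Administrator || return 1          # prompts for the Administrator password
    samba_dnsupdate --verbose || return 1
    systemctl stop samba-ad-dc && systemctl start samba-ad-dc || return 1   # assumed unit name
    echo "inbound neighbors still failing after restart (empty output is good):"
    samba-tool drs showrepl | showrepl_failures
}

case "${1:-}" in
    live) run_live ;;                           # on the DC: sh check-repl.sh live
    demo) sample_showrepl | showrepl_failures ;;  # offline: parse the constructed sample
esac
```

`samba-tool fsmo show` tells you which DC actually holds the roles, so set FSMO_DC_IP from that rather than trusting the assumed value; `sh check-repl.sh demo` only parses the constructed sample and prints the two DC1 entries with result 8453, which is the pattern in the quoted DC2 output.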
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Luke
> Barone via samba
> Sent: Monday, 12 August 2019 0:54
> To: samba
> Subject: [Samba] Can't replicate DCs
>
> Hi list,
>
> I'm running into issues with Samba 4.5.16-Debian. I am trying to get 3 DCs
> to talk to each other and replicate. DC1 and DC3 are on the same subnet;
> DC2 is on another subnet, accessible by IP. Currently, no firewalls on any
> of the DCs.
>
> Issue 1 - When I run "samba-tool drs showrepl", I get various results:
>
> DC1 -
> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
> ncacn_ip_tcp:10.1.10.10[1024,seal,target_hostname=dc3.ad.example.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.1.10.10]
> NT_STATUS_IO_TIMEOUT
> ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to dc3.ad.example.com failed - drsException: DRS connection to dc3.ad.example.com failed: (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 41, in drsuapi_connect
>     (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
>     raise drsException("DRS connection to %s failed: %s" % (server, e))
>
>
> ===============================================================
>
> DC2 -
>
> Valemount\DC2
> DSA Options: 0x00000001
> DSA object GUID: 617c7792-2980-4625-917d-21418ac96f06
> DSA invocationId: b5e8a8b6-ada3-472f-bee8-4e7d9ab813bc
>
> ==== INBOUND NEIGHBORS ====
>
> CN=Configuration,dc=ad,dc=example,dc=com
> McBride\DC1 via RPC
> DSA object GUID: a908c575-ddb1-4e89-98e1-97d3e55bf213
> Last attempt @ Sun Aug 11 15:40:51 2019 PDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
> 6664 consecutive failure(s).
> Last success @ Sun Aug 11 15:40:51 2019 PDT
>
> CN=Configuration,dc=ad,dc=example,dc=com
> McBride\DC3 via RPC
> DSA object GUID: 76c41b36-54e8-4e7c-a9ea-4b2e26b0097e
> Last attempt @ Sun Aug 11 15:40:51 2019 PDT was successful
> 0 consecutive failure(s).
> Last success @ Sun Aug 11 15:40:51 2019 PDT
>
> CN=Schema,CN=Configuration,dc=ad,dc=example,dc=com
> McBride\DC1 via RPC
> DSA object GUID: a908c575-ddb1-4e89-98e1-97d3e55bf213
> Last attempt @ Sun Aug 11 15:40:52 2019 PDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
> 6665 consecutive failure(s).
> Last success @ Sun Aug 11 15:40:51 2019 PDT
>
> CN=Schema,CN=Configuration,dc=ad,dc=example,dc=com
> McBride\DC3 via RPC
> DSA object GUID: 76c41b36-54e8-4e7c-a9ea-4b2e26b0097e
> Last attempt @ Sun Aug 11 15:40:52 2019 PDT was successful
> 0 consecutive failure(s).
> Last success @ Sun Aug 11 15:40:52 2019 PDT
>
> dc=ad,dc=example,dc=com
> McBride\DC1 via RPC
> DSA object GUID: a908c575-ddb1-4e89-98e1-97d3e55bf213
> Last attempt @ Sun Aug 11 15:40:52 2019 PDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
> 6666 consecutive failure(s).
> Last success @ Sun Aug 11 15:40:52 2019 PDT
>
> dc=ad,dc=example,dc=com
> McBride\DC3 via RPC
> DSA object GUID: 76c41b36-54e8-4e7c-a9ea-4b2e26b0097e
> Last attempt @ Sun Aug 11 15:40:52 2019 PDT was successful
> 0 consecutive failure(s).
> Last success @ Sun Aug 11 15:40:52 2019 PDT
>
> DC=ForestDnsZones,dc=ad,dc=example,dc=com
> McBride\DC1 via RPC
> DSA object GUID: a908c575-ddb1-4e89-98e1-97d3e55bf213
> Last attempt @ Sun Aug 11 15:40:50 2019 PDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
> 6668 consecutive failure(s).
> Last success @ Sun Aug 11 15:40:50 2019 PDT
>
> DC=ForestDnsZones,dc=ad,dc=example,dc=com
> McBride\DC3 via RPC
> DSA object GUID: 76c41b36-54e8-4e7c-a9ea-4b2e26b0097e
> Last attempt @ Sun Aug 11 15:40:50 2019 PDT was successful
> 0 consecutive failure(s).
> Last success @ Sun Aug 11 15:40:50 2019 PDT
>
> DC=DomainDnsZones,dc=ad,dc=example,dc=com
> McBride\DC1 via RPC
> DSA object GUID: a908c575-ddb1-4e89-98e1-97d3e55bf213
> Last attempt @ Sun Aug 11 15:40:51 2019 PDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
> 6666 consecutive failure(s).
> Last success @ Sun Aug 11 15:40:51 2019 PDT
>
> DC=DomainDnsZones,dc=ad,dc=example,dc=com
> McBride\DC3 via RPC
> DSA object GUID: 76c41b36-54e8-4e7c-a9ea-4b2e26b0097e
> Last attempt @ Sun Aug 11 15:40:51 2019 PDT was successful
> 0 consecutive failure(s).
> Last success @ Sun Aug 11 15:40:51 2019 PDT
>
> ==== OUTBOUND NEIGHBORS ====
>
> ==== KCC CONNECTION OBJECTS ====
>
> Connection --
> Connection name: 715f06d2-cb2e-4cb5-b1d7-8bae66efd634
> Enabled : TRUE
> Server DNS name : dc1.ad.example.com
> Server DN name : CN=NTDS Settings,CN=DC1,CN=Servers,CN=McBride,CN=Sites,CN=Configuration,dc=ad,dc=example,dc=com
> TransportType: RPC
> options: 0x00000001
> Warning: No NC replicated for Connection!
> Connection --
> Connection name: a4f43954-9213-4622-a455-3bd319ab3018
> Enabled : TRUE
> Server DNS name : dc3.ad.example.com
> Server DN name : CN=NTDS Settings,CN=DC3,CN=Servers,CN=McBride,CN=Sites,CN=Configuration,dc=ad,dc=example,dc=com
> TransportType: RPC
> options: 0x00000001
> Warning: No NC replicated for Connection!
> Connection --
> Connection name: DC1
> Enabled : TRUE
> Server DNS name : dc1.ad.example.com
> Server DN name : CN=NTDS Settings,CN=DC1,CN=Servers,CN=McBride,CN=Sites,CN=Configuration,dc=ad,dc=example,dc=com
> TransportType: RPC
> options: 0x00000000
> Warning: No NC replicated for Connection!
> Connection --
> Connection name: DC3
> Enabled : TRUE
> Server DNS name : dc3.ad.example.com
> Server DN name : CN=NTDS Settings,CN=DC3,CN=Servers,CN=McBride,CN=Sites,CN=Configuration,dc=ad,dc=example,dc=com
> TransportType: RPC
> options: 0x00000000
> Warning: No NC replicated for Connection!
>
> =====================================================================
>
> DC3 -
> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
> ncacn_ip_tcp:10.1.10.10[1024,seal,target_hostname=dc3.ad.example.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.1.10.10]
> NT_STATUS_IO_TIMEOUT
> ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to dc3.ad.example.com failed - drsException: DRS connection to dc3.ad.example.com failed: (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 41, in drsuapi_connect
>     (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
>     raise drsException("DRS connection to %s failed: %s" % (server, e))
>
>
> =============
>
> When I attempt to manually replicate, I can get DC3 to talk to DC2, but no
> other communication. DC1 -> DC2 fails; DC1 to DC3 fails; DC2 to DC1 fails;
> DC2 to DC3 fails. DC3 cannot replicate to DC1.
>
> Users created on the various DCs do not show up under Active Directory
> Users and Computers on other DCs. If I attempt to create a user under the
> ADUC tool, I get an error saying:
>
> Windows cannot verify that the user name is unique because the following
> error occurred while contacting the global catalog: The user name or
> password is incorrect
>
> This is after ensuring I can log in as the DOMAIN\Administrator account.
>
> There are two sites, one is "McBride", one is "Valemount". DC2 is in
> McBride, the others are in Valemount.
>
> Finally, the file contents on the DCs:
>
> /etc/hosts:
>
> # cat /etc/hosts
> 127.0.0.1 localhost
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 192.168.1.4 dc2.ad.example.com dc2
> 10.1.10.3 dc1.ad.example.com dc1
> 10.1.10.10 dc3.ad.example.com dc3
>
> # cat /etc/krb5.conf
> [libdefaults]
> default_realm = AD.EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> # cat /etc/samba/smb.conf
> # Global parameters
> [global]
> ntlm auth = yes
> disable netbios = yes
> bind interfaces only = Yes
> interfaces = lo eth0
> netbios name = DC2
> realm = AD.EXAMPLE.COM
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = AD
> server role = active directory domain controller
> winbind separator = /
> idmap_ldb:use rfc2307 = yes