[Samba] One DC not replicated

shacky shacky83 at gmail.com
Tue Jul 2 16:01:03 UTC 2019


I have a Samba-managed Windows domain with 3 Domain Controllers: dc1, dc2
and dc-dc.
All three PDCs run Samba version 4.6.7-Ubuntu on Ubuntu Xenial.

The problem: the Domain Controller dc-dc is not correctly replicated:

========================================================================
root@dc2:/# samba-tool drs showrepl
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc2.my.domain.name[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name dc2.my.domain.name<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc2.my.domain.name<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc2.my.domain.name<0x20>
my\DC2
DSA Options: 0x00000001
DSA object GUID: 009ad456-64de-43a9-a321-dbdbb25fa21b
DSA invocationId: 543d6793-d128-49fb-97bf-01bda21e1634

==== INBOUND NEIGHBORS ====

DC=my,DC=domain,DC=name
    my\DC1 via RPC
        DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
        Last attempt @ Tue Jul  2 17:49:21 2019 CEST was successful
        0 consecutive failure(s).
        Last success @ Tue Jul  2 17:49:21 2019 CEST

DC=my,DC=domain,DC=name
    my\DC-DC via RPC
        DSA object GUID: c5c6f4b2-d65b-441d-a23d-42bbe3827e1d
        Last attempt @ Tue Jul  2 17:49:21 2019 CEST failed, result 2 (WERR_FILE_NOT_FOUND)
        5159 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=my,DC=domain,DC=name
    my\DC1 via RPC
        DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
        Last attempt @ Tue Jul  2 17:49:20 2019 CEST was successful
        0 consecutive failure(s).
        Last success @ Tue Jul  2 17:49:20 2019 CEST

DC=ForestDnsZones,DC=my,DC=domain,DC=name
    my\DC-DC via RPC
        DSA object GUID: c5c6f4b2-d65b-441d-a23d-42bbe3827e1d
        Last attempt @ Tue Jul  2 17:49:20 2019 CEST failed, result 2 (WERR_FILE_NOT_FOUND)
        5159 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=my,DC=domain,DC=name
    my\DC1 via RPC
        DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
        Last attempt @ Tue Jul  2 17:49:20 2019 CEST was successful
        0 consecutive failure(s).
        Last success @ Tue Jul  2 17:49:20 2019 CEST

DC=DomainDnsZones,DC=my,DC=domain,DC=name
    my\DC-DC via RPC
        DSA object GUID: c5c6f4b2-d65b-441d-a23d-42bbe3827e1d
        Last attempt @ Tue Jul  2 17:49:20 2019 CEST failed, result 2 (WERR_FILE_NOT_FOUND)
        5159 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=my,DC=domain,DC=name
    my\DC1 via RPC
        DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
        Last attempt @ Tue Jul  2 17:49:21 2019 CEST was successful
        0 consecutive failure(s).
        Last success @ Tue Jul  2 17:49:21 2019 CEST

CN=Schema,CN=Configuration,DC=my,DC=domain,DC=name
    my\DC-DC via RPC
        DSA object GUID: c5c6f4b2-d65b-441d-a23d-42bbe3827e1d
        Last attempt @ Tue Jul  2 17:49:21 2019 CEST failed, result 2 (WERR_FILE_NOT_FOUND)
        5159 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=my,DC=domain,DC=name
    my\DC1 via RPC
        DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
        Last attempt @ Tue Jul  2 17:49:21 2019 CEST was successful
        0 consecutive failure(s).
        Last success @ Tue Jul  2 17:49:21 2019 CEST

CN=Configuration,DC=my,DC=domain,DC=name
    my\DC-DC via RPC
        DSA object GUID: c5c6f4b2-d65b-441d-a23d-42bbe3827e1d
        Last attempt @ Tue Jul  2 17:49:21 2019 CEST failed, result 2 (WERR_FILE_NOT_FOUND)
        5159 consecutive failure(s).
        Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=my,DC=domain,DC=name
    my\DC1 via RPC
        DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=my,DC=domain,DC=name
    my\DC1 via RPC
        DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=my,DC=domain,DC=name
    my\DC1 via RPC
        DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=my,DC=domain,DC=name
    my\DC1 via RPC
        DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=my,DC=domain,DC=name
    my\DC1 via RPC
        DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 1ef10071-1020-4260-ba81-568c8995677f
    Enabled        : TRUE
    Server DNS name : dc1.my.domain.name
    Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=my,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=name
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
    Connection name: 2e133802-9f86-4d1a-8917-b26511f640fe
    Enabled        : TRUE
    Server DNS name : dc-dc.my.domain.name
    Server DN name  : CN=NTDS Settings,CN=DC-DC,CN=Servers,CN=my,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=name
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
========================================================================

If I try to replicate dc-dc manually, it works from dc1:

========================================================================
root@dc-dc:/# samba-tool drs replicate dc-dc.my.domain.name dc1.my.domain.name DC=my,DC=domain,DC=name --full-sync
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc-dc.my.domain.name[,seal]
[...]
Replicate from dc1.my.domain.name to dc-dc.my.domain.name was successful.
========================================================================

but not from dc2:
========================================================================
root@dc-dc:/# samba-tool drs replicate dc-dc.my.domain.name dc2.my.domain.name DC=my,DC=domain,DC=name --full-sync
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc-dc.my.domain.name[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name dc-dc.my.domain.name<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc-dc.my.domain.name<0x20>
Server ldap/DC-DC.my.domain.name@MY.DOMAIN.NAME is not registered with our KDC:  Miscellaneous failure (see text): Server (ldap/DC-DC.my.domain.name@MY.DOMAIN.NAME) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DC-DC.my.domain.name
failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
resolve_lmhosts: Attempting lmhosts lookup for name dc-dc.my.domain.name<0x20>
Server ldap/dc-dc.my.domain.name@MY.DOMAIN.NAME is not registered with our KDC:  Miscellaneous failure (see text): Server (ldap/dc-dc.my.domain.name@MY.DOMAIN.NAME) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/dc-dc.my.domain.name
failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
========================================================================

Could you help me please?
Thanks!
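The showrepl output in the post is the kind of thing an operator wants checked continuously rather than read by eye: the broken link shows up as a failed last attempt, a climbing failure counter and `Last success @ NTTIME(0)`, all on the inbound side. The script below is an added example, not code from the original post or from the Samba project. It parses the plain-text layout of `samba-tool drs showrepl` as shown above and flags inbound neighbours whose last attempt failed, that carry a non-zero failure count, or that have never succeeded. The embedded sample is constructed from the post's output (abridged, with one error code wrapped onto its own line the way the mail client did it), and the file name `check_repl.py` is an assumption.

```python
"""Flag unhealthy replication links in `samba-tool drs showrepl` output.
Added example, not from the original post or from Samba; it assumes the
plain-text layout shown in the post and the file name check_repl.py."""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, abridged from the post. The error code on its own line
# imitates e-mail wrapping; parse_showrepl() re-joins it before parsing.
SAMPLE = """\
==== INBOUND NEIGHBORS ====

DC=my,DC=domain,DC=name
    my\\DC1 via RPC
        Last attempt @ Tue Jul  2 17:49:21 2019 CEST was successful
        0 consecutive failure(s).
        Last success @ Tue Jul  2 17:49:21 2019 CEST

DC=my,DC=domain,DC=name
    my\\DC-DC via RPC
        Last attempt @ Tue Jul  2 17:49:21 2019 CEST failed, result 2
(WERR_FILE_NOT_FOUND)
        5159 consecutive failure(s).
        Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=my,DC=domain,DC=name
    my\\DC1 via RPC
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)
"""

SECTION_RE = re.compile(r"^==== (\w+) ")
PARTNER_RE = re.compile(r"^ {4}(\S+) via (\S+)$")
ATTEMPT_RE = re.compile(r"^\s+Last attempt @ (.+?) (was successful|failed, result (\d+) \((\w+)\))$")
FAILS_RE = re.compile(r"^\s+(\d+) consecutive failure\(s\)\.$")
SUCCESS_RE = re.compile(r"^\s+Last success @ (.+)$")


@dataclass
class Neighbor:
    direction: str                  # "INBOUND" or "OUTBOUND"
    nc: str                         # naming context DN
    partner: str                    # e.g. "my\\DC-DC"
    last_attempt_ok: Optional[bool] = None
    error: Optional[str] = None     # e.g. "WERR_FILE_NOT_FOUND"
    consecutive_failures: int = 0
    never_succeeded: bool = False   # "Last success @ NTTIME(0)"


def parse_showrepl(text: str) -> List[Neighbor]:
    # Re-join an error code that a mail client wrapped onto its own line.
    text = re.sub(r"(failed, result \d+)\n\s*(\(WERR_\w+\))", r"\1 \2", text)
    neighbors: List[Neighbor] = []
    section, nc, cur = None, "", None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:                           # "==== INBOUND NEIGHBORS ====" etc.
            section = m.group(1) if m.group(1) in ("INBOUND", "OUTBOUND") else None
            cur = None
            continue
        if section is None or not line.strip():
            continue
        if not line[0].isspace():       # unindented line: a naming context DN
            nc = line.strip()
            continue
        if (m := PARTNER_RE.match(line)):
            cur = Neighbor(section, nc, m.group(1))
            neighbors.append(cur)
        elif cur is None:
            continue
        elif (m := ATTEMPT_RE.match(line)):
            cur.last_attempt_ok = m.group(2) == "was successful"
            cur.error = m.group(4)      # None when the attempt succeeded
        elif (m := FAILS_RE.match(line)):
            cur.consecutive_failures = int(m.group(1))
        elif (m := SUCCESS_RE.match(line)):
            cur.never_succeeded = m.group(1).strip() == "NTTIME(0)"
    return neighbors


def find_problems(neighbors: List[Neighbor]) -> List[Neighbor]:
    # Only inbound links are judged: the post's own output shows
    # "Last attempt @ NTTIME(0) was successful" for healthy outbound partners.
    return [n for n in neighbors
            if n.direction == "INBOUND"
            and (n.error or n.consecutive_failures > 0 or n.never_succeeded)]


def report(neighbors: List[Neighbor]) -> str:
    lines = [f"{n.partner} -> {n.nc}: {n.error or 'no error code'}, "
             f"{n.consecutive_failures} consecutive failure(s)"
             f"{', never succeeded' if n.never_succeeded else ''}"
             for n in find_problems(neighbors)]
    return "\n".join(lines) or "all inbound links healthy"


if __name__ == "__main__":
    # On a DC: samba-tool drs showrepl | python3 check_repl.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(report(parse_showrepl(data)))
```

Run it on a DC as `samba-tool drs showrepl | python3 check_repl.py`; with nothing on stdin it parses the embedded sample and reports the dc-dc link. It is a health check only: it will tell you that dc2 has never pulled from dc-dc, but not why, so the Kerberos failure in the second transcript (the KDC not knowing `ldap/dc-dc.my.domain.name`, after which the client falls back to NTLMSSP and gets WERR_DS_DRA_ACCESS_DENIED) still has to be chased separately.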

