[Samba] One DC not replicated
shacky
shacky83 at gmail.com
Tue Jul 2 16:01:03 UTC 2019
I have a Samba-managed Windows domain with 3 Domain Controllers: dc1, dc2
and dc-dc.
All three PDCs run on Samba version 4.6.7-Ubuntu on Ubuntu Xenial.
The problem: the Domain Controller dc-dc is not correctly replicated:
========================================================================
root at dc2:/# samba-tool drs showrepl
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc2.my.domain.name[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name dc2.my.domain.name<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc2.my.domain.name<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc2.my.domain.name<0x20>
my\DC2
DSA Options: 0x00000001
DSA object GUID: 009ad456-64de-43a9-a321-dbdbb25fa21b
DSA invocationId: 543d6793-d128-49fb-97bf-01bda21e1634
==== INBOUND NEIGHBORS ====
DC=my,DC=domain,DC=name
my\DC1 via RPC
DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
Last attempt @ Tue Jul 2 17:49:21 2019 CEST was successful
0 consecutive failure(s).
Last success @ Tue Jul 2 17:49:21 2019 CEST
DC=my,DC=domain,DC=name
my\DC-DC via RPC
DSA object GUID: c5c6f4b2-d65b-441d-a23d-42bbe3827e1d
Last attempt @ Tue Jul 2 17:49:21 2019 CEST failed, result 2
(WERR_FILE_NOT_FOUND)
5159 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=my,DC=domain,DC=name
my\DC1 via RPC
DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
Last attempt @ Tue Jul 2 17:49:20 2019 CEST was successful
0 consecutive failure(s).
Last success @ Tue Jul 2 17:49:20 2019 CEST
DC=ForestDnsZones,DC=my,DC=domain,DC=name
my\DC-DC via RPC
DSA object GUID: c5c6f4b2-d65b-441d-a23d-42bbe3827e1d
Last attempt @ Tue Jul 2 17:49:20 2019 CEST failed, result 2
(WERR_FILE_NOT_FOUND)
5159 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=my,DC=domain,DC=name
my\DC1 via RPC
DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
Last attempt @ Tue Jul 2 17:49:20 2019 CEST was successful
0 consecutive failure(s).
Last success @ Tue Jul 2 17:49:20 2019 CEST
DC=DomainDnsZones,DC=my,DC=domain,DC=name
my\DC-DC via RPC
DSA object GUID: c5c6f4b2-d65b-441d-a23d-42bbe3827e1d
Last attempt @ Tue Jul 2 17:49:20 2019 CEST failed, result 2
(WERR_FILE_NOT_FOUND)
5159 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=my,DC=domain,DC=name
my\DC1 via RPC
DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
Last attempt @ Tue Jul 2 17:49:21 2019 CEST was successful
0 consecutive failure(s).
Last success @ Tue Jul 2 17:49:21 2019 CEST
CN=Schema,CN=Configuration,DC=my,DC=domain,DC=name
my\DC-DC via RPC
DSA object GUID: c5c6f4b2-d65b-441d-a23d-42bbe3827e1d
Last attempt @ Tue Jul 2 17:49:21 2019 CEST failed, result 2
(WERR_FILE_NOT_FOUND)
5159 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=my,DC=domain,DC=name
my\DC1 via RPC
DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
Last attempt @ Tue Jul 2 17:49:21 2019 CEST was successful
0 consecutive failure(s).
Last success @ Tue Jul 2 17:49:21 2019 CEST
CN=Configuration,DC=my,DC=domain,DC=name
my\DC-DC via RPC
DSA object GUID: c5c6f4b2-d65b-441d-a23d-42bbe3827e1d
Last attempt @ Tue Jul 2 17:49:21 2019 CEST failed, result 2
(WERR_FILE_NOT_FOUND)
5159 consecutive failure(s).
Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ====
DC=my,DC=domain,DC=name
my\DC1 via RPC
DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=my,DC=domain,DC=name
my\DC1 via RPC
DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=my,DC=domain,DC=name
my\DC1 via RPC
DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=my,DC=domain,DC=name
my\DC1 via RPC
DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=my,DC=domain,DC=name
my\DC1 via RPC
DSA object GUID: 419f9e5a-dc5d-4d03-9f8c-518b5d977b5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 1ef10071-1020-4260-ba81-568c8995677f
Enabled : TRUE
Server DNS name : dc1.my.domain.name
Server DN name : CN=NTDS
Settings,CN=DC1,CN=Servers,CN=my,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=name
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: 2e133802-9f86-4d1a-8917-b26511f640fe
Enabled : TRUE
Server DNS name : dc-dc.my.domain.name
Server DN name : CN=NTDS
Settings,CN=DC-DC,CN=Servers,CN=my,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=name
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
========================================================================
If I try to manually replicate dc-dc, it works from dc1:
========================================================================
root at dc-dc:/# samba-tool drs replicate dc-dc.my.domain.name
dc1.my.domain.name DC=my,DC=domain,DC=name --full-sync
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc-dc.my.domain.name[,seal]
[...]
Replicate from dc1.my.domain.name to dc-dc.my.domain.name was successful.
========================================================================
but not from dc2:
========================================================================
root at dc-dc:/# samba-tool drs replicate dc-dc.my.domain.name
dc2.my.domain.name DC=my,DC=domain,DC=name --full-sync
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc-dc.my.domain.name[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name dc-dc.my.domain.name
<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc-dc.my.domain.name
<0x20>
Server ldap/DC-DC.my.domain.name at MY.DOMAIN.NAME is not registered with our
KDC: Miscellaneous failure (see text): Server (ldap/
DC-DC.my.domain.name at MY.DOMAIN.NAME) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DC-DC.my.domain.name
failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
resolve_lmhosts: Attempting lmhosts lookup for name dc-dc.my.domain.name
<0x20>
Server ldap/dc-dc.my.domain.name at MY.DOMAIN.NAME is not registered with our
KDC: Miscellaneous failure (see text): Server (ldap/
dc-dc.my.domain.name at MY.DOMAIN.NAME) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/dc-dc.my.domain.name
failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in
run
drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
source_dsa_guid, NC, req_options)
File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in
sendDsReplicaSync
raise drsException("DsReplicaSync failed %s" % estr)
========================================================================
Could you help me please?
Thanks!
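A monitoring check for exactly the symptom shown above, added here as an example and not part of the original post or of samba-tool itself: it parses the layout of `samba-tool drs showrepl` output (a constructed sample with the GUID lines omitted) and flags any inbound neighbour with consecutive failures or a `Last success @ NTTIME(0)`, which singles out the DC-DC link while leaving the healthy DC1 link alone.

```python
from dataclasses import dataclass
# Constructed sample in the layout of `samba-tool drs showrepl` (GUID lines omitted),
# with one healthy and one failing inbound neighbour, as in the post above.
SAMPLE = r"""==== INBOUND NEIGHBORS ====
DC=my,DC=domain,DC=name
my\DC1 via RPC
Last attempt @ Tue Jul 2 17:49:21 2019 CEST was successful
0 consecutive failure(s).
Last success @ Tue Jul 2 17:49:21 2019 CEST
DC=my,DC=domain,DC=name
my\DC-DC via RPC
Last attempt @ Tue Jul 2 17:49:21 2019 CEST failed, result 2 (WERR_FILE_NOT_FOUND)
5159 consecutive failure(s).
Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ====
"""

@dataclass
class Neighbour:
    nc: str                        # naming context being replicated
    source: str                    # source DSA, e.g. my\DC-DC
    failures: int = 0              # from "N consecutive failure(s)."
    last_error: str = ""           # WERR_* code of the last failed attempt, if any
    never_succeeded: bool = False  # "Last success @ NTTIME(0)"

def parse_showrepl(text):
    # One Neighbour per (NC, source DSA) pair listed under INBOUND NEIGHBORS.
    inbound, section, nc, cur = [], None, "", None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("===="):                  # section header (or mail separator)
            section, cur = line, None
        elif section != "==== INBOUND NEIGHBORS ====":
            continue                                  # outbound/KCC sections are ignored
        elif line.startswith(("DC=", "CN=")):
            nc = line
        elif line.endswith(" via RPC"):
            cur = Neighbour(nc=nc, source=line[:-len(" via RPC")])
            inbound.append(cur)
        elif cur and line.startswith("Last attempt @"):  # "... failed, result 2 (WERR_...)"
            cur.last_error = line.rsplit("(", 1)[-1].rstrip(")") if "failed" in line else ""
        elif cur and line.endswith("consecutive failure(s)."):
            cur.failures = int(line.split()[0])
        elif cur and line.startswith("Last success @"):
            cur.never_succeeded = line.endswith("NTTIME(0)")
    return inbound

def unhealthy(neighbours):
    # Alert on any consecutive failures, or on a link that has never synced at all.
    return [n for n in neighbours if n.failures > 0 or n.never_succeeded]
```

On a real DC, feed the full `samba-tool drs showrepl` output to `parse_showrepl`; the `====` separators in the mail above are harmless because only the INBOUND section is read.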