[Samba] messy replication

Adam Weremczuk adamw at matrixscience.com
Tue Jul 16 11:30:05 UTC 2019


Hi all,

I have an old dc (4.0.9). Let's call it dc1.
I also have a new one (4.5.16) which I'm planning to switch to. Let's 
call it dc2.

After initial setup of dc2 I initialised replication and things looked 
ok for a couple of weeks.
Recently I've managed to mess it up. Possibly by editing users and DNS 
records. Or copying Kerberos cache and trying to use it elsewhere for 
DHCP with DDNS.

I can connect to DNS with Windows domain tool fine and can see both 
domain controllers.

Active Directory Users and Computers fails intermittently (not always) with:

"Naming information cannot be located because:
The user name or password is incorrect.
Contact your system administrator to verify that your domain is properly 
configured and is currently online"

Another symptom is network drives not being automatically mounted with 
group policy (similar authentication error).
They can be mounted manually though.
Users can log in and computers can quit and rejoin the domain.
So the situation is not dramatic yet.

Errors from samba-tool (output abbreviated).

*dc1:* samba-tool drs showrepl

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones
Last attempt failed, result 87 (WERR_INVALID_PARAM)
1463 consecutive failure(s)

DC=ForestDnsZones
Last attempt failed, result 87 (WERR_INVALID_PARAM)
1463 consecutive failure(s)

DC=my_domain_name
Last attempt failed, result 87 (WERR_INVALID_PARAM)
1474 consecutive failure(s)

DC=Schema
Last attempt failed, result 87 (WERR_INVALID_PARAM)
1463 consecutive failure(s)

DC=Configuration
Last attempt failed, result 87 (WERR_INVALID_PARAM)
1463 consecutive failure(s)

==== OUTBOUND NEIGHBORS ====

DC=DomainDnsZones
Last attempt failed, result 87 (WERR_INVALID_PARAM)
26 consecutive failure(s)

DC=ForestDnsZones
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s)

DC=my_domain_name
Last attempt failed, result 87 (WERR_INVALID_PARAM)
26 consecutive failure(s)

DC=Schema
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s)

DC=Configuration
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s)

*dc2:* All the sections above show success but I can see some other errors:

resolve_lmhosts: Attempting lmhosts lookup for name dc2.my_domain_name<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No 
such file or directory

Server ldap/dc2.my_domain_name at my_domain_name is not registered with our 
KDC:  Miscellaneous failure (see text): Server 
(ldap/dc2.my_domain_name at my_domain_name) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: 
NT_STATUS_INVALID_PARAMETER

*dc1:* samba-tool dbcheck

Checking 466 objects
ERROR: orphaned backlink attribute 'memberOf' in CN=...
Not removing orphaned backlink member

ERROR: incorrect DN string component for member in object CN=...
Not fixing incorrect string version of DN

ERROR: orphaned backlink attribute 'memberOf' in CN=...
Not removing orphaned backlink member

Please use --fix to fix these errors
Checked 466 objects (86 errors)

*dc2:* samba-tool dbcheck

Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
Checking 466 objects
Checked 466 objects (0 errors)

I don't care about any data on dc2. I'm happy to purge it and re-run 
replication if it makes my issue go away.

But I do care a lot about dc1 since it's live and was working fine not 
long ago.

What's the likely root cause of my problems?

How to fix it safely without risking things getting worse?

Is it safe to run "samba-tool dbcheck --fix" on dc1?

Any other hints?

Thanks,
Adam
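The showrepl status quoted in the post is the kind of thing a DC operator wants checked continuously rather than eyeballed once something is already broken. Below is an added example (my own code, not Samba's and not the poster's) that parses `samba-tool drs showrepl` output, lists every partition whose last attempt failed or that still carries a non-zero consecutive-failure streak, and calls out partitions that are failing in both directions. It assumes the abbreviated layout shown in the post, one neighbour summary per partition line, and also tolerates the indented neighbour lines of the unabbreviated output; the sample text is constructed from the values the post reports.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the dc1 output from the post, abbreviated the same way.
SAMPLE_SHOWREPL = """\
==== INBOUND NEIGHBORS ====

DC=DomainDnsZones
Last attempt failed, result 87 (WERR_INVALID_PARAM)
1463 consecutive failure(s)

DC=ForestDnsZones
Last attempt failed, result 87 (WERR_INVALID_PARAM)
1463 consecutive failure(s)

==== OUTBOUND NEIGHBORS ====

DC=DomainDnsZones
Last attempt failed, result 87 (WERR_INVALID_PARAM)
26 consecutive failure(s)

DC=ForestDnsZones
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s)
"""


@dataclass
class NeighborStatus:
    direction: str                      # "inbound" or "outbound"
    partition: str                      # naming context, e.g. DC=DomainDnsZones
    ok: bool = False                    # True once a "was successful" line is seen
    result_code: Optional[int] = None   # Win32 error number from a failed line
    result_name: Optional[str] = None   # symbolic name, e.g. WERR_INVALID_PARAM
    consecutive_failures: int = 0


SECTION_RE = re.compile(r"^==== (INBOUND|OUTBOUND) NEIGHBORS ====$")
PARTITION_RE = re.compile(r"^(?:DC|CN)=")
FAILED_RE = re.compile(r"^Last attempt\b.*\bfailed, result (\d+) \((\w+)\)")
SUCCESS_RE = re.compile(r"^Last attempt\b.*\bwas successful")
COUNT_RE = re.compile(r"^(\d+) consecutive failure\(s\)")


def parse_showrepl(text: str) -> List[NeighborStatus]:
    """Parse showrepl text into one record per partition per direction."""
    records: List[NeighborStatus] = []
    direction: Optional[str] = None
    current: Optional[NeighborStatus] = None
    for raw in text.splitlines():
        line = raw.strip()          # real output indents neighbour lines with tabs
        section = SECTION_RE.match(line)
        if section:
            direction = section.group(1).lower()
            current = None
            continue
        if direction is None or not line:
            continue
        if PARTITION_RE.match(line):
            current = NeighborStatus(direction=direction, partition=line)
            records.append(current)
            continue
        if current is None:
            continue
        failed = FAILED_RE.match(line)
        if failed:
            current.ok = False
            current.result_code = int(failed.group(1))
            current.result_name = failed.group(2)
            continue
        if SUCCESS_RE.match(line):
            current.ok = True
            continue
        count = COUNT_RE.match(line)
        if count:
            current.consecutive_failures = int(count.group(1))
    return records


def unhealthy(records: List[NeighborStatus]) -> List[NeighborStatus]:
    """Partitions whose last attempt failed or that still carry a failure streak."""
    return [r for r in records if not r.ok or r.consecutive_failures > 0]


def broken_both_ways(records: List[NeighborStatus]) -> List[str]:
    """Partitions failing inbound *and* outbound: replication fully stalled."""
    bad = {(r.direction, r.partition) for r in unhealthy(records)}
    return sorted(p for d, p in bad if d == "inbound" and ("outbound", p) in bad)


if __name__ == "__main__":
    # Read real output from a pipe, or fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHOWREPL
    records = parse_showrepl(text)
    for r in unhealthy(records):
        print(f"{r.direction:8} {r.partition:40} result={r.result_code} "
              f"({r.result_name}) streak={r.consecutive_failures}")
    for p in broken_both_ways(records):
        print(f"STALLED both directions: {p}")
```

Run it on a DC as `samba-tool drs showrepl | python3 check_repl.py` (file name assumed) and wire the non-empty output into whatever alerting you already have. The script only flags the condition; the result code and name tell you which partition and direction to look at, not why, so the next step is the Samba log for that connection rather than any automatic repair.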


