[Samba] messy replication

L.P.H. van Belle belle at bazuin.nl
Tue Jul 16 11:38:14 UTC 2019 

Can you run this on both your DC's 

wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh 
bash samba-collect-debug-info.sh 

As im seeing multiple "invalid parameter" message, we need to see more of the setup. 
Anonimize the output if needed. 

Run this on both DC's  : touch /etc/samba/lmhosts 
And that lmhosts message is gone. 

Greetz, 

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Adam 
> Weremczuk via samba
> Verzonden: dinsdag 16 juli 2019 13:30
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] messy replication
> 
> Hi all,
> 
> I have an old dc (4.0.9). Let's call it dc1.
> I also have a new one (4.5.16) which I'm planning to switch to. Let's 
> call it dc2.
> 
> After initial set up of dc2 I initialised replication and 
> things looked 
> ok for a couple of weeks.
> Recently I've managed to mess it up. Possibly by editing 
> users and DNS 
> records. Or copying Kerberos cache and trying to use it elsewhere for 
> DHCP with DDNS.
> 
> I can connect to DNS with Windows domain tool fine and can see both 
> domain controllers.
> 
> Active Directory Users and Computers fails intermittently 
> (not always) with:
> 
> "Naming information cannot be located because:
> The user name or password is incorrect.
> Contact your system administrator to verify that your domain 
> is properly 
> configured and is currently online"
> 
> Another symptom is network drives not being automatically 
> mounted with 
> group policy (similar authentication error).
> They can be mounted manually though.
> Users can log in and computers can quit and rejoin the domain.
> So the situation is not dramatic yet.
> 
> Errors from samba-tool (output abbreviated).
> 
> *dc1:* samba-tool drs showrepl
> 
> ==== INBOUND NEIGHBORS ====
> 
> DC=DomainDnsZones
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 1463 consecutive failure(s)
> 
> DC=ForestDnsZones
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 1463 consecutive failure(s)
> 
> DC=my_domain_name
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 1474 consecutive failure(s)
> 
> DC=Schema
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 1463 consecutive failure(s)
> 
> DC=Configuration
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 1463 consecutive failure(s)
> 
> ==== OUTBOUND NEIGHBORS ====
> 
> DC=DomainDnsZones
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 26 consecutive failure(s)
> 
> DC=ForestDnsZones
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s)
> 
> DC=my_domain_name
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 26 consecutive failure(s)
> 
> DC=Schema
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s)
> 
> DC=Configuration
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s)
> 
> *dc2:* All the sections above show success but I can see some 
> other errors:
> 
> resolve_lmhosts: Attempting lmhosts lookup for name 
> dc2.my_domain_name<0x20>
> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. 
> Error was No 
> such file or directory
> 
> Server ldap/dc2.my_domain_name at my_domain_name is not 
> registered with our 
> KDC:  Miscellaneous failure (see text): Server 
> (ldap/dc2.my_domain_name at my_domain_name) unknown
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: 
> NT_STATUS_INVALID_PARAMETER
> 
> *dc1: *samba-tool dbcheck
> 
> Checking 466 objects
> ERROR: orphaned backlink attribute 'memberOf' in CN=...
> Not removing orphaned backlink member
> 
> ERROR: incorrect DN string component for member in object CN=...
> Not fixing incorrect string version of DN
> 
> ERROR: orphaned backlink attribute 'memberOf' in CN=...
> Not removing orphaned backlink member
> 
> Please use --fix to fix these errors
> Checked 466 objects (86 errors)
> 
> *dc2:* samba-tool dbcheck
> 
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> pm_process() returned Yes
> Checking 466 objects
> Checked 466 objects (0 errors)
> 
> I don't care about any data on dc2. I'm happy to purge it and re-run 
> replication if it makes my issue go away.
> 
> But I do care a lot about dc1 since it's live and was working 
> fine not 
> long ago.
> 
> What's the likely root cause of my problems?
> 
> How to fix it safely without risking things getting worse?
> 
> Is it safe to run "samba-tool dbcheck --fix" on dc1?
> 
> Any other hints?
> 
> Thanks,
> Adam
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

More information about the samba mailing list