[Samba] messy replication

Rowland penny rpenny at samba.org
Tue Jul 16 11:55:34 UTC 2019


On 16/07/2019 12:30, Adam Weremczuk via samba wrote:
> Hi all,
>
> I have an old dc (4.0.9). Let's call it dc1.
Yes, that is an old DC ;-)
> I also have a new one (4.5.16) which I'm planning to switch to. Let's 
> call it dc2.
No, that is still an old DC ;-)
>
> After initial set up of dc2 I initialised replication and things 
> looked ok for a couple of weeks.
> Recently I've managed to mess it up. Possibly by editing users and DNS 
> records.
How did you edit the users and why?
> Or copying Kerberos cache and trying to use it elsewhere for DHCP with 
> DDNS.
You do not use the Kerberos cache with DHCP.
>
>
> I can connect to DNS with Windows domain tool fine and can see both 
> domain controllers.
>
> Active Directory Users and Computers fails intermittently (not always) 
> with:
>
> "Naming information cannot be located because:
> The user name or password is incorrect.
> Contact your system administrator to verify that your domain is 
> properly configured and is currently online"
>
> Another symptom is network drives not being automatically mounted with 
> group policy (similar authentication error).
> They can be mounted manually though.
> Users can log in and computers can quit and rejoin the domain.
> So the situation is not dramatic yet.
>
> Errors from samba-tool (output abbreviated).
>
> *dc1:* samba-tool drs showrepl
>
> ==== INBOUND NEIGHBORS ====
>
> DC=DomainDnsZones
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 1463 consecutive failure(s)
>
> DC=ForestDnsZones
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 1463 consecutive failure(s)
>
> DC=my_domain_name
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 1474 consecutive failure(s)
>
> DC=Schema
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 1463 consecutive failure(s)
>
> DC=Configuration
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 1463 consecutive failure(s)
>
> ==== OUTBOUND NEIGHBORS ====
>
> DC=DomainDnsZones
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 26 consecutive failure(s)
>
> DC=ForestDnsZones
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s)
>
> DC=my_domain_name
> Last attempt failed, result 87 (WERR_INVALID_PARAM)
> 26 consecutive failure(s)
>
> DC=Schema
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s)
>
> DC=Configuration
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s)
>
> *dc2:* All the sections above show success but I can see some other 
> errors:
>
> resolve_lmhosts: Attempting lmhosts lookup for name 
> dc2.my_domain_name<0x20>
> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No 
> such file or directory
>
That isn't an error as such, so it can be ignored.
> Server ldap/dc2.my_domain_name@my_domain_name is not registered with 
> our KDC:  Miscellaneous failure (see text): Server 
> (ldap/dc2.my_domain_name@my_domain_name) unknown
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: 
> NT_STATUS_INVALID_PARAMETER
It looks like the SPN hasn't replicated.
>
> *dc1:* samba-tool dbcheck
>
> Checking 466 objects
> ERROR: orphaned backlink attribute 'memberOf' in CN=...
> Not removing orphaned backlink member
Ah, did you remove a 'member' attribute from a group?
>
> ERROR: incorrect DN string component for member in object CN=...
> Not fixing incorrect string version of DN
>
> ERROR: orphaned backlink attribute 'memberOf' in CN=...
> Not removing orphaned backlink member
>
> Please use --fix to fix these errors
> Checked 466 objects (86 errors)
>
> *dc2:* samba-tool dbcheck
>
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> pm_process() returned Yes
> Checking 466 objects
> Checked 466 objects (0 errors)
>
> I don't care about any data on dc2. I'm happy to purge it and re-run 
> replication if it makes my issue go away.
>
> But I do care a lot about dc1 since it's live and was working fine not 
> long ago.
>
> What's the likely root cause of my problems?
>
> How to fix it safely without risking things getting worse?
>
> Is it safe to run "samba-tool dbcheck --fix" on dc1?
>
> Any other hints?
>
> Thanks,
> Adam
>
I see Louis has responded; please do what he has requested and we will 
take it from there.

Rowland
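
An added example, not part of the original message and not Samba project code: a small Python parser that summarises `samba-tool drs showrepl` output per partition and direction, so a growing failure count like the one quoted above is caught early. It assumes the abbreviated output shape quoted in this thread; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample in the abbreviated shape quoted in the thread (not real output).
SAMPLE = """\
==== INBOUND NEIGHBORS ====

DC=DomainDnsZones
Last attempt failed, result 87 (WERR_INVALID_PARAM)
1463 consecutive failure(s)

DC=Schema
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s)

==== OUTBOUND NEIGHBORS ====

DC=my_domain_name
Last attempt failed, result 87 (WERR_INVALID_PARAM)
26 consecutive failure(s)
"""

SECTION = re.compile(r"^=+\s*(INBOUND|OUTBOUND) NEIGHBORS\s*=+$")
FAILED = re.compile(r"failed, result (\d+) \((\w+)\)")
COUNT = re.compile(r"^(\d+) consecutive failure\(s\)")

def parse_showrepl(text):
    """Return one dict per partition entry found under a NEIGHBORS section."""
    entries, direction, cur = [], None, None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").strip()  # tolerate mail quoting and indentation
        if line.startswith("===="):
            m = SECTION.match(line)
            direction, cur = (m.group(1) if m else None), None
        elif direction and re.match(r"^(DC|CN)=", line):
            cur = {"direction": direction, "partition": line,
                   "code": 0, "name": None, "failures": 0}
            entries.append(cur)
        elif cur and (m := FAILED.search(line)):
            cur["code"], cur["name"] = int(m.group(1)), m.group(2)
        elif cur and (m := COUNT.match(line)):
            cur["failures"] = int(m.group(1))
    return entries

def failing(entries, threshold=1):
    """Entries at or above the consecutive-failure threshold, worst first."""
    bad = [e for e in entries if e["failures"] >= threshold]
    return sorted(bad, key=lambda e: -e["failures"])

if __name__ == "__main__":
    for e in failing(parse_showrepl(SAMPLE)):
        print(f'{e["direction"]:8} {e["partition"]:20} {e["name"]} x{e["failures"]}')
```
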




