[Samba] Problems with replication in the Samba 4
Marcio Demetrio Bacci
marciobacci at gmail.com
Sat Jul 27 19:13:24 UTC 2019
Hi,
I noticed that my Samba 4 DC isn't OK, because there are differences between
the data stored in the Schema on my Windows Server 2008 (not R2) DC and
the Samba 4 DC.
So I performed several tests on my servers, as shown below.
Here are the results of the repadmin command on the Windows Server 2008:
C:\Windows\system32>repadmin /showreps /verbose
Default-First-Site-Name\WIN-DC1
Opções DSA: IS_GC
Opções de site: (none)
GUID de objeto DSA: d580939f-a8b9-43ea-84e9-be0f9bd29468
ID Invocation DSA: 71c305c7-564f-44dc-bdc7-c03ee501bd52
==== VIZINHOS DE ENTRADA ======================================
DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-DC via RPC
GUID de objeto DSA: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
Address: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br
ID Invocation DSA: a20c8ed0-c72a-4e57-9e59-2236f127d0b8
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE NEVER_SYNCED
USNs: 0/OU, 0/PU
Last attempt on 2019-07-27 15:05:47 was delayed for a standard
reason
l,
resultado 8418 (0x20e2):
Replication operation failed due to a difference between the servers
involved.
Último êxito em (never).
Default-First-Site-Name\WIN-DC2 via RPC
GUID de objeto DSA: 3b894dae-0497-43ae-b69a-e31750112321
Address: 3b894dae-0497-43ae-b69a-e31750112321._msdcs.empresa.com.br
ID Invocation DSA: ad07f0d5-237c-4611-80a5-3751a318329b
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 26947030/OU, 26947030/PU
Last attempt on 2019-07-27 15:28:39 successful.
CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-DC via RPC
GUID de objeto DSA: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
Address: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br
ID Invocation DSA: a20c8ed0-c72a-4e57-9e59-2236f127d0b8
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 8413/OU, 8413/PU
Last attempt on 2019-07-27 14:58:10 successful.
Default-First-Site-Name\WIN-DC2 via RPC
GUID de objeto DSA: 3b894dae-0497-43ae-b69a-e31750112321
Address: 3b894dae-0497-43ae-b69a-e31750112321._msdcs.empresa.com.br
ID Invocation DSA: ad07f0d5-237c-4611-80a5-3751a318329b
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 26946849/OU, 26946849/PU
Last attempt on 2019-07-27 14:58:11 successful.
CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
GUID de objeto DSA: 3b894dae-0497-43ae-b69a-e31750112321
Address: 3b894dae-0497-43ae-b69a-e31750112321._msdcs.empresa.com.br
ID Invocation DSA: ad07f0d5-237c-4611-80a5-3751a318329b
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 26946580/OU, 26946580/PU
Last attempt on 2019-07-27 14:58:11 successful.
Default-First-Site-Name\SAMBA4-DC via RPC
GUID de objeto DSA: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
Address: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br
ID Invocation DSA: a20c8ed0-c72a-4e57-9e59-2236f127d0b8
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 8415/OU, 8415/PU
Last attempt on 2019-07-27 15:05:47 successful.
DC=DomainDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
GUID de objeto DSA: 3b894dae-0497-43ae-b69a-e31750112321
Address: 3b894dae-0497-43ae-b69a-e31750112321._msdcs.empresa.com.br
ID Invocation DSA: ad07f0d5-237c-4611-80a5-3751a318329b
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 26946580/OU, 26946580/PU
Last attempt on 2019-07-27 14:58:11 successful.
Default-First-Site-Name\SAMBA4-DC via RPC
GUID de objeto DSA: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
Address: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br
ID Invocation DSA: a20c8ed0-c72a-4e57-9e59-2236f127d0b8
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 8416/OU, 8416/PU
Last attempt on 2019-07-27 14:58:11 successful.
DC=ForestDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-DC via RPC
GUID de objeto DSA: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
Address: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br
ID Invocation DSA: a20c8ed0-c72a-4e57-9e59-2236f127d0b8
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 8417/OU, 8417/PU
Last attempt on 2019-07-27 14:58:11 successful.
Default-First-Site-Name\WIN-DC2 via RPC
GUID de objeto DSA: 3b894dae-0497-43ae-b69a-e31750112321
Address: 3b894dae-0497-43ae-b69a-e31750112321._msdcs.empresa.com.br
ID Invocation DSA: ad07f0d5-237c-4611-80a5-3751a318329b
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 26946847/OU, 26946847/PU
Last attempt on 2019-07-27 14:58:12 successful.
#########################################################################################
Below is the result of the repadmin command on the Samba 4 DC:
samba-tool drs showrepl
Default-First-Site-Name\SAMBA4-DC
DSA Options: 0x00000001
DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
DSA invocationId: a20c8ed0-c72a-4e57-9e59-2236f127d0b8
==== INBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC1 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Sat Jul 27 15:22:01 2019 -03 was successful
0 consecutive failure(s).
Last success @ Sat Jul 27 15:22:01 2019 -03
DC=ForestDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: 3b894dae-0497-43ae-b69a-e31750112321
Last attempt @ Sat Jul 27 15:22:01 2019 -03 was successful
0 consecutive failure(s).
Last success @ Sat Jul 27 15:22:01 2019 -03
CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC1 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Sat Jul 27 15:22:01 2019 -03 was successful
0 consecutive failure(s).
Last success @ Sat Jul 27 15:22:01 2019 -03
CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: 3b894dae-0497-43ae-b69a-e31750112321
Last attempt @ Sat Jul 27 15:22:01 2019 -03 was successful
0 consecutive failure(s).
Last success @ Sat Jul 27 15:22:01 2019 -03
DC=DomainDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC1 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Sat Jul 27 15:22:01 2019 -03 was successful
0 consecutive failure(s).
Last success @ Sat Jul 27 15:22:01 2019 -03
DC=DomainDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: 3b894dae-0497-43ae-b69a-e31750112321
Last attempt @ Sat Jul 27 15:22:01 2019 -03 was successful
0 consecutive failure(s).
Last success @ Sat Jul 27 15:22:01 2019 -03
CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC1 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Sat Jul 27 15:22:01 2019 -03 was successful
0 consecutive failure(s).
Last success @ Sat Jul 27 15:22:01 2019 -03
CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: 3b894dae-0497-43ae-b69a-e31750112321
Last attempt @ Sat Jul 27 15:22:01 2019 -03 was successful
0 consecutive failure(s).
Last success @ Sat Jul 27 15:22:01 2019 -03
DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC1 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Sat Jul 27 15:25:55 2019 -03 was successful
0 consecutive failure(s).
Last success @ Sat Jul 27 15:25:55 2019 -03
DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: 3b894dae-0497-43ae-b69a-e31750112321
Last attempt @ Sat Jul 27 15:25:10 2019 -03 was successful
0 consecutive failure(s).
Last success @ Sat Jul 27 15:25:10 2019 -03
==== OUTBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC1 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Fri Jul 26 22:58:50 2019 -03 was successful
0 consecutive failure(s).
Last success @ Fri Jul 26 22:58:50 2019 -03
DC=ForestDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: 3b894dae-0497-43ae-b69a-e31750112321
Last attempt @ Fri Jul 26 11:56:48 2019 -03 was successful
0 consecutive failure(s).
Last success @ Fri Jul 26 11:56:48 2019 -03
CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC1 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Fri Jul 26 22:58:00 2019 -03 was successful
0 consecutive failure(s).
Last success @ Fri Jul 26 22:58:00 2019 -03
CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: 3b894dae-0497-43ae-b69a-e31750112321
Last attempt @ Fri Jul 26 11:56:48 2019 -03 was successful
0 consecutive failure(s).
Last success @ Fri Jul 26 11:56:48 2019 -03
DC=DomainDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC1 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Fri Jul 26 22:58:45 2019 -03 was successful
0 consecutive failure(s).
Last success @ Fri Jul 26 22:58:45 2019 -03
DC=DomainDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: 3b894dae-0497-43ae-b69a-e31750112321
Last attempt @ Fri Jul 26 11:56:48 2019 -03 was successful
0 consecutive failure(s).
Last success @ Fri Jul 26 11:56:48 2019 -03
CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC1 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Fri Jul 26 22:58:10 2019 -03 was successful
0 consecutive failure(s).
Last success @ Fri Jul 26 22:58:10 2019 -03
CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: 3b894dae-0497-43ae-b69a-e31750112321
Last attempt @ Fri Jul 26 11:56:48 2019 -03 was successful
0 consecutive failure(s).
Last success @ Fri Jul 26 11:56:48 2019 -03
DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC1 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Sat Jul 27 15:05:48 2019 -03 was successful
0 consecutive failure(s).
Last success @ Sat Jul 27 15:05:48 2019 -03
DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: 3b894dae-0497-43ae-b69a-e31750112321
Last attempt @ Sat Jul 27 12:30:30 2019 -03 was successful
0 consecutive failure(s).
Last success @ Sat Jul 27 12:30:30 2019 -03
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: c6393fbd-461c-4fd7-ac62-4801a3de43d2
Enabled : TRUE
Server DNS name : win-dc1.empresa.com.br
Server DN name : CN=NTDS Settings,CN=WIN-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: e5cef3eb-3c8a-4a75-8907-6712af32c952
Enabled : TRUE
Server DNS name : win-dc2.empresa.com.br
Server DN name : CN=NTDS Settings,CN=WIN-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
###################################################
Below is part of the result of the samba-tool ldapcmp command on the Samba 4 DC:
samba-tool ldapcmp ldap://WIN-DC1 ldap://SAMBA4-DC -UAdministrator
Password for [EMPRESA\Administrator]:
* Comparing [DOMAIN] context...
* Objects to be compared: 1788
Comparing:
'CN=COMP0039,CN=Computers,DC=empresa,DC=com,DC=br' [ldap://WIN-DC1]
'CN=COMP0039,CN=Computers,DC=empresa,DC=com,DC=br' [ldap://SAMBA4-DC]
Difference in attribute values:
lastLogonTimestamp =>
['132076666821833100']
['132085303876955790']
FAILED
Comparing:
'CN=COMP10005,CN=Computers,DC=empresa,DC=com,DC=br' [ldap://WIN-DC1]
'CN=COMP10005,CN=Computers,DC=empresa,DC=com,DC=br' [ldap://SAMBA4-DC]
Difference in attribute values:
lastLogonTimestamp =>
['132077518489276456']
['132086132301542190']
FAILED
.......
Comparing:
'CN=Administrador,CN=Users,DC=empresa,DC=com,DC=br' [ldap://WIN-DC1]
'CN=Administrador,CN=Users,DC=empresa,DC=com,DC=br' [ldap://SAMBA4-DC]
Difference in attribute values:
userParameters =>
['
P\x04\x1a\x08\x01CtxCfgPresent\xe3\x94\xb5\xe6\x94\xb1\xe6\x88\xb0\xe3\x81\xa2\x18\x08\x01CtxCfgFlags1\xe3\x80\xb0\xe3\x81\xa5\xe3\x80\xb0\xe3\x80\xb1\x12\x08\x01CtxShadow\xe3\x84\xb0\xe3\x80\xb0\xe3\x80\xb0\xe3\x80\xb0*\x02\x01CtxMinEncryptionLevel\xe3\x80\xb0']
[' \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00
\x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00
\x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00
\x00 \x00 \x00
\x00P\x00\x04\x00\x1a\x00\x08\x00\x01\x00C\x00t\x00x\x00C\x00f\x00g\x00P\x00r\x00e\x00s\x00e\x00n\x00t\x00551e0bb0\x18\x00\x08\x00\x01\x00C\x00t\x00x\x00C\x00f\x00g\x00F\x00l\x00a\x00g\x00s\x001\x0000e00010\x12\x00\x08\x00\x01\x00C\x00t\x00x\x00S\x00h\x00a\x00d\x00o\x00w\x0001000000*\x00\x02\x00\x01\x00C\x00t\x00x\x00M\x00i\x00n\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00i\x00o\x00n\x00L\x00e\x00v\x00e\x00l\x0000']
FAILED
.......
* Result for [DOMAIN]: FAILURE
SUMMARY
---------
Attributes with different values:
servicePrincipalName
lastLogonTimestamp
userParameters
pwdLastSet
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1649
* Result for [CONFIGURATION]: SUCCESS
* Comparing [SCHEMA] context...
* Objects to be compared: 1518
* Result for [SCHEMA]: SUCCESS
* Comparing [DNSDOMAIN] context...
* Objects to be compared: 209
* Result for [DNSDOMAIN]: SUCCESS
* Comparing [DNSFOREST] context...
* Objects to be compared: 17
* Result for [DNSFOREST]: SUCCESS
ERROR: Compare failed: -1
#############################################
Below is the result of the ldbsearch -H command on the Samba 4 DC:
ldbsearch -H /var/lib/samba/private/sam.ldb '(fromServer=*CN=SAMBA4-DC*)' --cross-ncs dn
# record 1
dn: CN=b58de6d7-9206-42ff-9a85-56a40a93b327,CN=NTDS Settings,CN=WIN-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
# record 2
dn: CN=10993b69-00cf-404a-be18-c77e1d3417d1,CN=NTDS Settings,CN=WIN-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
# returned 2 records
# 2 entries
# 0 referrals
Would anyone have an idea how to properly sync my servers?
Regards,
Márcio Bacci
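
Added example, not part of the original post: a small Python parser for the `samba-tool drs showrepl` text layout shown above that lists each replication link and flags those whose last attempt was not successful or whose failure counter is non-zero. The sample input is constructed (its failing outbound link is invented for illustration) and the function names are hypothetical.

```python
import re

# Constructed sample in the showrepl text layout; the failing link is invented.
SAMPLE = """\
==== INBOUND NEIGHBORS ====
DC=empresa,DC=com,DC=br
    Default-First-Site-Name\\WIN-DC1 via RPC
        DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
        Last attempt @ Sat Jul 27 15:25:55 2019 -03 was successful
        0 consecutive failure(s).
==== OUTBOUND NEIGHBORS ====
DC=empresa,DC=com,DC=br
    Default-First-Site-Name\\WIN-DC1 via RPC
        DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
        Last attempt @ Sat Jul 27 15:05:48 2019 -03 failed, result 8418
        3 consecutive failure(s).
"""

SECTION = re.compile(r"^==== (\w+) NEIGHBORS ====$")
PARTNER = re.compile(r"^(\S+)\\(\S+) via (\S+)$")
FAILS = re.compile(r"^(\d+) consecutive failure\(s\)\.$")

def parse_showrepl(text):
    # Returns one dict per (direction, naming context, partner) link.
    links, direction, nc, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()              # tolerate lost or varying indentation
        if line.startswith("===="):
            m = SECTION.match(line)     # the KCC section is not a neighbor list
            direction = m.group(1).lower() if m else None
            continue
        if direction is None or not line:
            continue
        m = PARTNER.match(line)
        if m:
            cur = {"direction": direction, "nc": nc, "site": m.group(1),
                   "partner": m.group(2), "ok": None, "failures": 0}
            links.append(cur)
        elif re.match(r"(DC|CN)=", line):   # naming context heading
            nc = line
        elif cur and line.startswith("Last attempt @"):
            cur["ok"] = line.endswith("was successful")
        elif cur and (m := FAILS.match(line)):
            cur["failures"] = int(m.group(1))
    return links

def unhealthy(links):
    # A link with no parsed "Last attempt" line (ok is None) is also reported.
    return [l for l in links if not l["ok"] or l["failures"]]
```

One DC's view is not enough: in the post, SAMBA4-DC reports every link as successful, while the repadmin output on WIN-DC1 shows result 8418 for its inbound DC=empresa,DC=com,DC=br link from SAMBA4-DC.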