[Samba] self compiled 4.10.3 replication failure.

Nico Kadel-Garcia nkadel at gmail.com
Sat May 18 13:05:25 UTC 2019

On Wed, May 15, 2019 at 4:32 PM Tom Diehl via samba
<samba at lists.samba.org> wrote:
> Hi,
> I have a new CentOS 7.6 VM that I self compiled 4.10.3 and joined it to an
> existing samba AD domain that has 2 existing DCs. One of the existing DCs is
> running 4.8.7 and the other is running 4.7.7. Everything looks OK except
> that when I run samba-tool drs showrepl on the new DC (VDC4) I get the
> following output:

"self-compiled" can include a lot of sins, especially if trying to
place it alongside *or* in place of the provided libraries for tevent,
ldb, tdb, and talloc. Let me point you to my git repo,
https://github.com/nkadel/samba4repo/, with submodules for samba
itself, talloc, tevent, etc., etc. It's built to use the official
upstream tarballs from www.samba.org, not tarballs from *me*, and that
also will give you a good git repo you can use to manage any
compilation options in the ".spec" file.

> I see errors similar to below in the logs:
> [2019/05/15 16:19:58.683401,  2] ../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
>    ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29465)
> [2019/05/15 16:19:58.695818,  2] ../../source4/rpc_server/drsuapi/getncchanges.c:3619(dcesrv_drsuapi_DsGetNCChanges)
>    DsGetNCChanges with uSNChanged >= 29465 flags 0x80000064 on <GUID=e9fe6598-6cfe-40dd-b882-33c6bc031517>;DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com gave 2 objects (done 2/2) 0 links (done 0/0 (as S-1-5-21-3052942767-4183929206-737583365-1279))
> [2019/05/15 16:20:01.245656,  2] ../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
>    Replicated 0 objects (0 linked attributes) for DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
> [2019/05/15 16:20:06.260687,  2] ../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
>    Replicated 2 objects (0 linked attributes) for DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
> [2019/05/15 16:20:06.271512,  0] ../../source4/dsdb/repl/drepl_out_helpers.c:1158(dreplsrv_update_refs_done)
>    UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for a57c74ed-3343-4497-965d-e7e50a1f84ae._msdcs.kmg.mydomain.com DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
> [2019/05/15 16:20:08.692911,  2] ../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
>    ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29467)
> Given the above errors this looks like a permissions problem but so far I have not
> been able to find it.

Hmm. Some classic questions include "is SELinux on", and "which
Kerberos did you use, the supported internal Heimdal Kerberos or the
experimental support for MIT Kerberos?"

> Does anyone have any ideas how to troubleshoot this and fix it?
> Regards,
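
A small triage script for the log excerpt quoted in this message, added here as an example (not code from the thread or from the Samba project): it parses the header-plus-indented-message entry layout and counts level-0 replication failures per partner and naming context. The domain, GUID and second failure entry in the sample are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the layout of the quoted log: a bracketed header
# (timestamp, debug level, source file:line(function)), then indented text.
SAMPLE_LOG = """\
[2019/05/15 16:20:01.245656,  2] ../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
  Replicated 2 objects (0 linked attributes) for DC=DomainDnsZones,DC=example,DC=com
[2019/05/15 16:20:06.271512,  0] ../../source4/dsdb/repl/drepl_out_helpers.c:1158(dreplsrv_update_refs_done)
  UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 11111111-2222-3333-4444-555555555555._msdcs.example.com DC=DomainDnsZones,DC=example,DC=com
[2019/05/15 16:25:06.301877,  0] ../../source4/dsdb/repl/drepl_out_helpers.c:1158(dreplsrv_update_refs_done)
  UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 11111111-2222-3333-4444-555555555555._msdcs.example.com DC=DomainDnsZones,DC=example,DC=com
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\] "
                    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
FAILURE = re.compile(r"(?P<op>\w+) failed with (?P<werr>WERR_\w+)/NT code "
                     r"(?P<nt>0x[0-9a-fA-F]+) for (?P<partner>\S+) (?P<nc>\S+)")

def parse_entries(text):
    """Split a log into entries: one header line plus its message lines."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "level": int(m["level"]), "msg": ""})
        elif entries and raw.strip():
            # Continuation line: belongs to the most recent header.
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def replication_failures(entries):
    """Count level-0 '<op> failed with WERR_...' entries per partner and NC."""
    counts = Counter()
    for e in entries:
        m = FAILURE.search(e["msg"]) if e["level"] == 0 else None
        if m:
            counts[(m["op"], m["werr"], m["partner"], m["nc"])] += 1
    return counts

if __name__ == "__main__":
    for (op, werr, partner, nc), n in replication_failures(parse_entries(SAMPLE_LOG)).items():
        print(f"{n}x {op} {werr} partner={partner} nc={nc}")
```

Grouping by partner and naming context shows at a glance whether the access-denied result is confined to one DC pair or one partition.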
