[Samba] self compiled 4.10.3 replication failure.

Nico Kadel-Garcia nkadel at gmail.com
Mon May 20 23:38:02 UTC 2019 

On Mon, May 20, 2019 at 3:33 PM <me at tdiehl.org> wrote:
>
> On Sat, 18 May 2019, Nico Kadel-Garcia wrote:
>
> > On Wed, May 15, 2019 at 4:32 PM Tom Diehl via samba
> > <samba at lists.samba.org> wrote:
> >>
> >> Hi,
> >>
> >> I have a new Centos 7.6 VM that I self compiled 4.10.3 and joined it to an
> >> existing samba AD domain that has 2 existing DCs. One of the existing DCs is
> >> running 4.8.7 and the other is running 4.7.7. Everything looks OK except
> >> that when I run samba-tool drs showrepl on the new DC (VDC4) I get the
> >> following output:
> >
> > "self-compiled" can include a lot of sins, especially if trying to
> > place it alongside *or* in place of the provided libraries for tevent,
> > ldb, tdb, and talloc. Let me point you to my git repo,
>
> Well OK maybe I should have said self compiled using the instructions
> @ https://wiki.samba.org/index.php/Build_Samba_from_Source#configure and
> the package list from https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba#Red_Hat_Enterprise_Linux_7_.2F_CentOS_7_.2F_Scientific_Linux_7
> substituting python36-devel for python-devel and adding python32-dns
> to get the samba-tool dns module to work.
> None of the distro samba packages are installed.
>
> TBH, I am guessng about the package list given the change from python2 to python3
> as it does not look like the wiki has been updated for 4.10.x.
>
> > https:/github.com/nkadel/samba4repo/, with submodules for samba
> > itself, talloc, tevent, etc., etc. It's built to use the official
> > upstream tarballs from www.samba.org, not tarballs from *me*, and that
> > also will give you a good git repo you can use to manage any
> > compilation options in the ".spec" file.
>
> Is there a way to only build the Centos bits using your git repo? I have no
> Fedora machines and so far I have not been successful in getting the above
> to build on a Centos 7 VM using the version of Mock supplied by the Centos
> project.

Yeah. Comment out the other operating systems in the Makefiles.
Install the dependencies, as  RPMs, in order. The order in the top
level Makefile should get you through the process.

> >> I see errors similar to below in the logs:
> >> [2019/05/15 16:19:58.683401,  2] ../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
> >>    ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29465)
> >> [2019/05/15 16:19:58.695818,  2] ../../source4/rpc_server/drsuapi/getncchanges.c:3619(dcesrv_drsuapi_DsGetNCChanges)
> >>    DsGetNCChanges with uSNChanged >= 29465 flags 0x80000064 on <GUID=e9fe6598-6cfe-40dd-b882-33c6bc031517>;DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com gave 2 objects (done 2/2) 0 links (done 0/0 (as S-1-5-21-3052942767-4183929206-737583365-1279))
> >> [2019/05/15 16:20:01.245656,  2] ../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
> >>    Replicated 0 objects (0 linked attributes) for DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
> >> [2019/05/15 16:20:06.260687,  2] ../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
> >>    Replicated 2 objects (0 linked attributes) for DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
> >> [2019/05/15 16:20:06.271512,  0] ../../source4/dsdb/repl/drepl_out_helpers.c:1158(dreplsrv_update_refs_done)
> >>    UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for a57c74ed-3343-4497-965d-e7e50a1f84ae._msdcs.kmg.mydomain.com DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
> >> [2019/05/15 16:20:08.692911,  2] ../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
> >>    ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29467)
> >>
> >> Given the above errors this looks like a permissions problem but so far I have not
> >> been able to find it.
> >
> > Hmm. some classic questions include "is SELinux on", and "which
> > Kerberos did you use, the supported internal Heimdal Kerberos or the
> > experimental support for MIT kerberos?
>
> SELinux is in permissive and my configure line is simply ./configure so no MIT
> here. IMO no one in their right mind would try to use MIT in production.

If you just run "./configure" and then "make install, you can wind up
interleaving RPM based components on top of system components. Some of
the critical libraries are system libraries, used by other components,
and may not have been updated or may show up before your new compiled
versions based the system's LD_LIBRARY_PATH and other factors. I can't
try to debug that without a good look at what you have in place, and
where you put things, deliberately or accidentally. This is precisely
why I publish RPM's, and why for someone who doesn't like to play with
this stuff I'd actually they spend some money and pay for the Sernet,
commercially supported binaries.

> Regards,
>
> --
> Tom                     me at tdiehl.org

More information about the samba mailing list