[Samba] Failed to commit objects: DOS code 0x000021bf attempting to add DC to Zentyal 3.2 domain (samba 4.1.7)

Andrew Bartlett abartlet at samba.org
Mon May 25 21:22:39 UTC 2020

On Mon, 2020-05-25 at 10:26 -0400, Rich Webb via samba wrote:
> ----- On May 24, 2020, at 11:30 PM, samba samba at lists.samba.org
> wrote:
> > On Sun, 2020-05-24 at 23:01 -0400, Rich Webb via samba wrote:
> > > Hello,
> > > 
> > > I'm attempting to join a new samba 4 server version 4.12.3 to an
> > > existing samba 4 domain running on Zentyal 3.2 (samba version
> > > 4.1.7).
> > > 
> > > I'm getting the error in the subject line: Failed to commit
> > > objects:
> > > DOS code 0x000021bf
> > 
> > If you turn up the log level is there more information?  (eg -d4)?
> > 
> > But yes, Samba 4.1.7 is before we fixed a number of issues in the
> > replication protocol, and I'm not surprised you have issues.
> > 
> > Andrew Bartlett
> > 
> > --
> Also I am currently using 4.10.15 as I tried to backrev to a version
> that would join properly. The -d4 produced a ton of output... Let me
> know if you need more but here is the final pieces that would likely
> give a clue.  I have no idea what mail-fs1 is.. that may have been an
> old host name possibly left hanging around in DNS?  The DC's name is
> fs1:
> Missing parent while attempting to apply records: No parent with GUID
> fe34e0f7-7c0d-415d-af6e-d564e2b1cdb4 found for object remotely known
> as CN=mail-fs1,OU=Kerberos,DC=tca,DC=local

> ERROR(runtime): uncaught exception - (8460, "Failed to process
> 'chunk' of DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")

Thanks, this gives us the information we need.

What has happened here is that Samba 4.1, indeed all Samba versions,
sort the returned results by the order of last change.  However, versions
before 4.4 did not know about the GET_ANC flag, to sort the results
tree-wise, which we need in this situation, so we can find the parent
objects before we replicate the children.

This means that, to replicate from Samba 4.1, you need to carefully
change an unimportant attribute in all the child objects of OU=Kerberos
'later' than the last change of OU=Kerberos itself. 

The only other alternative is an in-place upgrade, so the sending Samba
version gains this capability.

If this makes sense, then have a go.  Otherwise (or if this is a large
or critical network) this might be a job for a commercial support
provider who will probably write a script to assist.

How big is your domain?

(Dreaming, with unlimited development time I would love to have Samba
cope with this natively, by sorting the results on the new DC and using
REPL_SINGLE_OBJECT to fill in the gaps, but this is a much bigger

I hope this gives you a way forward.

Andrew Bartlett

Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
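
The ordering problem and workaround described in this message, modelled as an added example (not part of the original email and not Samba code). It assumes each object carries a single "last change" counter, in the manner of uSNChanged; every DN except the one from the log above, and all counter values, are constructed.

```python
# Model: the sender returns objects sorted by last change only (no GET_ANC),
# and the receiver rejects any object whose parent has not arrived yet.

def parent_dn(dn):
    # Naive split: assumes no escaped commas inside an RDN.
    return dn.split(",", 1)[1] if "," in dn else None

def missing_parents(objs):
    """objs maps DN -> change counter. Return the DNs that would be sent
    before their parent when results are ordered by last change."""
    seen, failures = set(), []
    for dn in sorted(objs, key=objs.get):
        p = parent_dn(dn)
        if p in objs and p not in seen:
            failures.append(dn)
        seen.add(dn)
    return failures

def touch_plan(objs):
    """Return (plan, counters): the DNs to modify, parents first, so that
    every child ends up changed later than its parent. Touching a child
    can push it past its own children, so the check cascades downward."""
    eff = dict(objs)
    nxt = max(eff.values()) + 1
    plan = []
    for dn in sorted(eff, key=lambda d: d.count(",")):  # shallowest first
        p = parent_dn(dn)
        if p in eff and eff[dn] < eff[p]:
            eff[dn] = nxt  # what a harmless attribute change would do
            nxt += 1
            plan.append(dn)
    return plan, eff

# Constructed sample: OU=Kerberos was modified after its children.
SAMPLE = {
    "DC=tca,DC=local": 10,
    "OU=Kerberos,DC=tca,DC=local": 500,
    "CN=Users,DC=tca,DC=local": 20,
    "CN=mail-fs1,OU=Kerberos,DC=tca,DC=local": 120,
    "CN=host-a,OU=Kerberos,DC=tca,DC=local": 130,            # hypothetical
    "CN=key1,CN=host-a,OU=Kerberos,DC=tca,DC=local": 140,    # hypothetical
}

if __name__ == "__main__":
    print("sent before parent:", missing_parents(SAMPLE))
    plan, after = touch_plan(SAMPLE)
    print("touch in this order:", plan)
    print("still failing after touch:", missing_parents(after))
```

On a real domain the counters would come from a search of the affected subtree, and the plan order is the order in which to apply the attribute changes.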
