[Samba] Replication issues / local DRS authentication failure

Derek Lambert dlambert at dereklambert.com
Mon Oct 19 17:43:46 UTC 2020


I'm having recurring issues with the second DC in my Samba AD domain. I've
demoted/removed the second DC a number of times and re-provisioned it.
It'll work for a bit and then replication breaks.

Since replication is broken I've been doing the following to remove it:

systemctl stop samba
systemctl disable samba

samba-tool domain demote --remove-other-dead-server=h-msn-smbdc-02 --verbose --username=administrator
samba-tool dbcheck --cross-ncs --fix --yes
systemctl restart samba
samba-tool domain tombstones expunge

Before re-provisioning DC-02 yet again, I wanted to make sure DC-01 is
truly healthy, and it appears that it may not be.

[root at h-msn-smbdc-01 ~]# samba-tool drs showrepl
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
h-msn-smbdc-01.dom.local.com failed - drsException: DRS connection to
h-msn-smbdc-01.dom.local.com failed: (3221225581, 'The attempted logon is
invalid. This is either due to a bad username or authentication
  File "/usr/lib64/python3.8/site-packages/samba/netcmd/drs.py", line 55,
in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib64/python3.8/site-packages/samba/drs_utils.py", line 63, in
    raise drsException("DRS connection to %s failed: %s" % (server, e))

[root at h-msn-smbdc-01 ~]# net ads testjoin
kerberos_kinit_password LOCAL at DOM.LOCAL.COM failed: Client not found in
Kerberos database
kerberos_kinit_password LOCAL at DOM.LOCAL.COM failed: Client not found in
Kerberos database
Join to domain is not valid: The name provided is not a properly formed
account name.

[root at h-msn-smbdc-01 ~]# net rpc testjoin
Join to domain 'LOCAL' is not valid: NT_STATUS_ACCESS_DENIED

It looks like there's some sort of authentication issue with authenticating
to itself?

I've considered re-provisioning DC-02 and stealing all the FSMO roles,
demoting/removing DC-01, and re-provisioning DC-01. Not sure if that'd fix
the issue, but I'd rather understand what the root cause of this is.

Any help would be greatly appreciated.
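The three checks in the post (`samba-tool drs showrepl`, `net ads testjoin`, `net rpc testjoin`) each fail in a way that points at the DC's own authentication rather than at the peer. The script below is an added example, not code from the thread or from the Samba project: it classifies the output of those commands into failure categories, decodes the decimal NTSTATUS that the DRS bind error reports (3221225581 is 0xC000006D, NT_STATUS_LOGON_FAILURE), and flags the "DC cannot authenticate to itself" condition before anyone demotes or re-provisions anything. The sample outputs embedded in it are constructed to mirror the symptoms in the post; host and realm names in them are placeholders. When the Samba tools are installed it runs the real commands instead.

```python
"""Triage helper for a Samba AD DC that fails to authenticate to itself.

Added example (not from the mailing-list thread or the Samba project).
Classifies the output of three health checks and decodes the NTSTATUS
surfaced by a failed local DRS bind. Sample outputs are constructed.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional

# Constructed sample outputs, abridged and modelled on the thread's symptoms.
# dc01.example.com / EXAMPLE.COM are placeholders, not the poster's names.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "samba-tool drs showrepl": (
        "ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to "
        "dc01.example.com failed: (3221225581, 'The attempted logon is "
        "invalid. This is either due to a bad username or authentication "
        "information.')"
    ),
    "net ads testjoin": (
        "kerberos_kinit_password EXAMPLE@EXAMPLE.COM failed: Client not found "
        "in Kerberos database\n"
        "Join to domain is not valid: The name provided is not a properly "
        "formed account name."
    ),
    "net rpc testjoin": (
        "Join to domain 'EXAMPLE' is not valid: NT_STATUS_ACCESS_DENIED"
    ),
}

# NTSTATUS values from the Windows NTSTATUS table.
NTSTATUS_NAMES = {
    0xC000006D: "NT_STATUS_LOGON_FAILURE",
    0xC0000022: "NT_STATUS_ACCESS_DENIED",
}

# (category, pattern) pairs matched against each command's output.
RULES = [
    ("drs_local_bind_rejected", re.compile(r"DRS connection to \S+ failed: \(\d+,")),
    ("kdc_principal_unknown", re.compile(r"Client not found in Kerberos database")),
    ("malformed_account_name", re.compile(r"not a properly formed account name")),
    ("rpc_join_access_denied", re.compile(r"NT_STATUS_ACCESS_DENIED")),
]

# Defender-side guidance per category (general Samba AD practice, not a
# diagnosis of the poster's domain).
CHECKLIST = {
    "drs_local_bind_rejected": "DRSUAPI bind to the DC's own endpoint was "
        "refused; a LOGON_FAILURE here implicates this DC's machine account "
        "or stored secrets, not the replication partner.",
    "kdc_principal_unknown": "The KDC has no entry for the principal in the "
        "kinit message; confirm it is the principal expected for this DC's "
        "machine account and that the account exists in the directory.",
    "malformed_account_name": "The join test built an account name the DC "
        "rejects; check that the realm and workgroup in smb.conf match the "
        "domain this DC was provisioned for.",
    "rpc_join_access_denied": "The RPC join test was denied; verify the "
        "stored machine account password matches the directory before "
        "demoting or re-provisioning any DC.",
}


def extract_ntstatus(text: str) -> Optional[int]:
    """Return the decimal NTSTATUS from a failed DRS bind message, if any."""
    m = re.search(r"failed: \((\d+),", text)
    return int(m.group(1)) if m else None


def ntstatus_name(code: int) -> str:
    """Render an NTSTATUS as 'NAME (0x........)'."""
    return "%s (0x%08X)" % (NTSTATUS_NAMES.get(code, "unknown NTSTATUS"), code)


def classify(output: str) -> List[str]:
    """Categories whose patterns appear in one command's output."""
    return [cat for cat, rx in RULES if rx.search(output)]


def triage(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each command to the categories its output matched."""
    return {cmd: classify(out) for cmd, out in outputs.items()}


def local_auth_broken(outputs: Dict[str, str]) -> bool:
    """True when the DC cannot authenticate to itself: the local DRS bind
    returns LOGON_FAILURE and at least one join test also reports a failure."""
    code = extract_ntstatus(outputs.get("samba-tool drs showrepl", ""))
    join_failed = any(classify(out) for cmd, out in outputs.items()
                      if cmd != "samba-tool drs showrepl")
    return code == 0xC000006D and join_failed


def collect_live() -> Dict[str, str]:
    """Run the real checks when the tools exist (stderr merged, since Samba
    prints the errors there); otherwise fall back to the constructed samples."""
    if not (shutil.which("samba-tool") and shutil.which("net")):
        return SAMPLE_OUTPUTS
    result = {}
    for cmd in SAMPLE_OUTPUTS:
        proc = subprocess.run(cmd.split(), stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, text=True, check=False)
        result[cmd] = proc.stdout
    return result


def report(outputs: Dict[str, str]) -> None:
    """Print the classification and the checklist items it triggers."""
    for cmd, cats in triage(outputs).items():
        print("%-26s %s" % (cmd + ":", ", ".join(cats) or "no known failure pattern"))
        for cat in cats:
            print("    - " + CHECKLIST[cat])
    code = extract_ntstatus(outputs.get("samba-tool drs showrepl", ""))
    if code is not None:
        print("DRS bind NTSTATUS: " + ntstatus_name(code))
    if local_auth_broken(outputs):
        print("Verdict: this DC cannot authenticate to itself; fix it before "
              "re-provisioning the peer.")


if __name__ == "__main__":
    report(collect_live())
```

Run it as root on the DC under suspicion; the point of `local_auth_broken` is to separate a partner-side replication failure (where re-provisioning the other DC can help) from a DC that rejects its own machine credentials, where re-provisioning the partner just reproduces the problem.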
