[Samba] Replication fails with (WERR_GEN_FAILURE)

Stefan Kania stefan at kania-online.de
Wed Oct 21 17:51:54 UTC 2020


Figured it out myself ;-)
The problem was:
I use virtualbox for my VMs. My VMs all have two NICs, the first is a
NAT-device with always the same IP "10.0.2.15"; this device is only used
to get packages from the internet. Then the second NIC is a
HostOnly-device I use to set up different domains in different subnets.
When I do the provision, or the join, Samba is taking all devices. So I
wrote an ansible task to add "interfaces = <ip>" and "bind interfaces
only = yes" to avoid the NAT-device. BUT ^^ there was a typo in my
Ansible-task, so the parameters were not set, so my second DC took the
IP from the NAT-device as the main IP and everything fu*** up :-(. Now
after fixing the typo it works and I can set up a domain, starting with
the provision of the first DC, and many more DCs to come.

So always watch your IPs ;-)


Am 21.10.20 um 19:02 schrieb Stefan Kania via samba:
> Hello,
> 
> I set up a domain with two DCs (dns-backend is BIND9_DLZ) on a Debian 10
> system. I used either the Debian-packages or the packages from Louis
> (4.12.8). I created an Ansible-role to set up everything, starting from
> installing the packages over doing the provision/join up to changing the
> settings for bind9. The first DC runs fine. After the reboot services
> are all present, all the SRV records for the first DC are present.
> Then I do the join with the second DC. The join worked fine, I find the
> DC in the DNS, I can see the account for the DC. On the second DC I see
> all SRV-Records for both DCs, BUT on the first DC I only see the
> SRV-Records for the first DC. When I check replication I see:
> ------------------
> root at addc-01:~# samba-tool drs showrepl --summary
> There are failing connections
> Failing inbound connection:
> DC=ForestDnsZones,DC=example,DC=net
>         Default-First-Site-Name\ADDC-02 via RPC
>                 DSA object GUID: 3394efb8-7f31-48f9-aa11-2791c2426be8
>                 Last attempt @ Wed Oct 21 18:47:05 2020 CEST failed,
> result 31 (WERR_GEN_FAILURE)
>                 11 consecutive failure(s).
>                 Last success @ NTTIME(0)
> 
> CN=Schema,CN=Configuration,DC=example,DC=net
>         Default-First-Site-Name\ADDC-02 via RPC
>                 DSA object GUID: 3394efb8-7f31-48f9-aa11-2791c2426be8
>                 Last attempt @ Wed Oct 21 18:47:06 2020 CEST failed,
> result 31 (WERR_GEN_FAILURE)
>                 11 consecutive failure(s).
>                 Last success @ NTTIME(0)
> 
> CN=Configuration,DC=example,DC=net
>         Default-First-Site-Name\ADDC-02 via RPC
>                 DSA object GUID: 3394efb8-7f31-48f9-aa11-2791c2426be8
>                 Last attempt @ Wed Oct 21 18:47:06 2020 CEST failed,
> result 31 (WERR_GEN_FAILURE)
>                 11 consecutive failure(s).
>                 Last success @ NTTIME(0)
> 
> DC=DomainDnsZones,DC=example,DC=net
>         Default-First-Site-Name\ADDC-02 via RPC
>                 DSA object GUID: 3394efb8-7f31-48f9-aa11-2791c2426be8
>                 Last attempt @ Wed Oct 21 18:47:06 2020 CEST failed,
> result 31 (WERR_GEN_FAILURE)
>                 11 consecutive failure(s).
>                 Last success @ NTTIME(0)
> 
> DC=example,DC=net
>         Default-First-Site-Name\ADDC-02 via RPC
>                 DSA object GUID: 3394efb8-7f31-48f9-aa11-2791c2426be8
>                 Last attempt @ Wed Oct 21 18:47:06 2020 CEST failed,
> result 31 (WERR_GEN_FAILURE)
>                 14 consecutive failure(s).
>                 Last success @ NTTIME(0)
> ------------------
> 
> On DC2 the same, only with "ADDC-01" as server name.
> 
> If I do a replication from dc1 to dc2 everything seems to work:
> -------------
> root at addc-01:~# samba-tool drs replicate addc-02 addc-01 dc=example,dc=net
> Replicate from addc-01 to addc-02 was successful.
> -------------
> 
> But in the other direction I get:
> -------------
> root at addc-01:~# samba-tool drs replicate addc-01 addc-02 dc=example,dc=net
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (31, 'WERR_GEN_FAILURE')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 568,
> in run
>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
> source_dsa_guid, NC, req_options)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 88,
> in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
> -------------
> 
> On the second DC I got an error message in both directions:
> -------------
> root at addc-02:~# samba-tool drs replicate addc-02 addc-01 dc=example,dc=net
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (31, 'WERR_GEN_FAILURE')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 568,
> in run
>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
> source_dsa_guid, NC, req_options)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 88,
> in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
> 
> 
> root at addc-02:~# samba-tool drs replicate addc-01 addc-02 dc=example,dc=net
> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
> ncacn_ip_tcp:10.0.2.15[49152,seal,target_hostname=addc-01,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.0.2.15]
> NT_STATUS_UNSUCCESSFUL
> ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to addc-01
> failed - drsException: DRS connection to addc-01 failed: (3221225473,
> '{Operation Failed} The requested operation was unsuccessful.')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 47,
> in drsuapi_connect
>     (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
> drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 59,
> in drsuapi_connect
>     raise drsException("DRS connection to %s failed: %s" % (server, e))
> -------------
> 
> No changes were made to smb.conf, all default.
> 
> samba_updatedns --verbose --all-names
> 
> is running on both DCs without any error.
> Time is exactly the same on both DCs.
> 
> These are the packages I installed via Ansible:
> --------------
> #Installing all needed packages for Samba-DC with bind9
>   - name: install samba- and bind9-package for ADDC
>     apt:
>       name:
>         - samba
>         - libpam-heimdal
>         - heimdal-clients
>         - ldb-tools
>         - winbind
>         - libpam-winbind
>         - smbclient
>         - libnss-winbind
>         - bind9
>         - dnsutils
> --------------
> 
> This is the provision:
> --------------
> # Provision the first DC with bind9 as DNS-backend
>   - name: Do the provision on the first DC
>     command: samba-tool domain provision --dns-backend=BIND9_DLZ
> --realm={{kerberos_realm}} --domain={{domain_name}}
> --adminpass={{admin_password}} --server-role=dc
>     when:
>       - is_dc.stdout == "0" and
>         group_first_dc in group_names
> --------------
> 
> And this is the join:
> --------------
> # Join DC to existing domain with bind9 as DNS-backend
>   - name: Do the join for all other DCs
>     command: samba-tool domain join {{dns_name}} --dns-backend=BIND9_DLZ
> DC  --realm={{kerberos_realm}}  -U administrator
> --password={{admin_password}}
>     when:
>       - is_dc.stdout == "0" and
>         group_other_dc in group_names
> --------------
> 
> I'm out of any idea :-( Need help :-)
> 
> Stefan
> 

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps reduce spam and protects your privacy. You can
get a free certificate at https://www.dgn.de/dgncert/index.html
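A preflight check for the two smb.conf parameters the fix relies on, as an added example (not code from the post, from Ansible or from Samba): it parses the `[global]` section and reports when Samba is left free to bind the shared VirtualBox NAT address. It assumes the DC's host-only address is passed in and that `interfaces` holds IP addresses rather than device names.

```python
"""Preflight check of a Samba DC smb.conf on a multi-NIC VM.
Added example, not code from the original post. It encodes the fix the
post describes: 'interfaces = <ip>' plus 'bind interfaces only = yes'
so the VirtualBox NAT address every VM shares (10.0.2.15) is never
chosen as the DC's address. Sample configs below are constructed.
"""
import configparser
import ipaddress

NAT_IP = ipaddress.ip_address("10.0.2.15")  # VirtualBox NAT address from the post


def global_section(text):
    """Parse smb.conf text and return [global] as {lowercased key: value}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",),  # smb.conf uses only '='
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    return dict(cp["global"]) if cp.has_section("global") else {}


def check_binding(text, hostonly_ip):
    """Return a list of findings; an empty list means the config is safe."""
    g = global_section(text)
    findings = []
    if g.get("bind interfaces only", "no").strip().lower() not in ("yes", "true", "1"):
        findings.append("bind interfaces only is not 'yes': Samba listens on every NIC")
    tokens = g.get("interfaces", "").replace(",", " ").split()
    if not tokens:
        findings.append("interfaces is unset: the NAT NIC may become the DC's main address")
        return findings
    addrs = set()
    for tok in tokens:
        if tok == "lo" or tok.startswith("127."):
            continue  # loopback is harmless
        try:
            addrs.add(ipaddress.ip_interface(tok).ip)  # accepts ip, ip/bits, ip/mask
        except ValueError:
            findings.append(f"interfaces entry {tok!r} is a device name; cannot verify offline")
    if NAT_IP in addrs:
        findings.append(f"interfaces lists the NAT address {NAT_IP}")
    if ipaddress.ip_address(hostonly_ip) not in addrs:
        findings.append(f"interfaces does not include the host-only address {hostonly_ip}")
    return findings


# Constructed samples: the post's situation (parameters missing) and the fix.
WEAK_CONF = "[global]\n    workgroup = EXAMPLE\n    realm = EXAMPLE.NET\n"
FIXED_CONF = WEAK_CONF + "    interfaces = lo 192.168.56.11\n    bind interfaces only = yes\n"
```

Running `check_binding(open("/etc/samba/smb.conf").read(), "<host-only ip>")` as a task before the provision or join would have caught the missing parameters the post describes.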