[Samba] How to determine KCC/idmap error source

Hakim Liso liso at frauenarzt.gmbh
Tue May 3 12:09:18 UTC 2022


Hello everyone,
I am currently trying to get 2 Samba DCs to run.
Both DCs were set up according to the Wiki, including DRS and the Rsync Sysvol replication workaround.
When trying to perform a remote online backup via a shell script, I came across failures on the 2nd DC while pulling a backup of dc01. I re-joined the 2nd DC, same scenario. I then completely wiped Samba, reinstalled it and rejoined, and now replication no longer works.

A user created on DC1 → DC2 sees the user

The reverse does not work (a user created on DC2 is not seen by DC1).

Am I just missing something?
smb.conf dc01
# Global parameters
[global]
        min protocol = NT1
        dns forwarder = 8.8.8.8
        netbios name = DC01
        realm = MY.DOMAIN
        server role = active directory domain controller
        workgroup = MY
        idmap_ldb:use rfc2307 = yes

        map to guest = Bad User
        log file = /var/log/samba/%m
        log level = 3

template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307

        winbind enum users = yes
        winbind enum groups = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/MY.DOMAIN/scripts
        read only = No
#--------------------Location----------------------------
[U2-Sono]
        path = /var/lib/samba/shares/Location/U2/Sono
        read only = no
[U1-Sono]
        path = /var/lib/samba/shares/Location/U1/Sono
        read only = no
[U1-Kolposkop]
        path = /var/lib/samba/shares/Location/U1/Kolposkop
        read only = no
[U1-Fetview]
        path = /var/lib/samba/shares/Location/U1/Fetview
        read only = no
[CTG]
        path = /var/lib/samba/shares/Location/CTG
        read only = no
[Scan]
        path = /var/lib/samba/shares/Location/Scan
        read only = no

smb.conf dc02
# Global parameters
[global]
        dns forwarder = 8.8.8.8
        netbios name = DC02
        realm = MY.DOMAIN
        server role = active directory domain controller
        workgroup = MY
        idmap_ldb:use rfc2307 = yes

        map to guest = Bad User
        log file = /var/log/samba/%m
        log level = 3

template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307

        winbind enum users = yes
        winbind enum groups = yes
name resolve order = bcast host
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/MY.DOMAIN/scripts
        read only = No

krb5.conf (identical on both DCs)
[libdefaults]
        default_realm = MY.DOMAIN
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
MY.DOMAIN = {
        default_domain = MY.DOMAIN
}

[domain_realm]
        DC02 = MY.DOMAIN
        DC01 = MY.DOMAIN

drs replicate from dc01
root at dc01:~# sudo samba-tool drs replicate dc02 dc01 DC=MY,DC=DOMAIN
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc02[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name dc02<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc02<0x20>
Server ldap/dc02 at MY.DOMAIN is not registered with our KDC:  Miscellaneous failure (see text): Server (ldap/dc02 at MY.DOMAIN) unknown
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/dc02 failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
resolve_lmhosts: Attempting lmhosts lookup for name dc02<0x20>
Server ldap/dc02 at MY.DOMAIN is not registered with our KDC:  Miscellaneous failure (see text): Server (ldap/dc02 at MY.DOMAIN) unknown
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/dc02 failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Replicate from dc01 to dc02 was successful.

drs replicate to dc01
 sudo samba-tool drs replicate dc01 dc02 DC=MY,DC=DOMAIN
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc01[,seal]
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (31, 'WERR_GEN_FAILURE')
  File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 577, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 92, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

drs kcc
administrator at DC02:~$ sudo samba-tool drs kcc
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:DC02.MY.DOMAIN[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name DC02.MY.DOMAIN<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name DC02.MY.DOMAIN<0x20>
Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.0.1.9
Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.0.1.9
Server ldap/DC02.MY.DOMAIN at MY.DOMAIN is not registered with our KDC:  Miscellaneous failure (see text): Server (ldap/DC02.MY.DOMAIN at MY.DOMAIN) unknown
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/DC02.MY.DOMAIN failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Consistency check on DC02.MY.DOMAIN successful.




smbd log during sysvolcheck
2022/05/03 13:49:46.897388,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.897429,  3] ../../source3/lib/messages.c:925(send_all_fn)
  send_all_fn: messaging_send_buf to 17469 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.897475,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.897503,  3] ../../source3/lib/messages.c:925(send_all_fn)
  send_all_fn: messaging_send_buf to 1197 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.897569,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.897597,  3] ../../source3/lib/messages.c:925(send_all_fn)
  send_all_fn: messaging_send_buf to 17484 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.897699,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.897755,  3] ../../source3/lib/messages.c:925(send_all_fn)
  send_all_fn: messaging_send_buf to 17486 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.897863,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.897906,  3] ../../source3/lib/messages.c:925(send_all_fn)
  send_all_fn: messaging_send_buf to 1134 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.898097,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.898151,  3] ../../source3/lib/messages.c:925(send_all_fn)
  send_all_fn: messaging_send_buf to 1198 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.898384,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.898439,  3] ../../source3/lib/messages.c:925(send_all_fn)
  send_all_fn: messaging_send_buf to 1159 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.898471,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.898509,  3] ../../source3/lib/messages.c:925(send_all_fn)
  send_all_fn: messaging_send_buf to 1263 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.898667,  3] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.898727,  3] ../../source3/lib/messages.c:925(send_all_fn)
  send_all_fn: messaging_send_buf to 17437 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
Which commands could help narrow down the source of the failure?

I have read various messages in forums and in the mailing list archive and tried their suggestions without success.

Some guesses: the idmap ldb/tdb, some other ldb/tdb file, or stuck objects/attributes.

Maybe someone has an idea on this.

Greetings


