[Samba] Replication between Samba DCs (on different sites)?

Rowland Penny rpenny at samba.org
Wed Feb 8 10:49:20 UTC 2023 


On 08/02/2023 10:16, Lorenzo Milesi via samba wrote:
>> Lorenzo seems to be able to do some basic debugging too.. maybe we
>> can use this opportunity and try to understand what is going on,
>> instead of using the force?
> 
> Inspired by those kind words (:D), I tried investigating further... Indeed, I'd rather find a solution than wiping dc2. At the moment users are authenticating correctly, I have some time. I asked to avoid any administration task on the domain in the meantime.

If you can do a bit of investigation, this will help to make Samba 
better in the long term, I was just focussing on fixing your immediate 
problem.

> 
> 
> root at dc2:~# ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b DC=DomainDnsZones,DC=wdc,DC=domain,DC=it '(cn=Infrastructure)'
> # record 1
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=wdc,DC=domain,DC=it
> objectClass: top
> objectClass: infrastructureUpdate
> cn: Infrastructure
> instanceType: 4
> whenCreated: 20200723054831.0Z
> uSNCreated: 5712
> showInAdvancedViewOnly: TRUE
> name: Infrastructure
> objectGUID: 21b49376-474e-481b-b18d-0062e980b1f3
> systemFlags: -1946157056
> objectCategory: CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=wdc,DC=domain,DC=it
> isCriticalSystemObject: TRUE
> whenChanged: 20230207165009.0Z
> uSNChanged: 6269
> fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=ARUBA-DataCenter1,CN=Sites,CN=Configuration,DC=wdc,DC=domain,DC=it
> distinguishedName: CN=Infrastructure,DC=DomainDnsZones,DC=wdc,DC=domain,DC=it
> 
> # returned 1 records
> # 1 entries
> # 0 referrals
> 
> Same output is returned on DC1:
> root at dc1:~# ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b DC=DomainDnsZones,DC=wdc,DC=domain,DC=it '(cn=Infrastructure)'
> # record 1
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=wdc,DC=domain,DC=it
> objectClass: top
> objectClass: infrastructureUpdate
> cn: Infrastructure
> instanceType: 4
> whenCreated: 20200723054831.0Z
> whenChanged: 20230207165009.0Z
> uSNCreated: 5834
> uSNChanged: 5834
> showInAdvancedViewOnly: TRUE
> name: Infrastructure
> objectGUID: 21b49376-474e-481b-b18d-0062e980b1f3
> fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=ARUBA-DataCenter1,CN=Sites,CN=Configuration,DC=wdc,DC=domain,DC=it
> systemFlags: -1946157056
> objectCategory: CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=wdc,DC=domain,DC=it
> isCriticalSystemObject: TRUE
> distinguishedName: CN=Infrastructure,DC=DomainDnsZones,DC=wdc,DC=domain,DC=it
> 
> # returned 1 records
> # 1 entries
> # 0 referrals
> 
> I found this[1] thread from last month, unfortunately without a solution, where Rowland talks about possible issues with DC's site. So I moved dc2 to "Default-First-Site-Name" and attempted roles transfer, and IT WORKED:

I think you have just proved that there is a bug in the 'sites' code, 
though were it is, I couldn't see.

> 
> root at dc1:~# samba-tool fsmo transfer --role=all -U administrator
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> This DC already has the 'naming' FSMO role
> This DC already has the 'infrastructure' FSMO role
> This DC already has the 'schema' FSMO role
> Password for [WDC\administrator]:
> FSMO transfer of 'domaindns' role successful
> FSMO transfer of 'forestdns' role successful
> 
> root at dc1:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wdc,DC=domain,DC=it
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wdc,DC=domain,DC=it
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wdc,DC=domain,DC=it
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wdc,DC=domain,DC=it
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wdc,DC=domain,DC=it
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wdc,DC=domain,DC=it
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wdc,DC=domain,DC=it
> 
> 
> Now all DCs reports the roles managed by dc1.
> 
> Replication is still not working on dc2:
> root at dc2~# samba-tool drs replicate dc2 dc1 DC=ForestDnsZones,DC=wdc,DC=domain,DC=it
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_FILE_NOT_FOUND')
>    File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 570, in run
>      drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
>    File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 100, in sendDsReplicaSync
>      raise drsException("DsReplicaSync failed %s" % estr)

Problem is, your replication is failing because it cannot find a file 
(but what file ?) and your searches above only searched 
'DC=DomainDnsZones,DC=wdc,DC=domain,DC=it'.
Can you try with the base 'DC=ForestDnsZones,DC=wdc,DC=domain,DC=it'


> 
> 
> So I should now have a sane domain, correct me if I'm wrong.

No, not in my opinion, not when 'samba-tool drs replicate' doesn't seem 
to be working.

Rowland

More information about the samba mailing list