[Samba] Unable to "rejoin" existing DC after upgrade (infamous WERR_FILE_NOT_FOUND)

Rowland Penny rpenny at samba.org
Wed Mar 8 17:39:22 UTC 2023 


On 08/03/2023 17:09, Fabrizio Rompani via samba wrote:

> 
> yes , after join completed .
> error is trigged  with the command :
> 
> root at landc:~# samba-tool drs showrepl --summary
> There are failing connections
> Failing outbound connections:
> CN=Configuration,DC=domain,DC=lan
>          Default-First-Site-Name\NEXTCLOUD via RPC
>                  DSA object GUID: 3fa4ff9a-7fdc-4912-ad73-08b98f6bf347
>                  Last attempt @ Wed Mar  8 17:30:23 2023 CET failed, result 2 (WERR_FILE_NOT_FOUND)
>                  4 consecutive failure(s).
>                  Last success @ NTTIME(0)
>                                                   
> DC=ForestDnsZones,DC=domain,DC=lan
>          Default-First-Site-Name\NEXTCLOUD via RPC
>                  DSA object GUID: 3fa4ff9a-7fdc-4912-ad73-08b98f6bf347
>                  Last attempt @ Wed Mar  8 17:30:23 2023 CET failed, result 2 (WERR_FILE_NOT_FOUND)
>                  4 consecutive failure(s).
>                  Last success @ NTTIME(0)
> 
> 
> 

> Is each DC using its own ipaddress as its first nameserver in
> /etc/resolv.conf ?
> 
> yes but one of them has 127.0.0.1  can make any difference ?

There have been problems in the past when '127.0.0.1' has been used, I 
don't think it will help much, but I would change it to the DC's 
ipaddress, you never know your luck.

> 
> 
> Have you checked replication with:
>    samba-tool drs relication
> yes, OK
> 
> Have you checked each DC's database with:
>     samba-tool dbcheck
> yes, OK
> 
> 
> have you tried to replicate from the DC that holds the PDC_Emulator FSMO
> role to the other two
> yes
> 
> Have you checked replication with:
>    samba-tool ldapcmp
> 
> there' s error:
> 
> samba-tool  ldapcmp ldap://landc ldap://nextcloud domain -U administrator
> 
> * Comparing [DOMAIN] context...
> 
> * Objects to be compared: 309
> 
> Comparing:
> 'CN=NEXTCLOUD,OU=DOMAIN CONTROLLERS,DC=DOMAIN,DC=LAN' [ldap://landc]
> 'CN=NEXTCLOUD,OU=DOMAIN CONTROLLERS,DC=DOMAIN,DC=LAN' [ldap://nextcloud]
>      Difference in attribute values:
>          servicePrincipalName =>
> [b'E3514235-4B06-11D1-AB04-00C04FC2DCD2/3fa4ff9a-7fdc-4912-ad73-08b98f6bf347/domain.lan', b'GC/nextcloud.domain.lan/domain.lan', b'HOST/NEXTCLOUD', b'HOST/nextcloud.domain.lan']
> [b'E3514235-4B06-11D1-AB04-00C04FC2DCD2/3fa4ff9a-7fdc-4912-ad73-08b98f6bf347/domain.lan', b'GC/nextcloud.domain.lan/domain.lan', b'HOST/NEXTCLOUD', b'HOST/nextcloud.domain.lan', b'HOST/nextcloud.domain.lan/WORKGROUP', b'HOST/nextcloud.domain.lan/domain.lan', b'RestrictedKrbHost/NEXTCLOUD', b'RestrictedKrbHost/nextcloud.domain.lan', b'ldap/3fa4ff9a-7fdc-4912-ad73-08b98f6bf347._msdcs.domain.lan', b'ldap/NEXTCLOUD', b'ldap/nextcloud.domain.lan', b'ldap/nextcloud.domain.lan/DomainDnsZones.domain.lan', b'ldap/nextcloud.domain.lan/WORKGROUP', b'ldap/nextcloud.domain.lan/ForestDnsZones.domain.lan', b'ldap/nextcloud.domain.lan/domain.lan']
> 
>      FAILED
> 
> * Result for [DOMAIN]: FAILURE
> 
> SUMMARY
> ---------
> 
> Attributes with different values:
> 
>      servicePrincipalName
> ERROR: Compare failed: -1

You have a serious problem there, there are 4 SPN's on landc and 15 on 
the other, there seems to something going wrong and, at the moment, it 
is escaping me.
You could try a forced sync from nextcloud with 'samba-tool drs 
replicate' using the '--sync-forced' switch

Rowland

More information about the samba mailing list