[Samba] No RID Set found for this server. Can't self-allocate
Felipe Martínez Hermo
felipe at galicia.ugt.org
Fri May 24 10:36:11 UTC 2024
It seems like the problem somehow has been solved. By solved, I mean
that both servers that did not have a RID set, finally have contacted
the RID master and do not report the error anymore when dbcheck is run.
The bad part is that I don't know how.
These last days I have been trying several things on all the servers to
which I have access (all except SAMBADC, which has all FSMO roles).
Server STG-DC has a reasonably reliable copy of the database, and
although manual sync fails, samba-tool drs showrepl reports success.
COR-DC2 and VIG-DC3 were the servers that did not have a RID set.
What I have been doing on these servers:
samba_dnsupdate --verbose --all-names
samba-tool dbcheck --cross-ncs --fix
samba-tool domain tombstones expunge --tombstone-lifetime=0
Also, I ran
samba-tool drs replicate from and to the problem servers to the main
servers (SAMBADC and STG-DC).
What shocks me most is that now everyone reports success on samba-tool
drs showrepl, although the problematic servers fail when running samba-tool
drs replicate.
Thanks to everyone who has checked on this thread
On 23/05/2024 at 10:29, Felipe Martínez Hermo via samba wrote:
>
>
> The Samba ports are not filtered. The firewall is between STG-DC and
> SAMBADC (both of them sync correctly). The sync problems happen in
> VIG-DC3, which is behind the same firewall of STG-DC.
>
> Here's nmap output (SAMBADC is 172.16.50.9):
>
> root@vig-dc3:~# nmap -Pn 172.16.50.9
> Starting Nmap 7.93 ( https://nmap.org ) at 2024-05-23 08:22 UTC
> Nmap scan report for SAMBADC.ugt.ldap (172.16.50.9)
> Host is up (0.035s latency).
> Not shown: 986 closed tcp ports (reset)
> PORT STATE SERVICE
> 22/tcp open ssh
> 53/tcp open domain
> 88/tcp open kerberos-sec
> 135/tcp open msrpc
> 139/tcp open netbios-ssn
> 389/tcp open ldap
> 445/tcp open microsoft-ds
> 464/tcp open kpasswd5
> 636/tcp open ldapssl
> 3268/tcp open globalcatLDAP
> 3269/tcp open globalcatLDAPssl
> 49152/tcp open unknown
> 49153/tcp open unknown
> 49154/tcp open unknown
>
> Nmap done: 1 IP address (1 host up) scanned in 3.28 seconds
>
>
> Regards,
>
> Felipe
>
> On 23/05/2024 at 9:50, Rowland Penny via samba wrote:
>> On Wed, 22 May 2024 18:11:17 +0200
>> Felipe Martínez Hermo via samba<samba at lists.samba.org> wrote:
>>
>>> Hi, there
>>>
>>> I have been checking connections between my servers, trying to find
>>> the reason why my trouble server (VIG-DC3) does not reach the RID
>>> Master.
>>>
>>> I have to describe my topology a little better.
>>>
>>> These are my servers:
>>>
>>> (Root) SAMBADC -> FSMO Roles Owner, including RID Master
>>>
>>> (First level node) STG-DC -> Syncs correctly with SAMBADC (samba-tool
>>> drs replicate reports successful)
>>>
>>> (Second level nodes)
>>> OUR-DC (DOES have a RID set). Replicates with both SAMBADC and STG-DC
>>> ===================================
>>> samba-tool drs replicate our-dc sambadc dc=ugt,dc=ldap
>>> Replicate from sambadc to our-dc was successful.
>>> samba-tool drs replicate our-dc sambadc dc=ForestDnsZones,dc=ugt,dc=ldap
>>> Replicate from sambadc to our-dc was successful.
>>> samba-tool drs replicate our-dc sambadc dc=DomainDnsZones,dc=ugt,dc=ldap
>>> Replicate from sambadc to our-dc was successful.
>>> samba-tool drs replicate our-dc sambadc cn=configuration,dc=ugt,dc=ldap
>>> Replicate from sambadc to our-dc was successful.
>>> samba-tool drs replicate our-dc sambadc cn=Schema,cn=configuration,dc=ugt,dc=ldap
>>> Replicate from sambadc to our-dc was successful.
>>> ===================================
>>>
>>> VIG-DC3 (does NOT have a RID set). Replicates with STG-DC, fails to
>>> replicate with SAMBA-DC
>>> ===================================
>>> samba-tool drs replicate vig-dc3 stg-dc dc=ugt,dc=ldap
>>> Replicate from stg-dc to vig-dc3 was successful.
>>> samba-tool drs replicate vig-dc3 stg-dc dc=ForestDnsZones,dc=ugt,dc=ldap
>>> Replicate from stg-dc to vig-dc3 was successful.
>>> samba-tool drs replicate vig-dc3 stg-dc dc=DomainDnsZones,dc=ugt,dc=ldap
>>> Replicate from stg-dc to vig-dc3 was successful.
>>> samba-tool drs replicate vig-dc3 stg-dc cn=configuration,dc=ugt,dc=ldap
>>> Replicate from stg-dc to vig-dc3 was successful.
>>> samba-tool drs replicate vig-dc3 stg-dc cn=Schema,cn=configuration,dc=ugt,dc=ldap
>>> Replicate from stg-dc to vig-dc3 was successful.
>>>
>>> root@vig-dc3:~# adsync.sh sambadc vig-dc3
>>>
>>> samba-tool drs replicate vig-dc3 sambadc dc=ugt,dc=ldap
>>> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
>>> drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
>> Have you checked the firewall isn't blocking any required ports ?
>>
>> Rowland
>>
>
--
Felipe Martínez Hermo
IT Services
felipe at galicia.ugt.org
981 577 171
*Unión Xeral de Traballadoras e Traballadores*
Miguel Ferro Caaveiro, 12 - 15707, Santiago de Compostela
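
Added example (not part of the original message and not Samba's own code): a Python parser that turns a captured run of samba-tool drs replicate over every naming context into a per-link summary, so a destination/source pair that fails with a WERR code stands out from the pairs that succeed. The function names and the sample transcript are constructed for illustration; the output lines follow the format quoted in this thread, and the parser tolerates the line-wrapping a mail client applies to such output.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the output quoted in the thread and
# deliberately line-wrapped the way a mail client would wrap it.
SAMPLE = """\
samba-tool drs replicate vig-dc3 stg-dc dc=ugt,dc=ldap
Replicate from stg-dc to vig-dc3 was successful.
samba-tool drs replicate vig-dc3 stg-dc
dc=DomainDnsZones,dc=ugt,dc=ldap Replicate from stg-dc to vig-dc3 was
successful. samba-tool drs replicate vig-dc3 sambadc dc=ugt,dc=ldap
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
"""

# Argument order is <destinationDC> <sourceDC> <NC>, as in the thread.
CMD = re.compile(r"samba-tool drs replicate (\S+) (\S+) (\S+)")
OK = re.compile(r"Replicate from (\S+) to (\S+) was successful\.")
ERR = re.compile(r"DsReplicaSync failed \((\d+), '(\w+)'\)")


def summarize(transcript):
    """Map (dest, source) -> {'ok': [nc], 'failed': [(nc, code, name)], 'unknown': [nc]}."""
    text = " ".join(transcript.split())  # undo line-wrapping
    cmds = list(CMD.finditer(text))
    report = defaultdict(lambda: {"ok": [], "failed": [], "unknown": []})
    for i, m in enumerate(cmds):
        dest, source, nc = m.groups()
        # The result of a command is whatever sits before the next command.
        end = cmds[i + 1].start() if i + 1 < len(cmds) else len(text)
        result = text[m.end():end]
        entry = report[(dest, source)]
        err = ERR.search(result)
        ok = OK.search(result)
        if err:
            entry["failed"].append((nc, int(err.group(1)), err.group(2)))
        elif ok and ok.groups() == (source, dest):
            entry["ok"].append(nc)
        else:
            # No recognisable result: treat as suspect, not as success.
            entry["unknown"].append(nc)
    return dict(report)


def failing_links(transcript):
    """Return the (dest, source) pairs with any failed or unverified NC."""
    summary = summarize(transcript)
    return sorted(p for p, r in summary.items() if r["failed"] or r["unknown"])


if __name__ == "__main__":
    for pair in failing_links(SAMPLE):
        print(pair, summarize(SAMPLE)[pair]["failed"])
```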