[Samba] Replication issue after rejoining a DC
Rowland Penny
rpenny at samba.org
Wed Oct 8 14:50:42 UTC 2025
On Wed, 8 Oct 2025 15:53:43 +0200
Cedric Puchalver via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I have 2 Samba DCs running on two different sites. They are both
> running Samba compiled from source and I decided to use Samba from
> Debian Bookworm backports instead.
>
> I demoted the DC that wasn't holding FSMO roles by following the wiki:
> https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC#Demoting_an_Online_Domain_Controller
>
> I installed Samba packages from Debian repos and followed the wiki to
> join the domain again.
>
> Everything went fine but when I started the freshly-joined DC I have
> errors in the log:
>
> [2025/10/08 07:30:08.906866, 1]
> source4/auth/gensec/gensec_gssapi.c:852(gensec_gssapi_update_internal)
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure
> (see text): Decrypt integrity check failed for checksum type
> hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
> [2025/10/08 07:30:08.907110, 0]
> source4/librpc/rpc/dcerpc_util.c:697(dcerpc_pipe_auth_recv)
> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
> ncacn_ip_tcp:192.168.20.5[49153,seal,krb5,target_hostname=e6af5447-965a-451b-8d60-3bef78100504._msdcs.season-of-mist.intranet,target_principal=GC/dc3.season-of-mist.intranet/season-of-mist.intranet,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.20.5]
> NT_STATUS_UNSUCCESSFUL

When were these log messages created? Was it shortly after the new DC
was started or quite some time later?

When a new DC is joined, quite a few of the required DNS records do not
exist and will not until Samba runs a script called samba_dnsupdate;
this is what creates them.

To put it another way, if you rerun 'samba-tool drs showrepl', do you
still get the errors?

Rowland
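
Added example, not part of the original messages and not Samba code: the failed bind in the quoted log names the host and principal the DC was trying to reach, so this sketch parses that binding string and asks the system resolver whether those names exist yet. The function names are this example's own, and it assumes it is run on the DC so that the DC's resolver is the one being tested.

```python
import re
import socket

# Bind-failure entry from the quoted log above, with the e-mail line wrapping undone.
SAMPLE_LOG = (
    "Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for "
    "ncacn_ip_tcp:192.168.20.5[49153,seal,krb5,"
    "target_hostname=e6af5447-965a-451b-8d60-3bef78100504._msdcs.season-of-mist.intranet,"
    "target_principal=GC/dc3.season-of-mist.intranet/season-of-mist.intranet,"
    "abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,"
    "localaddress=192.168.20.5] NT_STATUS_UNSUCCESSFUL"
)
BINDING_RE = re.compile(r"(ncacn_[a-z_]+):([^\[\s]+)\[([^\]]*)\]")

def parse_binding(log_text):
    """Split the first binding string into transport, host, bare items and key=value options."""
    m = BINDING_RE.search(log_text)
    if m is None:
        return None
    bare, options = [], {}
    for item in m.group(3).split(","):
        key, sep, value = item.partition("=")
        if sep:
            options[key] = value
        elif item:
            bare.append(item)  # endpoint and flags such as seal, krb5
    return {"transport": m.group(1), "host": m.group(2), "bare": bare, "options": options}

def names_to_check(binding):
    """DNS names taken from the binding: target_hostname, then the host part of the principal."""
    names = []
    target = binding["options"].get("target_hostname")
    if target:
        names.append(target)
    parts = binding["options"].get("target_principal", "").split("/")
    if len(parts) >= 2 and parts[1] not in names:
        names.append(parts[1])
    return names

def resolves(name):
    """True if the system resolver returns at least one address for name."""
    try:
        return bool(socket.getaddrinfo(name, None))
    except socket.gaierror:
        return False

if __name__ == "__main__":
    for name in names_to_check(parse_binding(SAMPLE_LOG)):
        print(f"{name}: {'resolves' if resolves(name) else 'DOES NOT RESOLVE'}")
```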