[Samba] Replication issue after rejoining a DC

Cedric Puchalver cedric at season-of-mist.com
Thu Oct 9 09:16:53 UTC 2025 

Le 09/10/2025 à 09:40, Luis Peromarta via samba a écrit :
> Hi there,
>
> Just as a precaution, and in order to double check all steps, please see
> this and make sure you did not miss any step.
>
> http://samba.bigbird.es/doku.php?id=samba:aditional-dc
>
> On Oct 9, 2025 at 08:04 +0100, Cedric Puchalver via samba
> <samba at lists.samba.org>, wrote:
>> Le 08/10/2025 à 16:50, Rowland Penny via samba a écrit :
>>> On Wed, 8 Oct 2025 15:53:43 +0200
>>> Cedric Puchalver via samba<samba at lists.samba.org> wrote:
>>>
>>>> Hello,
>>>>
>>>> I have 2 Samba DCs running on two different sites. They are both
>>>> running Samba compiled from source and I decided to use Samba from
>>>> Debian Bookworm backports instead.
>>>>
>>>>
Hi Luis,

I double-checked all the steps and I didn't miss any.

When testing the AD replication, the command samba-tool visualize 
uptodateness -rS --utf8 returns an error :

Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: 
LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, 
v1db1> <>
Failed to connect to 'ldap://dc3.season-of-mist.intranet' with backend 
'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: 
DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
Could not contact ldap://dc3.season-of-mist.intranet ((49, 'LDAP error 
49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC, 
comment: AcceptSecurityContext error, data 52e, v1db1> <>'))
missing dn 
CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet 
from UTD vector list
missing dn 
CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet 
from UTD vector list
ERROR(<class 'KeyError'>): uncaught exception - 
'CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet'
   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 
356, in _run
     return self.run(*args, **kwargs)
            ^^^^^^^^^^^^^^^^^^^^^^^^^
   File "/usr/lib/python3/dist-packages/samba/netcmd/visualize.py", line 
685, in run
     s = full_matrix(distances,
         ^^^^^^^^^^^^^^^^^^^^^^
   File "/usr/lib/python3/dist-packages/samba/graph.py", line 725, in 
full_matrix
     rows2[vmap[vert]] = dict((vmap[k], v) for k, v in r.items())
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   File "/usr/lib/python3/dist-packages/samba/graph.py", line 725, in 
<genexpr>
     rows2[vmap[vert]] = dict((vmap[k], v) for k, v in r.items())

Then I decided to ping dc3 (which IP address is 192.168.10.5) 
supprisingly it was pinging 192.168.20.5 :

PING dc3.season-of-mist.intranet (192.168.20.5) 56(84) bytes of data.
64 bytes from dc2.season-of-mist.intranet (192.168.20.5): icmp_seq=1 
ttl=64 time=0.023 ms
64 bytes from dc2.season-of-mist.intranet (192.168.20.5): icmp_seq=2 
ttl=64 time=0.045 ms
64 bytes from dc2.season-of-mist.intranet (192.168.20.5): icmp_seq=3 
ttl=64 time=0.031 ms

The command host -t A dc3.season-of-mist.intranet returns :

host -t A dc3.season-of-mist.intranet
dc3.season-of-mist.intranet has address 192.168.10.5
dc3.season-of-mist.intranet has address 192.168.20.5

Obviously wrong...

The AD replication seems fine after deleting the wrong A record for DC3.

samba-tool drs showrepl shows no error. Same for samba-tool dbcheck 
--cross-ncs

I ran samba-tool visualize uptodateness -rS --utf8 and to be honest I 
don't know how to interpret the result :


DOMAIN

                                                 out-of-date-ness
                                        ╭─────── 
CN=DC3,**,CN=Default-First-Site-Name+
                                    DC  │  ╭──── CN=DC2,**,CN=Chaos-Theory+
CN=DC3,**,CN=Default-First-Site-Name+  · 13
            CN=DC2,**,CN=Chaos-Theory+ 16  ·

'**' stands for 'CN=Servers'
'+' stands for ',CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet'

CONFIGURATION

                                                 out-of-date-ness
                                        ╭─────── 
CN=DC3,**,CN=Default-First-Site-Name+
                                    DC  │  ╭──── CN=DC2,**,CN=Chaos-Theory+
CN=DC3,**,CN=Default-First-Site-Name+  · 13
            CN=DC2,**,CN=Chaos-Theory+ 16  ·

'**' stands for 'CN=Servers'
'+' stands for ',CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet'

SCHEMA

                                                 out-of-date-ness
                                        ╭─────── 
CN=DC3,**,CN=Default-First-Site-Name+
                                    DC  │  ╭──── CN=DC2,**,CN=Chaos-Theory+
CN=DC3,**,CN=Default-First-Site-Name+  · 13
            CN=DC2,**,CN=Chaos-Theory+ 16  ·

'**' stands for 'CN=Servers'
'+' stands for ',CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet'

DNSDOMAIN

                                                 out-of-date-ness
                                        ╭─────── 
CN=DC3,**,CN=Default-First-Site-Name+
                                    DC  │  ╭──── CN=DC2,**,CN=Chaos-Theory+
CN=DC3,**,CN=Default-First-Site-Name+  · 13
            CN=DC2,**,CN=Chaos-Theory+  0  ·

'**' stands for 'CN=Servers'
'+' stands for ',CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet'

DNSFOREST

                                                 out-of-date-ness
                                        ╭─────── 
CN=DC3,**,CN=Default-First-Site-Name+
                                    DC  │  ╭──── CN=DC2,**,CN=Chaos-Theory+
CN=DC3,**,CN=Default-First-Site-Name+  · 13
            CN=DC2,**,CN=Chaos-Theory+ 16  ·

'**' stands for 'CN=Servers'
'+' stands for ',CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet'

More information about the samba mailing list