Hi all,

I have 3 DCs running Samba 4.3.1 in the same domain. They seem to work quite well with coherent databases on each of them.

After rebuilding my RPM to include systemd units, I've joined a Samba 4.3.1 today, using --domain-critical-only. The join was successful, the replication was not. This DC has only 146 objects in the DB when it should have a bit less than 50000 objects.

As I was suspecting the newly built RPMs, I set up another DC using same RPMs as the ones used to prepare first 3 DCs. I joined that 5th DC to the domain, successfully, but replication does not work either.

Finally I installed 4.2.5 sernet's version, joined it to the domain and still replication does not work.

In log.samba from newly added DC there are lines:
[2015/11/16 14:25:05.966500, 0] ../source4/dsdb/repl/replicated_objects.c:818(dsdb_replicated_objects_commit)
../source4/dsdb/repl/replicated_objects.c:818 Failed to prepare commit of transaction: operations error at ../source4/dsdb/samdb/ldb_modules/descriptor.c:1147
[2015/11/16 14:25:05.968151, 0] ../source4/dsdb/repl/drepl_out_helpers.c:770(dreplsrv_op_pull_source_apply_changes_trigger)
Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE

Coming repetitively.

One important thing is I changed FSMO owner on that domain once I switched from 4.3.0 to 4.3.1.
As already discussed seizing FSMO does not modify DNS entry for SOA so I'd modified that manually plus a lot of other entries to remove traces of old DCs. There is no more LDAP entry for these old DCs.

If someone has some idea to solve that, he would be welcomed :)

Cheers,

mathias

Another error coming often:
[2015/11/16 15:11:07.592598, 0] ../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:10.156.248.219[1024,seal,krb5,target_hostname=231cc777-1ab8-4b15-be6c-dcd218df48e9._msdcs.samba.domain.tld,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.156.248.221]
NT_STATUS_INVALID_PARAMETER

Digging a bit further there is no "servicePrincipalName" for last added DC. Using samba_spnupdate on FSMO owner or on newly added DC has no effect.

I'm about to create these servicePrincipalName by hand to see if it could solve my little issue.

Cheers,

mathias

2015-11-16 14:40 GMT+01:00 mathias dufresne <infractory at gmail.com>:
> Hi all,
>
> I have 3 DCs running Samba 4.3.1 in the same domain. They seem to work
> quite well with coherent databases on each of them.
>
> After rebuilding my RPM to include systemd units, I've joined a Samba
> 4.3.1 today, using --domain-critical-only. The join was successful, the
> replication was not. This DC has only 146 objects in the DB when it should
> have a bit less than 50000 objects.
>
> As I was suspecting the newly built RPMs, I set up another DC using same
> RPMs as the ones used to prepare first 3 DCs. I joined that 5th DC to the
> domain, successfully, but replication does not work either.
>
> Finally I installed 4.2.5 sernet's version, joined it to the domain and
> still replication does not work.
>
> In log.samba from newly added DC there are lines:
> [2015/11/16 14:25:05.966500, 0]
> ../source4/dsdb/repl/replicated_objects.c:818(dsdb_replicated_objects_commit)
> ../source4/dsdb/repl/replicated_objects.c:818 Failed to prepare commit
> of transaction: operations error at
> ../source4/dsdb/samdb/ldb_modules/descriptor.c:1147
> [2015/11/16 14:25:05.968151, 0]
> ../source4/dsdb/repl/drepl_out_helpers.c:770(dreplsrv_op_pull_source_apply_changes_trigger)
> Failed to commit objects:
> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
>
> Coming repetitively.
>
> One important thing is I changed FSMO owner on that domain once I switched
> from 4.3.0 to 4.3.1.
> As already discussed seizing FSMO does not modify DNS entry for SOA so I'd
> modified that manually plus a lot of other entries to remove traces of old
> DCs. There is no more LDAP entry for these old DCs.
>
> If someone has some idea to solve that, he would be welcomed :)
>
> Cheers,
>
> mathias
>
>

On 16/11/15 14:33, mathias dufresne wrote:
> Another error coming often:
> [2015/11/16 15:11:07.592598, 0]
> ../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv)
> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
> ncacn_ip_tcp:10.156.248.219[1024,seal,krb5,target_hostname=231cc777-1ab8-4b15-be6c-dcd218df48e9._msdcs.samba.domain.tld,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.156.248.221]
> NT_STATUS_INVALID_PARAMETER
>
> Digging a bit further there is no "servicePrincipalName" for last added DC.
> Using samba_spnupdate on FSMO owner or on newly added DC has no effect.
>
> I'm about to create these servicePrincipalName by hand to see if it could
> solve my little issue.
>
> Cheers,
>
> mathias
>
>
> 2015-11-16 14:40 GMT+01:00 mathias dufresne <infractory at gmail.com>:
>
>> Hi all,
>>
>> I have 3 DCs running Samba 4.3.1 in the same domain. They seem to work
>> quite well with coherent databases on each of them.
>>
>> After rebuilding my RPM to include systemd units, I've joined a Samba
>> 4.3.1 today, using --domain-critical-only. The join was successful, the
>> replication was not. This DC has only 146 objects in the DB when it should
>> have a bit less than 50000 objects.
>>
>> As I was suspecting the newly built RPMs, I set up another DC using same
>> RPMs as the ones used to prepare first 3 DCs. I joined that 5th DC to the
>> domain, successfully, but replication does not work either.
>>
>> Finally I installed 4.2.5 sernet's version, joined it to the domain and
>> still replication does not work.
>>
>> In log.samba from newly added DC there are lines:
>> [2015/11/16 14:25:05.966500, 0]
>> ../source4/dsdb/repl/replicated_objects.c:818(dsdb_replicated_objects_commit)
>> ../source4/dsdb/repl/replicated_objects.c:818 Failed to prepare commit
>> of transaction: operations error at
>> ../source4/dsdb/samdb/ldb_modules/descriptor.c:1147
>> [2015/11/16 14:25:05.968151, 0]
>> ../source4/dsdb/repl/drepl_out_helpers.c:770(dreplsrv_op_pull_source_apply_changes_trigger)
>> Failed to commit objects:
>> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
>>
>> Coming repetitively.
>>
>> One important thing is I changed FSMO owner on that domain once I switched
>> from 4.3.0 to 4.3.1.
>> As already discussed seizing FSMO does not modify DNS entry for SOA so I'd
>> modified that manually plus a lot of other entries to remove traces of old
>> DCs. There is no more LDAP entry for these old DCs.
>>
>> If someone has some idea to solve that, he would be welcomed :)
>>
>> Cheers,
>>
>> mathias
>>
>>

Have a look here: https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
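
An added example, not part of the thread and not Samba code: a short Python parser that groups the log.samba records quoted above and pulls the peer address and the GUID-based `_msdcs` name out of each failed bind, so each name can then be checked in DNS. The function names and the record line layout (header line followed by message lines) are assumptions of this example; the log text itself is copied from the posts.

```python
import re
from collections import Counter

# Records copied from the thread; line breaks reconstructed (assumed layout).
SAMPLE_LOG = """\
[2015/11/16 14:25:05.966500, 0] ../source4/dsdb/repl/replicated_objects.c:818(dsdb_replicated_objects_commit)
  ../source4/dsdb/repl/replicated_objects.c:818 Failed to prepare commit of transaction: operations error at ../source4/dsdb/samdb/ldb_modules/descriptor.c:1147
[2015/11/16 14:25:05.968151, 0] ../source4/dsdb/repl/drepl_out_helpers.c:770(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
[2015/11/16 15:11:07.592598, 0] ../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:10.156.248.219[1024,seal,krb5,target_hostname=231cc777-1ab8-4b15-be6c-dcd218df48e9._msdcs.samba.domain.tld,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.156.248.221]
  NT_STATUS_INVALID_PARAMETER
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\] (\S+)\((\w+)\)$")
BIND = re.compile(r"Failed to bind to uuid (\S+) for ncacn_ip_tcp:([\d.]+)\[(.*?)\]\s+(NT_STATUS_\w+)")

def parse_records(text):
    """Group log.samba lines into (timestamp, function, message) records."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append([m.group(1), m.group(4), ""])
        elif records and line.strip():
            records[-1][2] = (records[-1][2] + " " + line.strip()).strip()
    return [tuple(r) for r in records]

def bind_failures(records):
    """Return one dict per failed RPC bind, with the DNS name the DC tried to reach."""
    out = []
    for ts, func, msg in records:
        m = BIND.search(msg)
        if not m:
            continue
        # Binding options are comma-separated; keep only the key=value ones.
        opts = dict(o.split("=", 1) for o in m.group(3).split(",") if "=" in o)
        out.append({"time": ts, "uuid": m.group(1), "peer_ip": m.group(2),
                    "target_hostname": opts.get("target_hostname"),
                    "local_ip": opts.get("localaddress"), "status": m.group(4)})
    return out

def names_to_check(failures):
    """GUID-based _msdcs names seen in bind failures, with occurrence counts."""
    return Counter(f["target_hostname"] for f in failures if f["target_hostname"])

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for name, n in names_to_check(bind_failures(recs)).items():
        print(f"{n} bind failure(s) -> verify DNS record for {name}")
```
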