Thanks Carlos,

The thing is, that I did not upgrade the version of Samba - that is the next step, so the ports used would not have changed. I only updated the OS.

> On 21/03/2018, at 10:04 PM, Carlos Alberto Panozzo Cunha <carlos.hollow at gmail.com> wrote:
>
> Hi,
> I have same problem after update for samba.
> I allow new ports in firewall.
>
> https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
>
> Regards
>
>
> On Wed, Mar 21, 2018, 00:15 David Minard via samba <samba at lists.samba.org> wrote:
> G'day All,
>
> I have 4 DCs on Centos 7.1. Everything was working really well for
> years, including replication.
>
> Then I decided that the OS needed updating. Did the yum update on one
> of the DCs, rebooted. That server is now running Centos 7.4. Samba
> seemed to start okay.
>
> However, samba-tool drs showrepl gives this error on all 3 of the other
> DCs, and shows success on the updated DC.
>
> DC=DomainDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
>     Default-First-Site-Name\SAMBA4-10 via RPC
>         DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
>         Last attempt @ Wed Mar 21 12:58:13 2018 AEDT failed, result 58 (WERR_BAD_NET_RESP)
>         10623 consecutive failure(s).
>         Last success @ Thu Mar 8 14:34:14 2018 AEDT
>
>
> Any thoughts on why this DC is now not replicating properly? Any
> thoughts on how to remedy this?
>
>
> --
>
> Cheers,
> David Minard.
> Ph: 0247 360 155
> Fax: 0247 360 770
>
> ITDS - ACE - SSTaRS
> Western Sydney University
> Building Y - Penrith Campus (Kingswood)
> Locked bag 1797
> Penrith NSW 2751
>
> [Sometimes waking up just isn't worth the insult of the day to come.]

Cheers,
David Minard.
Ph: 0247 360 155
Fax: 0247 360 770

School of Computing, Engineering, and Mathematics
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC
NSW 1797

On 3/21/2018 7:32 AM, David Minard via samba wrote:
> Thanks Carlos,
>
> The thing is, that I did not upgrade the version of Samba - that is the next step, so the ports used would not have changed. I only updated the OS.

You most likely will need to turn up the samba log level to get additional information but you can start with running 'yum history list all' and post results. This might help identify the changes that were made to the OS. Are you using bind or the internal DNS?

--
James

G'day All,

Will reply to all messages so far in this one to keep it all together.

On 21/03/18 22:52, lingpanda101 wrote:
> You most likely will need to turn up the samba log level to get
> additional information but you can start with running 'yum history list
> all' and post results. This might help identify the changes that were
> made to the OS. Are you using bind or the internal DNS?

I will turn up the logs and test it out.

I use Bind-9.9.4-51 (before update 9.9.4-18)

yum history shows 348 packages that got updated... Bind being one. Will sift through them.

My firewall is very loose. All ports are open for the subnets on which the samba servers need to talk. eg:

-A INPUT -s 172.20.0.0/16 -p tcp -m state --state NEW -m tcp -j ACCEPT
-A INPUT -s 172.20.0.0/16 -p udp -m state --state NEW -m udp -j ACCEPT

When I first set this up with 4.0.0-a2 (or whatever it was right at the beginning), I was not able to work out what ports exactly were needed, hence the loose rules. Now I see they are documented clearly on the Samba site, I will tighten them up, but not until the issue is resolved.

My samba is compiled from source. I am currently running 4.3.2. It's been running flawlessly so no urgency to update, until the huge security hole was announced the other week. Now I've got to get it done, but want the ailing server going right first - or should I just do the updates and then worry about the ailing server?

Smb.conf:

# Global parameters
[global]
        workgroup = SCEM_AD
        realm = samba4.scem.westernsydney.edu.au
        netbios name = SAMBA4-10
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate

        # log level = 1 auth:2
        # logs split per machine
        log file = /var/log/samba/log.%m
        # max 50KB per log file, then rotate
        max log size = 0

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/samba4.scem.westernsydney.edu.au/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

It is the out of the box config from the original provision.

Results of: samba-tool drs showrepl -d9 from a non-OS updated server.

[Snip]
    array: struct drsuapi_DsReplicaNeighbour
        naming_context_dn        : *
            naming_context_dn        : 'DC=DomainDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au'
        source_dsa_obj_dn        : *
            source_dsa_obj_dn        : 'CN=NTDS Settings,CN=SAMBA4-10,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au'
        source_dsa_address       : *
            source_dsa_address       : '7fa7fc88-8d99-4217-b329-7e82324ec084._msdcs.samba4.scem.westernsydney.edu.au'
        transport_obj_dn         : NULL
        replica_flags            : 0x00000074 (116)
               0: DRSUAPI_DRS_ASYNC_OP
               0: DRSUAPI_DRS_GETCHG_CHECK
               0: DRSUAPI_DRS_UPDATE_NOTIFICATION
               1: DRSUAPI_DRS_ADD_REF
               0: DRSUAPI_DRS_SYNC_ALL
               0: DRSUAPI_DRS_DEL_REF
               1: DRSUAPI_DRS_WRIT_REP
               1: DRSUAPI_DRS_INIT_SYNC
               1: DRSUAPI_DRS_PER_SYNC
               0: DRSUAPI_DRS_MAIL_REP
               0: DRSUAPI_DRS_ASYNC_REP
               0: DRSUAPI_DRS_IGNORE_ERROR
               0: DRSUAPI_DRS_TWOWAY_SYNC
               0: DRSUAPI_DRS_CRITICAL_ONLY
               0: DRSUAPI_DRS_GET_ANC
               0: DRSUAPI_DRS_GET_NC_SIZE
               0: DRSUAPI_DRS_LOCAL_ONLY
               0: DRSUAPI_DRS_NONGC_RO_REP
               0: DRSUAPI_DRS_SYNC_BYNAME
               0: DRSUAPI_DRS_REF_OK
               0: DRSUAPI_DRS_FULL_SYNC_NOW
               0: DRSUAPI_DRS_NO_SOURCE
               0: DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS
               0: DRSUAPI_DRS_FULL_SYNC_PACKET
               0: DRSUAPI_DRS_SYNC_REQUEUE
               0: DRSUAPI_DRS_SYNC_URGENT
               0: DRSUAPI_DRS_REF_GCSPN
               0: DRSUAPI_DRS_NO_DISCARD
               0: DRSUAPI_DRS_NEVER_SYNCED
               0: DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING
               0: DRSUAPI_DRS_INIT_SYNC_NOW
               0: DRSUAPI_DRS_PREEMPTED
               0: DRSUAPI_DRS_SYNC_FORCED
               0: DRSUAPI_DRS_DISABLE_AUTO_SYNC
               0: DRSUAPI_DRS_DISABLE_PERIODIC_SYNC
               0: DRSUAPI_DRS_USE_COMPRESSION
               0: DRSUAPI_DRS_NEVER_NOTIFY
               0: DRSUAPI_DRS_SYNC_PAS
               0: DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP
        reserved                 : 0x00000000 (0)
        naming_context_obj_guid  : 4622e665-ebbd-4a20-959b-66fd1a304bb7
        source_dsa_obj_guid      : 7fa7fc88-8d99-4217-b329-7e82324ec084
        source_dsa_invocation_id : 9cf9d50a-40b3-4a82-af55-6e821bdcbdb6
        transport_obj_guid       : 00000000-0000-0000-0000-000000000000
        tmp_highest_usn          : 0x00000000001e688c (1992844)
        highest_usn              : 0x00000000001e688c (1992844)
        last_success             : Thu Mar 8 14:34:28 2018 AEDT
        last_attempt             : Fri Mar 23 16:31:07 2018 AEDT
        result_last_attempt      : WERR_BAD_NET_RESP
        consecutive_sync_failures: 0x00005af3 (23283)
[Snip]

Seems to be saying I can't talk to the OS updated server. This happens whether I have firewalls on or off.

(drats. I meant to send this one off before I went home for the weekend!)
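
Added example, not part of any poster's message: a parser for the plain-text `samba-tool drs showrepl` output (the format quoted in the first post, not the `-d9` dump) that flags replication partners with repeated failures, so a break like this one is noticed early. The healthy entry, its partner name DC-EXAMPLE, its GUID and the threshold of 3 are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the failing entry is the one quoted in the thread; the
# healthy entry (DC-EXAMPLE, placeholder GUID) is made up for contrast.
SAMPLE = r"""
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
    Default-First-Site-Name\SAMBA4-10 via RPC
        DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
        Last attempt @ Wed Mar 21 12:58:13 2018 AEDT failed, result 58 (WERR_BAD_NET_RESP)
        10623 consecutive failure(s).
        Last success @ Thu Mar 8 14:34:14 2018 AEDT
DC=DomainDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
    Default-First-Site-Name\DC-EXAMPLE via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ Wed Mar 21 12:58:10 2018 AEDT was successful
        0 consecutive failure(s).
        Last success @ Wed Mar 21 12:58:10 2018 AEDT
"""

@dataclass
class Neighbour:
    naming_context: str
    partner: str
    result: str = "unknown"   # "OK" or the WERR_* name of the last attempt
    failures: int = 0
    last_success: str = ""

def parse_showrepl(text):
    """Parse plain `samba-tool drs showrepl` text into Neighbour records."""
    out, nc = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if re.match(r"(DC|CN)=", line):
            nc = line                      # naming context heads each entry
        elif m := re.fullmatch(r"(\S+)\\(\S+) via RPC", line):
            out.append(Neighbour(nc, m.group(2)))
        elif out and (m := re.match(
                r"Last attempt @ .*?(was successful|failed, result \d+ \((\w+)\))", line)):
            out[-1].result = m.group(2) or "OK"
        elif out and (m := re.fullmatch(r"(\d+) consecutive failure\(s\)\.", line)):
            out[-1].failures = int(m.group(1))
        elif out and line.startswith("Last success @ "):
            out[-1].last_success = line[len("Last success @ "):]
    return out

def failing(neighbours, threshold=3):
    """Neighbours whose last attempt failed at least `threshold` times in a row."""
    return [n for n in neighbours if n.result != "OK" and n.failures >= threshold]
```

Feeding it the real command output from each DC on a schedule and alerting on a non-empty `failing()` result surfaces a stalled partner after a few attempts rather than thousands.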