Heinz Hölzl
2018-Jan-16 09:37 UTC
[Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
Hi, i have the same problem on samba 4.7.3 and 4.7.4. I start with 2 DCs and the sync works fine. After the join of a third DC mostly i get the WERR_DS_DRA_ACCESS_DENIED. I tested it for 10 times. in my case i have: DC1 (with any FSMO Roles) DC2 new join as DC: DC3 After the join, the sync from DC2 to DC3 fails. samba-tool drs replicate dc2 dc1 dc=gvcc,dc=net : OK samba-tool drs replicate dc1 dc2 dc=gvcc,dc=net : OK samba-tool drs replicate dc2 dc3 dc=gvcc,dc=net : OK samba-tool drs replicate dc1 dc3 dc=gvcc,dc=net : OK samba-tool drs replicate dc3 dc1 dc=gvcc,dc=net : OK samba-tool drs replicate dc3 dc2 dc=gvcc,dc=net : NOT OK p.s. DC3 is a new server witch newer was member in the ADS. regards, heinz Am Mittwoch, den 27.12.2017, 14:44 +0100 schrieb Dr. Johannes-Ulrich Menzebach via samba:> Rowland, > > - the DN "CN=DCNH1,..." exists on all 3 DCs (pointing the Sites and > Services console to each of them). > - I also checked that "samba-tool dbcheck" completes w/o showing > errors. > - the objectGUID DNS aliases of all DCs are resolvable against all 3 > DCs' builtin DNS > - I forced a full sync from the FSMO holder (dcge1) to the 2 other > DCs > which finished w/o errors. > - after that, sync and also full sync dcdo1-->dcnh1 failed exactly > as > earlier. > > I'm wondering whether this is related to > https://bugzilla.samba.org/show_bug.cgi?id=12972 , however I'm > running > 4.7.4 and the domain had been created under 4.7.3 (based on the > Samba > Wiki). Apart from the sync issue I'm VERY happy with Samba4/AD. > > Many thanks, > > Uli > > > > On 12/27/2017 01:29 PM, Rowland Penny via samba wrote: > > On Wed, 27 Dec 2017 13:00:05 +0100 > > "Dr. Johannes-Ulrich Menzebach via samba" <samba at lists.samba.org> > > wrote: > > > > > There is additional info in the logs of the source DC (dcdo1, log > > > level 2, manually triggered another replication): > > > ===================> > > [2017/12/27 12:31:29.695121, 2] > > > ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_co > > > llect_objects) > > > ../source4/rpc_server/drsuapi/getncchanges.c:1731: > > > getncchanges on > > > DC=ad,DC=kdu,DC=com using filter (uSNChanged>=5415) > > > [2017/12/27 12:31:29.698828, 2] > > > ../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_ > > > DsGetNCChanges) > > > DsGetNCChanges with uSNChanged >= 5415 flags 0x80000064 on > > > <GUID=141bbe37-5eda-42b8-b904-0b75e26b1e2d>;<SID=S-1-5-21- > > > 454945863-777199239-1595221609>;DC=ad,DC=kdu,DC=com > > > gave 0 objects (done 0/0) 0 links (done 0/0 (as > > > S-1-5-21-454945863-777199239-1595221609-1112)) > > > [2017/12/27 12:31:29.733157, 1] > > > ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid) > > > ../source4/dsdb/common/util.c:4807: Failed to find account dn > > > (serverReference) for > > > CN=DCNH1,CN=Servers,CN=Default-First-Site- > > > Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com, > > > parent of DSA with objectGUID 0acce4bc-1193-4609-8e4d- > > > a0771bb6fb76, > > > sid S-1-5-21-454945863-777199239-1595221609-1112 > > > [2017/12/27 12:31:29.733198, 0] > > > ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsR > > > eplicaUpdateRefs) > > > ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing > > > DsReplicaUpdateRefs for sid > > > S-1-5-21-454945863-777199239-1595221609-1112 with GUID > > > 0acce4bc-1193-4609-8e4d-a0771bb6fb76 > > > > > > According to what I see in the "Sites and Services" RSAT console > > > the > > > DN for > > > CN=DCNH1,CN=Servers,CN=Default-First-Site- > > > Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com > > > seems to exist. > > > > > > Any ideas? > > > > > > Thanks, > > > > > > Uli > > > > > > > > > > > > On 12/27/2017 09:59 AM, Dr. Johannes-Ulrich Menzebach via samba > > > wrote: > > > > We have 3 ADCs based on Samba-4.7.4 (compiled from > > > > source,internal > > > > DNS)/ CentOS7: dcdo1,dcnh1 and dcge1. dcge1 holds all FSMO > > > > roles. > > > > The 3 ADCs are on different locations connected via IPSec based > > > > VPN. No traffic is filtered out. > > > > > > > > All 3 ADCs replicate fine except dcdo1 -->dcnh1. Symptom: > > > > > > > > [root at dcdo1 ~]# samba-tool drs replicate dcnh1.ad.kdu.com > > > > dcdo1.ad.kdu.com dc=ad,dc=kdu,dc=com > > > > ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync > > > > failed > > > > - drsException: DsReplicaSync failed (8453, > > > > 'WERR_DS_DRA_ACCESS_DENIED') File > > > > "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line > > > > 386, > > > > in run drs_utils.sendDsReplicaSync(server_bind, > > > > server_bind_handle, > > > > source_dsa_guid, NC, req_options) > > > > File "/usr/lib64/python2.7/site- > > > > packages/samba/drs_utils.py", > > > > line 85, in sendDsReplicaSync > > > > raise drsException("DsReplicaSync failed %s" % estr) > > > > > > > > Log on dcdo1: > > > > =============> > > > [2017/12/27 08:20:56.335895, 0] > > > > ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_D > > > > sReplicaUpdateRefs) > > > > ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing > > > > DsReplicaUpdateRefs for sid > > > > S-1-5-21-454945863-777199239-1595221609-1112 with GUID > > > > 0acce4bc-1193-4609-8e4d-a0771bb6fb76 > > > > > > > > Log on target DC dcnh1: > > > > =============> > > > [2017/12/27 08:20:55.278559, 5] > > > > ../auth/auth_log.c:860(log_successful_authz_event_human_readabl > > > > e) > > > > Successful AuthZ: [DCE/RPC,ncacn_ip_tcp] user [NT > > > > AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Wed, 27 Dec 2017 > > > > 08:20:55.278538 CET] Remote host [ipv4:192.168.172.14:36196] > > > > local > > > > host [ipv4:192.168.152.15:135] > > > > [2017/12/27 08:20:55.278641, 5] > > > > ../auth/auth_log.c:220(log_json) > > > > JSON Authorization: {"timestamp": > > > > "2017-12-27T08:20:55.278587+0100", "type": "Authorization", > > > > "Authorization": {"version": {"major": 1, "minor": 0}, > > > > "localAddress": "ipv4:192.168.152.15:135", "remoteAddress": > > > > "ipv4:192.168.172.14:36196", "serviceDescription": "DCE/RPC", > > > > "authType": "ncacn_ip_tcp", "domain": "NT AUTHORITY", > > > > "account": > > > > "ANONYMOUS LOGON", "sid": "S-1-5-7", "logonServer": "DCNH1", > > > > "transportProtection": "NONE", "accountFlags": "0x00000010"}} > > > > [2017/12/27 08:20:55.278660, > > > > 3] ../auth/auth_log.c:139(get_auth_event_server) > > > > get_auth_event_server: Failed to find 'auth_event' registered > > > > on > > > > the message bus to send JSON authentication events to: > > > > NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 08:20:55.337740, > > > > 3] > > > > ../source4/smbd/service_stream.c:65(stream_terminate_connection > > > > ) > > > > Terminating connection - 'dcesrv: > > > > NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27 > > > > 08:20:55.337873, 3] > > > > ../source4/smbd/process_single.c:114(single_terminate) > > > > single_terminate: reason[dcesrv: > > > > NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27 > > > > 08:20:55.506117, 3] > > > > ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect) > > > > ldb_wrap open of secrets.ldb > > > > [2017/12/27 08:20:55.506420, 5] > > > > ../auth/gensec/gensec_start.c:739(gensec_start_mech) > > > > Starting GENSEC mechanism spnego > > > > [2017/12/27 08:20:55.506501, 5] > > > > ../auth/gensec/gensec_start.c:739(gensec_start_mech) > > > > Starting GENSEC submechanism gssapi_krb5 > > > > [2017/12/27 08:20:55.536259, 5] > > > > ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update > > > > _internal) > > > > gensec_gssapi: credentials were delegated > > > > [2017/12/27 08:20:55.536320, 5] > > > > ../source4/auth/gensec/gensec_gssapi.c:685(gensec_gssapi_update > > > > _internal) > > > > GSSAPI Connection will be cryptographically sealed > > > > [2017/12/27 08:20:55.538591, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES > > > > .i\26\15_T\04\00\00 > > > > -> 0 > > > > [2017/12/27 08:20:55.538644, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES > > > > .i\26\15_\04\02\00\00 > > > > -> 0 > > > > [2017/12/27 08:20:55.538712, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES > > > > .i\26\15_<\02\00\00 > > > > -> 0 > > > > [2017/12/27 08:20:55.538762, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0 > > > > [2017/12/27 08:20:55.538819, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0 > > > > [2017/12/27 08:20:55.538864, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0 > > > > [2017/12/27 08:20:55.538909, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0 > > > > [2017/12/27 08:20:55.538967, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0 > > > > [2017/12/27 08:20:55.539029, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1 > > > > [2017/12/27 08:20:55.539087, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0 > > > > [2017/12/27 08:20:55.539289, 4] > > > > ../auth/auth_log.c:860(log_successful_authz_event_human_readabl > > > > e) > > > > Successful AuthZ: [DCE/RPC,krb5] user [AD]\[DCDO1$] > > > > [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec > > > > 2017 > > > > 08:20:55.539277 CET] Remote host [ipv4:192.168.172.14:57364] > > > > local > > > > host [ipv4:192.168.152.15:49152] > > > > [2017/12/27 08:20:55.539359, 4] > > > > ../auth/auth_log.c:220(log_json) > > > > JSON Authorization: {"timestamp": > > > > "2017-12-27T08:20:55.539334+0100", "type": "Authorization", > > > > "Authorization": {"version": {"major": 1, "minor": 0}, > > > > "localAddress": "ipv4:192.168.152.15:49152", "remoteAddress": > > > > "ipv4:192.168.172.14:57364", "serviceDescription": "DCE/RPC", > > > > "authType": "krb5", "domain": "AD", "account": "DCDO1$", "sid": > > > > "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer": > > > > "DCDO1", "transportProtection": "SEAL", "accountFlags": > > > > "0x00002100"}} [2017/12/27 08:20:55.539398, > > > > 3] ../auth/auth_log.c:139(get_auth_event_server) > > > > get_auth_event_server: Failed to find 'auth_event' registered > > > > on > > > > the message bus to send JSON authentication events to: > > > > NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 08:20:55.568937, > > > > 3] > > > > ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89(dcesrv_drsuap > > > > i_DsBind) > > > > ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89: doing > > > > DsBind > > > > with system_session > > > > [2017/12/27 08:20:55.641297, 3] > > > > ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect) > > > > ldb_wrap open of secrets.ldb > > > > [2017/12/27 08:20:55.644257, 5] > > > > ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest > > > > ) > > > > ldb_request BASE dn> > > > filter=(|(objectClass=*)(distinguishedName=*)) [2017/12/27 > > > > 08:20:55.706421, 6] ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > [2017/12/27 08:20:55.706573, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > [2017/12/27 08:20:55.706777, 3] > > > > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_ > > > > wrapper) > > > > Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from > > > > ipv4:192.168.172.14:48486 for ldap/dcnh1.ad.kdu.com at AD.kdu.COM > > > > [canonicalize] [2017/12/27 08:20:55.708186, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > [2017/12/27 08:20:55.708670, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > [2017/12/27 08:20:55.708795, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > [2017/12/27 08:20:55.709594, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > [2017/12/27 08:20:55.710027, 3] > > > > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_ > > > > wrapper) > > > > Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime: > > > > 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till: > > > > unset > > > > [2017/12/27 08:20:55.740222, 3] > > > > ../source4/smbd/service_stream.c:65(stream_terminate_connection > > > > ) > > > > Terminating connection - 'kdc_tcp_call_loop: > > > > tstream_read_pdu_blob_recv() - > > > > NT_STATUS_CONNECTION_DISCONNECTED' > > > > [2017/12/27 08:20:55.740440, 3] > > > > ../source4/smbd/process_single.c:114(single_terminate) > > > > single_terminate: reason[kdc_tcp_call_loop: > > > > tstream_read_pdu_blob_recv() - > > > > NT_STATUS_CONNECTION_DISCONNECTED] > > > > [2017/12/27 08:20:55.770764, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > [2017/12/27 08:20:55.771034, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > [2017/12/27 08:20:55.771283, 3] > > > > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_ > > > > wrapper) > > > > Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from > > > > ipv4:192.168.172.14:48488 for krbtgt/AD.kdu.COM at AD.kdu.COM > > > > [forwarded, forwardable] [2017/12/27 08:20:55.771576, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > [2017/12/27 08:20:55.771786, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > [2017/12/27 08:20:55.772103, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > [2017/12/27 08:20:55.772257, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > [2017/12/27 08:20:55.773194, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > [2017/12/27 08:20:55.773691, 3] > > > > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_ > > > > wrapper) > > > > Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime: > > > > 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till: > > > > unset > > > > [2017/12/27 08:20:55.804565, 3] > > > > ../source4/smbd/service_stream.c:65(stream_terminate_connection > > > > ) > > > > Terminating connection - 'kdc_tcp_call_loop: > > > > tstream_read_pdu_blob_recv() - > > > > NT_STATUS_CONNECTION_DISCONNECTED' > > > > [2017/12/27 08:20:55.804774, 3] > > > > ../source4/smbd/process_single.c:114(single_terminate) > > > > single_terminate: reason[kdc_tcp_call_loop: > > > > tstream_read_pdu_blob_recv() - > > > > NT_STATUS_CONNECTION_DISCONNECTED] > > > > [2017/12/27 08:20:55.806137, 5] > > > > ../auth/gensec/gensec_start.c:739(gensec_start_mech) > > > > Starting GENSEC mechanism spnego > > > > [2017/12/27 08:20:55.806296, 5] > > > > ../auth/gensec/gensec_start.c:739(gensec_start_mech) > > > > Starting GENSEC submechanism gssapi_krb5 > > > > [2017/12/27 08:20:55.807170, 5] > > > > ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update > > > > _internal) > > > > gensec_gssapi: credentials were delegated > > > > [2017/12/27 08:20:55.807242, 5] > > > > ../source4/auth/gensec/gensec_gssapi.c:687(gensec_gssapi_update > > > > _internal) > > > > GSSAPI Connection will be cryptographically signed > > > > [2017/12/27 08:20:55.810168, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES > > > > .i\26\15_T\04\00\00 > > > > -> 0 > > > > [2017/12/27 08:20:55.810265, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES > > > > .i\26\15_\04\02\00\00 > > > > -> 0 > > > > [2017/12/27 08:20:55.810353, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES > > > > .i\26\15_<\02\00\00 > > > > -> 0 > > > > [2017/12/27 08:20:55.810428, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0 > > > > [2017/12/27 08:20:55.810507, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0 > > > > [2017/12/27 08:20:55.810582, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0 > > > > [2017/12/27 08:20:55.810674, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0 > > > > [2017/12/27 08:20:55.810745, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0 > > > > [2017/12/27 08:20:55.810826, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1 > > > > [2017/12/27 08:20:55.810901, 6] > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > gendb_search_v: NULL > > > > objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0 > > > > [2017/12/27 08:20:55.811125, 4] > > > > ../auth/auth_log.c:860(log_successful_authz_event_human_readabl > > > > e) > > > > Successful AuthZ: [LDAP,krb5] user [AD]\[DCDO1$] > > > > [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec > > > > 2017 > > > > 08:20:55.811108 CET] Remote host [ipv4:192.168.172.14:56798] > > > > local > > > > host [ipv4:192.168.152.15:389] > > > > [2017/12/27 08:20:55.811301, 4] > > > > ../auth/auth_log.c:220(log_json) > > > > JSON Authorization: {"timestamp": > > > > "2017-12-27T08:20:55.811228+0100", "type": "Authorization", > > > > "Authorization": {"version": {"major": 1, "minor": 0}, > > > > "localAddress": "ipv4:192.168.152.15:389", "remoteAddress": > > > > "ipv4:192.168.172.14:56798", "serviceDescription": "LDAP", > > > > "authType": "krb5", "domain": "AD", "account": "DCDO1$", "sid": > > > > "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer": > > > > "DCDO1", "transportProtection": "SIGN", "accountFlags": > > > > "0x00002100"}} [2017/12/27 08:20:55.811385, > > > > 3] ../auth/auth_log.c:139(get_auth_event_server) > > > > get_auth_event_server: Failed to find 'auth_event' registered > > > > on > > > > the message bus to send JSON authentication events to: > > > > NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 08:20:55.841539, > > > > 5] > > > > ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest > > > > ) > > > > ldb_request BASE dn= filter=(objectClass=*) > > > > [2017/12/27 08:20:55.871177, 5] > > > > ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest > > > > ) > > > > ldb_request SUB dn=CN=Configuration,DC=ad,DC=kdu,DC=com > > > > filter=(&(objectCategory=server)(|(name=dcdo1.ad.kdu.com)(dNSHo > > > > stName=dcdo1.ad.kdu.com))) > > > > [2017/12/27 08:20:55.902579, 5] > > > > ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest > > > > ) > > > > ldb_request ONE > > > > dn=CN=DCDO1,CN=Servers,CN=Default-First-Site- > > > > Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com > > > > filter=(|(objectCategory=nTDSDSA)(objectCategory=nTDSDSARO)) > > > > [2017/12/27 08:20:55.932550, 5] > > > > default/librpc/gen_ndr/ndr_drsuapi_s.c:93(drsuapi__op_dispatch) > > > > function drsuapi_DsReplicaSync will reply async > > > > [2017/12/27 08:20:55.932676, 3] > > > > ../source4/dsdb/repl/drepl_service.c:206(_drepl_schedule_replic > > > > ation) > > > > _drepl_schedule_replication: forcing sync of partition > > > > (141bbe37-5eda-42b8-b904-0b75e26b1e2d, dc=ad,dc=kdu,dc=com, > > > > 1d535613-81fa-435f-ba17-631d5742c775._msdcs.ad.kdu.com) > > > > [2017/12/27 08:20:55.932697, 4] > > > > ../source4/dsdb/repl/drepl_periodic.c:187(dreplsrv_pendingops_s > > > > chedule) > > > > dreplsrv_pending_schedule(1) scheduled for: Wed Dec 27 > > > > 08:20:57 > > > > 2017 CET > > > > [2017/12/27 08:20:56.971645, 4] > > > > ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6725(replmd_ > > > > extended_replicated_objects) > > > > linked_attributes_count=0 > > > > [2017/12/27 08:20:56.971966, 4] > > > > ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6561(replmd_ > > > > replicated_uptodate_modify) > > > > DRS replication uptodate modify message: > > > > dn: DC=ad,DC=kdu,DC=com > > > > changetype: modify > > > > replace: replUpToDateVector > > > > replUpToDateVector:: > > > > AgAAAAAAAAADAAAAAAAAABblFEZH4CNPh3GL0LFEOVz6FAAAAAAAAACAP > > > > tXesZ0BhJrYYEE7/kOJnoKr3dq/vN0PAAAAAAAAAIA+1d6xnQHgHbdwEVrzS7KY > > > > P2wnvCZRbBYAAA > > > > > > > > AAAAAAgD7V3rGdAQ=> > > > - > > > > replace: repsFrom > > > > repsFrom:: > > > > AQAAAAAAAAAOAQAAAAAAAMHaUxADAAAAwdpTEAMAAAAAAAAA0AAAAD4AAAB0AAA > > > > AERE > > > > RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERER > > > > ERERERERERERER > > > > > > > > ERERERERERERERERERERERERERERERERAAAAAGsWAAAAAAAAAAAAAAAAAABrFgA > > > > AAAAAAKQMPrx0t > > > > > > > > UlIhMh6s36sM6XgHbdwEVrzS7KYP2wnvCZRAAAAAAAAAAAAAAAAAAAAADoAAABi > > > > YzNlMGNhNC1iNT > > > > > > > > c0LTQ4NDktODRjOC03YWIzN2VhYzMzYTUuX21zZGNzLmFkLmthbmRvdS5jb20A > > > > repsFrom:: > > > > AQAAAAAAAAAOAQAAuQIAANjaUxADAAAA2NpTEAMAAAAAAAAA0AAAAD4AAABkAAA > > > > AERE > > > > RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERER > > > > ERERERERERERER > > > > > > > > ERERERERERERERERERERERERERERERERAAAAAPgUAAAAAAAAAAAAAAAAAAD4FAA > > > > AAAAAABNWUx36g > > > > > > > > V9DuhdjHVdCx3UW5RRGR+AjT4dxi9CxRDlcAAAAAAAAAAAAAAAAAAAAADoAAAAx > > > > ZDUzNTYxMy04MW > > > > > > > > ZhLTQzNWYtYmExNy02MzFkNTc0MmM3NzUuX21zZGNzLmFkLmthbmRvdS5jb20A > > > > - > > > > > > > > > > > > [2017/12/27 08:20:56.974912, 2] > > > > ../source4/dsdb/repl/replicated_objects.c:1020(dsdb_replicated_ > > > > objects_commit) > > > > Replicated 0 objects (0 linked attributes) for > > > > DC=ad,DC=kdu,DC=com > > > > [2017/12/27 08:20:57.004974, 0] > > > > ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_r > > > > efs_done) > > > > UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code > > > > 0xc0002105 for > > > > 0acce4bc-1193-4609-8e4d-a0771bb6fb76._msdcs.ad.kdu.com > > > > DC=ad,DC=kdu,DC=com [2017/12/27 08:20:57.005468, 4] > > > > ../source4/dsdb/repl/drepl_out_pull.c:181(dreplsrv_pending_op_c > > > > allback) > > > > dreplsrv_op_pull_source(WERR_DS_DRA_ACCESS_DENIED) for > > > > DC=ad,DC=kdu,DC=com > > > > [2017/12/27 08:20:57.009507, 5] > > > > default/librpc/gen_ndr/ndr_drsuapi_s.c:389(drsuapi__op_reply) > > > > function drsuapi_DsReplicaSync replied async > > > > [2017/12/27 08:20:57.053246, 3] > > > > ../source4/smbd/service_stream.c:65(stream_terminate_connection > > > > ) > > > > Terminating connection - 'dcesrv: > > > > NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27 > > > > 08:20:57.053478, 3] > > > > ../source4/smbd/process_single.c:114(single_terminate) > > > > single_terminate: reason[dcesrv: > > > > NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27 > > > > 08:20:57.053528, 3] > > > > ../source4/smbd/service_stream.c:65(stream_terminate_connection > > > > ) > > > > Terminating connection - 'ldapsrv_call_loop: > > > > tstream_read_pdu_blob_recv() - > > > > NT_STATUS_CONNECTION_DISCONNECTED' > > > > [2017/12/27 08:20:57.053760, 2] > > > > ../source4/smbd/process_standard.c:473(standard_terminate) > > > > standard_terminate: reason[ldapsrv_call_loop: > > > > tstream_read_pdu_blob_recv() - > > > > NT_STATUS_CONNECTION_DISCONNECTED] > > > > [2017/12/27 08:20:57.057842, 2] > > > > ../source4/smbd/process_standard.c:157(standard_child_pipe_hand > > > > ler) > > > > Child 900 () exited with status 0 > > > > > > > > Any hints/ideas very much appreciated ... > > > > > > > > Thanks, > > > > > > > > Uli > > > > > > > > > > > > Couple of thoughts, try reading this: > > > > https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Re > > cord > > > > and this: > > > > https://wiki.samba.org/index.php/Manually_Replicating_Directory_Par > > titions > > > > Does the missing 'CN' exist on the other two DCs ? > > > > Rowland > > > >
Denis Cardon
2018-Jan-16 11:10 UTC
[Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
Hi Heinz,> i have the same problem on samba 4.7.3 and 4.7.4. > I start with 2 DCs and the sync works fine. After the join of a third > DC mostly i get the WERR_DS_DRA_ACCESS_DENIED. I tested it for 10 > times. > > in my case i have: > DC1 (with any FSMO Roles) > DC2 > > new join as DC: > DC3 > > After the join, the sync from DC2 to DC3 fails. > > samba-tool drs replicate dc2 dc1 dc=gvcc,dc=net : OK > samba-tool drs replicate dc1 dc2 dc=gvcc,dc=net : OK > samba-tool drs replicate dc2 dc3 dc=gvcc,dc=net : OK > samba-tool drs replicate dc1 dc3 dc=gvcc,dc=net : OK > samba-tool drs replicate dc3 dc1 dc=gvcc,dc=net : OK > samba-tool drs replicate dc3 dc2 dc=gvcc,dc=net : NOT OKlike Rowland pointed you earlier, it is often an issue with missing DNS entries. Be sure to check that samba_dnsupdate on both servers is happy, especially with the CNAME guid entries in the _msdcs zone. Another case I saw was that firewall had not been disable (or at least the port opening was not done right). Cheers, Denis> > > > p.s. DC3 is a new server witch newer was member in the ADS. > > > regards, > heinz > > Am Mittwoch, den 27.12.2017, 14:44 +0100 schrieb Dr. Johannes-Ulrich > Menzebach via samba: >> Rowland, >> >> - the DN "CN=DCNH1,..." exists on all 3 DCs (pointing the Sites and >> Services console to each of them). >> - I also checked that "samba-tool dbcheck" completes w/o showing >> errors. >> - the objectGUID DNS aliases of all DCs are resolvable against all 3 >> DCs' builtin DNS >> - I forced a full sync from the FSMO holder (dcge1) to the 2 other >> DCs >> which finished w/o errors. >> - after that, sync and also full sync dcdo1-->dcnh1 failed exactly >> as >> earlier. >> >> I'm wondering whether this is related to >> https://bugzilla.samba.org/show_bug.cgi?id=12972 , however I'm >> running >> 4.7.4 and the domain had been created under 4.7.3 (based on the >> Samba >> Wiki). Apart from the sync issue I'm VERY happy with Samba4/AD. >> >> Many thanks, >> >> Uli >> >> >> >> On 12/27/2017 01:29 PM, Rowland Penny via samba wrote: >>> On Wed, 27 Dec 2017 13:00:05 +0100 >>> "Dr. Johannes-Ulrich Menzebach via samba" <samba at lists.samba.org> >>> wrote: >>> >>>> There is additional info in the logs of the source DC (dcdo1, log >>>> level 2, manually triggered another replication): >>>> ===================>>>> [2017/12/27 12:31:29.695121, 2] >>>> ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_co >>>> llect_objects) >>>> ../source4/rpc_server/drsuapi/getncchanges.c:1731: >>>> getncchanges on >>>> DC=ad,DC=kdu,DC=com using filter (uSNChanged>=5415) >>>> [2017/12/27 12:31:29.698828, 2] >>>> ../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_ >>>> DsGetNCChanges) >>>> DsGetNCChanges with uSNChanged >= 5415 flags 0x80000064 on >>>> <GUID=141bbe37-5eda-42b8-b904-0b75e26b1e2d>;<SID=S-1-5-21- >>>> 454945863-777199239-1595221609>;DC=ad,DC=kdu,DC=com >>>> gave 0 objects (done 0/0) 0 links (done 0/0 (as >>>> S-1-5-21-454945863-777199239-1595221609-1112)) >>>> [2017/12/27 12:31:29.733157, 1] >>>> ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid) >>>> ../source4/dsdb/common/util.c:4807: Failed to find account dn >>>> (serverReference) for >>>> CN=DCNH1,CN=Servers,CN=Default-First-Site- >>>> Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com, >>>> parent of DSA with objectGUID 0acce4bc-1193-4609-8e4d- >>>> a0771bb6fb76, >>>> sid S-1-5-21-454945863-777199239-1595221609-1112 >>>> [2017/12/27 12:31:29.733198, 0] >>>> ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsR >>>> eplicaUpdateRefs) >>>> ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing >>>> DsReplicaUpdateRefs for sid >>>> S-1-5-21-454945863-777199239-1595221609-1112 with GUID >>>> 0acce4bc-1193-4609-8e4d-a0771bb6fb76 >>>> >>>> According to what I see in the "Sites and Services" RSAT console >>>> the >>>> DN for >>>> CN=DCNH1,CN=Servers,CN=Default-First-Site- >>>> Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com >>>> seems to exist. >>>> >>>> Any ideas? >>>> >>>> Thanks, >>>> >>>> Uli >>>> >>>> >>>> >>>> On 12/27/2017 09:59 AM, Dr. Johannes-Ulrich Menzebach via samba >>>> wrote: >>>>> We have 3 ADCs based on Samba-4.7.4 (compiled from >>>>> source,internal >>>>> DNS)/ CentOS7: dcdo1,dcnh1 and dcge1. dcge1 holds all FSMO >>>>> roles. >>>>> The 3 ADCs are on different locations connected via IPSec based >>>>> VPN. No traffic is filtered out. >>>>> >>>>> All 3 ADCs replicate fine except dcdo1 -->dcnh1. Symptom: >>>>> >>>>> [root at dcdo1 ~]# samba-tool drs replicate dcnh1.ad.kdu.com >>>>> dcdo1.ad.kdu.com dc=ad,dc=kdu,dc=com >>>>> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync >>>>> failed >>>>> - drsException: DsReplicaSync failed (8453, >>>>> 'WERR_DS_DRA_ACCESS_DENIED') File >>>>> "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line >>>>> 386, >>>>> in run drs_utils.sendDsReplicaSync(server_bind, >>>>> server_bind_handle, >>>>> source_dsa_guid, NC, req_options) >>>>> File "/usr/lib64/python2.7/site- >>>>> packages/samba/drs_utils.py", >>>>> line 85, in sendDsReplicaSync >>>>> raise drsException("DsReplicaSync failed %s" % estr) >>>>> >>>>> Log on dcdo1: >>>>> =============>>>>> [2017/12/27 08:20:56.335895, 0] >>>>> ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_D >>>>> sReplicaUpdateRefs) >>>>> ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing >>>>> DsReplicaUpdateRefs for sid >>>>> S-1-5-21-454945863-777199239-1595221609-1112 with GUID >>>>> 0acce4bc-1193-4609-8e4d-a0771bb6fb76 >>>>> >>>>> Log on target DC dcnh1: >>>>> =============>>>>> [2017/12/27 08:20:55.278559, 5] >>>>> ../auth/auth_log.c:860(log_successful_authz_event_human_readabl >>>>> e) >>>>> Successful AuthZ: [DCE/RPC,ncacn_ip_tcp] user [NT >>>>> AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Wed, 27 Dec 2017 >>>>> 08:20:55.278538 CET] Remote host [ipv4:192.168.172.14:36196] >>>>> local >>>>> host [ipv4:192.168.152.15:135] >>>>> [2017/12/27 08:20:55.278641, 5] >>>>> ../auth/auth_log.c:220(log_json) >>>>> JSON Authorization: {"timestamp": >>>>> "2017-12-27T08:20:55.278587+0100", "type": "Authorization", >>>>> "Authorization": {"version": {"major": 1, "minor": 0}, >>>>> "localAddress": "ipv4:192.168.152.15:135", "remoteAddress": >>>>> "ipv4:192.168.172.14:36196", "serviceDescription": "DCE/RPC", >>>>> "authType": "ncacn_ip_tcp", "domain": "NT AUTHORITY", >>>>> "account": >>>>> "ANONYMOUS LOGON", "sid": "S-1-5-7", "logonServer": "DCNH1", >>>>> "transportProtection": "NONE", "accountFlags": "0x00000010"}} >>>>> [2017/12/27 08:20:55.278660, >>>>> 3] ../auth/auth_log.c:139(get_auth_event_server) >>>>> get_auth_event_server: Failed to find 'auth_event' registered >>>>> on >>>>> the message bus to send JSON authentication events to: >>>>> NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 08:20:55.337740, >>>>> 3] >>>>> ../source4/smbd/service_stream.c:65(stream_terminate_connection >>>>> ) >>>>> Terminating connection - 'dcesrv: >>>>> NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27 >>>>> 08:20:55.337873, 3] >>>>> ../source4/smbd/process_single.c:114(single_terminate) >>>>> single_terminate: reason[dcesrv: >>>>> NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27 >>>>> 08:20:55.506117, 3] >>>>> ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect) >>>>> ldb_wrap open of secrets.ldb >>>>> [2017/12/27 08:20:55.506420, 5] >>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech) >>>>> Starting GENSEC mechanism spnego >>>>> [2017/12/27 08:20:55.506501, 5] >>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech) >>>>> Starting GENSEC submechanism gssapi_krb5 >>>>> [2017/12/27 08:20:55.536259, 5] >>>>> ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update >>>>> _internal) >>>>> gensec_gssapi: credentials were delegated >>>>> [2017/12/27 08:20:55.536320, 5] >>>>> ../source4/auth/gensec/gensec_gssapi.c:685(gensec_gssapi_update >>>>> _internal) >>>>> GSSAPI Connection will be cryptographically sealed >>>>> [2017/12/27 08:20:55.538591, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES >>>>> .i\26\15_T\04\00\00 >>>>> -> 0 >>>>> [2017/12/27 08:20:55.538644, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES >>>>> .i\26\15_\04\02\00\00 >>>>> -> 0 >>>>> [2017/12/27 08:20:55.538712, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES >>>>> .i\26\15_<\02\00\00 >>>>> -> 0 >>>>> [2017/12/27 08:20:55.538762, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0 >>>>> [2017/12/27 08:20:55.538819, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0 >>>>> [2017/12/27 08:20:55.538864, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0 >>>>> [2017/12/27 08:20:55.538909, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0 >>>>> [2017/12/27 08:20:55.538967, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0 >>>>> [2017/12/27 08:20:55.539029, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1 >>>>> [2017/12/27 08:20:55.539087, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0 >>>>> [2017/12/27 08:20:55.539289, 4] >>>>> ../auth/auth_log.c:860(log_successful_authz_event_human_readabl >>>>> e) >>>>> Successful AuthZ: [DCE/RPC,krb5] user [AD]\[DCDO1$] >>>>> [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec >>>>> 2017 >>>>> 08:20:55.539277 CET] Remote host [ipv4:192.168.172.14:57364] >>>>> local >>>>> host [ipv4:192.168.152.15:49152] >>>>> [2017/12/27 08:20:55.539359, 4] >>>>> ../auth/auth_log.c:220(log_json) >>>>> JSON Authorization: {"timestamp": >>>>> "2017-12-27T08:20:55.539334+0100", "type": "Authorization", >>>>> "Authorization": {"version": {"major": 1, "minor": 0}, >>>>> "localAddress": "ipv4:192.168.152.15:49152", "remoteAddress": >>>>> "ipv4:192.168.172.14:57364", "serviceDescription": "DCE/RPC", >>>>> "authType": "krb5", "domain": "AD", "account": "DCDO1$", "sid": >>>>> "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer": >>>>> "DCDO1", "transportProtection": "SEAL", "accountFlags": >>>>> "0x00002100"}} [2017/12/27 08:20:55.539398, >>>>> 3] ../auth/auth_log.c:139(get_auth_event_server) >>>>> get_auth_event_server: Failed to find 'auth_event' registered >>>>> on >>>>> the message bus to send JSON authentication events to: >>>>> NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 08:20:55.568937, >>>>> 3] >>>>> ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89(dcesrv_drsuap >>>>> i_DsBind) >>>>> ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89: doing >>>>> DsBind >>>>> with system_session >>>>> [2017/12/27 08:20:55.641297, 3] >>>>> ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect) >>>>> ldb_wrap open of secrets.ldb >>>>> [2017/12/27 08:20:55.644257, 5] >>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest >>>>> ) >>>>> ldb_request BASE dn>>>>> filter=(|(objectClass=*)(distinguishedName=*)) [2017/12/27 >>>>> 08:20:55.706421, 6] ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>> [2017/12/27 08:20:55.706573, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>> [2017/12/27 08:20:55.706777, 3] >>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_ >>>>> wrapper) >>>>> Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from >>>>> ipv4:192.168.172.14:48486 for ldap/dcnh1.ad.kdu.com at AD.kdu.COM >>>>> [canonicalize] [2017/12/27 08:20:55.708186, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>> [2017/12/27 08:20:55.708670, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>> [2017/12/27 08:20:55.708795, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>> [2017/12/27 08:20:55.709594, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>> [2017/12/27 08:20:55.710027, 3] >>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_ >>>>> wrapper) >>>>> Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime: >>>>> 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till: >>>>> unset >>>>> [2017/12/27 08:20:55.740222, 3] >>>>> ../source4/smbd/service_stream.c:65(stream_terminate_connection >>>>> ) >>>>> Terminating connection - 'kdc_tcp_call_loop: >>>>> tstream_read_pdu_blob_recv() - >>>>> NT_STATUS_CONNECTION_DISCONNECTED' >>>>> [2017/12/27 08:20:55.740440, 3] >>>>> ../source4/smbd/process_single.c:114(single_terminate) >>>>> single_terminate: reason[kdc_tcp_call_loop: >>>>> tstream_read_pdu_blob_recv() - >>>>> NT_STATUS_CONNECTION_DISCONNECTED] >>>>> [2017/12/27 08:20:55.770764, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>> [2017/12/27 08:20:55.771034, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>> [2017/12/27 08:20:55.771283, 3] >>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_ >>>>> wrapper) >>>>> Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from >>>>> ipv4:192.168.172.14:48488 for krbtgt/AD.kdu.COM at AD.kdu.COM >>>>> [forwarded, forwardable] [2017/12/27 08:20:55.771576, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>> [2017/12/27 08:20:55.771786, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>> [2017/12/27 08:20:55.772103, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>> [2017/12/27 08:20:55.772257, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>> [2017/12/27 08:20:55.773194, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>> [2017/12/27 08:20:55.773691, 3] >>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_ >>>>> wrapper) >>>>> Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime: >>>>> 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till: >>>>> unset >>>>> [2017/12/27 08:20:55.804565, 3] >>>>> ../source4/smbd/service_stream.c:65(stream_terminate_connection >>>>> ) >>>>> Terminating connection - 'kdc_tcp_call_loop: >>>>> tstream_read_pdu_blob_recv() - >>>>> NT_STATUS_CONNECTION_DISCONNECTED' >>>>> [2017/12/27 08:20:55.804774, 3] >>>>> ../source4/smbd/process_single.c:114(single_terminate) >>>>> single_terminate: reason[kdc_tcp_call_loop: >>>>> tstream_read_pdu_blob_recv() - >>>>> NT_STATUS_CONNECTION_DISCONNECTED] >>>>> [2017/12/27 08:20:55.806137, 5] >>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech) >>>>> Starting GENSEC mechanism spnego >>>>> [2017/12/27 08:20:55.806296, 5] >>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech) >>>>> Starting GENSEC submechanism gssapi_krb5 >>>>> [2017/12/27 08:20:55.807170, 5] >>>>> ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update >>>>> _internal) >>>>> gensec_gssapi: credentials were delegated >>>>> [2017/12/27 08:20:55.807242, 5] >>>>> ../source4/auth/gensec/gensec_gssapi.c:687(gensec_gssapi_update >>>>> _internal) >>>>> GSSAPI Connection will be cryptographically signed >>>>> [2017/12/27 08:20:55.810168, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES >>>>> .i\26\15_T\04\00\00 >>>>> -> 0 >>>>> [2017/12/27 08:20:55.810265, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES >>>>> .i\26\15_\04\02\00\00 >>>>> -> 0 >>>>> [2017/12/27 08:20:55.810353, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES >>>>> .i\26\15_<\02\00\00 >>>>> -> 0 >>>>> [2017/12/27 08:20:55.810428, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0 >>>>> [2017/12/27 08:20:55.810507, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0 >>>>> [2017/12/27 08:20:55.810582, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0 >>>>> [2017/12/27 08:20:55.810674, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0 >>>>> [2017/12/27 08:20:55.810745, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0 >>>>> [2017/12/27 08:20:55.810826, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1 >>>>> [2017/12/27 08:20:55.810901, 6] >>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>> gendb_search_v: NULL >>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0 >>>>> [2017/12/27 08:20:55.811125, 4] >>>>> ../auth/auth_log.c:860(log_successful_authz_event_human_readabl >>>>> e) >>>>> Successful AuthZ: [LDAP,krb5] user [AD]\[DCDO1$] >>>>> [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec >>>>> 2017 >>>>> 08:20:55.811108 CET] Remote host [ipv4:192.168.172.14:56798] >>>>> local >>>>> host [ipv4:192.168.152.15:389] >>>>> [2017/12/27 08:20:55.811301, 4] >>>>> ../auth/auth_log.c:220(log_json) >>>>> JSON Authorization: {"timestamp": >>>>> "2017-12-27T08:20:55.811228+0100", "type": "Authorization", >>>>> "Authorization": {"version": {"major": 1, "minor": 0}, >>>>> "localAddress": "ipv4:192.168.152.15:389", "remoteAddress": >>>>> "ipv4:192.168.172.14:56798", "serviceDescription": "LDAP", >>>>> "authType": "krb5", "domain": "AD", "account": "DCDO1$", "sid": >>>>> "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer": >>>>> "DCDO1", "transportProtection": "SIGN", "accountFlags": >>>>> "0x00002100"}} [2017/12/27 08:20:55.811385, >>>>> 3] ../auth/auth_log.c:139(get_auth_event_server) >>>>> get_auth_event_server: Failed to find 'auth_event' registered >>>>> on >>>>> the message bus to send JSON authentication events to: >>>>> NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 08:20:55.841539, >>>>> 5] >>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest >>>>> ) >>>>> ldb_request BASE dn= filter=(objectClass=*) >>>>> [2017/12/27 08:20:55.871177, 5] >>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest >>>>> ) >>>>> ldb_request SUB dn=CN=Configuration,DC=ad,DC=kdu,DC=com >>>>> filter=(&(objectCategory=server)(|(name=dcdo1.ad.kdu.com)(dNSHo >>>>> stName=dcdo1.ad.kdu.com))) >>>>> [2017/12/27 08:20:55.902579, 5] >>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest >>>>> ) >>>>> ldb_request ONE >>>>> dn=CN=DCDO1,CN=Servers,CN=Default-First-Site- >>>>> Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com >>>>> filter=(|(objectCategory=nTDSDSA)(objectCategory=nTDSDSARO)) >>>>> [2017/12/27 08:20:55.932550, 5] >>>>> default/librpc/gen_ndr/ndr_drsuapi_s.c:93(drsuapi__op_dispatch) >>>>> function drsuapi_DsReplicaSync will reply async >>>>> [2017/12/27 08:20:55.932676, 3] >>>>> ../source4/dsdb/repl/drepl_service.c:206(_drepl_schedule_replic >>>>> ation) >>>>> _drepl_schedule_replication: forcing sync of partition >>>>> (141bbe37-5eda-42b8-b904-0b75e26b1e2d, dc=ad,dc=kdu,dc=com, >>>>> 1d535613-81fa-435f-ba17-631d5742c775._msdcs.ad.kdu.com) >>>>> [2017/12/27 08:20:55.932697, 4] >>>>> ../source4/dsdb/repl/drepl_periodic.c:187(dreplsrv_pendingops_s >>>>> chedule) >>>>> dreplsrv_pending_schedule(1) scheduled for: Wed Dec 27 >>>>> 08:20:57 >>>>> 2017 CET >>>>> [2017/12/27 08:20:56.971645, 4] >>>>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6725(replmd_ >>>>> extended_replicated_objects) >>>>> linked_attributes_count=0 >>>>> [2017/12/27 08:20:56.971966, 4] >>>>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6561(replmd_ >>>>> replicated_uptodate_modify) >>>>> DRS replication uptodate modify message: >>>>> dn: DC=ad,DC=kdu,DC=com >>>>> changetype: modify >>>>> replace: replUpToDateVector >>>>> replUpToDateVector:: >>>>> AgAAAAAAAAADAAAAAAAAABblFEZH4CNPh3GL0LFEOVz6FAAAAAAAAACAP >>>>> tXesZ0BhJrYYEE7/kOJnoKr3dq/vN0PAAAAAAAAAIA+1d6xnQHgHbdwEVrzS7KY >>>>> P2wnvCZRbBYAAA >>>>> >>>>> AAAAAAgD7V3rGdAQ=>>>>> - >>>>> replace: repsFrom >>>>> repsFrom:: >>>>> AQAAAAAAAAAOAQAAAAAAAMHaUxADAAAAwdpTEAMAAAAAAAAA0AAAAD4AAAB0AAA >>>>> AERE >>>>> RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERER >>>>> ERERERERERERER >>>>> >>>>> ERERERERERERERERERERERERERERERERAAAAAGsWAAAAAAAAAAAAAAAAAABrFgA >>>>> AAAAAAKQMPrx0t >>>>> >>>>> UlIhMh6s36sM6XgHbdwEVrzS7KYP2wnvCZRAAAAAAAAAAAAAAAAAAAAADoAAABi >>>>> YzNlMGNhNC1iNT >>>>> >>>>> c0LTQ4NDktODRjOC03YWIzN2VhYzMzYTUuX21zZGNzLmFkLmthbmRvdS5jb20A >>>>> repsFrom:: >>>>> AQAAAAAAAAAOAQAAuQIAANjaUxADAAAA2NpTEAMAAAAAAAAA0AAAAD4AAABkAAA >>>>> AERE >>>>> RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERER >>>>> ERERERERERERER >>>>> >>>>> ERERERERERERERERERERERERERERERERAAAAAPgUAAAAAAAAAAAAAAAAAAD4FAA >>>>> AAAAAABNWUx36g >>>>> >>>>> V9DuhdjHVdCx3UW5RRGR+AjT4dxi9CxRDlcAAAAAAAAAAAAAAAAAAAAADoAAAAx >>>>> ZDUzNTYxMy04MW >>>>> >>>>> ZhLTQzNWYtYmExNy02MzFkNTc0MmM3NzUuX21zZGNzLmFkLmthbmRvdS5jb20A >>>>> - >>>>> >>>>> >>>>> [2017/12/27 08:20:56.974912, 2] >>>>> ../source4/dsdb/repl/replicated_objects.c:1020(dsdb_replicated_ >>>>> objects_commit) >>>>> Replicated 0 objects (0 linked attributes) for >>>>> DC=ad,DC=kdu,DC=com >>>>> [2017/12/27 08:20:57.004974, 0] >>>>> ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_r >>>>> efs_done) >>>>> UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code >>>>> 0xc0002105 for >>>>> 0acce4bc-1193-4609-8e4d-a0771bb6fb76._msdcs.ad.kdu.com >>>>> DC=ad,DC=kdu,DC=com [2017/12/27 08:20:57.005468, 4] >>>>> ../source4/dsdb/repl/drepl_out_pull.c:181(dreplsrv_pending_op_c >>>>> allback) >>>>> dreplsrv_op_pull_source(WERR_DS_DRA_ACCESS_DENIED) for >>>>> DC=ad,DC=kdu,DC=com >>>>> [2017/12/27 08:20:57.009507, 5] >>>>> default/librpc/gen_ndr/ndr_drsuapi_s.c:389(drsuapi__op_reply) >>>>> function drsuapi_DsReplicaSync replied async >>>>> [2017/12/27 08:20:57.053246, 3] >>>>> ../source4/smbd/service_stream.c:65(stream_terminate_connection >>>>> ) >>>>> Terminating connection - 'dcesrv: >>>>> NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27 >>>>> 08:20:57.053478, 3] >>>>> ../source4/smbd/process_single.c:114(single_terminate) >>>>> single_terminate: reason[dcesrv: >>>>> NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27 >>>>> 08:20:57.053528, 3] >>>>> ../source4/smbd/service_stream.c:65(stream_terminate_connection >>>>> ) >>>>> Terminating connection - 'ldapsrv_call_loop: >>>>> tstream_read_pdu_blob_recv() - >>>>> NT_STATUS_CONNECTION_DISCONNECTED' >>>>> [2017/12/27 08:20:57.053760, 2] >>>>> ../source4/smbd/process_standard.c:473(standard_terminate) >>>>> standard_terminate: reason[ldapsrv_call_loop: >>>>> tstream_read_pdu_blob_recv() - >>>>> NT_STATUS_CONNECTION_DISCONNECTED] >>>>> [2017/12/27 08:20:57.057842, 2] >>>>> ../source4/smbd/process_standard.c:157(standard_child_pipe_hand >>>>> ler) >>>>> Child 900 () exited with status 0 >>>>> >>>>> Any hints/ideas very much appreciated ... >>>>> >>>>> Thanks, >>>>> >>>>> Uli >>>>> >>>>> >>> >>> Couple of thoughts, try reading this: >>> >>> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Re >>> cord >>> >>> and this: >>> >>> https://wiki.samba.org/index.php/Manually_Replicating_Directory_Par >>> titions >>> >>> Does the missing 'CN' exist on the other two DCs ? >>> >>> Rowland >>> >> >>-- Denis Cardon Tranquil IT Systems Les Espaces Jules Verne, bâtiment A 12 avenue Jules Verne 44230 Saint Sébastien sur Loire tel : +33 (0) 2.40.97.57.55 http://www.tranquil-it-systems.fr
Heinz Hölzl
2018-Jan-16 14:54 UTC
[Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
Hi, there is no firewall, all DCs are in the same subnet. here ist the output of a test, you can see, the CNAME guid entries in the _msdcs can be resolved on any DC: (DC1 and DC2 are the first and second DCs, SAMBA3 was added at last. ldbsearch -H /srv/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid # record 1 dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site- Name,CN=Sites,CN=Configuration,DC=test,DC=net objectGUID: 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f # record 2 dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site- Name,CN=Sites,CN=Configuration,DC=test,DC=net objectGUID: 9ec652b4-146c-4ff1-babe-5abe291325be # record 3 dn: CN=NTDS Settings,CN=SAMBA3,CN=Servers,CN=Default-First-Site- Name,CN=Sites,CN=Configuration,DC=test,DC=net objectGUID: c01a335e-1794-4997-9c7e-553be77fba04 # returned 3 records # 3 entries # 0 referrals host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net DC1 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for dc2.test.net. host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net DC2 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for dc2.test.net. host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net SAMBA3 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for dc2.test.net. host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net DC1 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for dc1.test.net. host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net DC2 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for dc1.test.net. host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net SAMBA3 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for dc1.test.net. host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net DC1 c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for SAMBA3.test.net. host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net DC2 c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for SAMBA3.test.net. host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net SAMBA3 c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for SAMBA3.test.net. Am Dienstag, den 16.01.2018, 12:10 +0100 schrieb Denis Cardon:> Hi Heinz, > > > i have the same problem on samba 4.7.3 and 4.7.4. > > I start with 2 DCs and the sync works fine. After the join of a > > third > > DC mostly i get the WERR_DS_DRA_ACCESS_DENIED. I tested it for 10 > > times. > > > > in my case i have: > > DC1 (with any FSMO Roles) > > DC2 > > > > new join as DC: > > DC3 > > > > After the join, the sync from DC2 to DC3 fails. > > > > samba-tool drs replicate dc2 dc1 dc=gvcc,dc=net : OK > > samba-tool drs replicate dc1 dc2 dc=gvcc,dc=net : OK > > samba-tool drs replicate dc2 dc3 dc=gvcc,dc=net : OK > > samba-tool drs replicate dc1 dc3 dc=gvcc,dc=net : OK > > samba-tool drs replicate dc3 dc1 dc=gvcc,dc=net : OK > > samba-tool drs replicate dc3 dc2 dc=gvcc,dc=net : NOT OK > > like Rowland pointed you earlier, it is often an issue with missing > DNS > entries. Be sure to check that samba_dnsupdate on both servers is > happy, > especially with the CNAME guid entries in the _msdcs zone. > > Another case I saw was that firewall had not been disable (or at > least > the port opening was not done right). > > Cheers, > > Denis > > > > > > > > > p.s. DC3 is a new server witch newer was member in the ADS. > > > > > > regards, > > heinz > > > > Am Mittwoch, den 27.12.2017, 14:44 +0100 schrieb Dr. Johannes- > > Ulrich > > Menzebach via samba: > > > Rowland, > > > > > > - the DN "CN=DCNH1,..." exists on all 3 DCs (pointing the Sites > > > and > > > Services console to each of them). > > > - I also checked that "samba-tool dbcheck" completes w/o showing > > > errors. > > > - the objectGUID DNS aliases of all DCs are resolvable against > > > all 3 > > > DCs' builtin DNS > > > - I forced a full sync from the FSMO holder (dcge1) to the 2 > > > other > > > DCs > > > which finished w/o errors. > > > - after that, sync and also full sync dcdo1-->dcnh1 failed > > > exactly > > > as > > > earlier. > > > > > > I'm wondering whether this is related to > > > https://bugzilla.samba.org/show_bug.cgi?id=12972 , however I'm > > > running > > > 4.7.4 and the domain had been created under 4.7.3 (based on the > > > Samba > > > Wiki). Apart from the sync issue I'm VERY happy with Samba4/AD. > > > > > > Many thanks, > > > > > > Uli > > > > > > > > > > > > On 12/27/2017 01:29 PM, Rowland Penny via samba wrote: > > > > On Wed, 27 Dec 2017 13:00:05 +0100 > > > > "Dr. Johannes-Ulrich Menzebach via samba" <samba at lists.samba.or > > > > g> > > > > wrote: > > > > > > > > > There is additional info in the logs of the source DC (dcdo1, > > > > > log > > > > > level 2, manually triggered another replication): > > > > > ===================> > > > > [2017/12/27 12:31:29.695121, 2] > > > > > ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchange > > > > > s_co > > > > > llect_objects) > > > > > ../source4/rpc_server/drsuapi/getncchanges.c:1731: > > > > > getncchanges on > > > > > DC=ad,DC=kdu,DC=com using filter (uSNChanged>=5415) > > > > > [2017/12/27 12:31:29.698828, 2] > > > > > ../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsu > > > > > api_ > > > > > DsGetNCChanges) > > > > > DsGetNCChanges with uSNChanged >= 5415 flags 0x80000064 > > > > > on > > > > > <GUID=141bbe37-5eda-42b8-b904-0b75e26b1e2d>;<SID=S-1-5-21- > > > > > 454945863-777199239-1595221609>;DC=ad,DC=kdu,DC=com > > > > > gave 0 objects (done 0/0) 0 links (done 0/0 (as > > > > > S-1-5-21-454945863-777199239-1595221609-1112)) > > > > > [2017/12/27 12:31:29.733157, 1] > > > > > ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid) > > > > > ../source4/dsdb/common/util.c:4807: Failed to find > > > > > account dn > > > > > (serverReference) for > > > > > CN=DCNH1,CN=Servers,CN=Default-First-Site- > > > > > Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com, > > > > > parent of DSA with objectGUID 0acce4bc-1193-4609-8e4d- > > > > > a0771bb6fb76, > > > > > sid S-1-5-21-454945863-777199239-1595221609-1112 > > > > > [2017/12/27 12:31:29.733198, 0] > > > > > ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi > > > > > _DsR > > > > > eplicaUpdateRefs) > > > > > ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing > > > > > DsReplicaUpdateRefs for sid > > > > > S-1-5-21-454945863-777199239-1595221609-1112 with GUID > > > > > 0acce4bc-1193-4609-8e4d-a0771bb6fb76 > > > > > > > > > > According to what I see in the "Sites and Services" RSAT > > > > > console > > > > > the > > > > > DN for > > > > > CN=DCNH1,CN=Servers,CN=Default-First-Site- > > > > > Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com > > > > > seems to exist. > > > > > > > > > > Any ideas? > > > > > > > > > > Thanks, > > > > > > > > > > Uli > > > > > > > > > > > > > > > > > > > > On 12/27/2017 09:59 AM, Dr. Johannes-Ulrich Menzebach via > > > > > samba > > > > > wrote: > > > > > > We have 3 ADCs based on Samba-4.7.4 (compiled from > > > > > > source,internal > > > > > > DNS)/ CentOS7: dcdo1,dcnh1 and dcge1. dcge1 holds all FSMO > > > > > > roles. > > > > > > The 3 ADCs are on different locations connected via IPSec > > > > > > based > > > > > > VPN. No traffic is filtered out. > > > > > > > > > > > > All 3 ADCs replicate fine except dcdo1 -->dcnh1. Symptom: > > > > > > > > > > > > [root at dcdo1 ~]# samba-tool drs replicate dcnh1.ad.kdu.com > > > > > > dcdo1.ad.kdu.com dc=ad,dc=kdu,dc=com > > > > > > ERROR(<class 'samba.drs_utils.drsException'>): > > > > > > DsReplicaSync > > > > > > failed > > > > > > - drsException: DsReplicaSync failed (8453, > > > > > > 'WERR_DS_DRA_ACCESS_DENIED') File > > > > > > "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", > > > > > > line > > > > > > 386, > > > > > > in run drs_utils.sendDsReplicaSync(server_bind, > > > > > > server_bind_handle, > > > > > > source_dsa_guid, NC, req_options) > > > > > > File "/usr/lib64/python2.7/site- > > > > > > packages/samba/drs_utils.py", > > > > > > line 85, in sendDsReplicaSync > > > > > > raise drsException("DsReplicaSync failed %s" % estr) > > > > > > > > > > > > Log on dcdo1: > > > > > > =============> > > > > > [2017/12/27 08:20:56.335895, 0] > > > > > > ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsua > > > > > > pi_D > > > > > > sReplicaUpdateRefs) > > > > > > ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing > > > > > > DsReplicaUpdateRefs for sid > > > > > > S-1-5-21-454945863-777199239-1595221609-1112 with GUID > > > > > > 0acce4bc-1193-4609-8e4d-a0771bb6fb76 > > > > > > > > > > > > Log on target DC dcnh1: > > > > > > =============> > > > > > [2017/12/27 08:20:55.278559, 5] > > > > > > ../auth/auth_log.c:860(log_successful_authz_event_human_rea > > > > > > dabl > > > > > > e) > > > > > > Successful AuthZ: [DCE/RPC,ncacn_ip_tcp] user [NT > > > > > > AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Wed, 27 Dec 2017 > > > > > > 08:20:55.278538 CET] Remote host > > > > > > [ipv4:192.168.172.14:36196] > > > > > > local > > > > > > host [ipv4:192.168.152.15:135] > > > > > > [2017/12/27 08:20:55.278641, 5] > > > > > > ../auth/auth_log.c:220(log_json) > > > > > > JSON Authorization: {"timestamp": > > > > > > "2017-12-27T08:20:55.278587+0100", "type": "Authorization", > > > > > > "Authorization": {"version": {"major": 1, "minor": 0}, > > > > > > "localAddress": "ipv4:192.168.152.15:135", "remoteAddress": > > > > > > "ipv4:192.168.172.14:36196", "serviceDescription": > > > > > > "DCE/RPC", > > > > > > "authType": "ncacn_ip_tcp", "domain": "NT AUTHORITY", > > > > > > "account": > > > > > > "ANONYMOUS LOGON", "sid": "S-1-5-7", "logonServer": > > > > > > "DCNH1", > > > > > > "transportProtection": "NONE", "accountFlags": > > > > > > "0x00000010"}} > > > > > > [2017/12/27 08:20:55.278660, > > > > > > 3] ../auth/auth_log.c:139(get_auth_event_server) > > > > > > get_auth_event_server: Failed to find 'auth_event' > > > > > > registered > > > > > > on > > > > > > the message bus to send JSON authentication events to: > > > > > > NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 > > > > > > 08:20:55.337740, > > > > > > 3] > > > > > > ../source4/smbd/service_stream.c:65(stream_terminate_connec > > > > > > tion > > > > > > ) > > > > > > Terminating connection - 'dcesrv: > > > > > > NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27 > > > > > > 08:20:55.337873, 3] > > > > > > ../source4/smbd/process_single.c:114(single_terminate) > > > > > > single_terminate: reason[dcesrv: > > > > > > NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27 > > > > > > 08:20:55.506117, 3] > > > > > > ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect) > > > > > > ldb_wrap open of secrets.ldb > > > > > > [2017/12/27 08:20:55.506420, 5] > > > > > > ../auth/gensec/gensec_start.c:739(gensec_start_mech) > > > > > > Starting GENSEC mechanism spnego > > > > > > [2017/12/27 08:20:55.506501, 5] > > > > > > ../auth/gensec/gensec_start.c:739(gensec_start_mech) > > > > > > Starting GENSEC submechanism gssapi_krb5 > > > > > > [2017/12/27 08:20:55.536259, 5] > > > > > > ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_up > > > > > > date > > > > > > _internal) > > > > > > gensec_gssapi: credentials were delegated > > > > > > [2017/12/27 08:20:55.536320, 5] > > > > > > ../source4/auth/gensec/gensec_gssapi.c:685(gensec_gssapi_up > > > > > > date > > > > > > _internal) > > > > > > GSSAPI Connection will be cryptographically sealed > > > > > > [2017/12/27 08:20:55.538591, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87 > > > > > > \1ES > > > > > > .i\26\15_T\04\00\00 > > > > > > -> 0 > > > > > > [2017/12/27 08:20:55.538644, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87 > > > > > > \1ES > > > > > > .i\26\15_\04\02\00\00 > > > > > > -> 0 > > > > > > [2017/12/27 08:20:55.538712, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87 > > > > > > \1ES > > > > > > .i\26\15_<\02\00\00 > > > > > > -> 0 > > > > > > [2017/12/27 08:20:55.538762, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0 > > > > > > [2017/12/27 08:20:55.538819, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0 > > > > > > [2017/12/27 08:20:55.538864, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0 > > > > > > [2017/12/27 08:20:55.538909, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0 > > > > > > [2017/12/27 08:20:55.538967, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> > > > > > > 0 > > > > > > [2017/12/27 08:20:55.539029, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 > > > > > > -> 1 > > > > > > [2017/12/27 08:20:55.539087, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 > > > > > > -> 0 > > > > > > [2017/12/27 08:20:55.539289, 4] > > > > > > ../auth/auth_log.c:860(log_successful_authz_event_human_rea > > > > > > dabl > > > > > > e) > > > > > > Successful AuthZ: [DCE/RPC,krb5] user [AD]\[DCDO1$] > > > > > > [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 > > > > > > Dec > > > > > > 2017 > > > > > > 08:20:55.539277 CET] Remote host > > > > > > [ipv4:192.168.172.14:57364] > > > > > > local > > > > > > host [ipv4:192.168.152.15:49152] > > > > > > [2017/12/27 08:20:55.539359, 4] > > > > > > ../auth/auth_log.c:220(log_json) > > > > > > JSON Authorization: {"timestamp": > > > > > > "2017-12-27T08:20:55.539334+0100", "type": "Authorization", > > > > > > "Authorization": {"version": {"major": 1, "minor": 0}, > > > > > > "localAddress": "ipv4:192.168.152.15:49152", > > > > > > "remoteAddress": > > > > > > "ipv4:192.168.172.14:57364", "serviceDescription": > > > > > > "DCE/RPC", > > > > > > "authType": "krb5", "domain": "AD", "account": "DCDO1$", > > > > > > "sid": > > > > > > "S-1-5-21-454945863-777199239-1595221609-1108", > > > > > > "logonServer": > > > > > > "DCDO1", "transportProtection": "SEAL", "accountFlags": > > > > > > "0x00002100"}} [2017/12/27 08:20:55.539398, > > > > > > 3] ../auth/auth_log.c:139(get_auth_event_server) > > > > > > get_auth_event_server: Failed to find 'auth_event' > > > > > > registered > > > > > > on > > > > > > the message bus to send JSON authentication events to: > > > > > > NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 > > > > > > 08:20:55.568937, > > > > > > 3] > > > > > > ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89(dcesrv_dr > > > > > > suap > > > > > > i_DsBind) > > > > > > ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89: doing > > > > > > DsBind > > > > > > with system_session > > > > > > [2017/12/27 08:20:55.641297, 3] > > > > > > ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect) > > > > > > ldb_wrap open of secrets.ldb > > > > > > [2017/12/27 08:20:55.644257, 5] > > > > > > ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchReq > > > > > > uest > > > > > > ) > > > > > > ldb_request BASE dn> > > > > > filter=(|(objectClass=*)(distinguishedName=*)) [2017/12/27 > > > > > > 08:20:55.706421, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > > > [2017/12/27 08:20:55.706573, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > > > [2017/12/27 08:20:55.706777, 3] > > > > > > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_de > > > > > > bug_ > > > > > > wrapper) > > > > > > Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from > > > > > > ipv4:192.168.172.14:48486 for ldap/dcnh1.ad.kdu.com at AD.kdu. > > > > > > COM > > > > > > [canonicalize] [2017/12/27 08:20:55.708186, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > > > [2017/12/27 08:20:55.708670, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > > > [2017/12/27 08:20:55.708795, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > > > [2017/12/27 08:20:55.709594, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > > > [2017/12/27 08:20:55.710027, 3] > > > > > > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_de > > > > > > bug_ > > > > > > wrapper) > > > > > > Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 > > > > > > starttime: > > > > > > 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew > > > > > > till: > > > > > > unset > > > > > > [2017/12/27 08:20:55.740222, 3] > > > > > > ../source4/smbd/service_stream.c:65(stream_terminate_connec > > > > > > tion > > > > > > ) > > > > > > Terminating connection - 'kdc_tcp_call_loop: > > > > > > tstream_read_pdu_blob_recv() - > > > > > > NT_STATUS_CONNECTION_DISCONNECTED' > > > > > > [2017/12/27 08:20:55.740440, 3] > > > > > > ../source4/smbd/process_single.c:114(single_terminate) > > > > > > single_terminate: reason[kdc_tcp_call_loop: > > > > > > tstream_read_pdu_blob_recv() - > > > > > > NT_STATUS_CONNECTION_DISCONNECTED] > > > > > > [2017/12/27 08:20:55.770764, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > > > [2017/12/27 08:20:55.771034, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > > > [2017/12/27 08:20:55.771283, 3] > > > > > > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_de > > > > > > bug_ > > > > > > wrapper) > > > > > > Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from > > > > > > ipv4:192.168.172.14:48488 for krbtgt/AD.kdu.COM at AD.kdu.COM > > > > > > [forwarded, forwardable] [2017/12/27 08:20:55.771576, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > > > [2017/12/27 08:20:55.771786, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > > > [2017/12/27 08:20:55.772103, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > > > [2017/12/27 08:20:55.772257, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > > > [2017/12/27 08:20:55.773194, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 > > > > > > [2017/12/27 08:20:55.773691, 3] > > > > > > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_de > > > > > > bug_ > > > > > > wrapper) > > > > > > Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 > > > > > > starttime: > > > > > > 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew > > > > > > till: > > > > > > unset > > > > > > [2017/12/27 08:20:55.804565, 3] > > > > > > ../source4/smbd/service_stream.c:65(stream_terminate_connec > > > > > > tion > > > > > > ) > > > > > > Terminating connection - 'kdc_tcp_call_loop: > > > > > > tstream_read_pdu_blob_recv() - > > > > > > NT_STATUS_CONNECTION_DISCONNECTED' > > > > > > [2017/12/27 08:20:55.804774, 3] > > > > > > ../source4/smbd/process_single.c:114(single_terminate) > > > > > > single_terminate: reason[kdc_tcp_call_loop: > > > > > > tstream_read_pdu_blob_recv() - > > > > > > NT_STATUS_CONNECTION_DISCONNECTED] > > > > > > [2017/12/27 08:20:55.806137, 5] > > > > > > ../auth/gensec/gensec_start.c:739(gensec_start_mech) > > > > > > Starting GENSEC mechanism spnego > > > > > > [2017/12/27 08:20:55.806296, 5] > > > > > > ../auth/gensec/gensec_start.c:739(gensec_start_mech) > > > > > > Starting GENSEC submechanism gssapi_krb5 > > > > > > [2017/12/27 08:20:55.807170, 5] > > > > > > ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_up > > > > > > date > > > > > > _internal) > > > > > > gensec_gssapi: credentials were delegated > > > > > > [2017/12/27 08:20:55.807242, 5] > > > > > > ../source4/auth/gensec/gensec_gssapi.c:687(gensec_gssapi_up > > > > > > date > > > > > > _internal) > > > > > > GSSAPI Connection will be cryptographically signed > > > > > > [2017/12/27 08:20:55.810168, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87 > > > > > > \1ES > > > > > > .i\26\15_T\04\00\00 > > > > > > -> 0 > > > > > > [2017/12/27 08:20:55.810265, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87 > > > > > > \1ES > > > > > > .i\26\15_\04\02\00\00 > > > > > > -> 0 > > > > > > [2017/12/27 08:20:55.810353, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87 > > > > > > \1ES > > > > > > .i\26\15_<\02\00\00 > > > > > > -> 0 > > > > > > [2017/12/27 08:20:55.810428, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0 > > > > > > [2017/12/27 08:20:55.810507, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0 > > > > > > [2017/12/27 08:20:55.810582, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0 > > > > > > [2017/12/27 08:20:55.810674, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0 > > > > > > [2017/12/27 08:20:55.810745, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> > > > > > > 0 > > > > > > [2017/12/27 08:20:55.810826, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 > > > > > > -> 1 > > > > > > [2017/12/27 08:20:55.810901, 6] > > > > > > ../lib/util/util_ldb.c:60(gendb_search_v) > > > > > > gendb_search_v: NULL > > > > > > objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 > > > > > > -> 0 > > > > > > [2017/12/27 08:20:55.811125, 4] > > > > > > ../auth/auth_log.c:860(log_successful_authz_event_human_rea > > > > > > dabl > > > > > > e) > > > > > > Successful AuthZ: [LDAP,krb5] user [AD]\[DCDO1$] > > > > > > [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 > > > > > > Dec > > > > > > 2017 > > > > > > 08:20:55.811108 CET] Remote host > > > > > > [ipv4:192.168.172.14:56798] > > > > > > local > > > > > > host [ipv4:192.168.152.15:389] > > > > > > [2017/12/27 08:20:55.811301, 4] > > > > > > ../auth/auth_log.c:220(log_json) > > > > > > JSON Authorization: {"timestamp": > > > > > > "2017-12-27T08:20:55.811228+0100", "type": "Authorization", > > > > > > "Authorization": {"version": {"major": 1, "minor": 0}, > > > > > > "localAddress": "ipv4:192.168.152.15:389", "remoteAddress": > > > > > > "ipv4:192.168.172.14:56798", "serviceDescription": "LDAP", > > > > > > "authType": "krb5", "domain": "AD", "account": "DCDO1$", > > > > > > "sid": > > > > > > "S-1-5-21-454945863-777199239-1595221609-1108", > > > > > > "logonServer": > > > > > > "DCDO1", "transportProtection": "SIGN", "accountFlags": > > > > > > "0x00002100"}} [2017/12/27 08:20:55.811385, > > > > > > 3] ../auth/auth_log.c:139(get_auth_event_server) > > > > > > get_auth_event_server: Failed to find 'auth_event' > > > > > > registered > > > > > > on > > > > > > the message bus to send JSON authentication events to: > > > > > > NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 > > > > > > 08:20:55.841539, > > > > > > 5] > > > > > > ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchReq > > > > > > uest > > > > > > ) > > > > > > ldb_request BASE dn= filter=(objectClass=*) > > > > > > [2017/12/27 08:20:55.871177, 5] > > > > > > ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchReq > > > > > > uest > > > > > > ) > > > > > > ldb_request SUB dn=CN=Configuration,DC=ad,DC=kdu,DC=com > > > > > > filter=(&(objectCategory=server)(|(name=dcdo1.ad.kdu.com)(d > > > > > > NSHo > > > > > > stName=dcdo1.ad.kdu.com))) > > > > > > [2017/12/27 08:20:55.902579, 5] > > > > > > ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchReq > > > > > > uest > > > > > > ) > > > > > > ldb_request ONE > > > > > > dn=CN=DCDO1,CN=Servers,CN=Default-First-Site- > > > > > > Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com > > > > > > filter=(|(objectCategory=nTDSDSA)(objectCategory=nTDSDSARO) > > > > > > ) > > > > > > [2017/12/27 08:20:55.932550, 5] > > > > > > default/librpc/gen_ndr/ndr_drsuapi_s.c:93(drsuapi__op_dispa > > > > > > tch) > > > > > > function drsuapi_DsReplicaSync will reply async > > > > > > [2017/12/27 08:20:55.932676, 3] > > > > > > ../source4/dsdb/repl/drepl_service.c:206(_drepl_schedule_re > > > > > > plic > > > > > > ation) > > > > > > _drepl_schedule_replication: forcing sync of partition > > > > > > (141bbe37-5eda-42b8-b904-0b75e26b1e2d, dc=ad,dc=kdu,dc=com, > > > > > > 1d535613-81fa-435f-ba17-631d5742c775._msdcs.ad.kdu.com) > > > > > > [2017/12/27 08:20:55.932697, 4] > > > > > > ../source4/dsdb/repl/drepl_periodic.c:187(dreplsrv_pendingo > > > > > > ps_s > > > > > > chedule) > > > > > > dreplsrv_pending_schedule(1) scheduled for: Wed Dec 27 > > > > > > 08:20:57 > > > > > > 2017 CET > > > > > > [2017/12/27 08:20:56.971645, 4] > > > > > > ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6725(rep > > > > > > lmd_ > > > > > > extended_replicated_objects) > > > > > > linked_attributes_count=0 > > > > > > [2017/12/27 08:20:56.971966, 4] > > > > > > ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6561(rep > > > > > > lmd_ > > > > > > replicated_uptodate_modify) > > > > > > DRS replication uptodate modify message: > > > > > > dn: DC=ad,DC=kdu,DC=com > > > > > > changetype: modify > > > > > > replace: replUpToDateVector > > > > > > replUpToDateVector:: > > > > > > AgAAAAAAAAADAAAAAAAAABblFEZH4CNPh3GL0LFEOVz6FAAAAAAAAACAP > > > > > > tXesZ0BhJrYYEE7/kOJnoKr3dq/vN0PAAAAAAAAAIA+1d6xnQHgHbdwEVrz > > > > > > S7KY > > > > > > P2wnvCZRbBYAAA > > > > > > > > > > > > AAAAAAgD7V3rGdAQ=> > > > > > - > > > > > > replace: repsFrom > > > > > > repsFrom:: > > > > > > AQAAAAAAAAAOAQAAAAAAAMHaUxADAAAAwdpTEAMAAAAAAAAA0AAAAD4AAAB > > > > > > 0AAA > > > > > > AERE > > > > > > RERERERERERERERERERERERERERERERERERERERERERERERERERERERERER > > > > > > ERER > > > > > > ERERERERERERER > > > > > > > > > > > > ERERERERERERERERERERERERERERERERAAAAAGsWAAAAAAAAAAAAAAAAAAB > > > > > > rFgA > > > > > > AAAAAAKQMPrx0t > > > > > > > > > > > > UlIhMh6s36sM6XgHbdwEVrzS7KYP2wnvCZRAAAAAAAAAAAAAAAAAAAAADoA > > > > > > AABi > > > > > > YzNlMGNhNC1iNT > > > > > > > > > > > > c0LTQ4NDktODRjOC03YWIzN2VhYzMzYTUuX21zZGNzLmFkLmthbmRvdS5jb > > > > > > 20A > > > > > > repsFrom:: > > > > > > AQAAAAAAAAAOAQAAuQIAANjaUxADAAAA2NpTEAMAAAAAAAAA0AAAAD4AAAB > > > > > > kAAA > > > > > > AERE > > > > > > RERERERERERERERERERERERERERERERERERERERERERERERERERERERERER > > > > > > ERER > > > > > > ERERERERERERER > > > > > > > > > > > > ERERERERERERERERERERERERERERERERAAAAAPgUAAAAAAAAAAAAAAAAAAD > > > > > > 4FAA > > > > > > AAAAAABNWUx36g > > > > > > > > > > > > V9DuhdjHVdCx3UW5RRGR+AjT4dxi9CxRDlcAAAAAAAAAAAAAAAAAAAAADoA > > > > > > AAAx > > > > > > ZDUzNTYxMy04MW > > > > > > > > > > > > ZhLTQzNWYtYmExNy02MzFkNTc0MmM3NzUuX21zZGNzLmFkLmthbmRvdS5jb > > > > > > 20A > > > > > > - > > > > > > > > > > > > > > > > > > [2017/12/27 08:20:56.974912, 2] > > > > > > ../source4/dsdb/repl/replicated_objects.c:1020(dsdb_replica > > > > > > ted_ > > > > > > objects_commit) > > > > > > Replicated 0 objects (0 linked attributes) for > > > > > > DC=ad,DC=kdu,DC=com > > > > > > [2017/12/27 08:20:57.004974, 0] > > > > > > ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_upda > > > > > > te_r > > > > > > efs_done) > > > > > > UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code > > > > > > 0xc0002105 for > > > > > > 0acce4bc-1193-4609-8e4d-a0771bb6fb76._msdcs.ad.kdu.com > > > > > > DC=ad,DC=kdu,DC=com [2017/12/27 08:20:57.005468, 4] > > > > > > ../source4/dsdb/repl/drepl_out_pull.c:181(dreplsrv_pending_ > > > > > > op_c > > > > > > allback) > > > > > > dreplsrv_op_pull_source(WERR_DS_DRA_ACCESS_DENIED) for > > > > > > DC=ad,DC=kdu,DC=com > > > > > > [2017/12/27 08:20:57.009507, 5] > > > > > > default/librpc/gen_ndr/ndr_drsuapi_s.c:389(drsuapi__op_repl > > > > > > y) > > > > > > function drsuapi_DsReplicaSync replied async > > > > > > [2017/12/27 08:20:57.053246, 3] > > > > > > ../source4/smbd/service_stream.c:65(stream_terminate_connec > > > > > > tion > > > > > > ) > > > > > > Terminating connection - 'dcesrv: > > > > > > NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27 > > > > > > 08:20:57.053478, 3] > > > > > > ../source4/smbd/process_single.c:114(single_terminate) > > > > > > single_terminate: reason[dcesrv: > > > > > > NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27 > > > > > > 08:20:57.053528, 3] > > > > > > ../source4/smbd/service_stream.c:65(stream_terminate_connec > > > > > > tion > > > > > > ) > > > > > > Terminating connection - 'ldapsrv_call_loop: > > > > > > tstream_read_pdu_blob_recv() - > > > > > > NT_STATUS_CONNECTION_DISCONNECTED' > > > > > > [2017/12/27 08:20:57.053760, 2] > > > > > > ../source4/smbd/process_standard.c:473(standard_terminate) > > > > > > standard_terminate: reason[ldapsrv_call_loop: > > > > > > tstream_read_pdu_blob_recv() - > > > > > > NT_STATUS_CONNECTION_DISCONNECTED] > > > > > > [2017/12/27 08:20:57.057842, 2] > > > > > > ../source4/smbd/process_standard.c:157(standard_child_pipe_ > > > > > > hand > > > > > > ler) > > > > > > Child 900 () exited with status 0 > > > > > > > > > > > > Any hints/ideas very much appreciated ... > > > > > > > > > > > > Thanks, > > > > > > > > > > > > Uli > > > > > > > > > > > > > > > > > > > > Couple of thoughts, try reading this: > > > > > > > > https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DN > > > > S_Re > > > > cord > > > > > > > > and this: > > > > > > > > https://wiki.samba.org/index.php/Manually_Replicating_Directory > > > > _Par > > > > titions > > > > > > > > Does the missing 'CN' exist on the other two DCs ? > > > > > > > > Rowland > > > > > > > > > > > >
Reasonably Related Threads
- AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
- AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
- AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
- AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
- AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging