Heinz Hölzl
2018-Jan-16 14:54 UTC
[Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
Hi,

there is no firewall, all DCs are in the same subnet.

here is the output of a test, you can see, the CNAME guid entries in the _msdcs can be resolved on any DC (DC1 and DC2 are the first and second DCs, SAMBA3 was added last):

ldbsearch -H /srv/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
objectGUID: 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f

# record 2
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
objectGUID: 9ec652b4-146c-4ff1-babe-5abe291325be

# record 3
dn: CN=NTDS Settings,CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
objectGUID: c01a335e-1794-4997-9c7e-553be77fba04

# returned 3 records
# 3 entries
# 0 referrals

host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net DC1
9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for dc2.test.net.

host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net DC2
9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for dc2.test.net.

host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net SAMBA3
9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for dc2.test.net.

host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net DC1
9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for dc1.test.net.

host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net DC2
9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for dc1.test.net.

host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net SAMBA3
9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for dc1.test.net.

host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net DC1
c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for SAMBA3.test.net.

host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net DC2
c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for SAMBA3.test.net.

host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net SAMBA3
c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for SAMBA3.test.net.


On Tuesday, 16.01.2018, 12:10 +0100, Denis Cardon wrote:
> Hi Heinz,
>
> > I have the same problem on samba 4.7.3 and 4.7.4.
> > I start with 2 DCs and the sync works fine. After the join of a third
> > DC mostly I get the WERR_DS_DRA_ACCESS_DENIED. I tested it 10 times.
> >
> > in my case I have:
> > DC1 (with any FSMO Roles)
> > DC2
> >
> > new join as DC:
> > DC3
> >
> > After the join, the sync from DC2 to DC3 fails.
> >
> > samba-tool drs replicate dc2 dc1 dc=gvcc,dc=net : OK
> > samba-tool drs replicate dc1 dc2 dc=gvcc,dc=net : OK
> > samba-tool drs replicate dc2 dc3 dc=gvcc,dc=net : OK
> > samba-tool drs replicate dc1 dc3 dc=gvcc,dc=net : OK
> > samba-tool drs replicate dc3 dc1 dc=gvcc,dc=net : OK
> > samba-tool drs replicate dc3 dc2 dc=gvcc,dc=net : NOT OK
>
> like Rowland pointed out to you earlier, it is often an issue with missing DNS
> entries. Be sure to check that samba_dnsupdate on both servers is happy,
> especially with the CNAME guid entries in the _msdcs zone.
>
> Another case I saw was that the firewall had not been disabled (or at least
> the port opening was not done right).
>
> Cheers,
>
> Denis
>
> > p.s. DC3 is a new server which never was a member in the ADS.
> >
> > regards,
> > heinz
> >
> > On Wednesday, 27.12.2017, 14:44 +0100, Dr. Johannes-Ulrich Menzebach via samba wrote:
> > > Rowland,
> > >
> > > - the DN "CN=DCNH1,..." exists on all 3 DCs (pointing the Sites and
> > >   Services console to each of them).
> > > - I also checked that "samba-tool dbcheck" completes w/o showing errors.
> > > - the objectGUID DNS aliases of all DCs are resolvable against all 3
> > >   DCs' builtin DNS
> > > - I forced a full sync from the FSMO holder (dcge1) to the 2 other DCs
> > >   which finished w/o errors.
> > > - after that, sync and also full sync dcdo1-->dcnh1 failed exactly as
> > >   earlier.
> > >
> > > I'm wondering whether this is related to
> > > https://bugzilla.samba.org/show_bug.cgi?id=12972 , however I'm running
> > > 4.7.4 and the domain had been created under 4.7.3 (based on the Samba
> > > Wiki). Apart from the sync issue I'm VERY happy with Samba4/AD.
> > >
> > > Many thanks,
> > >
> > > Uli
> > >
> > > On 12/27/2017 01:29 PM, Rowland Penny via samba wrote:
> > > > On Wed, 27 Dec 2017 13:00:05 +0100
> > > > "Dr. Johannes-Ulrich Menzebach via samba" <samba at lists.samba.org> wrote:
> > > >
> > > > > There is additional info in the logs of the source DC (dcdo1, log
> > > > > level 2, manually triggered another replication):
> > > > > ====================
> > > > > [2017/12/27 12:31:29.695121, 2] ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)
> > > > >   ../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on DC=ad,DC=kdu,DC=com using filter (uSNChanged>=5415)
> > > > > [2017/12/27 12:31:29.698828, 2] ../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_DsGetNCChanges)
> > > > >   DsGetNCChanges with uSNChanged >= 5415 flags 0x80000064 on <GUID=141bbe37-5eda-42b8-b904-0b75e26b1e2d>;<SID=S-1-5-21-454945863-777199239-1595221609>;DC=ad,DC=kdu,DC=com gave 0 objects (done 0/0) 0 links (done 0/0 (as S-1-5-21-454945863-777199239-1595221609-1112))
> > > > > [2017/12/27 12:31:29.733157, 1] ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
> > > > >   ../source4/dsdb/common/util.c:4807: Failed to find account dn (serverReference) for CN=DCNH1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com, parent of DSA with objectGUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76, sid S-1-5-21-454945863-777199239-1595221609-1112
> > > > > [2017/12/27 12:31:29.733198, 0] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
> > > > >   ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-454945863-777199239-1595221609-1112 with GUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76
> > > > >
> > > > > According to what I see in the "Sites and Services" RSAT console the DN for
> > > > > CN=DCNH1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com
> > > > > seems to exist.
> > > > >
> > > > > Any ideas?
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Uli
> > > > >
> > > > > On 12/27/2017 09:59 AM, Dr. Johannes-Ulrich Menzebach via samba wrote:
> > > > > > We have 3 ADCs based on Samba-4.7.4 (compiled from source, internal
> > > > > > DNS)/ CentOS7: dcdo1, dcnh1 and dcge1. dcge1 holds all FSMO roles.
> > > > > > The 3 ADCs are on different locations connected via IPSec based
> > > > > > VPN. No traffic is filtered out.
> > > > > >
> > > > > > All 3 ADCs replicate fine except dcdo1 --> dcnh1.
> > > > > > Symptom:
> > > > > >
> > > > > > [root at dcdo1 ~]# samba-tool drs replicate dcnh1.ad.kdu.com dcdo1.ad.kdu.com dc=ad,dc=kdu,dc=com
> > > > > > ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
> > > > > >   File "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 386, in run
> > > > > >     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
> > > > > >   File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line 85, in sendDsReplicaSync
> > > > > >     raise drsException("DsReplicaSync failed %s" % estr)
> > > > > >
> > > > > > Log on dcdo1:
> > > > > > =============
> > > > > > [2017/12/27 08:20:56.335895, 0] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
> > > > > >   ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-454945863-777199239-1595221609-1112 with GUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76
> > > > > >
> > > > > > Log on target DC dcnh1:
> > > > > > =============
> > > > > > [2017/12/27 08:20:55.278559, 5] ../auth/auth_log.c:860(log_successful_authz_event_human_readable)
> > > > > >   Successful AuthZ: [DCE/RPC,ncacn_ip_tcp] user [NT AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Wed, 27 Dec 2017 08:20:55.278538 CET] Remote host [ipv4:192.168.172.14:36196] local host [ipv4:192.168.152.15:135]
> > > > > > [2017/12/27 08:20:55.278641, 5] ../auth/auth_log.c:220(log_json)
> > > > > >   JSON Authorization: {"timestamp": "2017-12-27T08:20:55.278587+0100", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 0}, "localAddress": "ipv4:192.168.152.15:135", "remoteAddress": "ipv4:192.168.172.14:36196", "serviceDescription": "DCE/RPC", "authType": "ncacn_ip_tcp", "domain": "NT AUTHORITY", "account": "ANONYMOUS LOGON", "sid": "S-1-5-7", "logonServer": "DCNH1", "transportProtection": "NONE", "accountFlags": "0x00000010"}}
> > > > > > [2017/12/27 08:20:55.278660, 3] ../auth/auth_log.c:139(get_auth_event_server)
> > > > > >   get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
> > > > > > [2017/12/27 08:20:55.337740, 3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> > > > > >   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> > > > > > [2017/12/27 08:20:55.337873, 3] ../source4/smbd/process_single.c:114(single_terminate)
> > > > > >   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
> > > > > > [2017/12/27 08:20:55.506117, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
> > > > > >   ldb_wrap open of secrets.ldb
> > > > > > [2017/12/27 08:20:55.506420, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> > > > > >   Starting GENSEC mechanism spnego
> > > > > > [2017/12/27 08:20:55.506501, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> > > > > >   Starting GENSEC submechanism gssapi_krb5
> > > > > > [2017/12/27 08:20:55.536259, 5] ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update_internal)
> > > > > >   gensec_gssapi: credentials were delegated
> > > > > > [2017/12/27 08:20:55.536320, 5] ../source4/auth/gensec/gensec_gssapi.c:685(gensec_gssapi_update_internal)
> > > > > >   GSSAPI Connection will be cryptographically sealed
> > > > > > [2017/12/27 08:20:55.538591, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_T\04\00\00 -> 0
> > > > > > [2017/12/27 08:20:55.538644, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_\04\02\00\00 -> 0
> > > > > > [2017/12/27 08:20:55.538712, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_<\02\00\00 -> 0
> > > > > > [2017/12/27 08:20:55.538762, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0
> > > > > > [2017/12/27 08:20:55.538819, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0
> > > > > > [2017/12/27 08:20:55.538864, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0
> > > > > > [2017/12/27 08:20:55.538909, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0
> > > > > > [2017/12/27 08:20:55.538967, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0
> > > > > > [2017/12/27 08:20:55.539029, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1
> > > > > > [2017/12/27 08:20:55.539087, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0
> > > > > > [2017/12/27 08:20:55.539289, 4] ../auth/auth_log.c:860(log_successful_authz_event_human_readable)
> > > > > >   Successful AuthZ: [DCE/RPC,krb5] user [AD]\[DCDO1$] [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec 2017 08:20:55.539277 CET] Remote host [ipv4:192.168.172.14:57364] local host [ipv4:192.168.152.15:49152]
> > > > > > [2017/12/27 08:20:55.539359, 4] ../auth/auth_log.c:220(log_json)
> > > > > >   JSON Authorization: {"timestamp": "2017-12-27T08:20:55.539334+0100", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 0}, "localAddress": "ipv4:192.168.152.15:49152", "remoteAddress": "ipv4:192.168.172.14:57364", "serviceDescription": "DCE/RPC", "authType": "krb5", "domain": "AD", "account": "DCDO1$", "sid": "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer": "DCDO1", "transportProtection": "SEAL", "accountFlags": "0x00002100"}}
> > > > > > [2017/12/27 08:20:55.539398, 3] ../auth/auth_log.c:139(get_auth_event_server)
> > > > > >   get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
> > > > > > [2017/12/27 08:20:55.568937, 3] ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89(dcesrv_drsuapi_DsBind)
> > > > > >   ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89: doing DsBind with system_session
> > > > > > [2017/12/27 08:20:55.641297, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
> > > > > >   ldb_wrap open of secrets.ldb
> > > > > > [2017/12/27 08:20:55.644257, 5] ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
> > > > > >   ldb_request BASE dn= filter=(|(objectClass=*)(distinguishedName=*))
> > > > > > [2017/12/27 08:20:55.706421, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > [2017/12/27 08:20:55.706573, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > [2017/12/27 08:20:55.706777, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > > >   Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from ipv4:192.168.172.14:48486 for ldap/dcnh1.ad.kdu.com at AD.kdu.COM [canonicalize]
> > > > > > [2017/12/27 08:20:55.708186, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > [2017/12/27 08:20:55.708670, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > [2017/12/27 08:20:55.708795, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > [2017/12/27 08:20:55.709594, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > [2017/12/27 08:20:55.710027, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > > >   Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime: 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till: unset
> > > > > > [2017/12/27 08:20:55.740222, 3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> > > > > >   Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> > > > > > [2017/12/27 08:20:55.740440, 3] ../source4/smbd/process_single.c:114(single_terminate)
> > > > > >   single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> > > > > > [2017/12/27 08:20:55.770764, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > [2017/12/27 08:20:55.771034, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > [2017/12/27 08:20:55.771283, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > > >   Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from ipv4:192.168.172.14:48488 for krbtgt/AD.kdu.COM at AD.kdu.COM [forwarded, forwardable]
> > > > > > [2017/12/27 08:20:55.771576, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > [2017/12/27 08:20:55.771786, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > [2017/12/27 08:20:55.772103, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > [2017/12/27 08:20:55.772257, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > [2017/12/27 08:20:55.773194, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > [2017/12/27 08:20:55.773691, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > > >   Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime: 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till: unset
> > > > > > [2017/12/27 08:20:55.804565, 3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> > > > > >   Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> > > > > > [2017/12/27 08:20:55.804774, 3] ../source4/smbd/process_single.c:114(single_terminate)
> > > > > >   single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> > > > > > [2017/12/27 08:20:55.806137, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> > > > > >   Starting GENSEC mechanism spnego
> > > > > > [2017/12/27 08:20:55.806296, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> > > > > >   Starting GENSEC submechanism gssapi_krb5
> > > > > > [2017/12/27 08:20:55.807170, 5] ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update_internal)
> > > > > >   gensec_gssapi: credentials were delegated
> > > > > > [2017/12/27 08:20:55.807242, 5] ../source4/auth/gensec/gensec_gssapi.c:687(gensec_gssapi_update_internal)
> > > > > >   GSSAPI Connection will be cryptographically signed
> > > > > > [2017/12/27 08:20:55.810168, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_T\04\00\00 -> 0
> > > > > > [2017/12/27 08:20:55.810265, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_\04\02\00\00 -> 0
> > > > > > [2017/12/27 08:20:55.810353, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_<\02\00\00 -> 0
> > > > > > [2017/12/27 08:20:55.810428, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0
> > > > > > [2017/12/27 08:20:55.810507, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0
> > > > > > [2017/12/27 08:20:55.810582, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0
> > > > > > [2017/12/27 08:20:55.810674, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0
> > > > > > [2017/12/27 08:20:55.810745, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0
> > > > > > [2017/12/27 08:20:55.810826, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1
> > > > > > [2017/12/27 08:20:55.810901, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > >   gendb_search_v: NULL objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0
> > > > > > [2017/12/27 08:20:55.811125, 4] ../auth/auth_log.c:860(log_successful_authz_event_human_readable)
> > > > > >   Successful AuthZ: [LDAP,krb5] user [AD]\[DCDO1$] [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec 2017 08:20:55.811108 CET] Remote host [ipv4:192.168.172.14:56798] local host [ipv4:192.168.152.15:389]
> > > > > > [2017/12/27 08:20:55.811301, 4] ../auth/auth_log.c:220(log_json)
> > > > > >   JSON Authorization: {"timestamp": "2017-12-27T08:20:55.811228+0100", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 0}, "localAddress": "ipv4:192.168.152.15:389", "remoteAddress": "ipv4:192.168.172.14:56798", "serviceDescription": "LDAP", "authType": "krb5", "domain": "AD", "account": "DCDO1$", "sid": "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer": "DCDO1", "transportProtection": "SIGN", "accountFlags": "0x00002100"}}
> > > > > > [2017/12/27 08:20:55.811385, 3] ../auth/auth_log.c:139(get_auth_event_server)
> > > > > >   get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
> > > > > > [2017/12/27 08:20:55.841539, 5] ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
> > > > > >   ldb_request BASE dn= filter=(objectClass=*)
> > > > > > [2017/12/27 08:20:55.871177, 5] ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
> > > > > >   ldb_request SUB dn=CN=Configuration,DC=ad,DC=kdu,DC=com filter=(&(objectCategory=server)(|(name=dcdo1.ad.kdu.com)(dNSHostName=dcdo1.ad.kdu.com)))
> > > > > > [2017/12/27 08:20:55.902579, 5] ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
> > > > > >   ldb_request ONE dn=CN=DCDO1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com filter=(|(objectCategory=nTDSDSA)(objectCategory=nTDSDSARO))
> > > > > > [2017/12/27 08:20:55.932550, 5] default/librpc/gen_ndr/ndr_drsuapi_s.c:93(drsuapi__op_dispatch)
> > > > > >   function drsuapi_DsReplicaSync will reply async
> > > > > > [2017/12/27 08:20:55.932676, 3] ../source4/dsdb/repl/drepl_service.c:206(_drepl_schedule_replication)
> > > > > >   _drepl_schedule_replication: forcing sync of partition (141bbe37-5eda-42b8-b904-0b75e26b1e2d, dc=ad,dc=kdu,dc=com, 1d535613-81fa-435f-ba17-631d5742c775._msdcs.ad.kdu.com)
> > > > > > [2017/12/27 08:20:55.932697, 4] ../source4/dsdb/repl/drepl_periodic.c:187(dreplsrv_pendingops_schedule)
> > > > > >   dreplsrv_pending_schedule(1) scheduled for: Wed Dec 27 08:20:57 2017 CET
> > > > > > [2017/12/27 08:20:56.971645, 4] ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6725(replmd_extended_replicated_objects)
> > > > > >   linked_attributes_count=0
> > > > > > [2017/12/27 08:20:56.971966, 4] ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6561(replmd_replicated_uptodate_modify)
> > > > > >   DRS replication uptodate modify message:
> > > > > > dn: DC=ad,DC=kdu,DC=com
> > > > > > changetype: modify
> > > > > > replace: replUpToDateVector
> > > > > > replUpToDateVector:: [base64 value omitted]
> > > > > > -
> > > > > > replace: repsFrom
> > > > > > repsFrom:: [base64 value omitted]
> > > > > > repsFrom:: [base64 value omitted]
> > > > > > -
> > > > > >
> > > > > > [2017/12/27 08:20:56.974912, 2] ../source4/dsdb/repl/replicated_objects.c:1020(dsdb_replicated_objects_commit)
> > > > > >   Replicated 0 objects (0 linked attributes) for DC=ad,DC=kdu,DC=com
> > > > > > [2017/12/27 08:20:57.004974, 0] ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
> > > > > >   UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 0acce4bc-1193-4609-8e4d-a0771bb6fb76._msdcs.ad.kdu.com DC=ad,DC=kdu,DC=com
> > > > > > [2017/12/27 08:20:57.005468, 4] ../source4/dsdb/repl/drepl_out_pull.c:181(dreplsrv_pending_op_callback)
> > > > > >   dreplsrv_op_pull_source(WERR_DS_DRA_ACCESS_DENIED) for DC=ad,DC=kdu,DC=com
> > > > > > [2017/12/27 08:20:57.009507, 5] default/librpc/gen_ndr/ndr_drsuapi_s.c:389(drsuapi__op_reply)
> > > > > >   function drsuapi_DsReplicaSync replied async
> > > > > > [2017/12/27 08:20:57.053246, 3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> > > > > >   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> > > > > > [2017/12/27 08:20:57.053478, 3] ../source4/smbd/process_single.c:114(single_terminate)
> > > > > >   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
> > > > > > [2017/12/27 08:20:57.053528, 3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> > > > > >   Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> > > > > > [2017/12/27 08:20:57.053760, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
> > > > > >   standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> > > > > > [2017/12/27 08:20:57.057842, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
> > > > > >   Child 900 () exited with status 0
> > > > > >
> > > > > > Any hints/ideas very much appreciated ...
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Uli
> > > > > >
> > > >
> > > > Couple of thoughts, try reading this:
> > > >
> > > > https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
> > > >
> > > > and this:
> > > >
> > > > https://wiki.samba.org/index.php/Manually_Replicating_Directory_Partitions
> > > >
> > > > Does the missing 'CN' exist on the other two DCs ?
> > > >
> > > > Rowland
Heinz Hölzl
2018-Jan-16 15:31 UTC
[Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
on DC2 in the log I found:

../source4/dsdb/common/util.c:4807: Failed to find account dn (serverReference) for CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net, parent of DSA with objectGUID c01a335e-1794-4997-9c7e-553be77fba04, sid S-1-5-21-1608159440-4144762864-1017073214-18962
../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-1608159440-4144762864-1017073214-18962 with GUID c01a335e-1794-4997-9c7e-553be77fba04

then I did the following test:

samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator --filter=CN,DC,member CONFIGURATION

* Comparing [CONFIGURATION] context...

* Objects to be compared: 1622

Comparing:
'CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net' [ldap://DC1]
'CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net' [ldap://DC2]
    Attributes found only in ldap://DC1:
        serverReference
FAILED

* Result for [CONFIGURATION]: FAILURE

SUMMARY
---------
Attributes found only in ldap://DC1:
    serverReference

ERROR: Compare failed: -1

after a full sync from dc1 to dc2 (samba-tool drs replicate dc2 dc1 dc=gvcc,dc=net --full-sync --local) same result, serverReference on CN=SAMBA3,CN=Servers,CN=Default-First-Site-name,CN=Sites,CN=Configuration,DC=test,DC=net exists only on DC1

how can I fix this?


On Tuesday, 16.01.2018, 14:54 +0000, Heinz Hölzl via samba wrote:
> Hi,
>
> there is no firewall, all DCs are in the same subnet.
>
> here is the output of a test, you can see, the CNAME guid entries in
> the _msdcs can be resolved on any DC: (DC1 and DC2 are the first and
> second DCs, SAMBA3 was added last.
Heinz Hölzl
2018-Jan-16 15:48 UTC
[Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
no, it seems to work!!!

I did an ldapmodify on DC2:

ldapmodify -x -h dc2 -D cn=administrator,cn=users,dc=test,dc=net -W -f serverReference.ldif

serverReference.ldif:

dn: CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
changetype: modify
add: serverReference
serverReference: CN=SAMBA3,OU=Domain Controllers,DC=test,DC=net
-

now the question: Why was the attribute serverReference missing on DC2 after the join? Is it a bug?

On Tuesday, 16.01.2018, 14:54 +0000, Heinz Hölzl via samba wrote:
> Hi,
>
> there is no firewall, all DCs are in the same subnet.
>
> here is the output of a test, you can see, the CNAME guid entries in
> the _msdcs can be resolved on any DC: (DC1 and DC2 are the first and
> second DCs, SAMBA3 was added last.)
>
> ldbsearch -H /srv/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
> # record 1
> dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
> objectGUID: 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f
>
> # record 2
> dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
> objectGUID: 9ec652b4-146c-4ff1-babe-5abe291325be
>
> # record 3
> dn: CN=NTDS Settings,CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
> objectGUID: c01a335e-1794-4997-9c7e-553be77fba04
>
> # returned 3 records
> # 3 entries
> # 0 referrals
>
> host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net DC1
> 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for dc2.test.net.
>
> host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net DC2
> 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for dc2.test.net.
>
> host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net SAMBA3
> 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for dc2.test.net.
>
> host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net DC1
> 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for dc1.test.net.
>
> host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net DC2
> 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for dc1.test.net.
>
> host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net SAMBA3
> 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for dc1.test.net.
>
> host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net DC1
> c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for SAMBA3.test.net.
>
> host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net DC2
> c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for SAMBA3.test.net.
>
> host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net SAMBA3
> c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for SAMBA3.test.net.
>
>
> On Tuesday, 16.01.2018, 12:10 +0100, Denis Cardon wrote:
> > Hi Heinz,
> >
> > > i have the same problem on samba 4.7.3 and 4.7.4.
> > > I start with 2 DCs and the sync works fine. After the join of a third
> > > DC, mostly I get the WERR_DS_DRA_ACCESS_DENIED. I tested it 10 times.
> > >
> > > in my case i have:
> > > DC1 (with any FSMO Roles)
> > > DC2
> > >
> > > new join as DC:
> > > DC3
> > >
> > > After the join, the sync from DC2 to DC3 fails.
> > >
> > > samba-tool drs replicate dc2 dc1 dc=gvcc,dc=net : OK
> > > samba-tool drs replicate dc1 dc2 dc=gvcc,dc=net : OK
> > > samba-tool drs replicate dc2 dc3 dc=gvcc,dc=net : OK
> > > samba-tool drs replicate dc1 dc3 dc=gvcc,dc=net : OK
> > > samba-tool drs replicate dc3 dc1 dc=gvcc,dc=net : OK
> > > samba-tool drs replicate dc3 dc2 dc=gvcc,dc=net : NOT OK
> >
> > as Rowland pointed out to you earlier, it is often an issue with missing DNS
> > entries.
> > Be sure to check that samba_dnsupdate on both servers is happy,
> > especially with the CNAME guid entries in the _msdcs zone.
> >
> > Another case I saw was that the firewall had not been disabled (or at
> > least the port opening was not done right).
> >
> > Cheers,
> >
> > Denis
> >
> > >
> > > p.s. DC3 is a new server which never was a member in the ADS.
> > >
> > >
> > > regards,
> > > heinz
> > >
> > > On Wednesday, 27.12.2017, 14:44 +0100, Dr. Johannes-Ulrich Menzebach via samba wrote:
> > > > Rowland,
> > > >
> > > > - the DN "CN=DCNH1,..." exists on all 3 DCs (pointing the Sites and
> > > >   Services console to each of them).
> > > > - I also checked that "samba-tool dbcheck" completes w/o showing
> > > >   errors.
> > > > - the objectGUID DNS aliases of all DCs are resolvable against all 3
> > > >   DCs' builtin DNS
> > > > - I forced a full sync from the FSMO holder (dcge1) to the 2 other DCs
> > > >   which finished w/o errors.
> > > > - after that, sync and also full sync dcdo1-->dcnh1 failed exactly as
> > > >   earlier.
> > > >
> > > > I'm wondering whether this is related to
> > > > https://bugzilla.samba.org/show_bug.cgi?id=12972 , however I'm running
> > > > 4.7.4 and the domain had been created under 4.7.3 (based on the Samba
> > > > Wiki). Apart from the sync issue I'm VERY happy with Samba4/AD.
> > > >
> > > > Many thanks,
> > > >
> > > > Uli
> > > >
> > > >
> > > > On 12/27/2017 01:29 PM, Rowland Penny via samba wrote:
> > > > > On Wed, 27 Dec 2017 13:00:05 +0100
> > > > > "Dr. Johannes-Ulrich Menzebach via samba" <samba@lists.samba.org>
> > > > > wrote:
> > > > >
> > > > > > There is additional info in the logs of the source DC (dcdo1, log
> > > > > > level 2, manually triggered another replication):
> > > > > > ====================
> > > > > > [2017/12/27 12:31:29.695121, 2] ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)
> > > > > >   ../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on DC=ad,DC=kdu,DC=com using filter (uSNChanged>=5415)
> > > > > > [2017/12/27 12:31:29.698828, 2] ../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_DsGetNCChanges)
> > > > > >   DsGetNCChanges with uSNChanged >= 5415 flags 0x80000064 on <GUID=141bbe37-5eda-42b8-b904-0b75e26b1e2d>;<SID=S-1-5-21-454945863-777199239-1595221609>;DC=ad,DC=kdu,DC=com gave 0 objects (done 0/0) 0 links (done 0/0 (as S-1-5-21-454945863-777199239-1595221609-1112))
> > > > > > [2017/12/27 12:31:29.733157, 1] ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
> > > > > >   ../source4/dsdb/common/util.c:4807: Failed to find account dn (serverReference) for CN=DCNH1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com, parent of DSA with objectGUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76, sid S-1-5-21-454945863-777199239-1595221609-1112
> > > > > > [2017/12/27 12:31:29.733198, 0] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
> > > > > >   ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-454945863-777199239-1595221609-1112 with GUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76
> > > > > >
> > > > > > According to what I see in the "Sites and Services" RSAT console the
> > > > > > DN for CN=DCNH1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com
> > > > > > seems to exist.
> > > > > >
> > > > > > Any ideas?
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Uli
> > > > > >
> > > > > >
> > > > > > On 12/27/2017 09:59 AM, Dr. Johannes-Ulrich Menzebach via samba wrote:
> > > > > > > We have 3 ADCs based on Samba-4.7.4 (compiled from source, internal
> > > > > > > DNS)/ CentOS7: dcdo1, dcnh1 and dcge1. dcge1 holds all FSMO roles.
> > > > > > > The 3 ADCs are at different locations connected via IPSec based
> > > > > > > VPN. No traffic is filtered out.
> > > > > > >
> > > > > > > All 3 ADCs replicate fine except dcdo1 -->dcnh1. Symptom:
> > > > > > >
> > > > > > > [root@dcdo1 ~]# samba-tool drs replicate dcnh1.ad.kdu.com dcdo1.ad.kdu.com dc=ad,dc=kdu,dc=com
> > > > > > > ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
> > > > > > >   File "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 386, in run
> > > > > > >     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
> > > > > > >   File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line 85, in sendDsReplicaSync
> > > > > > >     raise drsException("DsReplicaSync failed %s" % estr)
> > > > > > >
> > > > > > > Log on dcdo1:
> > > > > > > ==============
> > > > > > > [2017/12/27 08:20:56.335895, 0] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
> > > > > > >   ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-454945863-777199239-1595221609-1112 with GUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76
> > > > > > >
> > > > > > > Log on target DC dcnh1:
> > > > > > > ==============
> > > > > > > [2017/12/27 08:20:55.278559, 5] ../auth/auth_log.c:860(log_successful_authz_event_human_readable)
> > > > > > >   Successful AuthZ: [DCE/RPC,ncacn_ip_tcp] user [NT AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Wed, 27 Dec 2017 08:20:55.278538 CET] Remote host [ipv4:192.168.172.14:36196] local host [ipv4:192.168.152.15:135]
> > > > > > > [2017/12/27 08:20:55.278641, 5] ../auth/auth_log.c:220(log_json)
> > > > > > >   JSON Authorization: {"timestamp": "2017-12-27T08:20:55.278587+0100", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 0}, "localAddress": "ipv4:192.168.152.15:135", "remoteAddress": "ipv4:192.168.172.14:36196", "serviceDescription": "DCE/RPC", "authType": "ncacn_ip_tcp", "domain": "NT AUTHORITY", "account": "ANONYMOUS LOGON", "sid": "S-1-5-7", "logonServer": "DCNH1", "transportProtection": "NONE", "accountFlags": "0x00000010"}}
> > > > > > > [2017/12/27 08:20:55.278660, 3] ../auth/auth_log.c:139(get_auth_event_server)
> > > > > > >   get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
> > > > > > > [2017/12/27 08:20:55.337740, 3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> > > > > > >   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> > > > > > > [2017/12/27 08:20:55.337873, 3] ../source4/smbd/process_single.c:114(single_terminate)
> > > > > > >   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
> > > > > > > [2017/12/27 08:20:55.506117, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
> > > > > > >   ldb_wrap open of secrets.ldb
> > > > > > > [2017/12/27 08:20:55.506420, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> > > > > > >   Starting GENSEC mechanism spnego
> > > > > > > [2017/12/27 08:20:55.506501, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> > > > > > >   Starting GENSEC submechanism gssapi_krb5
> > > > > > > [2017/12/27 08:20:55.536259, 5] ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update_internal)
> > > > > > >   gensec_gssapi: credentials were delegated
> > > > > > > [2017/12/27 08:20:55.536320, 5] ../source4/auth/gensec/gensec_gssapi.c:685(gensec_gssapi_update_internal)
> > > > > > >   GSSAPI Connection will be cryptographically sealed
> > > > > > > [2017/12/27 08:20:55.538591, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_T\04\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.538644, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_\04\02\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.538712, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_<\02\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.538762, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.538819, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.538864, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.538909, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.538967, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.539029, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1
> > > > > > > [2017/12/27 08:20:55.539087, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.539289, 4] ../auth/auth_log.c:860(log_successful_authz_event_human_readable)
> > > > > > >   Successful AuthZ: [DCE/RPC,krb5] user [AD]\[DCDO1$] [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec 2017 08:20:55.539277 CET] Remote host [ipv4:192.168.172.14:57364] local host [ipv4:192.168.152.15:49152]
> > > > > > > [2017/12/27 08:20:55.539359, 4] ../auth/auth_log.c:220(log_json)
> > > > > > >   JSON Authorization: {"timestamp": "2017-12-27T08:20:55.539334+0100", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 0}, "localAddress": "ipv4:192.168.152.15:49152", "remoteAddress": "ipv4:192.168.172.14:57364", "serviceDescription": "DCE/RPC", "authType": "krb5", "domain": "AD", "account": "DCDO1$", "sid": "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer": "DCDO1", "transportProtection": "SEAL", "accountFlags": "0x00002100"}}
> > > > > > > [2017/12/27 08:20:55.539398, 3] ../auth/auth_log.c:139(get_auth_event_server)
> > > > > > >   get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
> > > > > > > [2017/12/27 08:20:55.568937, 3] ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89(dcesrv_drsuapi_DsBind)
> > > > > > >   ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89: doing DsBind with system_session
> > > > > > > [2017/12/27 08:20:55.641297, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
> > > > > > >   ldb_wrap open of secrets.ldb
> > > > > > > [2017/12/27 08:20:55.644257, 5] ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
> > > > > > >   ldb_request BASE dn= filter=(|(objectClass=*)(distinguishedName=*))
> > > > > > > [2017/12/27 08:20:55.706421, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.706573, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.706777, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > > > >   Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from ipv4:192.168.172.14:48486 for ldap/dcnh1.ad.kdu.com@AD.kdu.COM [canonicalize]
> > > > > > > [2017/12/27 08:20:55.708186, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.708670, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.708795, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.709594, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.710027, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > > > >   Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime: 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till: unset
> > > > > > > [2017/12/27 08:20:55.740222, 3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> > > > > > >   Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> > > > > > > [2017/12/27 08:20:55.740440, 3] ../source4/smbd/process_single.c:114(single_terminate)
> > > > > > >   single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> > > > > > > [2017/12/27 08:20:55.770764, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.771034, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.771283, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > > > >   Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from ipv4:192.168.172.14:48488 for krbtgt/AD.kdu.COM@AD.kdu.COM [forwarded, forwardable]
> > > > > > > [2017/12/27 08:20:55.771576, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.771786, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.772103, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.772257, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.773194, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.773691, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > > > >   Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime: 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till: unset
> > > > > > > [2017/12/27 08:20:55.804565, 3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> > > > > > >   Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> > > > > > > [2017/12/27 08:20:55.804774, 3] ../source4/smbd/process_single.c:114(single_terminate)
> > > > > > >   single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> > > > > > > [2017/12/27 08:20:55.806137, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> > > > > > >   Starting GENSEC mechanism spnego
> > > > > > > [2017/12/27 08:20:55.806296, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> > > > > > >   Starting GENSEC submechanism gssapi_krb5
> > > > > > > [2017/12/27 08:20:55.807170, 5] ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update_internal)
> > > > > > >   gensec_gssapi: credentials were delegated
> > > > > > > [2017/12/27 08:20:55.807242, 5] ../source4/auth/gensec/gensec_gssapi.c:687(gensec_gssapi_update_internal)
> > > > > > >   GSSAPI Connection will be cryptographically signed
> > > > > > > [2017/12/27 08:20:55.810168, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_T\04\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.810265, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_\04\02\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.810353, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_<\02\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.810428, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.810507, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.810582, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.810674, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.810745, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.810826, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1
> > > > > > > [2017/12/27 08:20:55.810901, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.811125, 4] ../auth/auth_log.c:860(log_successful_authz_event_human_readable)
> > > > > > >   Successful AuthZ: [LDAP,krb5] user [AD]\[DCDO1$] [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec 2017 08:20:55.811108 CET] Remote host [ipv4:192.168.172.14:56798] local host [ipv4:192.168.152.15:389]
> > > > > > > [2017/12/27 08:20:55.811301, 4] ../auth/auth_log.c:220(log_json)
> > > > > > >   JSON Authorization: {"timestamp": "2017-12-27T08:20:55.811228+0100", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 0}, "localAddress": "ipv4:192.168.152.15:389", "remoteAddress": "ipv4:192.168.172.14:56798", "serviceDescription": "LDAP", "authType": "krb5", "domain": "AD", "account": "DCDO1$", "sid": "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer": "DCDO1", "transportProtection": "SIGN", "accountFlags": "0x00002100"}}
> > > > > > > [2017/12/27 08:20:55.811385, 3] ../auth/auth_log.c:139(get_auth_event_server)
> > > > > > >   get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
> > > > > > > [2017/12/27 08:20:55.841539, 5] ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
> > > > > > >   ldb_request BASE dn= filter=(objectClass=*)
> > > > > > > [2017/12/27 08:20:55.871177, 5] ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
> > > > > > >   ldb_request SUB dn=CN=Configuration,DC=ad,DC=kdu,DC=com filter=(&(objectCategory=server)(|(name=dcdo1.ad.kdu.com)(dNSHostName=dcdo1.ad.kdu.com)))
> > > > > > > [2017/12/27 08:20:55.902579, 5] ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
> > > > > > >   ldb_request ONE dn=CN=DCDO1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com filter=(|(objectCategory=nTDSDSA)(objectCategory=nTDSDSARO))
> > > > > > > [2017/12/27 08:20:55.932550, 5] default/librpc/gen_ndr/ndr_drsuapi_s.c:93(drsuapi__op_dispatch)
> > > > > > >   function drsuapi_DsReplicaSync will reply async
> > > > > > > [2017/12/27 08:20:55.932676, 3] ../source4/dsdb/repl/drepl_service.c:206(_drepl_schedule_replication)
> > > > > > >   _drepl_schedule_replication: forcing sync of partition (141bbe37-5eda-42b8-b904-0b75e26b1e2d, dc=ad,dc=kdu,dc=com, 1d535613-81fa-435f-ba17-631d5742c775._msdcs.ad.kdu.com)
> > > > > > > [2017/12/27 08:20:55.932697, 4] ../source4/dsdb/repl/drepl_periodic.c:187(dreplsrv_pendingops_schedule)
> > > > > > >   dreplsrv_pending_schedule(1) scheduled for: Wed Dec 27 08:20:57 2017 CET
> > > > > > > [2017/12/27 08:20:56.971645, 4] ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6725(replmd_extended_replicated_objects)
> > > > > > >   linked_attributes_count=0
> > > > > > > [2017/12/27 08:20:56.971966, 4] ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6561(replmd_replicated_uptodate_modify)
> > > > > > >   DRS replication uptodate modify message:
> > > > > > > dn: DC=ad,DC=kdu,DC=com
> > > > > > > changetype: modify
> > > > > > > replace: replUpToDateVector
> > > > > > > replUpToDateVector:: AgAAAAAAAAADAAAAAAAAABblFEZH4CNPh3GL0LFEOVz6FAAAAAAAAACAPtXesZ0BhJrYYEE7/kOJnoKr3dq/vN0PAAAAAAAAAIA+1d6xnQHgHbdwEVrzS7KYP2wnvCZRbBYAAAAAAAAAgD7V3rGdAQ==
> > > > > > > -
> > > > > > > replace: repsFrom
> > > > > > > repsFrom:: AQAAAAAAAAAOAQAAAAAAAMHaUxADAAAAwdpTEAMAAAAAAAAA0AAAAD4AAAB0AAAAERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERAAAAAGsWAAAAAAAAAAAAAAAAAABrFgAAAAAAAKQMPrx0tUlIhMh6s36sM6XgHbdwEVrzS7KYP2wnvCZRAAAAAAAAAAAAAAAAAAAAADoAAABiYzNlMGNhNC1iNTc0LTQ4NDktODRjOC03YWIzN2VhYzMzYTUuX21zZGNzLmFkLmthbmRvdS5jb20A
> > > > > > > repsFrom:: AQAAAAAAAAAOAQAAuQIAANjaUxADAAAA2NpTEAMAAAAAAAAA0AAAAD4AAABkAAAAERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERAAAAAPgUAAAAAAAAAAAAAAAAAAD4FAAAAAAAABNWUx36gV9DuhdjHVdCx3UW5RRGR+AjT4dxi9CxRDlcAAAAAAAAAAAAAAAAAAAAADoAAAAxZDUzNTYxMy04MWZhLTQzNWYtYmExNy02MzFkNTc0MmM3NzUuX21zZGNzLmFkLmthbmRvdS5jb20A
> > > > > > > -
> > > > > > >
> > > > > > > [2017/12/27 08:20:56.974912, 2] ../source4/dsdb/repl/replicated_objects.c:1020(dsdb_replicated_objects_commit)
> > > > > > >   Replicated 0 objects (0 linked attributes) for DC=ad,DC=kdu,DC=com
> > > > > > > [2017/12/27 08:20:57.004974, 0] ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
> > > > > > >   UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 0acce4bc-1193-4609-8e4d-a0771bb6fb76._msdcs.ad.kdu.com DC=ad,DC=kdu,DC=com
> > > > > > > [2017/12/27 08:20:57.005468, 4] ../source4/dsdb/repl/drepl_out_pull.c:181(dreplsrv_pending_op_callback)
> > > > > > >   dreplsrv_op_pull_source(WERR_DS_DRA_ACCESS_DENIED) for DC=ad,DC=kdu,DC=com
> > > > > > > [2017/12/27 08:20:57.009507, 5] default/librpc/gen_ndr/ndr_drsuapi_s.c:389(drsuapi__op_reply)
> > > > > > >   function drsuapi_DsReplicaSync replied async
> > > > > > > [2017/12/27 08:20:57.053246, 3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> > > > > > >   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> > > > > > > [2017/12/27 08:20:57.053478, 3] ../source4/smbd/process_single.c:114(single_terminate)
> > > > > > >   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
> > > > > > > [2017/12/27
> > > 08:20:57.053528, 3] > > > > > > > ../source4/smbd/service_stream.c:65(stream_terminate_conn > > > > > > > ec > > > > > > > tion > > > > > > > ) > > > > > > > Terminating connection - 'ldapsrv_call_loop: > > > > > > > tstream_read_pdu_blob_recv() - > > > > > > > NT_STATUS_CONNECTION_DISCONNECTED' > > > > > > > [2017/12/27 08:20:57.053760, 2] > > > > > > > ../source4/smbd/process_standard.c:473(standard_terminate > > > > > > > ) > > > > > > > standard_terminate: reason[ldapsrv_call_loop: > > > > > > > tstream_read_pdu_blob_recv() - > > > > > > > NT_STATUS_CONNECTION_DISCONNECTED] > > > > > > > [2017/12/27 08:20:57.057842, 2] > > > > > > > ../source4/smbd/process_standard.c:157(standard_child_pip > > > > > > > e_ > > > > > > > hand > > > > > > > ler) > > > > > > > Child 900 () exited with status 0 > > > > > > > > > > > > > > Any hints/ideas very much appreciated ... > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > > Uli > > > > > > > > > > > > > > > > > > > > > > > > Couple of thoughts, try reading this: > > > > > > > > > > https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_ > > > > > DN > > > > > S_Re > > > > > cord > > > > > > > > > > and this: > > > > > > > > > > https://wiki.samba.org/index.php/Manually_Replicating_Directo > > > > > ry > > > > > _Par > > > > > titions > > > > > > > > > > Does the missing 'CN' exist on the other two DCs ? > > > > > > > > > > Rowland > > > > > > > > > > > > > > > > >
Dr. Johannes-Ulrich Menzebach
2018-Jan-16 18:52 UTC
[Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
Heinz,

I had exactly the same problem, and used ldbedit to apply the fix. Thanks for digging into this! Now I'm interested in the root cause as well ...

Uli

On 16.01.2018 at 16:48, Heinz Hölzl via samba wrote:
> no, it seems to work!!!
>
>
> I did an ldapmodify on DC2:
>
> ldapmodify -x -h dc2 -D cn=administrator,cn=users,dc=test,dc=net -W -f serverReference.ldif
>
> serverReference.ldif:
> dn: CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
> changetype: modify
> add: serverReference
> serverReference: CN=SAMBA3,OU=Domain Controllers,DC=test,DC=net
> -
>
>
> now the question:
> Why was the attribute serverReference missing on DC2 after the join?
>
> Is it a bug?
>
>
>
>
> On Tuesday, 16.01.2018, 14:54 +0000, Heinz Hölzl via samba wrote:
>> Hi,
>>
>> there is no firewall, all DCs are in the same subnet.
>>
>> here is the output of a test, you can see the CNAME guid entries in
>> the _msdcs can be resolved on any DC (DC1 and DC2 are the first and
>> second DCs, SAMBA3 was added last).
>>
>> ldbsearch -H /srv/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
>> # record 1
>> dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
>> objectGUID: 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f
>>
>> # record 2
>> dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
>> objectGUID: 9ec652b4-146c-4ff1-babe-5abe291325be
>>
>> # record 3
>> dn: CN=NTDS Settings,CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
>> objectGUID: c01a335e-1794-4997-9c7e-553be77fba04
>>
>> # returned 3 records
>> # 3 entries
>> # 0 referrals
>>
>> host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net DC1
>> 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for dc2.test.net.
>>>>>>>> >>>>>>>> Thanks, >>>>>>>> >>>>>>>> Uli >>>>>>>> >>>>>>>> >>>>>> Couple of thoughts, try reading this: >>>>>> >>>>>> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_ >>>>>> DN >>>>>> S_Re >>>>>> cord >>>>>> >>>>>> and this: >>>>>> >>>>>> https://wiki.samba.org/index.php/Manually_Replicating_Directo >>>>>> ry >>>>>> _Par >>>>>> titions >>>>>> >>>>>> Does the missing 'CN' exist on the other two DCs ? >>>>>> >>>>>> Rowland >>>>>> >>>>> >>>-- +----------------------------------------------------------------------+ | Dr. Johannes-Ulrich Menzebach | | phone : ++49-203-306-1765 (work) ++49-160-98930847 (cellular) | | eMail : menze at dirac.ruhr.de | | GPG Key fingerprint = | | A36C 9660 6A1C 91E6 051E DF1A 573A 770B DD66 9D9F | +----------------------------------------------------------------------+
Dirk Laurenz
2018-Apr-04 12:32 UTC
[Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
Same error here...

root at samba01:~# samba-tool ldapcmp ldap://samba01 ldap://samba02 -Uadministrator --filter=CN,DC,member CONFIGURATION
Password for [LAURENZ\administrator]:

* Comparing [CONFIGURATION] context...

* Objects to be compared: 1631

Comparing:
'CN=SAMBA03,CN=Servers,CN=Harz,CN=Sites,CN=Configuration,DC=local,DC=laurenz,DC=ws' [ldap://samba01]
'CN=SAMBA03,CN=Servers,CN=Harz,CN=Sites,CN=Configuration,DC=local,DC=laurenz,DC=ws' [ldap://samba02]
    Attributes found only in ldap://samba01:
        serverReference
FAILED

* Result for [CONFIGURATION]: FAILURE

SUMMARY
---------
Attributes found only in ldap://samba01:
    serverReference
ERROR: Compare failed: -1

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Heinz Hölzl via samba
Sent: Tuesday, 16 January 2018 16:32
To: samba at lists.samba.org
Subject: Re: [Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging

On DC2 in the log I found:

./source4/dsdb/common/util.c:4807: Failed to find account dn (serverReference) for CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net, parent of DSA with objectGUID c01a335e-1794-4997-9c7e-553be77fba04, sid S-1-5-21-1608159440-4144762864-1017073214-18962
../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-1608159440-4144762864-1017073214-18962 with GUID c01a335e-1794-4997-9c7e-553be77fba04

Then I did the following test:

samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator --filter=CN,DC,member CONFIGURATION

* Comparing [CONFIGURATION] context...
* Objects to be compared: 1622

Comparing:
'CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net' [ldap://DC1]
'CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net' [ldap://DC2]
    Attributes found only in ldap://DC1:
        serverReference
FAILED

* Result for [CONFIGURATION]: FAILURE

SUMMARY
---------
Attributes found only in ldap://DC1:
    serverReference
ERROR: Compare failed: -1

After a full sync from DC1 to DC2 (samba-tool drs replicate dc2 dc1 dc=gvcc,dc=net --full-sync --local), same result: serverReference on CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net exists only on DC1.

How can I fix this?
> > > > > > > 0acce4bc-1193-4609-8e4d-a0771bb6fb76._msdcs.ad.kdu.com > > > > > > > DC=ad,DC=kdu,DC=com [2017/12/27 08:20:57.005468, 4] > > > > > > > ../source4/dsdb/repl/drepl_out_pull.c:181(dreplsrv_pendin > > > > > > > g_ > > > > > > > op_c > > > > > > > allback) > > > > > > > dreplsrv_op_pull_source(WERR_DS_DRA_ACCESS_DENIED) for > > > > > > > DC=ad,DC=kdu,DC=com > > > > > > > [2017/12/27 08:20:57.009507, 5] > > > > > > > default/librpc/gen_ndr/ndr_drsuapi_s.c:389(drsuapi__op_re > > > > > > > pl > > > > > > > y) > > > > > > > function drsuapi_DsReplicaSync replied async > > > > > > > [2017/12/27 08:20:57.053246, 3] > > > > > > > ../source4/smbd/service_stream.c:65(stream_terminate_conn > > > > > > > ec > > > > > > > tion > > > > > > > ) > > > > > > > Terminating connection - 'dcesrv: > > > > > > > NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27 > > > > > > > 08:20:57.053478, 3] > > > > > > > ../source4/smbd/process_single.c:114(single_terminate) > > > > > > > single_terminate: reason[dcesrv: > > > > > > > NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27 > > > > > > > 08:20:57.053528, 3] > > > > > > > ../source4/smbd/service_stream.c:65(stream_terminate_conn > > > > > > > ec > > > > > > > tion > > > > > > > ) > > > > > > > Terminating connection - 'ldapsrv_call_loop: > > > > > > > tstream_read_pdu_blob_recv() - > > > > > > > NT_STATUS_CONNECTION_DISCONNECTED' > > > > > > > [2017/12/27 08:20:57.053760, 2] > > > > > > > ../source4/smbd/process_standard.c:473(standard_terminate > > > > > > > ) > > > > > > > standard_terminate: reason[ldapsrv_call_loop: > > > > > > > tstream_read_pdu_blob_recv() - > > > > > > > NT_STATUS_CONNECTION_DISCONNECTED] > > > > > > > [2017/12/27 08:20:57.057842, 2] > > > > > > > ../source4/smbd/process_standard.c:157(standard_child_pip > > > > > > > e_ > > > > > > > hand > > > > > > > ler) > > > > > > > Child 900 () exited with status 0 > > > > > > > > > > > > > > Any hints/ideas very much appreciated ... 
> > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > > Uli > > > > > > > > > > > > > > > > > > > > > > > > Couple of thoughts, try reading this: > > > > > > > > > > https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_ > > > > > DN > > > > > S_Re > > > > > cord > > > > > > > > > > and this: > > > > > > > > > > https://wiki.samba.org/index.php/Manually_Replicating_Directo > > > > > ry > > > > > _Par > > > > > titions > > > > > > > > > > Does the missing 'CN' exist on the other two DCs ? > > > > > > > > > > Rowland > > > > > > > > > > > > > > > > >-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
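Added example for this thread (my code, not Samba's and not code posted by anyone in the thread). It automates the two checks the thread is doing by hand: it parses the LDIF that `ldbsearch ... '(invocationId=*)' --cross-ncs objectGUID` prints (including LDIF line folding, which is why the archive shows `CN=Default-First-Site- Name` split in two), derives the `<objectGUID>._msdcs.<domain>` CNAME every DC must answer identically, and pulls the `forcing sync of partition (...)`, `UpdateRefs failed with WERR_.../... for <dsa> <nc>` and `dreplsrv_op_pull_source(WERR_...)` events out of a samba log so that each DSA name in them can be matched back to an NTDS Settings object known to this DC. The domain `ad.example.com`, the DC names and all GUIDs in the samples are constructed to mirror the shape of the thread's output, not taken from any real domain; the function names are mine. Only `check_cnames` touches the network (it shells out to the same `host -t CNAME <name> <dc>` command used above); everything else runs offline on the embedded samples.

```python
#!/usr/bin/env python3
"""Cross-check Samba DRS log events against the NTDS Settings objects and
_msdcs CNAMEs a DC should know.  Added example, not Samba's own code.
The LDIF/log samples are constructed to mirror the thread's ldbsearch output
and samba log lines; domain, host names and GUIDs are made up."""
import re
import subprocess
from typing import Dict, List, Optional

SAMPLE_DOMAIN = "ad.example.com"  # constructed
# Shape of: ldbsearch -H /srv/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectGUID
# (record 2 shows ldbsearch's LDIF line folding: a leading space continues the line)
SAMPLE_LDIF = """\
# record 1
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=example,DC=com
objectGUID: 6f1c2a3b-1111-4aaa-8bbb-000000000001

# record 2
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-
 Name,CN=Sites,CN=Configuration,DC=ad,DC=example,DC=com
objectGUID: 6f1c2a3b-2222-4aaa-8bbb-000000000002

# record 3
dn: CN=NTDS Settings,CN=SAMBA1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=example,DC=com
objectGUID: 6f1c2a3b-3333-4aaa-8bbb-000000000003

# returned 3 records
"""
# Constructed samba log lines in the shape quoted in the thread (log level >= 3)
SAMPLE_LOG = """\
[2017/12/27 08:20:55.932676,  3] ../source4/dsdb/repl/drepl_service.c:206(_drepl_schedule_replication)
  _drepl_schedule_replication: forcing sync of partition (0f0f0f0f-0000-4000-8000-00000000000a, dc=ad,dc=example,dc=com, 6f1c2a3b-1111-4aaa-8bbb-000000000001._msdcs.ad.example.com)
[2017/12/27 08:20:57.004974,  0] ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
  UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 6f1c2a3b-9999-4aaa-8bbb-000000000099._msdcs.ad.example.com DC=ad,DC=example,DC=com
[2017/12/27 08:20:57.005468,  4] ../source4/dsdb/repl/drepl_out_pull.c:181(dreplsrv_pending_op_callback)
  dreplsrv_op_pull_source(WERR_DS_DRA_ACCESS_DENIED) for DC=ad,DC=example,DC=com
"""

DN_RE = re.compile(r"^dn:\s*(.+)$", re.I)
GUID_RE = re.compile(r"^objectGUID:\s*([0-9a-f-]{36})\s*$", re.I)
CN_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),", re.I)
GUID = r"[0-9a-f-]{36}"
# the NC in the middle contains commas, so the DSA name at the end anchors the match
FORCING_RE = re.compile(rf"forcing sync of partition \(({GUID}), (.+), ({GUID}\._msdcs\.[^\s)]+)\)", re.I)
UPDATEREFS_RE = re.compile(r"UpdateRefs failed with (WERR_\w+)/(.+?) for (\S+) (\S+)\s*$")
PULL_RE = re.compile(r"dreplsrv_op_pull_source\((WERR_\w+)\) for (\S+)")


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) and drop comments/blanks."""
    out: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            out.append(raw)
    return out


def parse_ntds_settings(ldif: str) -> Dict[str, str]:
    """objectGUID (lower-case) -> DC name, one entry per NTDS Settings object."""
    dsas: Dict[str, str] = {}
    dc: Optional[str] = None
    for line in unfold_ldif(ldif):
        m_dn, m_guid = DN_RE.match(line), GUID_RE.match(line)
        if m_dn:
            cn = CN_RE.match(m_dn.group(1))
            dc = cn.group(1) if cn else None
        elif m_guid and dc:
            dsas[m_guid.group(1).lower()] = dc
    return dsas


def expected_cnames(dsas: Dict[str, str], domain: str) -> Dict[str, str]:
    """<guid>._msdcs.<domain> -> host it must alias; every DC should agree."""
    return {f"{g}._msdcs.{domain.lower()}": f"{dc.lower()}.{domain.lower()}"
            for g, dc in dsas.items()}


def parse_drs_log(log: str) -> List[dict]:
    """Extract scheduled syncs and replication failures, in log order."""
    events: List[dict] = []
    for line in log.splitlines():
        m = FORCING_RE.search(line)
        if m:
            events.append({"event": "sync", "partition_guid": m.group(1).lower(),
                           "nc": m.group(2), "source_dsa": m.group(3).lower()})
            continue
        m = UPDATEREFS_RE.search(line)
        if m:
            events.append({"event": "updaterefs_failed", "werr": m.group(1), "ntstatus": m.group(2),
                           "dsa": m.group(3).lower(), "nc": m.group(4)})
            continue
        m = PULL_RE.search(line)
        if m:
            events.append({"event": "pull_failed", "werr": m.group(1), "nc": m.group(2)})
    return events


def cross_check(events: List[dict], dsas: Dict[str, str]) -> List[str]:
    """For each DSA name in an event: is its GUID an NTDS Settings object this
    DC knows, and which command verifies its _msdcs CNAME on another DC?"""
    findings: List[str] = []
    for ev in events:
        tag = ev["event"] + (f" ({ev['werr']})" if "werr" in ev else "")
        for name in (ev[k] for k in ("source_dsa", "dsa") if k in ev):
            guid = name.split("._msdcs.", 1)[0]
            if guid in dsas:
                findings.append(f"{tag}: {name} is the DSA of {dsas[guid]}; "
                                f"check on every DC: host -t CNAME {name} <dc>")
            else:
                findings.append(f"{tag}: {name} has no NTDS Settings object in this "
                                f"sam.ldb (stale repsFrom or unreplicated server object?)")
    return findings


def parse_host_cname(output: str) -> Optional[str]:
    """Target from 'host -t CNAME' output ('... is an alias for X.'), or None."""
    m = re.search(r"is an alias for (\S+?)\.?\s*$", output, re.M)
    return m.group(1).lower() if m else None


def check_cnames(expected: Dict[str, str], servers: List[str]) -> List[str]:
    """Live check (needs 'host' and the network): ask each DC for each CNAME."""
    problems: List[str] = []
    for server in servers:
        for name, target in expected.items():
            out = subprocess.run(["host", "-t", "CNAME", name, server],
                                 capture_output=True, text=True).stdout
            got = parse_host_cname(out)
            if got != target:
                problems.append(f"{server}: {name} -> {got!r}, expected {target}")
    return problems


if __name__ == "__main__":
    dsas = parse_ntds_settings(SAMPLE_LDIF)
    for name, target in expected_cnames(dsas, SAMPLE_DOMAIN).items():
        print(f"expect {name} -> {target}")
    for finding in cross_check(parse_drs_log(SAMPLE_LOG), dsas):
        print(finding)
    # live, from a DC: check_cnames(expected_cnames(dsas, SAMPLE_DOMAIN), ["dc1", "dc2", "samba1"])
```

Run as-is it only reports on the constructed samples. To use it on a real DC, feed `parse_ntds_settings` the output of the ldbsearch command above, `parse_drs_log` the samba log at log level 3 or higher, and then call `check_cnames` with the list of DCs; a CNAME that resolves on one DC but not another, or a DSA GUID in the log that has no NTDS Settings object in the local sam.ldb, is exactly the kind of inconsistency Rowland's two wiki links are about.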