samba - May 2018 - unexplained Replication failures...?

Hi all,

I'm running in circles trying to debug replication failures on samba 
4.7.6:

dc00 : is a VM on KVM host (attached to a bridge on local LAN)
dc01 : is a similarly configured VM on another KVM host.

I've forcibly demoted and re-promoted dc01 but I still cannot get 
automatic replication to work:

root at dc00 ~]# samba-tool drs showrepl
Krynn\DC00
DSA Options: 0x00000001
DSA object GUID: 204cb904-754b-4457-af09-9347f8714006
DSA invocationId: b72fc409-bf9a-45e2-a623-0e668386536a

==== INBOUND NEIGHBORS ===
DC=ForestDnsZones,DC=ad,DC=lasthome,DC=solace,DC=krynn
         Krynn\DC01 via RPC
                 DSA object GUID: 9ac5b74a-383a-4336-9c5d-978b45bad9c9
                 Last attempt @ Thu May  3 18:50:52 2018 EDT failed, result 87
(WERR_INVALID_PARAMETER)
                 4 consecutive failure(s).
                 Last success @ NTTIME(0)

All of these show 'Last success @ NTTIME(0)'.

I can force replication manually just fine but automatic replication 
doesn't seem to work.

[root at dc00 ~]# samba-tool dbcheck
Checking 351 objects
Checked 351 objects (0 errors)
[root at dc00 ~]# samba-tool drs replicate DC01 DC00
dc=ad,dc=lasthome,dc=solace,dc=krynn --sync-forced --full-sync
Replicate from DC00 to DC01 was successful.

Any ideas?

Vincent

Hi Vincent,
> I'm running in circles trying to debug replication failures on samba
4.7.6:
>
> dc00 : is a VM on KVM host (attached to a bridge on local LAN)
> dc01 : is a similarly configured VM on another KVM host.
>
> I've forcibly demoted and re-promoted dc01 but I still cannot get
> automatic replication to work:
>
> root at dc00 ~]# samba-tool drs showrepl
> Krynn\DC00
> DSA Options: 0x00000001
> DSA object GUID: 204cb904-754b-4457-af09-9347f8714006
> DSA invocationId: b72fc409-bf9a-45e2-a623-0e668386536a
>
> ==== INBOUND NEIGHBORS ===>
> DC=ForestDnsZones,DC=ad,DC=lasthome,DC=solace,DC=krynn
>         Krynn\DC01 via RPC
>                 DSA object GUID: 9ac5b74a-383a-4336-9c5d-978b45bad9c9
>                 Last attempt @ Thu May  3 18:50:52 2018 EDT failed,
> result 87 (WERR_INVALID_PARAMETER)
>                 4 consecutive failure(s).
>                 Last success @ NTTIME(0)
>
> All of these show 'Last success @ NTTIME(0)'.
>
> I can force replication manually just fine but automatic replication
> doesn't seem to work.
>
> [root at dc00 ~]# samba-tool dbcheck
> Checking 351 objects
> Checked 351 objects (0 errors)
> [root at dc00 ~]# samba-tool drs replicate DC01 DC00
> dc=ad,dc=lasthome,dc=solace,dc=krynn --sync-forced --full-sync
> Replicate from DC00 to DC01 was successful.
if you need a --sync-forced --full-sync to have replication working, 
then actually it is not working. Try to restart samba with "log level = 
9" in smb.conf and look for the few last message of the replication 
process, it should give you a bit more information about the issue.

Cheers,

Denis
>
> Any ideas?
>
> Vincent
>
-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr

Hi Denis,
Thanks for taking the time to answer.

Yes, I may have been wrong with --forced-sync and --full-sync since the 
start but in fact I wanted to make sure to force replication between the 
servers.

Here is what I have noticed:

- replication works from dc00 -> dc00 but not from dc01 -> dc00:

[root at dc00 ~]# samba-tool drs replicate DC01 DC00 
dc=ad,dc=lasthome,dc=solace,dc=krynn --sync-forced --full-sync
Replicate from DC00 to DC01 was successful.
[root at dc00 ~]# samba-tool drs replicate DC00 DC01 
dc=ad,dc=lasthome,dc=solace,dc=krynn --sync-forced --full-sync
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync
failed -
drsException: DsReplicaSync failed (87, 'WERR_INVALID_PARAMETER')
[...]

Here's what I have noticed:

# samba-tool ldapcmp ldap://dc00 ldap://dc01 domain 
--filter=msDS-NcType,serverState

* Comparing [DOMAIN] context...

* Objects to be compared: 304

Comparing:
'CN=DC01,OU=Domain Controllers,DC=ad,DC=lasthome,DC=solace,DC=krynn' 
[ldap://dc00]
'CN=DC01,OU=Domain Controllers,DC=ad,DC=lasthome,DC=solace,DC=krynn' 
[ldap://dc01]
     Difference in attribute values:
         servicePrincipalName =>
['E3514235-4B06-11D1-AB04-00C04FC2DCD2/9075aec2-bbc6-4f87-9246-aa75689b86d4/ad.lasthome.solace.krynn',
'GC/dc01.ad.lasthome.solace.krynn/ad.lasthome.solace.krynn',
'HOST/DC01',
'HOST/dc01.ad.lasthome.solace.krynn']
['E3514235-4B06-11D1-AB04-00C04FC2DCD2/9075aec2-bbc6-4f87-9246-aa75689b86d4/ad.lasthome.solace.krynn',
'GC/dc01.ad.lasthome.solace.krynn/ad.lasthome.solace.krynn',
'HOST/DC01',
'HOST/dc01.ad.lasthome.solace.krynn', 
'HOST/dc01.ad.lasthome.solace.krynn/KRYNN_AD', 
'HOST/dc01.ad.lasthome.solace.krynn/ad.lasthome.solace.krynn', 
'RestrictedKrbHost/DC01', 
'RestrictedKrbHost/dc01.ad.lasthome.solace.krynn', 
'ldap/9075aec2-bbc6-4f87-9246-aa75689b86d4._msdcs.ad.lasthome.solace.krynn',
'ldap/DC01', 'ldap/dc01.ad.lasthome.solace.krynn', 
'ldap/dc01.ad.lasthome.solace.krynn/DomainDnsZones.ad.lasthome.solace.krynn',
'ldap/dc01.ad.lasthome.solace.krynn/ForestDnsZones.ad.lasthome.solace.krynn',
'ldap/dc01.ad.lasthome.solace.krynn/KRYNN_AD', 
'ldap/dc01.ad.lasthome.solace.krynn/ad.lasthome.solace.krynn']
     FAILED

* Result for [DOMAIN]: FAILURE

SUMMARY
---------

Attributes with different values:

     servicePrincipalName
ERROR: Compare failed: -1

Any ideas?

I will set the log level to '9' to see if I can pinpoint the issue more 
precisely..

Thanks,

,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,
Vincent S. Cojot, Computer Engineering. STEP project.
_.,-*~'`^`'~*-,._.,-*~
Ecole Polytechnique de Montreal, Comite Micro-Informatique.
_.,-*~'`^`'~*-,.
Linux Xview/OpenLook resources page
_.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'
http://step.polymtl.ca/~coyote  _.,-*~'`^`'~*-,._ coyote at
NOSPAM4cojot.name

They cannot scare me with their empty spaces
Between stars - on stars where no human race is
I have it in me so much nearer home
To scare myself with my own desert places.       - Robert Frost



On Fri, 4 May 2018, Denis Cardon via samba wrote:
> Hi Vincent,
>
>>  I'm running in circles trying to debug replication failures on
samba
>>  4.7.6:
>>
>>  dc00 : is a VM on KVM host (attached to a bridge on local LAN)
>>  dc01 : is a similarly configured VM on another KVM host.
>>
>>  I've forcibly demoted and re-promoted dc01 but I still cannot get
>>  automatic replication to work:
>>
>>  root at dc00 ~]# samba-tool drs showrepl
>>  Krynn\DC00
>>  DSA Options: 0x00000001
>>  DSA object GUID: 204cb904-754b-4457-af09-9347f8714006
>>  DSA invocationId: b72fc409-bf9a-45e2-a623-0e668386536a
>>
>>  ==== INBOUND NEIGHBORS ===>>
>>  DC=ForestDnsZones,DC=ad,DC=lasthome,DC=solace,DC=krynn
>>          Krynn\DC01 via RPC
>>                  DSA object GUID: 9ac5b74a-383a-4336-9c5d-978b45bad9c9
>>                  Last attempt @ Thu May  3 18:50:52 2018 EDT failed,
>>  result 87 (WERR_INVALID_PARAMETER)
>>                  4 consecutive failure(s).
>>                  Last success @ NTTIME(0)
>>
>>  All of these show 'Last success @ NTTIME(0)'.
>>
>>  I can force replication manually just fine but automatic replication
>>  doesn't seem to work.
>>
>>  [root at dc00 ~]# samba-tool dbcheck
>>  Checking 351 objects
>>  Checked 351 objects (0 errors)
>>  [root at dc00 ~]# samba-tool drs replicate DC01 DC00
>>  dc=ad,dc=lasthome,dc=solace,dc=krynn --sync-forced --full-sync
>>  Replicate from DC00 to DC01 was successful.
>
> if you need a --sync-forced --full-sync to have replication working, then 
> actually it is not working. Try to restart samba with "log level =
9" in
> smb.conf and look for the few last message of the replication process, it 
> should give you a bit more information about the issue.
>
> Cheers,
>
> Denis
>
>>
>>  Any ideas?
>>
>>  Vincent
>> 
>
> -- 
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil.it
>
> Samba install wiki for Frenchies : https://dev.tranquil.it
> WAPT, software deployment made easy : https://wapt.fr
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>