Martin Krämer
2019-Apr-06 08:58 UTC
[Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
Hello everyone,

I have set up two Samba AD DCs running Debian 9 with the BIND9_DLZ DNS backend. Both are running Samba 4.5.16 - I know it is already a very old version, but this is the default one coming with the Debian stretch repo. (I will upgrade to Debian buster - and with this to a newer Samba version - as soon as it is released stable and I could test the upgrade correctly :) )

location-000001.domain.de is one of the DCs hosting all FSMO roles. location-000002.domain.de is the second one.
Both are in different subnets but can reach each other.
Unfortunately replication only works from location-000001.domain.de to location-000002.domain.de.
The other way round I always end up with this error:
----------
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (1326, 'WERR_LOGON_FAILURE')
----------

Additionally within journalctl I see:
----------
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:192.168.13.251[1024,sign,target_hostname=location-000001.domain.de,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.13.251] NT_STATUS_LOGON_FAILURE
----------

I already searched the web etc. but unfortunately I did not find really useful hints. It seems most "NT_STATUS_LOGON_FAILURE" errors are related to Windows clients trying to access Samba shares - not replication between two Samba DCs.
Below I tried to capture all possibly relevant information. If further information is required please let me know.
Thanks for any hint pointing me in the right direction. Maybe you know which log file I should check etc.

Kind Regards
mk-maddin

--------ADDITIONAL DETAILS--------

root at location-000001.domain.de: samba-setup-checkup.sh
Check hostnames : Ok
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 192.168.13.254 : Ok
Warning, no ping to gateway, this might be firewalled. check you internet connection, AD DNS might need it.
Check ping google dns : 8.8.8.8 : Ok
Warning, no ping to internet dns 8.8.8.8, this might be firewalled. Check you internet connection, AD DNS might need it.
Checking file owner..
-rw-r--r-- root root /etc/samba/smb.conf
Checking file owner..
-rw-r--r-- root root /etc/samba/lmhosts
Checking file owner..
-rw-r--r-- root root /etc/samba/smbpasswd
drwxr-xr-x root root /usr/bin
drwxr-xr-x root root /var/cache/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu
drwxr-xr-x root root /var/run/samba
drwxr-x--- root adm /var/log/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu/samba
drwxr-xr-x root root /var/run/samba
drwxr-xr-x root root /var/lib/samba/private
drwxr-xr-x root root /usr/sbin
drwxr-xr-x root root /var/lib/samba

DCS location-000001.domain.de location-000002.domain.de
DC1 location-000001.domain.de
DC2 location-000002.domain.de

Samba AD DC info: = detected (command and where to look)
This server hostname = location-000001 (hostname -s and /etc/hosts and DNS server)
This server FQDN (hostname) = location-000001.domain.de (hostname -f and /etc/hosts and DNS server)
This server primary dnsdomain = domain.de (hostname -d and /etc/resolv.conf and DNS server)
This server IP address(ses) = 192.168.13.251 Only one interface detected (hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles = LOCATION-000001 (samba-tool fsmo show)
The DC (with FSMO) Site name = Default-First-Site-Name (samba-tool fsmo show)
The Default Naming Context = DC=domain,DC=de (samba-tool fsmo show)
The Kerberos REALM name used = DOMAIN.DE (kinit and /etc/krb5.conf and resolving)
The Ipadres of DC location-000001.domain.de = 192.168.13.251
The Ipadres of DC location-000002.domain.de = 192.168.30.251

SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver

root at location-000001.domain.de: samba-collect-debug-info.sh
Password for Administrator at DOMAIN.DE:
Please wait, collecting debug info.
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:192.168.13.251[1024,sign,target_hostname=location-000001.domain.de,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.13.251] NT_STATUS_LOGON_FAILURE
ERROR: Connecting to DNS RPC server location-000001.domain.de failed with (-1073741715, 'Logon failure')
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:192.168.13.251[1024,sign,target_hostname=location-000001.domain.de,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.13.251] NT_STATUS_LOGON_FAILURE
ERROR: Connecting to DNS RPC server location-000001.domain.de failed with (-1073741715, 'Logon failure')
The debug info about your system can be found in this file: /tmp/samba-debug-info.txt
Please check this and if required, sanitise it.
Then copy & paste it into an email to the samba list
Do not attach it to the email, the Samba mailing list strips attachments.

root at location-000001.domain.de: cat /tmp/samba-debug-info.txt
Collected config --- 2019-04-06-08:30
-----------
Hostname: location-000001
DNS Domain: domain.de
FQDN: location-000001.domain.de
ipaddress: 192.168.13.251
-----------
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 9.8 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:04:58:c9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.13.251/24 brd 192.168.13.255 scope global eth0
    inet6 fe80::5054:ff:fe04:58c9/64 scope link
-----------
Checking file: /etc/hosts
##--FAI default hosts file
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.13.251 location-000001.domain.de location-000001
192.168.30.251 location-000002.domain.de location-000002
-----------
Checking file: /etc/resolv.conf
# fai installation resolve.conf
#nameserver 127.0.0.1
nameserver 192.168.13.251
nameserver 192.168.30.251
nameserver 8.8.4.4
nameserver 192.168.13.254
domain domain.de
search domain.de
-----------
Checking file: /etc/krb5.conf
[libdefaults]
    default_realm = DOMAIN.DE
    dns_lookup_realm = false
    dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:     compat sss
group:      compat sss
shadow:     compat sss
gshadow:    files
hosts:      files dns
networks:   files
protocols:  db files
services:   db files sss
ethers:     db files
rpc:        db files
netgroup:   nis sss
sudoers:    files sss
-----------
Checking file: /etc/samba/smb.conf
## FAI generated smb.conf
## do not manually edit this file - changes might be overwritten
[global]
    server services = -dns
    ldap server require strong auth = no
    tls cafile = tls/ca.pem
    tls certfile = tls/cert.pem
    tls keyfile = tls/key.pem
    tls enabled = yes
    idmap_ldb:use rfc2307 = yes
    server role = active directory domain controller
    usershare allow guests = No
    realm = DOMAIN.DE
    kerberos method = secrets and keytab
    client use spnego = yes
    client signing = yes
    workgroup = DOMAIN

[netlogon]
    read only = no
    path = /var/lib/samba/sysvol/domain.de/Scripts

[sysvol]
    read only = no
    path = /var/lib/samba/sysvol
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
-----------
Checking file: /etc/bind/named.conf.options
options {
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    allow-recursion { all-networks; 127.0.0.1/32; };
    allow-query { all-networks; 127.0.0.1/32; };
    empty-zones-enable no;
    notify no;
    listen-on port 53 { thisserverip; 127.0.0.1; };
    forwarders { 192.168.30.251; 8.8.4.4; 192.168.13.254; };
    version "0.0.7";
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //=======================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //=======================================================================
    dnssec-validation no;

    auth-nxdomain yes;    # conform to RFC1035=no but we are the Authoritive server
    listen-on-v6 { none; };
};

acl thisserverip { 192.168.13.251; };
acl all-networks { 192.168.13.0/24; };

include "/etc/bind/rndc.key";
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

include "/var/lib/samba/private/named.conf";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
-----------
Samba DNS zone list:
Samba DNS zone list

Automated check :
Installed packages:
ii  acl                        2.2.52-3+b1          amd64  Access control list utilities
ii  attr                       1:2.4.47-2+b2        amd64  Utilities for manipulating filesystem extended attributes
ii  krb5-config                2.6                  all    Configuration files for Kerberos Version 5
ii  krb5-user                  1.15-1+deb9u1        amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64              2.2.52-3+b1          amd64  Access control list shared library
ii  libattr1:amd64             1:2.4.47-2+b2        amd64  Extended attribute shared library
ii  libfile-lchown-perl        0.02-2+b2            amd64  module to modify attributes of symlinks without dereferencing them
ii  libgssapi-krb5-2:amd64     1.15-1+deb9u1        amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64   7.1.0+dfsg-13+deb9u2 amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64            1.15-1+deb9u1        amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64      1.15-1+deb9u1        amd64  MIT Kerberos runtime libraries - Support library
ii  libsmbclient:amd64         2:4.5.16+dfsg-1      amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64         2:4.5.16+dfsg-1      amd64  Samba winbind client library
ii  python-samba               2:4.5.16+dfsg-1      amd64  Python bindings for Samba
ii  samba                      2:4.5.16+dfsg-1      amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common               2:4.5.16+dfsg-1      all    common files used by both the Samba server and client
ii  samba-common-bin           2:4.5.16+dfsg-1      amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules         2:4.5.16+dfsg-1      amd64  Samba Directory Services Database
ii  samba-libs:amd64           2:4.5.16+dfsg-1      amd64  Samba core libraries
ii  samba-vfs-modules          2:4.5.16+dfsg-1      amd64  Samba Virtual FileSystem plugins
ii  smbclient                  2:4.5.16+dfsg-1      amd64  command-line SMB/CIFS clients for Unix
ii  sssd-krb5                  1.15.0-3             amd64  System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common           1.15.0-3             amd64  System Security Services Daemon -- Kerberos helpers
ii  winbind                    2:4.5.16+dfsg-1      amd64  service to resolve user and group information from Windows NT servers
-----------

root at location-000001.domain.de: kinit -k -i "LOCATION-000001$"
root at location-000001.domain.de: klist
Ticket cache: FILE:/tmp/krb5cc_1334401137_DLDYzd
Default principal: LOCATION-000001$@DOMAIN.DE

Valid starting       Expires              Service principal
04/06/2019 08:30:26  04/06/2019 18:30:26  krbtgt/DOMAIN.DE at DOMAIN.DE
        renew until 04/07/2019 08:30:26

root at location-000001.domain.de: host 192.168.13.251
251.13.168.192.in-addr.arpa domain name pointer location-000001.domain.de.
root at location-000001.domain.de: host location-000001.domain.de
location-000001.domain.de has address 192.168.13.251
root at location-000001.domain.de: host 192.168.30.251
251.30.168.192.in-addr.arpa domain name pointer location-000002.domain.de.
root at location-000001.domain.de: host location-000002.domain.de
location-000002.domain.de has address 192.168.30.251
root at location-000001.domain.de: host -t CNAME 2cb772ba-41ef-450f-bd04-706c5e21fbc7._msdcs.domain.de
2cb772ba-41ef-450f-bd04-706c5e21fbc7._msdcs.domain.de is an alias for location-000001.domain.de.
root at location-000001.domain.de: host -t CNAME 1204a63a-c247-42f0-8144-68ab35632e03._msdcs.domain.de
1204a63a-c247-42f0-8144-68ab35632e03._msdcs.domain.de is an alias for location-000002.domain.de.

root at location-000001.domain.de: samba-tool drs replicate -k yes location-000001.domain.de location-000002.domain.de DC=domain,DC=de
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (1326, 'WERR_LOGON_FAILURE')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

root at location-000001.domain.de: samba-tool drs replicate -k yes location-000002.domain.de location-000001.domain.de DC=domain,DC=de
Replicate from location-000001.domain.de to location-000002.domain.de was successful.

root at location-000001.domain.de: samba-tool drs showrepl -k yes
Default-First-Site-Name\LOCATION-000001
DSA Options: 0x00000001
DSA object GUID: 2cb772ba-41ef-450f-bd04-706c5e21fbc7
DSA invocationId: 6726b0b3-edc3-46ea-9d97-a1aea14b20ec

==== INBOUND NEIGHBORS ===

DC=ForestDnsZones,DC=domain,DC=de
    Default-First-Site-Name\LOCATION-000002 via RPC
        DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
        Last attempt @ Sat Apr 6 08:28:19 2019 UTC failed, result 1326 (WERR_LOGON_FAILURE)
        160 consecutive failure(s).
        Last success @ Fri Apr 5 19:47:00 2019 UTC

DC=DomainDnsZones,DC=domain,DC=de
    Default-First-Site-Name\LOCATION-000002 via RPC
        DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
        Last attempt @ Sat Apr 6 08:28:19 2019 UTC failed, result 1326 (WERR_LOGON_FAILURE)
        168 consecutive failure(s).
        Last success @ Fri Apr 5 19:47:00 2019 UTC

DC=domain,DC=de
    Default-First-Site-Name\LOCATION-000002 via RPC
        DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
        Last attempt @ Sat Apr 6 08:30:27 2019 UTC failed, result 1326 (WERR_LOGON_FAILURE)
        191 consecutive failure(s).
        Last success @ Fri Apr 5 19:47:00 2019 UTC

CN=Schema,CN=Configuration,DC=domain,DC=de
    Default-First-Site-Name\LOCATION-000002 via RPC
        DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
        Last attempt @ Sat Apr 6 08:28:19 2019 UTC failed, result 1326 (WERR_LOGON_FAILURE)
        159 consecutive failure(s).
        Last success @ Fri Apr 5 19:47:00 2019 UTC

CN=Configuration,DC=domain,DC=de
    Default-First-Site-Name\LOCATION-000002 via RPC
        DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
        Last attempt @ Sat Apr 6 08:28:19 2019 UTC failed, result 1326 (WERR_LOGON_FAILURE)
        159 consecutive failure(s).
        Last success @ Fri Apr 5 19:47:00 2019 UTC

==== OUTBOUND NEIGHBORS ===

DC=ForestDnsZones,DC=domain,DC=de
    Default-First-Site-Name\LOCATION-000002 via RPC
        DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
        Last attempt @ Sat Apr 6 08:30:24 2019 UTC failed, result 1326 (WERR_LOGON_FAILURE)
        3 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=domain,DC=de
    Default-First-Site-Name\LOCATION-000002 via RPC
        DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
        Last attempt @ Sat Apr 6 08:30:24 2019 UTC failed, result 1326 (WERR_LOGON_FAILURE)
        3 consecutive failure(s).
        Last success @ NTTIME(0)

DC=domain,DC=de
    Default-First-Site-Name\LOCATION-000002 via RPC
        DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=domain,DC=de
    Default-First-Site-Name\LOCATION-000002 via RPC
        DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
        Last attempt @ Sat Apr 6 08:30:25 2019 UTC failed, result 1326 (WERR_LOGON_FAILURE)
        3 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=domain,DC=de
    Default-First-Site-Name\LOCATION-000002 via RPC
        DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
        Last attempt @ Sat Apr 6 08:30:25 2019 UTC failed, result 1326 (WERR_LOGON_FAILURE)
        3 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ===

Connection --
    Connection name: 68b39459-45f1-4221-ba3e-bc096201023c
    Enabled        : TRUE
    Server DNS name : location-000002.domain.de
    Server DN name  : CN=NTDS Settings,CN=LOCATION-000002,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=de
    TransportType: RPC
    options: 0x00000001
Warning: No NC replicated for Connection!
Rowland Penny
2019-Apr-06 12:31 UTC
[Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
On Sat, 6 Apr 2019 10:58:15 +0200
Martin Krämer via samba <samba at lists.samba.org> wrote:

> Hello everyone,
>
> I have setup two Samba AD DC's running Debian 9 with BIND9_DLZ dns
> backend. Both are running Samba 4.5.16 - I know it is already very
> old version but this is the default one coming with debian stretch
> repo. (I will upgrade to Debian buster - and with this to newer Samba
> version - as soon as it is released stable and I could test the
> upgrade correctly :) )

See here: http://apt.van-belle.nl/

> location-000001.domain.de is one of the DCs hosting all FSMO
> Roles.location-000002.domain.de is the second one.
> Both are in different subnets but can reach each other.
> Unfortunately replication only works from location-000001.domain.de to
> location-000002.domain.de.
> The other way round I always end up with error:
> ----------
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (1326, 'WERR_LOGON_FAILURE')
> ----------
>
> Additionally within journalctl I see:
> ----------
> Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
> ncacn_ip_tcp:192.168.13.251[1024,sign,target_hostname=location-000001.domain.de,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.13.251]
> NT_STATUS_LOGON_FAILURE
> ----------

Try reading and following this:
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record#The_objectGUID_CNAME_Record

> Checking file: /etc/resolv.conf
>
> # fai installation resolve.conf
>
> #nameserver 127.0.0.1
> nameserver 192.168.13.251
> nameserver 192.168.30.251
> nameserver 8.8.4.4
> nameserver 192.168.13.254
> domain domain.de
> search domain.de

Why all the nameservers ? You only need the DC itself

> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages
> installed, try: # `info libc "Name Service Switch"' for information
> about this file.
>
> passwd: compat sss
> group: compat sss
> shadow: compat sss

Why are you using sssd ? You do not seem to be using the DC as a fileserver.

> Checking file: /etc/samba/smb.conf
>
> ## FAI generated smb.conf
> ## do not manually edit this file - changes might be overwritten

OH yes, definitely manually edit this by removing the rubbish FAI added (what is FAI ?) :

[global]
    realm = DOMAIN.DE
    server role = active directory domain controller
    server services = -dns
    workgroup = DOMAIN
    idmap_ldb:use rfc2307 = yes
    ldap server require strong auth = no

[netlogon]
    read only = no
    path = /var/lib/samba/sysvol/domain.de/Scripts

[sysvol]
    read only = no
    path = /var/lib/samba/sysvol

Rowland
Martin Krämer
2019-Apr-06 15:21 UTC
[Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
Hello Rowland,

thanks for your help. Below my comments.

On Sat, 6 Apr 2019 at 14:32, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sat, 6 Apr 2019 10:58:15 +0200
> Martin Krämer via samba <samba at lists.samba.org> wrote:
>
> > Hello everyone,
> >
> > I have setup two Samba AD DC's running Debian 9 with BIND9_DLZ dns
> > backend. Both are running Samba 4.5.16 - I know it is already very
> > old version but this is the default one coming with debian stretch
> > repo. (I will upgrade to Debian buster - and with this to newer Samba
> > version - as soon as it is released stable and I could test the
> > upgrade correctly :) )
>
> See here:
>
> http://apt.van-belle.nl/

From a stability point of view I always had the best experience by staying with the Debian default repository. Additionally, as you have seen below, I am using sssd (more on this later): "PACKAGES ARE NOT COMPATIBLE WITH SSSD"

> > location-000001.domain.de is one of the DCs hosting all FSMO
> > Roles.location-000002.domain.de is the second one.
> > Both are in different subnets but can reach each other.
> > Unfortunately replication only works from location-000001.domain.de to
> > location-000002.domain.de.
> > The other way round I always end up with error:
> > ----------
> > ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> > drsException: DsReplicaSync failed (1326, 'WERR_LOGON_FAILURE')
> > ----------
> >
> > Additionally within journalctl I see:
> > ----------
> > Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
> > ncacn_ip_tcp:192.168.13.251[1024,sign,target_hostname=location-000001.domain.de,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.13.251]
> > NT_STATUS_LOGON_FAILURE
> > ----------
>
> Try reading and following this:
>
> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record#The_objectGUID_CNAME_Record

I know that article. - But how does it help here?
Both <DC objectGUID>._msdcs.domain.de CNAMEs already exist. And none of the two objectGUIDs I receive from:

ldbsearch -H "/var/lib/samba/private/sam.ldb" '(invocationId=*)' --cross-ncs objectguid

matches the uuid I receive the error about.
Should I (in addition to the objectGUIDs received from ldbsearch) register the error uuid "50abc2a4-574d-40b3-9d66-ee4fd5fba076" ?
If yes, should I register a CNAME to the location-000001 (192.168.13.251) or location-000002 (192.168.30.251) DC?

> > Checking file: /etc/resolv.conf
> >
> > # fai installation resolve.conf
> >
> > #nameserver 127.0.0.1
> > nameserver 192.168.13.251
> > nameserver 192.168.30.251
> > nameserver 8.8.4.4
> > nameserver 192.168.13.254
> > domain domain.de
> > search domain.de
>
> Why all the nameservers ?
> You only need the DC itself

Well, the first one that is available should be used, or? Others are ignored - due to this there should be no error with them, should there?
I just added most of the servers for test purposes while I tried to find the reason for the error described. (I removed any other than the two DC IPs)

> > Checking file: /etc/nsswitch.conf
> >
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages
> > installed, try: # `info libc "Name Service Switch"' for information
> > about this file.
> >
> > passwd: compat sss
> > group: compat sss
> > shadow: compat sss
>
> Why are you using sssd ?
> You do not seem to be using the DC as a fileserver.

I came from an OpenLDAP installation running on CentOS. This one was already using sssd and all my Debian clients (infrastructure about 50% Windows; 50% Debian) were set up to use sssd. What is wrong with it? Until yesterday I never had problems with it. I can successfully authenticate most services (sudo; ssh; apache etc.) using Kerberos and sssd.

> > Checking file: /etc/samba/smb.conf
> >
> > ## FAI generated smb.conf
> > ## do not manually edit this file - changes might be overwritten
>
> OH yes, definitely manually edit this by removing the rubbish FAI added
> (what is FAI ?) :

:) - I think you misinterpreted. FAI is the Fully Automatic Installation tool (http://fai-project.org/) which I use to administer my network configuration. "manually edit" here means outside of the FAI administration tool, since if I do this it will be overwritten again by FAI softupdate. Changes have to be made in the FAI "version" of this file.

> [global]
>     realm = DOMAIN.DE
>     server role = active directory domain controller
>     server services = -dns
>     workgroup = DOMAIN
>     idmap_ldb:use rfc2307 = yes
>     ldap server require strong auth = no
>
> [netlogon]
>     read only = no
>     path = /var/lib/samba/sysvol/domain.de/Scripts
>
> [sysvol]
>     read only = no
>     path = /var/lib/samba/sysvol
>
> Rowland

You removed some stuff. But as soon as I remove it, some LDAPS connections from other applications do not work any more.
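An added shell script (mine, not from the thread or from the Samba project) that automates the objectGUID CNAME check Rowland linked and Martin then ran by hand with ldbsearch and host: it lists each DC's DSA objectGUID from sam.ldb and verifies that <objectGUID>._msdcs.domain.de is a CNAME pointing at that DC. It assumes the domain.de realm and the sam.ldb path from the thread; the embedded ldbsearch output is a constructed sample so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): check that every
# DC's objectGUID CNAME, <objectGUID>._msdcs.<domain>, resolves to that DC's
# FQDN, as the Samba wiki page on DC DNS records describes. Assumes the
# domain.de realm and the sam.ldb path from the thread.

DOMAIN="${DOMAIN:-domain.de}"
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"

# Constructed sample of 'ldbsearch -H sam.ldb (invocationId=*) --cross-ncs objectGUID'
# output for the two DCs in the thread; used only for the offline self-test.
SAMPLE_LDB_OUTPUT='# record 1
dn: CN=NTDS Settings,CN=LOCATION-000001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=de
objectGUID: 2cb772ba-41ef-450f-bd04-706c5e21fbc7

# record 2
dn: CN=NTDS Settings,CN=LOCATION-000002,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=de
objectGUID: 1204a63a-c247-42f0-8144-68ab35632e03

# returned 2 records'

# Turn ldbsearch output (stdin) into "GUID<TAB>DCNAME" lines. The DC name is
# the CN directly above "CN=NTDS Settings" in the DN.
parse_dsa_guids() {
    awk '
        /^dn: CN=NTDS Settings,CN=/ { split($0, p, ","); sub(/^CN=/, "", p[2]); dc = p[2] }
        /^objectGUID: /             { print $2 "\t" dc }
    '
}

# Resolve the CNAME target of a name. Uses "host -t CNAME" unless RESOLVE_CMD
# names a replacement command or shell function (the self-test supplies a stub).
resolve_cname() {
    if [ -n "${RESOLVE_CMD:-}" ]; then
        "$RESOLVE_CMD" "$1"
    else
        host -t CNAME "$1" 2>/dev/null |
            awk '/is an alias for/ { sub(/\.$/, "", $NF); print $NF }'
    fi
}

# Read "GUID<TAB>DCNAME" lines on stdin, print one status line per DC and
# return 1 if any CNAME is missing or points at the wrong host.
check_dc_cnames() {
    rc=0
    tab="$(printf '\t')"
    while IFS="$tab" read -r guid dc; do
        [ -n "$guid" ] || continue
        name="$guid._msdcs.$DOMAIN"
        expected="$(printf '%s' "$dc" | tr 'A-Z' 'a-z').$DOMAIN"
        actual="$(resolve_cname "$name")"
        if [ -z "$actual" ]; then
            echo "MISSING $name (expected CNAME -> $expected)"; rc=1
        elif [ "$actual" != "$expected" ]; then
            echo "WRONG   $name -> $actual (expected $expected)"; rc=1
        else
            echo "OK      $name -> $actual"
        fi
    done
    return "$rc"
}

# Live run on a DC; skipped unless LIVE=1 so the functions can be sourced and
# tested offline.
if [ "${LIVE:-0}" = 1 ]; then
    ldbsearch -H "$SAM_LDB" '(invocationId=*)' --cross-ncs objectGUID |
        parse_dsa_guids | check_dc_cnames
fi
```

The GUID in a "Failed to bind to uuid ... abstract_syntax=..." message is the DCE/RPC interface identifier being bound, not a DSA objectGUID, so it will never show up in the ldbsearch output and needs no CNAME; 50abc2a4-574d-40b3-9d66-ee4fd5fba076 is the DNS server management interface (dnsserver), which is why the same line accompanies "Connecting to DNS RPC server ... failed" in the debug output.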