Martin Krämer
2019-Apr-06 08:58 UTC
[Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
Hello everyone,
I have setup two Samba AD DC's running Debian 9 with BIND9_DLZ dns backend.
Both are running Samba 4.5.16 - I know it is already very old version
but this is the default one coming with debian stretch repo.
(I will upgrade to Debian buster - and with this to newer Samba
version - as soon as it is released stable and I could test the
upgrade correctly :) )
location-000001.domain.de is one of the DCs hosting all FSMO
Roles.location-000002.domain.de is the second one.
Both are in different subnets but can reach each other.
Unfortunately replication only works from location-000001.domain.de to
location-000002.domain.de.
The other way round I always end up with error:
----------
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync
failed -
drsException: DsReplicaSync failed (1326, 'WERR_LOGON_FAILURE')
----------
Additionally within journalctl I see:
----------Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076
for
ncacn_ip_tcp:192.168.13.251[1024,sign,target_hostname=location-000001.domain.de,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.13.251]
NT_STATUS_LOGON_FAILURE
----------
I already searched the web etc. but unfortunately I did not find
really useful hints.
It seems most of errors "NT_STATUS_LOGON_FAILURE" are related to
Windows client trying to access samba shares - not replication between
two samba DC's.
Below I tried to capture all possible relevant information.
If further information is required please let me know.
Thanks for any hint pointing me into the right direction.
Maybe you know which log file I should check etc.
Kind Regards
mk-maddin
--------ADDITIONAL DETAILS--------
root at location-000001.domain.de: samba-setup-checkup.sh
Check hostnames : Ok
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 192.168.13.254 : Ok
Warning, no ping to gateway, this might be firewalled.
check you internet connection, AD DNS might need it.
Check ping google dns : 8.8.8.8 : Ok
Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
Check you internet connection, AD DNS might need it.
Checking file owner..
-rw-r--r-- root root /etc/samba/smb.conf
Checking file owner..
-rw-r--r-- root root /etc/samba/lmhosts
Checking file owner..
-rw-r--r-- root root /etc/samba/smbpasswd
drwxr-xr-x root root /usr/bin
drwxr-xr-x root root /var/cache/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu
drwxr-xr-x root root /var/run/samba
drwxr-x--- root adm /var/log/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu/samba
drwxr-xr-x root root /var/run/samba
drwxr-xr-x root root /var/lib/samba/private
drwxr-xr-x root root /usr/sbin
drwxr-xr-x root root /var/lib/samba
DCS location-000001.domain.delocation-000002.domain.de
DC1 location-000001.domain.de
DC2 location-000002.domain.de
Samba AD DC info: = detected (command and where to look)
This server hostname = location-000001 (hostname -s and
/etc/hosts and DNS server)
This server FQDN (hostname) = location-000001.domain.de (hostname -f
and /etc/hosts and DNS server)
This server primary dnsdomain = domain.de (hostname -d and
/etc/resolv.conf and DNS server)
This server IP address(ses) = 192.168.13.251 Only one interface
detected (hostname -i (-I) and /etc/networking/interfaces and DNS
server
The DC with FSMO roles = LOCATION-000001 (samba-tool fsmo show)
The DC (with FSMO) Site name = Default-First-Site-Name (samba-tool fsmo show)
The Default Naming Context = DC=domain,DC=de (samba-tool fsmo show)
The Kerberos REALM name used = DOMAIN.DE (kinit and /etc/krb5.conf
and resolving)
The Ipadres of DC location-000001.domain.de = 192.168.13.251
The Ipadres of DC location-000002.domain.de = 192.168.30.251
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserverroot at location-000001.domain.de:
samba-collect-debug-info.sh
Password for Administrator at DOMAIN.DE:
Please wait, collecting debug info.
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
ncacn_ip_tcp:192.168.13.251[1024,sign,target_hostname=location-000001.domain.de,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.13.251]
NT_STATUS_LOGON_FAILURE
ERROR: Connecting to DNS RPC server location-000001.domain.de failed
with (-1073741715, 'Logon failure')
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
ncacn_ip_tcp:192.168.13.251[1024,sign,target_hostname=location-000001.domain.de,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.13.251]
NT_STATUS_LOGON_FAILURE
ERROR: Connecting to DNS RPC server location-000001.domain.de failed
with (-1073741715, 'Logon failure')
The debug info about your system can be found in this file:
/tmp/samba-debug-info.txt
Please check this and if required, sanitise it.
Then copy & paste it into an email to the samba list
Do not attach it to the email, the Samba mailing list strips
attachments.root at location-000001.domain.de: cat
/tmp/samba-debug-info.txt
Collected config --- 2019-04-06-08:30 -----------
Hostname: location-000001
DNS Domain: domain.de
FQDN: location-000001.domain.de
ipaddress: 192.168.13.251
-----------
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 9.8 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
link/ether 52:54:00:04:58:c9 brd ff:ff:ff:ff:ff:ff
inet 192.168.13.251/24 brd 192.168.13.255 scope global eth0
inet6 fe80::5054:ff:fe04:58c9/64 scope link
-----------
Checking file: /etc/hosts
##--FAI default hosts file
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.13.251 location-000001.domain.de location-000001
192.168.30.251 location-000002.domain.de location-000002
-----------
Checking file: /etc/resolv.conf
# fai installation resolve.conf
#nameserver 127.0.0.1
nameserver 192.168.13.251
nameserver 192.168.30.251
nameserver 8.8.4.4
nameserver 192.168.13.254
domain domain.de
search domain.de
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.DE
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this
file.
passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
-----------
Checking file: /etc/samba/smb.conf
## FAI generated smb.conf
## do not manually edit this file - changes might be overwritten
[global]
server services = -dns
ldap server require strong auth = no
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls keyfile = tls/key.pem
tls enabled = yes
idmap_ldb:use rfc2307 = yes
server role = active directory domain controller
usershare allow guests = No
realm = DOMAIN.DE
kerberos method = secrets and keytab
client use spnego = yes
client signing = yes
workgroup = DOMAIN
[netlogon]
read only = no
path = /var/lib/samba/sysvol/domain.de/Scripts
[sysvol]
read only = no
path = /var/lib/samba/sysvol
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
-----------
Checking file: /etc/bind/named.conf.options
options {
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
allow-recursion { all-networks; 127.0.0.1/32; };
allow-query { all-networks; 127.0.0.1/32; };
empty-zones-enable no;
notify no;
listen-on port 53 { thisserverip; 127.0.0.1; };
forwarders { 192.168.30.251; 8.8.4.4; 192.168.13.254; };
version "0.0.7";
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//======================================================================= // If
BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//=======================================================================
dnssec-validation no;
auth-nxdomain yes; # conform to RFC1035=no but we are the Authoritive server
listen-on-v6 { none; };
};
acl thisserverip {
192.168.13.251;
};
acl all-networks {
192.168.13.0/24;
};
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
include "/var/lib/samba/private/named.conf";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Samba DNS zone list:
Samba DNS zone list Automated check :
Installed packages:
ii acl 2.2.52-3+b1
amd64 Access control list utilities
ii attr 1:2.4.47-2+b2
amd64 Utilities for manipulating filesystem extended attributes
ii krb5-config 2.6
all Configuration files for Kerberos Version 5
ii krb5-user 1.15-1+deb9u1
amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3+b1
amd64 Access control list shared library
ii libattr1:amd64 1:2.4.47-2+b2
amd64 Extended attribute shared library
ii libfile-lchown-perl 0.02-2+b2
amd64 module to modify attributes of symlinks without
dereferencing them
ii libgssapi-krb5-2:amd64 1.15-1+deb9u1
amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.1.0+dfsg-13+deb9u2
amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.15-1+deb9u1
amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.15-1+deb9u1
amd64 MIT Kerberos runtime libraries - Support library
ii libsmbclient:amd64 2:4.5.16+dfsg-1
amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.5.16+dfsg-1
amd64 Samba winbind client library
ii python-samba 2:4.5.16+dfsg-1
amd64 Python bindings for Samba
ii samba 2:4.5.16+dfsg-1
amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.5.16+dfsg-1
all common files used by both the Samba server and client
ii samba-common-bin 2:4.5.16+dfsg-1
amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules 2:4.5.16+dfsg-1
amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.5.16+dfsg-1
amd64 Samba core libraries
ii samba-vfs-modules 2:4.5.16+dfsg-1
amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.5.16+dfsg-1
amd64 command-line SMB/CIFS clients for Unix
ii sssd-krb5 1.15.0-3
amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.15.0-3
amd64 System Security Services Daemon -- Kerberos helpers
ii winbind 2:4.5.16+dfsg-1
amd64 service to resolve user and group information from
Windows NT servers
-----------root at location-000001.domain.de: kinit -k -i
"LOCATION-000001$"root at location-000001.domain.de: klist
Ticket cache: FILE:/tmp/krb5cc_1334401137_DLDYzd
Default principal: LOCATION-000001$@DOMAIN.DE
Valid starting Expires Service principal
04/06/2019 08:30:26 04/06/2019 18:30:26 krbtgt/DOMAIN.DE at DOMAIN.DE
renew until 04/07/2019 08:30:26root at location-000001.domain.de:
192.168.13.251
251.13.168.192.in-addr.arpa domain name pointer
location-000001.domain.de.root at location-000001.domain.de: host
location-000001.domain.delocation-000001.domain.de has address
192.168.13.251root at location-000001.domain.de: host 192.168.30.251
251.30.168.192.in-addr.arpa domain name pointer
location-000002.domain.de.root at location-000001.domain.de: host
location-000002.domain.delocation-000002.domain.de has address
192.168.30.251root at location-000001.domain.de: host -t CNAME
2cb772ba-41ef-450f-bd04-706c5e21fbc7._msdcs.domain.de
2cb772ba-41ef-450f-bd04-706c5e21fbc7._msdcs.domain.de is an alias for
location-000001.domain.de.root at location-000001.domain.de: host -t
CNAME 1204a63a-c247-42f0-8144-68ab35632e03._msdcs.domain.de
1204a63a-c247-42f0-8144-68ab35632e03._msdcs.domain.de is an alias for
location-000002.domain.de.root at location-000001.domain.de: samba-tool
drs replicate -k yes location-000001.domain.de
location-000002.domain.de DC=domain,DC=de
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync
failed -
drsException: DsReplicaSync failed (1326, 'WERR_LOGON_FAILURE')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line
368, in run
drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
source_dsa_guid, NC, req_options)
File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83,
in sendDsReplicaSync
raise drsException("DsReplicaSync failed %s" %
estr)root at location-000001.domain.de: samba-tool drs replicate -k yes
location-000002.domain.de location-000001.domain.de DC=domain,DC=de
Replicate from location-000001.domain.de to location-000002.domain.de
was successful.root at location-000001.domain.de: samba-tool drs showrepl
-k yes
Default-First-Site-Name\LOCATION-000001
DSA Options: 0x00000001
DSA object GUID: 2cb772ba-41ef-450f-bd04-706c5e21fbc7
DSA invocationId: 6726b0b3-edc3-46ea-9d97-a1aea14b20ec
==== INBOUND NEIGHBORS ===
DC=ForestDnsZones,DC=domain,DC=de
Default-First-Site-Name\LOCATION-000002 via RPC
DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
Last attempt @ Sat Apr 6 08:28:19 2019 UTC failed, result 1326
(WERR_LOGON_FAILURE)
160 consecutive failure(s).
Last success @ Fri Apr 5 19:47:00 2019 UTC
DC=DomainDnsZones,DC=domain,DC=de
Default-First-Site-Name\LOCATION-000002 via RPC
DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
Last attempt @ Sat Apr 6 08:28:19 2019 UTC failed, result 1326
(WERR_LOGON_FAILURE)
168 consecutive failure(s).
Last success @ Fri Apr 5 19:47:00 2019 UTC
DC=domain,DC=de
Default-First-Site-Name\LOCATION-000002 via RPC
DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
Last attempt @ Sat Apr 6 08:30:27 2019 UTC failed, result 1326
(WERR_LOGON_FAILURE)
191 consecutive failure(s).
Last success @ Fri Apr 5 19:47:00 2019 UTC
CN=Schema,CN=Configuration,DC=domain,DC=de
Default-First-Site-Name\LOCATION-000002 via RPC
DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
Last attempt @ Sat Apr 6 08:28:19 2019 UTC failed, result 1326
(WERR_LOGON_FAILURE)
159 consecutive failure(s).
Last success @ Fri Apr 5 19:47:00 2019 UTC
CN=Configuration,DC=domain,DC=de
Default-First-Site-Name\LOCATION-000002 via RPC
DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
Last attempt @ Sat Apr 6 08:28:19 2019 UTC failed, result 1326
(WERR_LOGON_FAILURE)
159 consecutive failure(s).
Last success @ Fri Apr 5 19:47:00 2019 UTC
==== OUTBOUND NEIGHBORS ===
DC=ForestDnsZones,DC=domain,DC=de
Default-First-Site-Name\LOCATION-000002 via RPC
DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
Last attempt @ Sat Apr 6 08:30:24 2019 UTC failed, result 1326
(WERR_LOGON_FAILURE)
3 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=domain,DC=de
Default-First-Site-Name\LOCATION-000002 via RPC
DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
Last attempt @ Sat Apr 6 08:30:24 2019 UTC failed, result 1326
(WERR_LOGON_FAILURE)
3 consecutive failure(s).
Last success @ NTTIME(0)
DC=domain,DC=de
Default-First-Site-Name\LOCATION-000002 via RPC
DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=domain,DC=de
Default-First-Site-Name\LOCATION-000002 via RPC
DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
Last attempt @ Sat Apr 6 08:30:25 2019 UTC failed, result 1326
(WERR_LOGON_FAILURE)
3 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=domain,DC=de
Default-First-Site-Name\LOCATION-000002 via RPC
DSA object GUID: 1204a63a-c247-42f0-8144-68ab35632e03
Last attempt @ Sat Apr 6 08:30:25 2019 UTC failed, result 1326
(WERR_LOGON_FAILURE)
3 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ===
Connection --
Connection name: 68b39459-45f1-4221-ba3e-bc096201023c
Enabled : TRUE
Server DNS name : location-000002.domain.de
Server DN name : CN=NTDS
Settings,CN=LOCATION-000002,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=de
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Rowland Penny
2019-Apr-06 12:31 UTC
[Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
On Sat, 6 Apr 2019 10:58:15 +0200 Martin Krämer via samba <samba at lists.samba.org> wrote:> Hello everyone, > > I have setup two Samba AD DC's running Debian 9 with BIND9_DLZ dns > backend. Both are running Samba 4.5.16 - I know it is already very > old version but this is the default one coming with debian stretch > repo. (I will upgrade to Debian buster - and with this to newer Samba > version - as soon as it is released stable and I could test the > upgrade correctly :) )See here: http://apt.van-belle.nl/> > location-000001.domain.de is one of the DCs hosting all FSMO > Roles.location-000002.domain.de is the second one. > Both are in different subnets but can reach each other. > Unfortunately replication only works from location-000001.domain.de to > location-000002.domain.de. > The other way round I always end up with error: > ---------- > ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - > drsException: DsReplicaSync failed (1326, 'WERR_LOGON_FAILURE') > ---------- > > Additionally within journalctl I see: > ----------Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 > for > ncacn_ip_tcp:192.168.13.251[1024,sign,target_hostname=location-000001.domain.de,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.13.251] > NT_STATUS_LOGON_FAILURE ----------Try reading and following this: https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record#The_objectGUID_CNAME_Record> > Checking file: /etc/resolv.conf > > # fai installation resolve.conf > > #nameserver 127.0.0.1 > nameserver 192.168.13.251 > nameserver 192.168.30.251 > nameserver 8.8.4.4 > nameserver 192.168.13.254 > domain domain.de > search domain.de >Why all the nameservers ? You only need the DC itself> > Checking file: /etc/nsswitch.conf > > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages > installed, try: # `info libc "Name Service Switch"' for information > about this file. > > passwd: compat sss > group: compat sss > shadow: compat sssWhy are you using sssd ? You do not seem to be using the DC as a fileserver.> > Checking file: /etc/samba/smb.conf > > ## FAI generated smb.conf > ## do not manually edit this file - changes might be overwrittenOH yes, definitely manually edit this by removing the rubbish FAI added (what is FAI ?) : [global] realm = DOMAIN.DE server role = active directory domain controller server services = -dns workgroup = DOMAIN idmap_ldb:use rfc2307 = yes ldap server require strong auth = no [netlogon] read only = no path = /var/lib/samba/sysvol/domain.de/Scripts [sysvol] read only = no path = /var/lib/samba/sysvol Rowland
Martin Krämer
2019-Apr-06 15:21 UTC
[Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
Hello Rowland, thanks for your help. Below my comments Am Sa., 6. Apr. 2019 um 14:32 Uhr schrieb Rowland Penny via samba < samba at lists.samba.org>:> On Sat, 6 Apr 2019 10:58:15 +0200 > Martin Krämer via samba <samba at lists.samba.org> wrote: > > > Hello everyone, > > > > I have setup two Samba AD DC's running Debian 9 with BIND9_DLZ dns > > backend. Both are running Samba 4.5.16 - I know it is already very > > old version but this is the default one coming with debian stretch > > repo. (I will upgrade to Debian buster - and with this to newer Samba > > version - as soon as it is released stable and I could test the > > upgrade correctly :) ) > > See here: > > http://apt.van-belle.nl/ > > >From stability point of view I always had the best experience by sayingwith the debian default repository. Additionally as you have seen blow I am using ssds (more on this later) "PACKAGES ARE NOT COMPATIBLE WITH SSSD"> > > > location-000001.domain.de is one of the DCs hosting all FSMO > > Roles.location-000002.domain.de is the second one. > > Both are in different subnets but can reach each other. > > Unfortunately replication only works from location-000001.domain.de to > > location-000002.domain.de. > > The other way round I always end up with error: > > ---------- > > ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - > > drsException: DsReplicaSync failed (1326, 'WERR_LOGON_FAILURE') > > ---------- > > > > Additionally within journalctl I see: > > ----------Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 > > for > > ncacn_ip_tcp:192.168.13.251[1024,sign,target_hostname> location-000001.domain.de > ,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.13.251] > > NT_STATUS_LOGON_FAILURE ---------- > > Try reading and following this: > > > https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record#The_objectGUID_CNAME_RecordI know that article. - But how does it help here? Both <DC objectGUID>._msdcs.domain.de CNAMES already exist. An none of the both objectGUIDs I recieve from: ldbsearch -H "/var/lib/samba/private/sam.ldb" '(invocationId=*)' --cross-ncs objectguid does match to the uuid I recieve the error about. Should I (additionally to the objectGUIDs recieve from ldbsearch) register the error uuid "50abc2a4-574d-40b3-9d66-ee4fd5fba076" ? If yes, should I register a CNAME to location-000001(192.168.13.251) or location-000002(192.168.30.251) dc?> > > > > Checking file: /etc/resolv.conf > > > > # fai installation resolve.conf > > > > #nameserver 127.0.0.1 > > nameserver 192.168.13.251 > > nameserver 192.168.30.251 > > nameserver 8.8.4.4 > > nameserver 192.168.13.254 > > domain domain.de > > search domain.de > > > > Why all the nameservers ? > You only need the DC itself >Well the first one that is available should be used or? Others are ignored - due to this there should be no error with them, should it? I just added most of the servers for test purposes I did why I tried to find reason for the error described. (I removed any other than the both DC IPs)> > > > > Checking file: /etc/nsswitch.conf > > > > # /etc/nsswitch.conf > > # > > # Example configuration of GNU Name Service Switch functionality. > > # If you have the `glibc-doc-reference' and `info' packages > > installed, try: # `info libc "Name Service Switch"' for information > > about this file. > > > > passwd: compat sss > > group: compat sss > > shadow: compat sss > > Why are you using sssd ? > You do not seem to be using the DC as a fileserver. >I came from an openldap installation running on centOS. This one was already using sssd and all my debian clients (infrastructure about 50% windows; 50% debian) were set up to use sssd. What is wrong with it? Until yesterday I never hat problems with it. I can successfully authenticate most services (sudo; ssh; apache etc.) using kerberos and sssd.> > > > > Checking file: /etc/samba/smb.conf > > > > ## FAI generated smb.conf > > ## do not manually edit this file - changes might be overwritten > > OH yes, definitely manually edit this by removing the rubbish FAI added > (what is FAI ?) : > >:) - Think you miss interpreted. FAI is Fully Automatic Installation tool (http://fai-project.org/ ) which I use to administer my network configuration. "manually edit" here means outside of the FAI administration tool since if I do this it will be overwritten again by FAI softupdate. Changes have to be made in the FAI "version" of this file.> [global] > realm = DOMAIN.DE > server role = active directory domain controller > server services = -dns > workgroup = DOMAIN > idmap_ldb:use rfc2307 = yes > ldap server require strong auth = no > > [netlogon] > read only = no > path = /var/lib/samba/sysvol/domain.de/Scripts > [sysvol] > read only = no > path = /var/lib/samba/sysvol > > Rowland > >You removed some stuff. But as soon as I remove it some ldaps connections from other applications do not further work. --> To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Seemingly Similar Threads
- DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
- DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
- DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
- DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
- DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE