samba - May 2019 - self compiled 4.10.3 replication failure.

Hi,

I have a new Centos 7.6 VM that I self compiled 4.10.3 and joined it to an
existing samba AD domain that has 2 existing DCs. One of the existing DCs is
running 4.8.7 and the other is running 4.7.7. Everything looks OK except
that when I run samba-tool drs showrepl on the new DC (VDC4) I get the
following output:

(vdc4 pts4) # samba-tool drs showrepl
Default-First-Site-Name\VDC4
DSA Options: 0x00000001
DSA object GUID: a57c74ed-3343-4497-965d-e7e50a1f84ae
DSA invocationId: 1f0384bb-1f0b-4d8f-a498-d7b02ae53930

==== INBOUND NEIGHBORS ===
CN=Configuration,DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC1 via RPC
                 DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                 Last attempt @ Wed May 15 16:05:17 2019 EDT failed, result 8453
(WERR_DS_DRA_ACCESS_DENIED)
                 168 consecutive failure(s).
                 Last success @ Wed May 15 16:05:17 2019 EDT

CN=Configuration,DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC2 via RPC
                 DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                 Last attempt @ Wed May 15 16:05:17 2019 EDT was successful
                 0 consecutive failure(s).
                 Last success @ Wed May 15 16:05:17 2019 EDT

CN=Schema,CN=Configuration,DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC1 via RPC
                 DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                 Last attempt @ Wed May 15 16:05:17 2019 EDT failed, result 8453
(WERR_DS_DRA_ACCESS_DENIED)
                 167 consecutive failure(s).
                 Last success @ Wed May 15 16:05:17 2019 EDT

CN=Schema,CN=Configuration,DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC2 via RPC
                 DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                 Last attempt @ Wed May 15 16:05:17 2019 EDT was successful
                 0 consecutive failure(s).
                 Last success @ Wed May 15 16:05:17 2019 EDT

DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC1 via RPC
                 DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                 Last attempt @ Wed May 15 16:05:17 2019 EDT failed, result 8453
(WERR_DS_DRA_ACCESS_DENIED)
                 351 consecutive failure(s).
                 Last success @ Wed May 15 16:05:17 2019 EDT

DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC2 via RPC
                 DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                 Last attempt @ Wed May 15 16:05:17 2019 EDT was successful
                 0 consecutive failure(s).
                 Last success @ Wed May 15 16:05:17 2019 EDT

DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC1 via RPC
                 DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                 Last attempt @ Wed May 15 16:09:25 2019 EDT failed, result 8453
(WERR_DS_DRA_ACCESS_DENIED)
                 4603 consecutive failure(s).
                 Last success @ Wed May 15 16:09:25 2019 EDT

DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC2 via RPC
                 DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                 Last attempt @ Wed May 15 16:09:25 2019 EDT was successful
                 0 consecutive failure(s).
                 Last success @ Wed May 15 16:09:25 2019 EDT

DC=ForestDnsZones,DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC1 via RPC
                 DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                 Last attempt @ Wed May 15 16:05:17 2019 EDT failed, result 8453
(WERR_DS_DRA_ACCESS_DENIED)
                 168 consecutive failure(s).
                 Last success @ Wed May 15 16:05:17 2019 EDT

DC=ForestDnsZones,DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC2 via RPC
                 DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                 Last attempt @ Wed May 15 16:05:17 2019 EDT was successful
                 0 consecutive failure(s).
                 Last success @ Wed May 15 16:05:17 2019 EDT

==== OUTBOUND NEIGHBORS ===
CN=Configuration,DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC1 via RPC
                 DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)

CN=Configuration,DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC2 via RPC
                 DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC1 via RPC
                 DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC2 via RPC
                 DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)

DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC1 via RPC
                 DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)

DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC2 via RPC
                 DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)

DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC1 via RPC
                 DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)

DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC2 via RPC
                 DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)

DC=ForestDnsZones,DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC1 via RPC
                 DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)

DC=ForestDnsZones,DC=kmg,DC=mydomain,DC=com
         Default-First-Site-Name\VDC2 via RPC
                 DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ===
Connection --
         Connection name: 4b94d656-40a2-49b2-b904-23a5d7074997
         Enabled        : TRUE
         Server DNS name : vdc2.kmg.mydomain.com
         Server DN name  : CN=NTDS
Settings,CN=VDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=kmg,DC=mydomain,DC=com
                 TransportType: RPC
                 options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
         Connection name: 1cde66a3-415d-42ff-84c6-5b90c06ac44d
         Enabled        : TRUE
         Server DNS name : vdc1.kmg.mydomain.com
         Server DN name  : CN=NTDS
Settings,CN=VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=kmg,DC=mydomain,DC=com
                 TransportType: RPC
                 options: 0x00000001
Warning: No NC replicated for Connection!
(vdc4 pts4) #

I see errors similar to below in the logs:
[2019/05/15 16:19:58.683401,  2]
../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
   ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29465)
[2019/05/15 16:19:58.695818,  2]
../../source4/rpc_server/drsuapi/getncchanges.c:3619(dcesrv_drsuapi_DsGetNCChanges)
   DsGetNCChanges with uSNChanged >= 29465 flags 0x80000064 on
<GUID=e9fe6598-6cfe-40dd-b882-33c6bc031517>;DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
gave 2 objects (done 2/2) 0 links (done 0/0 (as
S-1-5-21-3052942767-4183929206-737583365-1279))
[2019/05/15 16:20:01.245656,  2]
../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
   Replicated 0 objects (0 linked attributes) for
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
[2019/05/15 16:20:06.260687,  2]
../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
   Replicated 2 objects (0 linked attributes) for
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
[2019/05/15 16:20:06.271512,  0]
../../source4/dsdb/repl/drepl_out_helpers.c:1158(dreplsrv_update_refs_done)
   UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for
a57c74ed-3343-4497-965d-e7e50a1f84ae._msdcs.kmg.mydomain.com
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
[2019/05/15 16:20:08.692911,  2]
../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
   ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29467)

Given the above errors this looks like a permissions problem but so far I have
not
been able to find it.

Does anyone have any ideas how to troubleshoot this and fix it?

Regards,

-- 
Tom			me at tdiehl.org

On Wed, May 15, 2019 at 4:32 PM Tom Diehl via samba
<samba at lists.samba.org> wrote:
>
> Hi,
>
> I have a new Centos 7.6 VM that I self compiled 4.10.3 and joined it to an
> existing samba AD domain that has 2 existing DCs. One of the existing DCs
is
> running 4.8.7 and the other is running 4.7.7. Everything looks OK except
> that when I run samba-tool drs showrepl on the new DC (VDC4) I get the
> following output:
"self-compiled" can include a lot of sins, especially if trying to
place it alongside *or* in place of the provided libraries for tevent,
ldb, tdb, and talloc. Let me point you to my git repo,
https:/github.com/nkadel/samba4repo/, with submodules for samba
itself, talloc, tevent, etc., etc. It's built to use the official
upstream tarballs from www.samba.org, not tarballs from *me*, and that
also will give you a good git repo you can use to manage any
compilation options in the ".spec" file.
> I see errors similar to below in the logs:
> [2019/05/15 16:19:58.683401,  2]
../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
>    ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29465)
> [2019/05/15 16:19:58.695818,  2]
../../source4/rpc_server/drsuapi/getncchanges.c:3619(dcesrv_drsuapi_DsGetNCChanges)
>    DsGetNCChanges with uSNChanged >= 29465 flags 0x80000064 on
<GUID=e9fe6598-6cfe-40dd-b882-33c6bc031517>;DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
gave 2 objects (done 2/2) 0 links (done 0/0 (as
S-1-5-21-3052942767-4183929206-737583365-1279))
> [2019/05/15 16:20:01.245656,  2]
../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
>    Replicated 0 objects (0 linked attributes) for
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
> [2019/05/15 16:20:06.260687,  2]
../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
>    Replicated 2 objects (0 linked attributes) for
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
> [2019/05/15 16:20:06.271512,  0]
../../source4/dsdb/repl/drepl_out_helpers.c:1158(dreplsrv_update_refs_done)
>    UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for
a57c74ed-3343-4497-965d-e7e50a1f84ae._msdcs.kmg.mydomain.com
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
> [2019/05/15 16:20:08.692911,  2]
../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
>    ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29467)
>
> Given the above errors this looks like a permissions problem but so far I
have not
> been able to find it.
Hmm. some classic questions include "is SELinux on", and "which
Kerberos did you use, the supported internal Heimdal Kerberos or the
experimental support for MIT kerberos?
> Does anyone have any ideas how to troubleshoot this and fix it?
>
> Regards,
>
> --
> Tom                     me at tdiehl.org
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On Sat, 18 May 2019, Nico Kadel-Garcia wrote:
> On Wed, May 15, 2019 at 4:32 PM Tom Diehl via samba
> <samba at lists.samba.org> wrote:
>>
>> Hi,
>>
>> I have a new Centos 7.6 VM that I self compiled 4.10.3 and joined it to
an
>> existing samba AD domain that has 2 existing DCs. One of the existing
DCs is
>> running 4.8.7 and the other is running 4.7.7. Everything looks OK
except
>> that when I run samba-tool drs showrepl on the new DC (VDC4) I get the
>> following output:
>
> "self-compiled" can include a lot of sins, especially if trying
to
> place it alongside *or* in place of the provided libraries for tevent,
> ldb, tdb, and talloc. Let me point you to my git repo,
Well OK maybe I should have said self compiled using the instructions 
@ https://wiki.samba.org/index.php/Build_Samba_from_Source#configure and
the package list from
https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba#Red_Hat_Enterprise_Linux_7_.2F_CentOS_7_.2F_Scientific_Linux_7
substituting python36-devel for python-devel and adding python32-dns
to get the samba-tool dns module to work. 
None of the distro samba packages are installed.

TBH, I am guessng about the package list given the change from python2 to
python3
as it does not look like the wiki has been updated for 4.10.x.
> https:/github.com/nkadel/samba4repo/, with submodules for samba
> itself, talloc, tevent, etc., etc. It's built to use the official
> upstream tarballs from www.samba.org, not tarballs from *me*, and that
> also will give you a good git repo you can use to manage any
> compilation options in the ".spec" file.
Is there a way to only build the Centos bits using your git repo? I have no
Fedora machines and so far I have not been successful in getting the above
to build on a Centos 7 VM using the version of Mock supplied by the Centos
project.
>
>> I see errors similar to below in the logs:
>> [2019/05/15 16:19:58.683401,  2]
../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
>>    ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges
on DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter
(uSNChanged>=29465)
>> [2019/05/15 16:19:58.695818,  2]
../../source4/rpc_server/drsuapi/getncchanges.c:3619(dcesrv_drsuapi_DsGetNCChanges)
>>    DsGetNCChanges with uSNChanged >= 29465 flags 0x80000064 on
<GUID=e9fe6598-6cfe-40dd-b882-33c6bc031517>;DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
gave 2 objects (done 2/2) 0 links (done 0/0 (as
S-1-5-21-3052942767-4183929206-737583365-1279))
>> [2019/05/15 16:20:01.245656,  2]
../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
>>    Replicated 0 objects (0 linked attributes) for
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
>> [2019/05/15 16:20:06.260687,  2]
../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
>>    Replicated 2 objects (0 linked attributes) for
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
>> [2019/05/15 16:20:06.271512,  0]
../../source4/dsdb/repl/drepl_out_helpers.c:1158(dreplsrv_update_refs_done)
>>    UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105
for a57c74ed-3343-4497-965d-e7e50a1f84ae._msdcs.kmg.mydomain.com
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
>> [2019/05/15 16:20:08.692911,  2]
../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
>>    ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges
on DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter
(uSNChanged>=29467)
>>
>> Given the above errors this looks like a permissions problem but so far
I have not
>> been able to find it.
>
> Hmm. some classic questions include "is SELinux on", and
"which
> Kerberos did you use, the supported internal Heimdal Kerberos or the
> experimental support for MIT kerberos?
SELinux is in permissive and my configure line is simply ./configure so no MIT
here. IMO no one in their right mind would try to use MIT in production.

Regards,

-- 
Tom			me at tdiehl.org