samba - Jul 2019 - replication stuck?

I figured it out myself. The kerberos configuration on the old dc cobra was bad
? no clue why it worked at all until yesterday.

After fixing it, testing with kinit, and restarting the dc processes it resumed
replication.

Joachim 

 

Von: Joachim Lindenberg <samba at lindenberg.one> 
Gesendet: Friday, 19 July 2019 16:54
An: samba at lists.samba.org
Betreff: replication stuck?

 

Until yesterday replication between my two DCs (boa and cobra) was running fine.
Now I am observing one direction boa->cobra being stuck. I noticed this with
a  missing update of a DNS entry, but samba-tool drs showrepl confirms?

 

Output of cobra shows plenty entries like the following (including just he first
of each type):

 

==== INBOUND NEIGHBORS ===
 

DC=DomainDnsZones,DC=samba,DC=lindenberg,DC=one

        Default-First-Site-Name\BOA via RPC

                DSA object GUID: a0c6a86f-61da-4b05-8510-5d7af2cc34b7

                Last attempt @ Fri Jul 19 16:46:13 2019 CEST failed, result 1311
(WERR_NO_LOGON_SERVERS)

                709 consecutive failure(s).

                Last success @ NTTIME(0)

?

==== OUTBOUND NEIGHBORS ===
 

DC=DomainDnsZones,DC=samba,DC=lindenberg,DC=one

        Default-First-Site-Name\BOA via RPC

                DSA object GUID: a0c6a86f-61da-4b05-8510-5d7af2cc34b7

                Last attempt @ Fri Jul 19 16:50:47 2019 CEST failed, result 1311
(WERR_NO_LOGON_SERVERS)

                25 consecutive failure(s).

                Last success @ NTTIME(0)

 

?

==== KCC CONNECTION OBJECTS ===
 

Connection --

        Connection name: 8327eca6-ffbc-4c3e-ad29-f5a0ddbbd976

        Enabled        : TRUE

        Server DNS name : boa.samba.lindenberg.one

        Server DN name  : CN=NTDS
Settings,CN=BOA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=lindenberg,DC=one

                TransportType: RPC

                options: 0x00000001

Warning: No NC replicated for Connection!

 

/var/log/samba/log.samba ends with repeated entries

 

[2019/07/19 16:51:17.781888,  0]
../../source4/librpc/rpc/dcerpc_util.c:737(dcerpc_pipe_auth_recv)

  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:fd00::215:5dff:feb1:c20[49153,seal,krb5,target_hostname=a0c6a86f-61da-4b05-8510-5d7af2cc34b7._msdcs.samba.lindenberg.one,target_principal=GC/boa.samba.lindenberg.one/samba.lindenberg.one,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=fd00::215:5dff:fe74:d707]
NT_STATUS_NO_LOGON_SERVERS

 

Reboots didn?t help..

Please advise.

Thanks, Joachim Lindenberg

Am 20.07.19 um 11:54 schrieb Joachim Lindenberg via
samba:
> I figured it out myself. The kerberos configuration on the old dc cobra was
bad ? no clue why it worked at all until yesterday.
> 
> After fixing it, testing with kinit, and restarting the dc processes it
resumed replication.
pls show how you fixed it

I assume I face something similar

Am 22.07.19 um 10:39 schrieb Stefan G. Weichinger via
samba:
> Am 20.07.19 um 11:54 schrieb Joachim Lindenberg via samba:
>> I figured it out myself. The kerberos configuration on the old dc cobra
was bad ? no clue why it worked at all until yesterday.
>>
>> After fixing it, testing with kinit, and restarting the dc processes it
resumed replication.
> 
> pls show how you fixed it
> 
> I assume I face something similar
> 
> 
> 
my 2 DCs seem to be out of sync for DNS

I demoted and rejoined, and still see:


; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.pilsbacher.at
pre01svdeb03.pilsbacher.at 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.pilsbacher.at
pre01svdeb03.pilsbacher.at 389 (add)
Successfully obtained Kerberos ticket to DNS/pre01svdeb03.pilsbacher.at
as PRE01SVDEB03$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.pilsbacher.at.
900 IN SRV 0 100 389 pre01svdeb03.pilsbacher.at.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 28 entries


-

how can I fix that?

I think this leads to my issues with pulling GPOs etc