Hello everyone,
I am currently trying to get 2 Samba DCs running.
Both DCs are set up according to the wiki, including DRS and the rsync SysVol
replication workaround.
When trying to perform a remote online backup via a shell script, I came across
failures on the 2nd DC while pulling a backup of dc01. I re-joined the 2nd DC,
same scenario. Samba completely wiped, reinstalled and rejoined, and now the
replication doesn't work anymore.
User created on DC1 -> DC2 sees the user;
vice versa: not.
Am I just missing something?
smb.conf dc01
# Global parameters
[global]
min protocol = NT1
dns forwarder = 8.8.8.8
netbios name = DC01
realm = MY.DOMAIN
server role = active directory domain controller
workgroup = MY
idmap_ldb:use rfc2307 = yes
map to guest = Bad User
log file = /var/log/samba/%m
log level = 3
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/MY.DOMAIN/scripts
read only = No
#--------------------Location----------------------------
[U2-Sono]
path = /var/lib/samba/shares/Location/U2/Sono
read only = no
[U1-Sono]
path = /var/lib/samba/shares/Location/U1/Sono
read only = no
[U1-Kolposkop]
path = /var/lib/samba/shares/Location/U1/Kolposkop
read only = no
[U1-Fetview]
path = /var/lib/samba/shares/Location/U1/Fetview
read only = no
[CTG]
path = /var/lib/samba/shares/Location/CTG
read only = no
[Scan]
path = /var/lib/samba/shares/Location/Scan
read only = no
smb.conf dc02
# Global parameters
[global]
dns forwarder = 8.8.8.8
netbios name = DC02
realm = MY.DOMAIN
server role = active directory domain controller
workgroup = MY
idmap_ldb:use rfc2307 = yes
map to guest = Bad User
log file = /var/log/samba/%m
log level = 3
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
name resolve order = bcast host
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/MY.DOMAIN/scripts
read only = No
krb5.conf (identical on both DCs)
[libdefaults]
default_realm = MY.DOMAIN
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
MY.DOMAIN = {
default_domain = MY.DOMAIN
}
[domain_realm]
DC02 = MY.DOMAIN
DC01 = MY.DOMAIN
drs replicate from dc01
root@dc01:~# sudo samba-tool drs replicate dc02 dc01 DC=MY,DC=DOMAIN
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc02[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name dc02<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc02<0x20>
Server ldap/dc02@MY.DOMAIN is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/dc02@MY.DOMAIN) unknown
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for
ldap/dc02 failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
resolve_lmhosts: Attempting lmhosts lookup for name dc02<0x20>
Server ldap/dc02@MY.DOMAIN is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/dc02@MY.DOMAIN) unknown
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for
ldap/dc02 failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Replicate from dc01 to dc02 was successful.
drs replicate to dc01
sudo samba-tool drs replicate dc01 dc02 DC=MY,DC=DOMAIN
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc01[,seal]
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync
failed - drsException: DsReplicaSync failed (31, 'WERR_GEN_FAILURE')
File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 577,
in run
drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
source_dsa_guid, NC, req_options)
File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 92,
in sendDsReplicaSync
raise drsException("DsReplicaSync failed %s" % estr)
drs kcc
administrator@DC02:~$ sudo samba-tool drs kcc
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:DC02.MY.DOMAIN[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name DC02.MY.DOMAIN<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name DC02.MY.DOMAIN<0x20>
Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.0.1.9
Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.0.1.9
Server ldap/DC02.MY.DOMAIN@MY.DOMAIN is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/DC02.MY.DOMAIN@MY.DOMAIN) unknown
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for
ldap/DC02.MY.DOMAIN failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Consistency check on DC02.MY.DOMAIN successful.
smbd log during sysvolcheck
[2022/05/03 13:49:46.897388, 3]
../../source3/lib/util_procid.c:53(pid_to_procid)
pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.897429, 3] ../../source3/lib/messages.c:925(send_all_fn)
send_all_fn: messaging_send_buf to 17469 failed:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.897475, 3]
../../source3/lib/util_procid.c:53(pid_to_procid)
pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.897503, 3] ../../source3/lib/messages.c:925(send_all_fn)
send_all_fn: messaging_send_buf to 1197 failed:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.897569, 3]
../../source3/lib/util_procid.c:53(pid_to_procid)
pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.897597, 3] ../../source3/lib/messages.c:925(send_all_fn)
send_all_fn: messaging_send_buf to 17484 failed:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.897699, 3]
../../source3/lib/util_procid.c:53(pid_to_procid)
pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.897755, 3] ../../source3/lib/messages.c:925(send_all_fn)
send_all_fn: messaging_send_buf to 17486 failed:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.897863, 3]
../../source3/lib/util_procid.c:53(pid_to_procid)
pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.897906, 3] ../../source3/lib/messages.c:925(send_all_fn)
send_all_fn: messaging_send_buf to 1134 failed:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.898097, 3]
../../source3/lib/util_procid.c:53(pid_to_procid)
pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.898151, 3] ../../source3/lib/messages.c:925(send_all_fn)
send_all_fn: messaging_send_buf to 1198 failed:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.898384, 3]
../../source3/lib/util_procid.c:53(pid_to_procid)
pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.898439, 3] ../../source3/lib/messages.c:925(send_all_fn)
send_all_fn: messaging_send_buf to 1159 failed:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.898471, 3]
../../source3/lib/util_procid.c:53(pid_to_procid)
pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.898509, 3] ../../source3/lib/messages.c:925(send_all_fn)
send_all_fn: messaging_send_buf to 1263 failed:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2022/05/03 13:49:46.898667, 3]
../../source3/lib/util_procid.c:53(pid_to_procid)
pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2022/05/03 13:49:46.898727, 3] ../../source3/lib/messages.c:925(send_all_fn)
send_all_fn: messaging_send_buf to 17437 failed:
NT_STATUS_OBJECT_NAME_NOT_FOUND
Which commands could help narrow down the source of the failure?
I have read various posts in forums and the mailing list archive and tried them
without success.
Some guesses: idmap ldb/tdb, some other ldb/tdb file, stuck objects / attributes.
Maybe someone has an idea on this.
Greetings
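An added example, not part of the original post and not Samba's own code: a small Python script that runs offline over the output quoted above and turns each recognisable failure line into the checks to run next. `samba-tool drs replicate` takes the destination DC first and the source DC second, so the run that succeeded pulled dc01 into dc02, and the run that failed with WERR_GEN_FAILURE is the dc02-to-dc01 direction, which matches the one-way visibility of new users. The output also shows gssapi_krb5 unable to obtain a ticket for the LDAP service principal of dc02 (SPNEGO then tries NTLMSSP) and, during `drs kcc`, a refused connection to the KDC at 10.0.1.9. The sample log lines and the two `[global]` excerpts are constructed from the post; the samba-tool subcommands in the check lists exist, while the hostnames, realm and IP are the post's own placeholders. A second function diffs the two `[global]` sections, which flags `min protocol = NT1` as present on dc01 only (it allows SMB1 connections to that DC) and `name resolve order = bcast host` on dc02 only.

```python
"""Offline triage of the samba-tool / smbd output quoted above.

Added example, not from the original post and not Samba code. SAMPLE_LOG and
the two [global] excerpts are constructed from lines quoted in the post; each
rule maps a recognisable failure line to the follow-up checks to run next.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    symptom: str
    next_checks: tuple
    count: int = 0


# (regex, symptom template, follow-up check templates). Named groups from the
# regex, plus the realm passed to triage(), fill the {placeholders}.
RULES = (
    # gssapi_krb5 got no ticket for the LDAP SPN; SPNEGO then tries NTLMSSP.
    (re.compile(r"Server (?P<spn>\S+/(?P<host>[^.@ ]+)\S*?)(?:@| at )(?P<realm>\S+)"
                r" is not registered with our KDC"),
     "KDC issued no ticket for {spn}@{realm}; SPNEGO falls back to NTLMSSP",
     ("samba-tool spn list {host}$",
      "kinit administrator@{realm} && klist",
      "retry with the FQDN of {host} instead of the short name")),
    # The KDC itself was unreachable: nothing answered on the Kerberos port.
    (re.compile(r"NT_STATUS_CONNECTION_REFUSED from (?P<ip>\d+\.\d+\.\d+\.\d+)"),
     "KDC at {ip} refused the connection",
     ("nc -zv {ip} 88",
      "ss -ltnp | grep ':88'   # run on {ip}",
      "host -t SRV _kerberos._tcp.{realm}")),
    # The destination DC rejected the pull: inspect its view of replication.
    (re.compile(r"DsReplicaSync failed \((?P<code>\d+), '(?P<werr>\w+)'\)"),
     "DsReplicaSync rejected with {werr} ({code}); pull in this direction is broken",
     ("samba-tool drs showrepl",
      "samba-tool dbcheck --cross-ncs",
      "samba-tool drs replicate --full-sync <dest> <source> <NC>")),
    # Internal messaging to a PID whose socket is gone: that process is not running.
    (re.compile(r"messaging_send_buf to (?P<pid>\d+) failed: NT_STATUS_OBJECT_NAME_NOT_FOUND"),
     "message to PID {pid} undeliverable; no such process",
     ("ps -p {pid}",)),
)


def triage(log_text, realm="MY.DOMAIN"):
    """Distinct findings in order of first appearance, with repeat counts."""
    findings = {}
    for line in log_text.splitlines():
        for pattern, symptom, checks in RULES:
            m = pattern.search(line)
            if not m:
                continue
            ctx = {"realm": realm, **{k: v for k, v in m.groupdict().items() if v}}
            key = symptom.format(**ctx)
            if key not in findings:
                findings[key] = Finding(key, tuple(c.format(**ctx) for c in checks))
            findings[key].count += 1
    return list(findings.values())


def global_params(smb_conf):
    """Parse the [global] section of an smb.conf text into {param: value}."""
    params, in_global = {}, False
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params


def diff_global_params(conf_a, conf_b):
    """{param: (value_on_a, value_on_b)} for every global parameter that differs."""
    a, b = global_params(conf_a), global_params(conf_b)
    return {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys())
            if a.get(k) != b.get(k)}


# Constructed from the post's output (mail-wrapped lines re-joined).
SAMPLE_LOG = """\
Using binding ncacn_ip_tcp:dc02[,seal]
Server ldap/dc02@MY.DOMAIN is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/dc02@MY.DOMAIN) unknown
Replicate from dc01 to dc02 was successful.
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (31, 'WERR_GEN_FAILURE')
Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.0.1.9
Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.0.1.9
Server ldap/DC02.MY.DOMAIN@MY.DOMAIN is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/DC02.MY.DOMAIN@MY.DOMAIN) unknown
send_all_fn: messaging_send_buf to 17469 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
send_all_fn: messaging_send_buf to 1197 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
"""

# [global] excerpts of the two smb.conf files from the post (identical lines and shares omitted).
DC01_GLOBAL = """[global]
min protocol = NT1
dns forwarder = 8.8.8.8
netbios name = DC01
realm = MY.DOMAIN
server role = active directory domain controller
workgroup = MY
"""
DC02_GLOBAL = """[global]
dns forwarder = 8.8.8.8
netbios name = DC02
realm = MY.DOMAIN
server role = active directory domain controller
workgroup = MY
name resolve order = bcast host
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.count}x] {f.symptom}")
        for check in f.next_checks:
            print("    ->", check)
    for k, (a, b) in diff_global_params(DC01_GLOBAL, DC02_GLOBAL).items():
        print(f"{k}: dc01={a!r} dc02={b!r}")
```

Run it as-is to see the six findings from the quoted output, or feed it the full `samba-tool ... -d 3` output of a fresh run; the rule table is deliberately small so that each pattern stays tied to a line that actually appears in the post.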