samba - Apr 2013 - Global Catalog replication error to win 2008

Hi all,

Running Samba 4.0.0apha18 with good results but getting an error when I attempt
to replicate the Global Catalog to a Windows 2008 Machine.

Samba machine = DC1
Windows 2008 machine = DC0

samba-tool Showrepl result:

Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: 05c3c860-0a0d-4672-a39e-a212ccb0ce9c
DSA invocationId: abb0cab3-13d3-456c-8a16-e65a4855a2df

==== INBOUND NEIGHBORS ===
DC=ForestDnsZones,DC=mydomain,DC=local
??????? Default-First-Site-Name\DC0 via RPC
??????????????? DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
??????????????? Last attempt @ Mon Apr 29 17:15:53 2013 MDT was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ Mon Apr 29 17:15:53 2013 MDT

DC=DomainDnsZones,DC=mydomain,DC=local
??????? Default-First-Site-Name\DC0 via RPC
??????????????? DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
??????????????? Last attempt @ Mon Apr 29 17:15:54 2013 MDT was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ Mon Apr 29 17:15:54 2013 MDT

DC=mydomain,DC=local
??????? Default-First-Site-Name\DC0 via RPC
??????????????? DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
??????????????? Last attempt @ Mon Apr 29 17:15:54 2013 MDT was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ Mon Apr 29 17:15:54 2013 MDT

CN=Schema,CN=Configuration,DC=mydomain,DC=local
??????? Default-First-Site-Name\DC0 via RPC
??????????????? DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
??????????????? Last attempt @ Mon Apr 29 17:15:55 2013 MDT was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ Mon Apr 29 17:15:55 2013 MDT

CN=Configuration,DC=mydomain,DC=local
??????? Default-First-Site-Name\DC0 via RPC
??????????????? DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
??????????????? Last attempt @ Mon Apr 29 17:15:55 2013 MDT was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ Mon Apr 29 17:15:55 2013 MDT

==== OUTBOUND NEIGHBORS ===
DC=ForestDnsZones,DC=mydomain,DC=local
??????? Default-First-Site-Name\DC0 via RPC
??????????????? DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
??????????????? Last attempt @ Mon Apr 29 17:15:34 2013 MDT was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ Mon Apr 29 17:15:34 2013 MDT

DC=DomainDnsZones,DC=mydomain,DC=local
??????? Default-First-Site-Name\DC0 via RPC
??????????????? DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
??????????????? Last attempt @ Mon Apr 29 17:15:34 2013 MDT was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ Mon Apr 29 17:15:34 2013 MDT

DC=mydomain,DC=local
??????? Default-First-Site-Name\DC0 via RPC
??????????????? DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
??????????????? Last attempt @ Mon Apr 29 17:02:31 2013 MDT was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ Mon Apr 29 17:02:31 2013 MDT

CN=Schema,CN=Configuration,DC=mydomain,DC=local
??????? Default-First-Site-Name\DC0 via RPC
??????????????? DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
??????????????? Last attempt @ Mon Apr 29 15:45:34 2013 MDT was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ Mon Apr 29 15:45:34 2013 MDT

CN=Configuration,DC=mydomain,DC=local
??????? Default-First-Site-Name\DC0 via RPC
??????????????? DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
??????????????? Last attempt @ Mon Apr 29 15:45:34 2013 MDT was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ Mon Apr 29 15:45:34 2013 MDT

==== KCC CONNECTION OBJECTS ===
Connection --
??????? Connection name: adcd1e5f-3336-42b5-acfb-2b308c9a83bc
??????? Enabled??????? : TRUE
??????? Server DNS name : DC1.mydomain.local
??????? Server DN name? : CN=NTDS
Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
??????????????? TransportType: RPC
??????????????? options: 0x00000001
Warning: No NC replicated for Connection!


samba-tool drs replicate DC0 DC1 returns:

Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED -? <00002028:
LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity
checking if SSL\TLS are not already active on the connection, data 0, v1772>
<>
Failed to connect to 'ldap://DC0' with backend 'ldap': (null)
ERROR(ldb): LDAP connection to DC0 failed - None

Very much a newbie,? and I jumped in with both feet any help you could provide
is very much appreciated!!

Thanks!
- Fred

On 04/29/2013 04:30 PM, Fred Geo wrote:
> Hi all,
>
> Running Samba 4.0.0apha18 with good results but getting an error when I
attempt to replicate the Global Catalog to a Windows 2008 Machine.
>
> Samba machine = DC1
> Windows 2008 machine = DC0
>
> samba-tool Showrepl result:
>
> Default-First-Site-Name\DC1
> DSA Options: 0x00000001
> DSA object GUID: 05c3c860-0a0d-4672-a39e-a212ccb0ce9c
> DSA invocationId: abb0cab3-13d3-456c-8a16-e65a4855a2df
>
> ==== INBOUND NEIGHBORS ===>
> DC=ForestDnsZones,DC=mydomain,DC=local
>          Default-First-Site-Name\DC0 via RPC
>                  DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
>                  Last attempt @ Mon Apr 29 17:15:53 2013 MDT was successful
>                  0 consecutive failure(s).
>                  Last success @ Mon Apr 29 17:15:53 2013 MDT
>
> DC=DomainDnsZones,DC=mydomain,DC=local
>          Default-First-Site-Name\DC0 via RPC
>                  DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
>                  Last attempt @ Mon Apr 29 17:15:54 2013 MDT was successful
>                  0 consecutive failure(s).
>                  Last success @ Mon Apr 29 17:15:54 2013 MDT
>
> DC=mydomain,DC=local
>          Default-First-Site-Name\DC0 via RPC
>                  DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
>                  Last attempt @ Mon Apr 29 17:15:54 2013 MDT was successful
>                  0 consecutive failure(s).
>                  Last success @ Mon Apr 29 17:15:54 2013 MDT
>
> CN=Schema,CN=Configuration,DC=mydomain,DC=local
>          Default-First-Site-Name\DC0 via RPC
>                  DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
>                  Last attempt @ Mon Apr 29 17:15:55 2013 MDT was successful
>                  0 consecutive failure(s).
>                  Last success @ Mon Apr 29 17:15:55 2013 MDT
>
> CN=Configuration,DC=mydomain,DC=local
>          Default-First-Site-Name\DC0 via RPC
>                  DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
>                  Last attempt @ Mon Apr 29 17:15:55 2013 MDT was successful
>                  0 consecutive failure(s).
>                  Last success @ Mon Apr 29 17:15:55 2013 MDT
>
> ==== OUTBOUND NEIGHBORS ===>
> DC=ForestDnsZones,DC=mydomain,DC=local
>          Default-First-Site-Name\DC0 via RPC
>                  DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
>                  Last attempt @ Mon Apr 29 17:15:34 2013 MDT was successful
>                  0 consecutive failure(s).
>                  Last success @ Mon Apr 29 17:15:34 2013 MDT
>
> DC=DomainDnsZones,DC=mydomain,DC=local
>          Default-First-Site-Name\DC0 via RPC
>                  DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
>                  Last attempt @ Mon Apr 29 17:15:34 2013 MDT was successful
>                  0 consecutive failure(s).
>                  Last success @ Mon Apr 29 17:15:34 2013 MDT
>
> DC=mydomain,DC=local
>          Default-First-Site-Name\DC0 via RPC
>                  DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
>                  Last attempt @ Mon Apr 29 17:02:31 2013 MDT was successful
>                  0 consecutive failure(s).
>                  Last success @ Mon Apr 29 17:02:31 2013 MDT
>
> CN=Schema,CN=Configuration,DC=mydomain,DC=local
>          Default-First-Site-Name\DC0 via RPC
>                  DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
>                  Last attempt @ Mon Apr 29 15:45:34 2013 MDT was successful
>                  0 consecutive failure(s).
>                  Last success @ Mon Apr 29 15:45:34 2013 MDT
>
> CN=Configuration,DC=mydomain,DC=local
>          Default-First-Site-Name\DC0 via RPC
>                  DSA object GUID: 2f9a5ed0-165e-4e2f-a1e4-9814baaea7cb
>                  Last attempt @ Mon Apr 29 15:45:34 2013 MDT was successful
>                  0 consecutive failure(s).
>                  Last success @ Mon Apr 29 15:45:34 2013 MDT
>
> ==== KCC CONNECTION OBJECTS ===>
> Connection --
>          Connection name: adcd1e5f-3336-42b5-acfb-2b308c9a83bc
>          Enabled        : TRUE
>          Server DNS name : DC1.mydomain.local
>          Server DN name  : CN=NTDS
Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
>                  TransportType: RPC
>                  options: 0x00000001
> Warning: No NC replicated for Connection!
Pay more attention to the 0 consecutive failure, the last error is not 
really one, it's just because we don't set some bits still it *should* 
be harmless
>
>
> samba-tool drs replicate DC0 DC1 returns:
>
> Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED -  <00002028:
LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity
checking if SSL\TLS are not already active on the connection, data 0, v1772>
<>
> Failed to connect to 'ldap://DC0' with backend 'ldap':
(null)
> ERROR(ldb): LDAP connection to DC0 failed - None
You have to specify an account for doing this, use -U administrator for 
instance

> Very much a newbie,  and I jumped in with both feet any help you could
provide is very much appreciated!!
>
> Thanks!
> - Fred
Matthieu.

-- 
Matthieu Patou
Samba Team
http://samba.org