David Koscinski
2014-Nov-02 14:04 UTC
[Samba] drs replicate to Windows 2003 DC fails with WERR_DS_INSUFFICIENT_ATTR_TO_CREATE_OBJECT and WERR_DS_DRA_ACCESS_DENIED
My samba4.11 server will only replicate one way: windows -> samba.
Replication from samba -> windows fails. Details follow.
I have a Samba 4.11 domain controller (fs1) that was added to an
existing domain that had a Windows Server 2003R2 domain controller (fs)
and Windows Small Business Server 2011 (sbs).
fs1 is running on Debian 7.6
My issue seems similar to
https://lists.samba.org/archive/samba/2014-September/185140.html except
that my domain is at 2003 functional level. See more details about this
at the end of my post.
Replication works successfully from fs to sbs and sbs to fs.
Replication works successfully from sbs to fs1:
fs1.pearl.local:~# samba-tool drs replicate fs1 sbs DC=pearl,DC=local
Replicate from sbs to fs1 was successful.
And from fs to fs1:
fs1.pearl.local:~# samba-tool drs replicate fs1 fs DC=pearl,DC=local
Replicate from fs to fs1 was successful.
However, replication from fs1 to either of the other domain controllers
fails:
fs1.pearl.local:~# samba-tool drs replicate fs fs1 DC=pearl,DC=local
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8606, 'WERR_DS_INSUFFICIENT_ATTR_TO_CREATE_OBJECT')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 345, in run
    drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
I've tried samba-tool dbcheck. It found 2 errors.
fs1.pearl.local:~# samba-tool dbcheck
Checking 658 objects
ERROR: orphaned backlink attribute 'authOrigBL' in CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local for link authOrig in CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
Not removing orphaned backlink authOrig
ERROR: missing GUID component for authOrig in object CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local - CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
Not fixing missing GUID
Please use --fix to fix these errors
Checked 658 objects (2 errors)
I used --fix --yes to fix the errors
fs1.pearl.local:~# samba-tool dbcheck --fix --yes
Checking 658 objects
ERROR: orphaned backlink attribute 'authOrigBL' in CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local for link authOrig in CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
Remove orphaned backlink authOrig [YES]
Fixed orphaned backlink authOrig
ERROR: missing GUID component for authOrig in object CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local - CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
Change DN to <GUID=1fb53160-7eb6-404c-8656-0fe9f0c0a546>;<SID=S-1-5-21-31344582-3446745131-2667729944-1135>;CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local? [YES]
Fixed missing GUID on attribute authOrig
Checked 658 objects (2 errors)
Replicating again gives a new error WERR_DS_DRA_ACCESS_DENIED the first
attempt, then the same old error
WERR_DS_INSUFFICIENT_ATTR_TO_CREATE_OBJECT each subsequent attempt.
fs1.pearl.local:~# samba-tool drs replicate fs fs1 DC=pearl,DC=local
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 345, in run
    drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
fs1.pearl.local:~# samba-tool drs replicate fs fs1 DC=pearl,DC=local
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8606, 'WERR_DS_INSUFFICIENT_ATTR_TO_CREATE_OBJECT')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 345, in run
    drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
I noticed that the database continues to have 2 errors. I can run this
command repeatedly and it will always find and fix the same 2 errors.
fs1.pearl.local:~# samba-tool dbcheck --fix --yes
Checking 658 objects
ERROR: orphaned backlink attribute 'authOrigBL' in CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local for link authOrig in CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
Remove orphaned backlink authOrig [YES]
Fixed orphaned backlink authOrig
ERROR: missing GUID component for authOrig in object CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local - CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local
Change DN to <GUID=1fb53160-7eb6-404c-8656-0fe9f0c0a546>;<SID=S-1-5-21-31344582-3446745131-2667729944-1135>;CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local? [YES]
Fixed missing GUID on attribute authOrig
Checked 658 objects (2 errors)
Suspecting that the issue might be that I have a Windows Small Business
Server 2011 in my network, I checked the domain functional levels and
confirmed that the domain and forest are at 2003 and so are fs and fs1.
sbs is at level 4. sbs also runs Exchange 2010, so the Exchange
extensions are present in the AD.
PS C:\Users\gecko> $dse = ([ADSI] "LDAP://RootDSE")
PS C:\Users\gecko> $dse.dnsHostName
SBS.pearl.local
PS C:\Users\gecko> $dse.forestFunctionality
2
PS C:\Users\gecko> $dse.domainFunctionality
2
PS C:\Users\gecko> $dse.domainControllerFunctionality
4
PS C:\Documents and Settings\gecko.PEARL> $dse = ([ADSI] "LDAP://RootDSE")
PS C:\Documents and Settings\gecko.PEARL> $dse.dnsHostName
fs.pearl.local
PS C:\Documents and Settings\gecko.PEARL> $dse.domainControllerFunctionality
2
PS C:\Documents and Settings\gecko.PEARL> $dse.domainFunctionality
2
PS C:\Documents and Settings\gecko.PEARL> $dse.forestFunctionality
2
PS C:\Documents and Settings\gecko.PEARL>
fs1.pearl.local:~# samba-tool domain level show
Domain and forest function level for domain 'DC=pearl,DC=local'
Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2003
Does anyone know how to get past this roadblock?
Cheers,
David.
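As an added illustration (not from the post above and not Samba's own dbcheck code): a small Python model of the two checks dbcheck kept reporting, the missing-GUID check on a forward link's extended DN (`<GUID=...>;<SID=...>;CN=...`) and the orphaned-backlink check, run over a constructed copy of the DiscoverySearchMailbox object in its reported state and in its `--fix`-rewritten state. The object-map layout and the rule that a backlink is valid only when a forward link resolves to it by GUID are simplifying assumptions of the model.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Simplified model of AD linked attributes: a forward link stores an extended DN whose
# <GUID=...>;<SID=...> prefixes identify the target object, and the target carries a
# matching backlink.  Illustration only, not Samba's dbcheck implementation.
_EXT = re.compile(r"^<(GUID|SID)=([^>]+)>;")
_GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

@dataclass
class LinkValue:
    guid: Optional[str]
    sid: Optional[str]
    dn: str

def parse_link_value(value: str) -> LinkValue:
    """Split '<GUID=..>;<SID=..>;CN=...' into its parts; the prefixes are optional."""
    guid = sid = None
    while (m := _EXT.match(value)):
        if m.group(1) == "GUID":
            guid = m.group(2).lower()
        else:
            sid = m.group(2)
        value = value[m.end():]
    return LinkValue(guid, sid, value)

def check_links(objects: Dict[str, dict], forward: str, backlink: str) -> List[str]:
    """dbcheck-style findings over {dn: {"objectGUID": ..., attr: [values]}}."""
    findings = []
    by_guid = {o["objectGUID"].lower(): dn for dn, o in objects.items()}
    for dn, obj in objects.items():
        for raw in obj.get(forward, []):
            lv = parse_link_value(raw)
            if lv.guid is None or not _GUID.fullmatch(lv.guid):
                findings.append(f"missing GUID component for {forward} in object {dn} - {lv.dn}")
        for raw in obj.get(backlink, []):
            src = parse_link_value(raw).dn
            # Orphaned: no forward link on the source object resolves by GUID to this object.
            pointed = any(by_guid.get(parse_link_value(v).guid) == dn
                          for v in objects.get(src, {}).get(forward, []))
            if not pointed:
                findings.append(f"orphaned backlink attribute '{backlink}' in {dn} for link {forward} in {src}")
    return findings

# Constructed sample mirroring the object dbcheck reported in the post above.
MBX = "CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=pearl,DC=local"
MBX_GUID = "1fb53160-7eb6-404c-8656-0fe9f0c0a546"
MBX_SID = "S-1-5-21-31344582-3446745131-2667729944-1135"
BROKEN = {MBX: {"objectGUID": MBX_GUID, "authOrig": [MBX], "authOrigBL": [MBX]}}  # bare DN, no GUID prefix
FIXED = {MBX: {"objectGUID": MBX_GUID, "authOrigBL": [MBX],
               "authOrig": [f"<GUID={MBX_GUID}>;<SID={MBX_SID}>;{MBX}"]}}      # link as rewritten by --fix
```

Running `check_links(BROKEN, "authOrig", "authOrigBL")` yields the same two findings as the post; the rewritten link in `FIXED` yields none, which is what a successful `--fix` should leave behind.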
David Koscinski
2014-Nov-05 22:08 UTC
[Samba] drs replicate to Windows 2003 DC fails with WERR_DS_INSUFFICIENT_ATTR_TO_CREATE_OBJECT and WERR_DS_DRA_ACCESS_DENIED
On 11/2/2014 8:04 AM, David Koscinski wrote:
> [...]
I checked the changelog for samba4 since version 11 and there aren't any obvious fixes that address this. Of course at this point I don't even know if it is a flaw in Samba.