Hi, I'm resending this to the list since I cannot see it on the archive, for some reason...

I recently upgraded two (running stable) systems from Debian Wheezy to Jessie. Samba version has not changed since on Wheezy I was using the one from wheezy-backports (v4.1.17), same as on Jessie.

These are 2 basic DCs without any additional config. Since the upgrade, every day at either 10 PM or 8 AM replication is broken (I can see WERR_ACCESS_DENIED errors by running samba-tool drs showrepl). Restarting Samba returns everything to normal, until the next day...

By increasing the log level I can see this:

--
[2015/07/07 22:02:48.149819, 3] ../auth/credentials/credentials_krb5.c:532(cli_credentials_get_client_gss_creds)
  Credentials for DC2$@MYCOMPANY.COM will expire shortly (0 sec), must refresh credentials cache
[2015/07/07 22:02:48.150486, 1] ../source4/auth/gensec/gensec_gssapi.c:644(gensec_gssapi_update)
  GSS client Update(krb5)(1) Update failed: Miscellaneous failure (see text): Matching credential (GC/dc1.mycompany.com/mycompany.com at MYCOMPANY.COM) not found
[2015/07/07 22:02:48.150615, 0] ../auth/gensec/gensec.c:247(gensec_update)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2015/07/07 22:02:48.150959, 0] ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:74f6388c-a704-4bb1-857a-e7dc15c320cd._msdcs.mycompany.com[1024,seal,krb5] NT_STATUS_ACCESS_DENIED
--

After that the logs get heavily spammed by the same messages "Did not manage..." and "Failed to bind...", every minute or so.

Any ideas? I'm tempted to rejoin the servers to the domain or regenerate the keytabs, still I don't understand why everything gets fixed by just restarting samba.

Any help is appreciated.

Best regards.

George
You did change the DLZ option from 9.8 to 9.9? Check your bind options.

This:

dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
};

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of George
> Sent: Monday, 13 July 2015 14:04
> To: samba at lists.samba.org
> Subject: [Samba] Replication issues after OS upgrade
>
> Hi, I'm resending this to the list since I cannot see it on the archive, for some reason...
>
> I recently upgraded two (running stable) systems from Debian Wheezy to Jessie. Samba version has not changed since on Wheezy I was using the one from wheezy-backports (v4.1.17), same as on Jessie.
>
> These are 2 basic DCs without any additional config. Since the upgrade, every day at either 10 PM or 8 AM replication is broken (I can see WERR_ACCESS_DENIED errors by running samba-tool drs showrepl). Restarting Samba returns everything to normal, until the next day...
I'm using the internal DNS backend from Samba.

Anyway, after some further research, I found this:

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1357471
https://bugzilla.samba.org/show_bug.cgi?id=11164

Not sure if the patch included is just a cosmetic one to avoid the error message or indeed fixes the replication problems.

I can confirm this is due to connectivity issues between the DCs, as stated in the Ubuntu bug. In my case it occurs at the same time that our routers renegotiate the VPN link over a different WAN link. Once the connectivity is restored (which is almost immediately, BTW) replication does not recover unless samba is restarted.

I guess I will apply the supplied patch, try again and report back.

It still puzzles me why this never occurred on Debian Wheezy with the same Samba version and network conditions.

Best regards

On Mon, Jul 13, 2015 at 10:21 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:
> You did change the DLZ option from 9.8 to 9.9? Check your bind options.
>
> This:
>
> dlz "AD DNS Zone" {
>     # For BIND 9.8.x
>     # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
>
>     # For BIND 9.9.x
>     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>
>     # For BIND 9.10.x
>     # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
> };
>
> Greetz,
>
> Louis
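The log excerpt George posted, together with his later finding that replication stays broken after the VPN link comes back until samba is restarted, gives a signature that a monitoring check can key on instead of waiting for the next `samba-tool drs showrepl` run to show WERR_ACCESS_DENIED. The script below is an added example and is not code from the thread or from the Samba project. It parses Samba's two-line log records (a `[timestamp, level] source` header followed by an indented message), matches the four messages from the excerpt, and reports whether the stale-credential / bind-denied pattern is present and how often the DRSUAPI bind keeps failing. The sample log is constructed from the posted excerpt, with the `@` that the list archive rewrote as ` at ` restored and two of the repeated failures George describes appended one minute apart; the interface UUID, principal and host names are the ones in his post.

```python
"""Flag the DC replication-failure signature from the thread in Samba logs.

Added example, not from the thread or from Samba. Looks for the sequence:
credential cache about to expire (0 sec) -> GSSAPI "Matching credential ...
not found" -> SIGN not negotiated -> DRSUAPI bind NT_STATUS_ACCESS_DENIED,
and counts how often the bind failure repeats afterwards.
"""
import re
from datetime import datetime

# Constructed sample, modelled on the excerpt in the thread ("@" restored,
# two later repeats of the SIGN/bind failures added one minute apart).
SAMPLE_LOG = """\
[2015/07/07 22:02:48.149819, 3] ../auth/credentials/credentials_krb5.c:532(cli_credentials_get_client_gss_creds)
  Credentials for DC2$@MYCOMPANY.COM will expire shortly (0 sec), must refresh credentials cache
[2015/07/07 22:02:48.150486, 1] ../source4/auth/gensec/gensec_gssapi.c:644(gensec_gssapi_update)
  GSS client Update(krb5)(1) Update failed: Miscellaneous failure (see text): Matching credential (GC/dc1.mycompany.com/mycompany.com@MYCOMPANY.COM) not found
[2015/07/07 22:02:48.150615, 0] ../auth/gensec/gensec.c:247(gensec_update)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2015/07/07 22:02:48.150959, 0] ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2@ncacn_ip_tcp:74f6388c-a704-4bb1-857a-e7dc15c320cd._msdcs.mycompany.com[1024,seal,krb5] NT_STATUS_ACCESS_DENIED
[2015/07/07 22:03:48.150615, 0] ../auth/gensec/gensec.c:247(gensec_update)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2015/07/07 22:03:48.150959, 0] ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2@ncacn_ip_tcp:74f6388c-a704-4bb1-857a-e7dc15c320cd._msdcs.mycompany.com[1024,seal,krb5] NT_STATUS_ACCESS_DENIED
[2015/07/07 22:04:48.150615, 0] ../auth/gensec/gensec.c:247(gensec_update)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2015/07/07 22:04:48.150959, 0] ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2@ncacn_ip_tcp:74f6388c-a704-4bb1-857a-e7dc15c320cd._msdcs.mycompany.com[1024,seal,krb5] NT_STATUS_ACCESS_DENIED
"""

# Header line of a Samba log record: "[YYYY/MM/DD HH:MM:SS.ffffff, level] file:line(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), *(?P<level>\d+)\] *(?P<src>\S+)$"
)

# Message-line signatures; "mand\w+" tolerates the "mandetory" spelling as logged.
SIGNATURES = {
    "creds_expiring": re.compile(
        r"Credentials for (?P<principal>\S+) will expire shortly \((?P<secs>\d+) sec\)"),
    "no_matching_cred": re.compile(r"Matching credential \((?P<target>[^)]+)\) not found"),
    "sign_not_negotiated": re.compile(r"Did not manage to negotiate mand\w+ feature SIGN"),
    "bind_access_denied": re.compile(
        r"Failed to bind to uuid (?P<uuid>[0-9a-f-]{36}) .*NT_STATUS_ACCESS_DENIED"),
}


def parse_samba_log(text):
    """Return (timestamp, level, kind, fields) for every message line that matches a signature."""
    events = []
    ts, level = None, None
    for line in text.splitlines():
        hdr = HEADER_RE.match(line)
        if hdr:  # header line: remember the context for the message line(s) that follow
            ts = datetime.strptime(hdr["ts"], "%Y/%m/%d %H:%M:%S.%f")
            level = int(hdr["level"])
            continue
        msg = line.strip()
        for kind, pattern in SIGNATURES.items():
            m = pattern.search(msg)
            if m:
                events.append((ts, level, kind, m.groupdict()))
                break
    return events


def assess_replication(events):
    """Summarise whether the stale-credential / bind-denied pattern is present."""
    kinds = {e[2] for e in events}
    expired = [e for e in events if e[2] == "creds_expiring" and int(e[3]["secs"]) == 0]
    binds = [e for e in events if e[2] == "bind_access_denied"]
    mean_gap = None  # mean seconds between consecutive bind failures (the retry cadence)
    if len(binds) > 1:
        mean_gap = (binds[-1][0] - binds[0][0]).total_seconds() / (len(binds) - 1)
    stale = bool(expired) and "no_matching_cred" in kinds
    return {
        "stale_credential_cache": stale,
        "expired_principals": sorted({e[3]["principal"] for e in expired}),
        "bind_failures": len(binds),
        "interfaces": sorted({e[3]["uuid"] for e in binds}),
        "first_failure": binds[0][0] if binds else None,
        "last_failure": binds[-1][0] if binds else None,
        "mean_retry_seconds": mean_gap,
        "replication_broken": stale and "sign_not_negotiated" in kinds and bool(binds),
    }


def summarise(text):
    """Parse a log and return the assessment in one call."""
    return assess_replication(parse_samba_log(text))


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Pointed at a DC's samba log at level 3 or higher (the credential-expiry message is only emitted from level 3), a check can alert on `replication_broken` and on a bind-failure count that keeps growing after the link is back, which is exactly the state George describes where connectivity has recovered but replication has not.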