David Minard
2015-Oct-01 00:24 UTC
[Samba] 4th DC Unable to Replicate - WERR_DS_DRA_ACCESS_DENIED
G'day All,
I've been setting up a new set of DCs, using 4.2.3 and all was
going well until I tried to get a 4th DC going. I'm using bind_DLZ, and
I think this is where I went wrong.
I provisioned the new DC before having set up bind properly (I
forgot to "yum install bind bind-util bind-libs" beforehand). The
provision worked okay, except that it told me that it couldn't work out
what version of bind was installed, and that I had to edit the
"/usr/local/samba/private/named.conf" file. Which I have done (and
uncommented the 9.9 line).
Then, I started bind, and then samba. All seemed well, except that
it has replication errors. So I went through the ownership of files, as
described by the wiki, making changes as appropriate, and compared them
to my other DCs. They now all seemed right. bind and samba restarted.
samba-tool drs showrepl
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to samba4-40.samba4.scem.westernsydney.edu.au failed - drsException: DRS connection to samba4-40.samba4.scem.westernsydney.edu.au failed: (-1073741772, 'The object name is not found.')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
I have the server name in /etc/hosts. I have resolve.conf pointing to
the other DCs.
If I "samba-tool drs showrepl samba4-40" I get
Default-First-Site-Name\SAMBA4-40
DSA Options: 0x00000001
DSA object GUID: 072d7de1-f6f3-45e0-bbcd-4ba17b0054ab
DSA invocationId: acea15ea-f471-42b9-84c3-8dc44bd98da4
==== INBOUND NEIGHBORS ===
CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-10 via RPC
DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
Last attempt @ Thu Oct 1 10:13:37 2015 AEST was successful
0 consecutive failure(s).
Last success @ Thu Oct 1 10:13:37 2015 AEST
CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-00 via RPC
DSA object GUID: 56352be2-bdf3-4a54-87a5-1355417519de
Last attempt @ Thu Oct 1 10:13:37 2015 AEST failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
205 consecutive failure(s).
Last success @ Thu Oct 1 10:13:37 2015 AEST
CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-20 via RPC
DSA object GUID: 21a9f003-e429-4320-81c3-06e995652d11
Last attempt @ Thu Oct 1 10:13:37 2015 AEST failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
205 consecutive failure(s).
Last success @ Thu Oct 1 10:13:37 2015 AEST
DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-10 via RPC
DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
Last attempt @ Thu Oct 1 10:13:37 2015 AEST was successful
0 consecutive failure(s).
Last success @ Thu Oct 1 10:13:37 2015 AEST
DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-00 via RPC
DSA object GUID: 56352be2-bdf3-4a54-87a5-1355417519de
Last attempt @ Thu Oct 1 10:13:37 2015 AEST failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
205 consecutive failure(s).
Last success @ Thu Oct 1 10:13:37 2015 AEST
DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-20 via RPC
DSA object GUID: 21a9f003-e429-4320-81c3-06e995652d11
Last attempt @ Thu Oct 1 10:13:38 2015 AEST failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
205 consecutive failure(s).
Last success @ Thu Oct 1 10:13:38 2015 AEST
DC=ForestDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-10 via RPC
DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
Last attempt @ Thu Oct 1 10:13:36 2015 AEST was successful
0 consecutive failure(s).
Last success @ Thu Oct 1 10:13:36 2015 AEST
DC=ForestDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-00 via RPC
DSA object GUID: 56352be2-bdf3-4a54-87a5-1355417519de
Last attempt @ Thu Oct 1 10:13:36 2015 AEST failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
205 consecutive failure(s).
Last success @ Thu Oct 1 10:13:36 2015 AEST
DC=ForestDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-20 via RPC
DSA object GUID: 21a9f003-e429-4320-81c3-06e995652d11
Last attempt @ Thu Oct 1 10:13:36 2015 AEST failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
205 consecutive failure(s).
Last success @ Thu Oct 1 10:13:36 2015 AEST
CN=Schema,CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-10 via RPC
DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
Last attempt @ Thu Oct 1 10:13:38 2015 AEST was successful
0 consecutive failure(s).
Last success @ Thu Oct 1 10:13:38 2015 AEST
CN=Schema,CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-00 via RPC
DSA object GUID: 56352be2-bdf3-4a54-87a5-1355417519de
Last attempt @ Thu Oct 1 10:13:38 2015 AEST failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
205 consecutive failure(s).
Last success @ Thu Oct 1 10:13:38 2015 AEST
CN=Schema,CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-20 via RPC
DSA object GUID: 21a9f003-e429-4320-81c3-06e995652d11
Last attempt @ Thu Oct 1 10:13:39 2015 AEST failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
205 consecutive failure(s).
Last success @ Thu Oct 1 10:13:39 2015 AEST
DC=DomainDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-10 via RPC
DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
Last attempt @ Thu Oct 1 10:13:36 2015 AEST was successful
0 consecutive failure(s).
Last success @ Thu Oct 1 10:13:36 2015 AEST
DC=DomainDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-00 via RPC
DSA object GUID: 56352be2-bdf3-4a54-87a5-1355417519de
Last attempt @ Thu Oct 1 10:13:36 2015 AEST failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
205 consecutive failure(s).
Last success @ Thu Oct 1 10:13:36 2015 AEST
DC=DomainDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-20 via RPC
DSA object GUID: 21a9f003-e429-4320-81c3-06e995652d11
Last attempt @ Thu Oct 1 10:13:36 2015 AEST failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
205 consecutive failure(s).
Last success @ Thu Oct 1 10:13:36 2015 AEST
==== OUTBOUND NEIGHBORS ===
==== KCC CONNECTION OBJECTS ===
Connection --
Connection name: 0809eed4-d61d-4c7f-89cb-f230311fc7e3
Enabled : TRUE
Server DNS name : samba4-00.samba4.scem.westernsydney.edu.au
Server DN name : CN=NTDS Settings,CN=SAMBA4-00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: 78bb6883-6d6a-4c5c-9d6b-39f256823401
Enabled : TRUE
Server DNS name : samba4-10.samba4.scem.westernsydney.edu.au
Server DN name : CN=NTDS Settings,CN=SAMBA4-10,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: c91eece0-11bb-416f-888d-6e87e9439abf
Enabled : TRUE
Server DNS name : samba4-20.samba4.scem.westernsydney.edu.au
Server DN name : CN=NTDS Settings,CN=SAMBA4-20,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
On another dc "samba-tool drs showrepl" gives me:
Default-First-Site-Name\SAMBA4-20
DSA Options: 0x00000001
DSA object GUID: 21a9f003-e429-4320-81c3-06e995652d11
DSA invocationId: e5e45b36-50e5-4f56-97d3-11e1cb7f1b22
==== INBOUND NEIGHBORS ===
CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-00 via RPC
DSA object GUID: 56352be2-bdf3-4a54-87a5-1355417519de
Last attempt @ Thu Oct 1 10:13:55 2015 AEST was successful
0 consecutive failure(s).
Last success @ Thu Oct 1 10:13:55 2015 AEST
CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-10 via RPC
DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
Last attempt @ Thu Oct 1 10:13:55 2015 AEST was successful
0 consecutive failure(s).
Last success @ Thu Oct 1 10:13:55 2015 AEST
CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-40 via RPC
DSA object GUID: 072d7de1-f6f3-45e0-bbcd-4ba17b0054ab
Last attempt @ Thu Oct 1 10:13:55 2015 AEST failed, result 2
(WERR_BADFILE)
208 consecutive failure(s).
Last success @ NTTIME(0)
DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-00 via RPC
DSA object GUID: 56352be2-bdf3-4a54-87a5-1355417519de
Last attempt @ Thu Oct 1 10:13:55 2015 AEST was successful
0 consecutive failure(s).
Last success @ Thu Oct 1 10:13:55 2015 AEST
DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-10 via RPC
DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
Last attempt @ Thu Oct 1 10:13:56 2015 AEST was successful
0 consecutive failure(s).
Last success @ Thu Oct 1 10:13:56 2015 AEST
DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-40 via RPC
DSA object GUID: 072d7de1-f6f3-45e0-bbcd-4ba17b0054ab
Last attempt @ Thu Oct 1 10:13:56 2015 AEST failed, result 2
(WERR_BADFILE)
208 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-00 via RPC
DSA object GUID: 56352be2-bdf3-4a54-87a5-1355417519de
Last attempt @ Thu Oct 1 10:13:54 2015 AEST was successful
0 consecutive failure(s).
Last success @ Thu Oct 1 10:13:54 2015 AEST
DC=ForestDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-10 via RPC
DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
Last attempt @ Thu Oct 1 10:13:54 2015 AEST was successful
0 consecutive failure(s).
Last success @ Thu Oct 1 10:13:54 2015 AEST
DC=ForestDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-40 via RPC
DSA object GUID: 072d7de1-f6f3-45e0-bbcd-4ba17b0054ab
Last attempt @ Thu Oct 1 10:13:54 2015 AEST failed, result 2
(WERR_BADFILE)
208 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-00 via RPC
DSA object GUID: 56352be2-bdf3-4a54-87a5-1355417519de
Last attempt @ Thu Oct 1 10:13:56 2015 AEST was successful
0 consecutive failure(s).
Last success @ Thu Oct 1 10:13:56 2015 AEST
CN=Schema,CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-10 via RPC
DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
Last attempt @ Thu Oct 1 10:13:56 2015 AEST was successful
0 consecutive failure(s).
Last success @ Thu Oct 1 10:13:56 2015 AEST
CN=Schema,CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-40 via RPC
DSA object GUID: 072d7de1-f6f3-45e0-bbcd-4ba17b0054ab
Last attempt @ Thu Oct 1 10:13:57 2015 AEST failed, result 2
(WERR_BADFILE)
208 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-00 via RPC
DSA object GUID: 56352be2-bdf3-4a54-87a5-1355417519de
Last attempt @ Thu Oct 1 10:13:54 2015 AEST was successful
0 consecutive failure(s).
Last success @ Thu Oct 1 10:13:54 2015 AEST
DC=DomainDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-10 via RPC
DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
Last attempt @ Thu Oct 1 10:13:54 2015 AEST was successful
0 consecutive failure(s).
Last success @ Thu Oct 1 10:13:54 2015 AEST
DC=DomainDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-40 via RPC
DSA object GUID: 072d7de1-f6f3-45e0-bbcd-4ba17b0054ab
Last attempt @ Thu Oct 1 10:13:55 2015 AEST failed, result 2
(WERR_BADFILE)
208 consecutive failure(s).
Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ===
CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-40 via RPC
DSA object GUID: 072d7de1-f6f3-45e0-bbcd-4ba17b0054ab
Last attempt @ Thu Oct 1 10:14:58 2015 AEST failed, result 2
(WERR_BADFILE)
12196 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-00 via RPC
DSA object GUID: 56352be2-bdf3-4a54-87a5-1355417519de
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-10 via RPC
DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-40 via RPC
DSA object GUID: 072d7de1-f6f3-45e0-bbcd-4ba17b0054ab
Last attempt @ Thu Oct 1 10:14:59 2015 AEST failed, result 2
(WERR_BADFILE)
12195 consecutive failure(s).
Last success @ NTTIME(0)
DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-00 via RPC
DSA object GUID: 56352be2-bdf3-4a54-87a5-1355417519de
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-10 via RPC
DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-40 via RPC
DSA object GUID: 072d7de1-f6f3-45e0-bbcd-4ba17b0054ab
Last attempt @ Thu Oct 1 10:14:58 2015 AEST failed, result 2
(WERR_BADFILE)
12197 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-00 via RPC
DSA object GUID: 56352be2-bdf3-4a54-87a5-1355417519de
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-10 via RPC
DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-40 via RPC
DSA object GUID: 072d7de1-f6f3-45e0-bbcd-4ba17b0054ab
Last attempt @ Thu Oct 1 10:14:59 2015 AEST failed, result 2
(WERR_BADFILE)
12194 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-00 via RPC
DSA object GUID: 56352be2-bdf3-4a54-87a5-1355417519de
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-10 via RPC
DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-40 via RPC
DSA object GUID: 072d7de1-f6f3-45e0-bbcd-4ba17b0054ab
Last attempt @ Thu Oct 1 10:14:58 2015 AEST failed, result 2
(WERR_BADFILE)
12196 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-00 via RPC
DSA object GUID: 56352be2-bdf3-4a54-87a5-1355417519de
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\SAMBA4-10 via RPC
DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ===
Connection --
Connection name: 19cae640-3d3a-4c64-83f0-7cb99b8e2303
Enabled : TRUE
Server DNS name : samba4-10.samba4.scem.westernsydney.edu.au
Server DN name : CN=NTDS Settings,CN=SAMBA4-10,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: 9648274d-fbcc-4974-8e00-32dedef0482c
Enabled : TRUE
Server DNS name : samba4-00.samba4.scem.westernsydney.edu.au
Server DN name : CN=NTDS Settings,CN=SAMBA4-00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: dd40f960-8f12-4d8e-8027-e4284a3e063b
Enabled : TRUE
Server DNS name : samba4-40.samba4.scem.westernsydney.edu.au
Server DN name : CN=NTDS Settings,CN=SAMBA4-40,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Which is what I'd expect given that samba4-40 has issues.
So, I thought that I'd try to demote samba4-40 and re-try the domain join.
samba-tool domain demote -U administrator
Using samba4-00.samba4.scem.westernsydney.edu.au as partner server for the demotion
Password for [SCEM_AD\administrator]:
Deactivating inbound replication
Asking partner server samba4-00.samba4.scem.westernsydney.edu.au to synchronize from us
Error while demoting, re-enabling inbound replication
ERROR(<class 'samba.drs_utils.drsException'>): Error while sending a DsReplicaSync for partion CN=Schema,CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 712, in run
    sendDsReplicaSync(drsuapiBind, drsuapi_handle, ntds_guid, str(part), drsuapi.DRSUAPI_DRS_WRIT_REP)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
HELP !! I'm now stuck. I've not seen "WERR_DS_DRA_ACCESS_DENIED"
before, and I don't know how to fix it.
I don't know if running the domain join again is a good idea, or if
that will break more stuff....
--
Cheers,
David Minard.
Ph: 0247 360 155
Fax: 0247 360 770
School of Computing, Engineering, and Mathematics
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC
NSW 1797
[Sometimes waking up just isn't worth the insult of the day to come.]
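An added example, not part of the original message and not Samba project code: a small parser for showrepl output in the format quoted above, grouping failed entries by partner DC so it is visible at a glance whether an error follows a partner or a partition. The sample is an excerpt of the output in the message; the function names and the result layout are assumptions of this example.

```python
import re
from collections import defaultdict

# Excerpt of the showrepl output quoted in the message above, keeping its
# mail-wrapped "failed, result" / "8453 (...)" line pairs.
SAMPLE = """\
Default-First-Site-Name\\SAMBA4-40
==== INBOUND NEIGHBORS ===
CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\\SAMBA4-10 via RPC
DSA object GUID: 7fa7fc88-8d99-4217-b329-7e82324ec084
Last attempt @ Thu Oct 1 10:13:37 2015 AEST was successful
0 consecutive failure(s).
Last success @ Thu Oct 1 10:13:37 2015 AEST
CN=Configuration,DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\\SAMBA4-00 via RPC
DSA object GUID: 56352be2-bdf3-4a54-87a5-1355417519de
Last attempt @ Thu Oct 1 10:13:37 2015 AEST failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
205 consecutive failure(s).
Last success @ Thu Oct 1 10:13:37 2015 AEST
DC=samba4,DC=scem,DC=westernsydney,DC=edu,DC=au
Default-First-Site-Name\\SAMBA4-20 via RPC
DSA object GUID: 21a9f003-e429-4320-81c3-06e995652d11
Last attempt @ Thu Oct 1 10:13:38 2015 AEST failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
205 consecutive failure(s).
Last success @ Thu Oct 1 10:13:38 2015 AEST
==== OUTBOUND NEIGHBORS ===
"""

SECTION = re.compile(r"^==== (.+?) ===")
PARTNER = re.compile(r"^[^\\]+\\(?P<dc>\S+) via RPC$")
RESULT = re.compile(r"failed, result\s+(?P<code>\d+)\s+\((?P<name>\w+)\)")
FAILS = re.compile(r"^(\d+) consecutive failure")
# Both wrap styles seen in the thread: "result\n8453 (...)" and "result 2\n(...)".
WRAP = re.compile(r"(failed, result(?: \d+)?)\s*\n\s*")

def parse_showrepl(text):
    """Return one dict per neighbour entry in a showrepl dump."""
    text = WRAP.sub(r"\1 ", text)  # re-join mail-wrapped result lines
    entries, section, prev, cur = [], None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        sec, peer = SECTION.match(line), PARTNER.match(line)
        if sec:
            section, cur = sec.group(1), None
        elif section and peer:
            # The naming context (partition DN) is the line before the partner line.
            cur = {"section": section, "nc": prev, "partner": peer["dc"],
                   "code": 0, "name": "WERR_OK", "failures": 0, "never_ok": False}
            entries.append(cur)
        elif cur is not None:
            res, fails = RESULT.search(line), FAILS.match(line)
            if res:
                cur["code"], cur["name"] = int(res["code"]), res["name"]
            elif fails:
                cur["failures"] = int(fails.group(1))
            elif line == "Last success @ NTTIME(0)":
                cur["never_ok"] = True  # this link has never replicated
        prev = line
    return entries

def failures_by_partner(entries):
    """Group failing entries as {partner: {error name: [naming contexts]}}."""
    out = defaultdict(lambda: defaultdict(list))
    for e in entries:
        if e["code"] != 0:
            out[e["partner"]][e["name"]].append(e["nc"])
    return {p: dict(v) for p, v in out.items()}

if __name__ == "__main__":
    for partner, errs in failures_by_partner(parse_showrepl(SAMPLE)).items():
        print(partner, {name: len(ncs) for name, ncs in errs.items()})
```

To use it on a live DC, feed it the text of "samba-tool drs showrepl" captured to a file instead of SAMPLE.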
Marc Muehlfeld
2015-Oct-05 08:29 UTC
[Samba] 4th DC Unable to Replicate - WERR_DS_DRA_ACCESS_DENIED
Hello David,
On 01.10.2015 at 02:24, David Minard wrote:
> I don't know if running the domain join again is a good idea, or if
> that will break more stuff....
If the DC has the same name, it should be no problem. samba-tool check
for existing entries and removes them before re-adding. Looks like this
then: https://cpaste.org/p2t5huhmm (Line 8-14).
Two things are to mention about this procedure: After the join, the DC
has a new GUID. This means that you have to remove the old
GUID._msdcs.samdom.example.com DNS record and add the right one (the
latter you have to do anyway when joining a DC at the moment. See
https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins#Resolve_the_objectGUID_CNAME_record_of_the_new_joined_Domain_Controller)
https://wiki.samba.org/index.php/DNS_administration#Delete_a_record_2
shows you how to delete a record.
Of course, you should create a working backup before and do good testing
afterwards! ;-)
Regards,
Marc
mourik jan heupink
2015-Oct-05 08:49 UTC
[Samba] 4th DC Unable to Replicate - WERR_DS_DRA_ACCESS_DENIED
Dear Marc,
On 10/05/2015 10:29 AM, Marc Muehlfeld wrote:
> If the DC has the same name, it should be no problem. samba-tool check
> for existing entries and removes them before re-adding. Looks like this
> then: https://cpaste.org/p2t5huhmm (Line 8-14).
I did not know this. I always thought that we cannot simply re-add a new
dc using an old (previously used) name. Is this new functionality?
MJ
L.P.H. van Belle
2015-Oct-05 09:07 UTC
[Samba] 4th DC Unable to Replicate - WERR_DS_DRA_ACCESS_DENIED
Ai... This is very dangerous..
If you accidentally install a DC with the same name as your DC with FSMO roles, you're big F..d..
Is it an option to add an extra parameter to samba-tool, with something like --override-dc=yes
So that if this happens exit with an error message you're trying to override an existing host and you need to use the extra parameter.
As far as I know, in a pure Windows domain, these settings are not deleted when joined, but correct me if I'm wrong here.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mourik jan heupink
> Sent: Monday 5 October 2015 10:49
> To: samba at lists.samba.org
> Subject: Re: [Samba] 4th DC Unable to Replicate - WERR_DS_DRA_ACCESS_DENIED
>
> Dear Marc,
>
> On 10/05/2015 10:29 AM, Marc Muehlfeld wrote:
> > If the DC has the same name, it should be no problem. samba-tool check
> > for existing entries and removes them before re-adding. Looks like this
> > then: https://cpaste.org/p2t5huhmm (Line 8-14).
> I did not know this. I always thought that we cannot simply re-add a new
> dc using an old (previously used) name. Is this new functionality?
>
> MJ
David Minard
2015-Oct-06 00:48 UTC
[Samba] 4th DC Unable to Replicate - WERR_DS_DRA_ACCESS_DENIED
G'day Marc,
Thanks for the interesting reply - seems to have opened up a can of
worms :-)
I will look into it after I chase one more thing down. I had a
thought over the weekend, now my brain hurts. The new testing DC was
joined (and a production DC as well), at a new site. They are both
exhibiting the same lack of post join replication. My thought was that
there just might be a block on RPC ports on the network there, and as
RPC seems to be the way the replication works, this would do it. The
last time we had this type of problem was over 20 years ago when the
University IT guys decided that RPC traffic should be blocked by
default. We had to ask for this to be changed between all of the
School's subnets - we couldn't map shares across sites!
So, before I try anything "dangerous", I'll see if my hunch is
correct. Once the Uni IT guys allow RPC traffic to/from the new site to
all the School's networks, we'll see how things go.
I'll let the list know how things go.
On 05/10/15 19:29, Marc Muehlfeld wrote:
> Hello David,
>
> On 01.10.2015 at 02:24, David Minard wrote:
>> I don't know if running the domain join again is a good idea, or if
>> that will break more stuff....
> If the DC has the same name, it should be no problem. samba-tool check
> for existing entries and removes them before re-adding. Looks like this
> then: https://cpaste.org/p2t5huhmm (Line 8-14).
>
> Two things are to mention about this procedure: After the join, the DC
> has a new GUID. This means that you have to remove the old
> GUID._msdcs.samdom.example.com DNS record and add the right one (the
> latter you have to do anyway when joining a DC at the moment. See
> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins#Resolve_the_objectGUID_CNAME_record_of_the_new_joined_Domain_Controller)
>
> https://wiki.samba.org/index.php/DNS_administration#Delete_a_record_2
> shows you how to delete a record.
>
>
> Of course, you should create a working backup before and do good testing
> afterwards! ;-)
>
>
> Regards,
> Marc
>
--
Cheers,
David Minard.
Ph: 0247 360 155
Fax: 0247 360 770
School of Computing, Engineering, and Mathematics
Western Sydney University
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC
NSW 1797
[Sometimes waking up just isn't worth the insult of the day to come.]