I just added a Windows Server 2008 R2 to be a backup DC for our Samba 4.4.5
AD/DC, but I am getting an error when trying to manually sync Samba to the
Windows server.
I used the link on the wiki site to make the initial sync, which worked
great:
<https://wiki.samba.org/index.php/Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD>
Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD
Using the internal samba DNS
Any help would be appreciated.
Clay
/usr/local/samba/bin/samba-tool drs replicate w2008r2 dc01 CN=Configuration,DC=dc01,DC=example,DC=com
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[Profiles]"
Processing section "[3333]"
Processing section "[test]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:w2008r2[,seal]
Mapped to DCERPC endpoint 135
added interface eth0 ip=10.0.1.100 bcast=10.0.1.255 netmask=255.255.255.0
added interface eth0 ip=10.0.1.100 bcast=10.0.1.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name w2008r2<0x20>
getlmhostsent: lmhost entry: 10.0.1.100 DC01
getlmhostsent: lmhost entry: 10.0.1.135 W2008R2
Mapped to DCERPC endpoint 49155
added interface eth0 ip=10.0.1.100 bcast=10.0.1.255 netmask=255.255.255.0
added interface eth0 ip=10.0.1.100 bcast=10.0.1.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name w2008r2<0x20>
getlmhostsent: lmhost entry: 10.0.1.100 DC01
getlmhostsent: lmhost entry: 10.0.1.135 W2008R2
Received smb_krb5 packet of length 272
Received smb_krb5 packet of length 1247
Received smb_krb5 packet of length 1258
Received smb_krb5 packet of length 1280
added interface eth0 ip=10.0.1.100 bcast=10.0.1.255 netmask=255.255.255.0
added interface eth0 ip=10.0.1.100 bcast=10.0.1.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name w2008r2<0x20>
getlmhostsent: lmhost entry: 10.0.1.100 DC01
getlmhostsent: lmhost entry: 10.0.1.135 W2008R2
Received smb_krb5 packet of length 1258
Received smb_krb5 packet of length 1280
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync
failed -
drsException: DsReplicaSync failed (8440, 'WERR_DS_DRA_BAD_NC')
File
"/usr/local/samba-4.4.5/lib/python2.7/site-packages/samba/netcmd/drs.py",
line 350, in run
drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,
source_dsa_guid, NC, req_options)
File
"/usr/local/samba-4.4.5/lib/python2.7/site-packages/samba/drs_utils.py",
line 83, in sendDsReplicaSync
raise drsException("DsReplicaSync failed %s" % estr)
We are also getting failures when showing replicas:
/usr/local/samba/bin/samba-tool drs showrepl
Processing section "[sysvol]"
Processing section "[Profiles]"
Processing section "[3333]"
Processing section "[test]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc01.example.lan[,seal]
Mapped to DCERPC endpoint 135
added interface eth0 ip=10.0.1.100 bcast=10.0.1.255 netmask=255.255.255.0
added interface eth0 ip=10.0.1.100 bcast=10.0.1.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dc01.example.lan<0x20>
getlmhostsent: lmhost entry: 10.0.1.100 DC01
getlmhostsent: lmhost entry: 10.0.1.135 W2008R2
Mapped to DCERPC endpoint 1024
added interface eth0 ip=10.0.1.100 bcast=10.0.1.255 netmask=255.255.255.0
added interface eth0 ip=10.0.1.100 bcast=10.0.1.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dc01.example.lan<0x20>
getlmhostsent: lmhost entry: 10.0.1.100 DC01
getlmhostsent: lmhost entry: 10.0.1.135 W2008R2
Received smb_krb5 packet of length 272
Received smb_krb5 packet of length 1247
Received smb_krb5 packet of length 1286
Received smb_krb5 packet of length 1280
added interface eth0 ip=10.0.1.100 bcast=10.0.1.255 netmask=255.255.255.0
added interface eth0 ip=10.0.1.100 bcast=10.0.1.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dc01.example.lan<0x20>
getlmhostsent: lmhost entry: 10.0.1.100 DC01
getlmhostsent: lmhost entry: 10.0.1.135 W2008R2
Received smb_krb5 packet of length 1286
Received smb_krb5 packet of length 1280
Default-First-Site-Name\DC01
DSA Options: 0x00000001
DSA object GUID: 85b9ddd9-887e-41b8-b141-c461477a3c88
DSA invocationId: d99340e4-66cf-4e04-9dfb-e7cb1a950f12
==== INBOUND NEIGHBORS ===
DC=example,DC=lan
Default-First-Site-Name\W2008R2 via RPC
DSA object GUID: 003ee1a3-bcf1-4877-8ebb-f52344853467
Last attempt @ Thu Jan 26 13:10:10 2017 CST failed, result
2 (WERR_BADFILE)
1615 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=example,DC=lan
Default-First-Site-Name\W2008R2 via RPC
DSA object GUID: 003ee1a3-bcf1-4877-8ebb-f52344853467
Last attempt @ Thu Jan 26 13:10:11 2017 CST failed, result
2 (WERR_BADFILE)
1615 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=example,DC=lan
Default-First-Site-Name\W2008R2 via RPC
DSA object GUID: 003ee1a3-bcf1-4877-8ebb-f52344853467
Last attempt @ Thu Jan 26 13:10:11 2017 CST failed, result
2 (WERR_BADFILE)
1615 consecutive failure(s).
Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ===
DC=DomainDnsZones,DC=example,DC=lan
Default-First-Site-Name\W2008R2 via RPC
DSA object GUID: 003ee1a3-bcf1-4877-8ebb-f52344853467
Last attempt @ Thu Jan 26 13:13:49 2017 CST failed, result
2 (WERR_BADFILE)
95944 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=example,DC=lan
Default-First-Site-Name\W2008R2 via RPC
DSA object GUID: 003ee1a3-bcf1-4877-8ebb-f52344853467
Last attempt @ Thu Jan 26 13:13:49 2017 CST failed, result
2 (WERR_BADFILE)
95944 consecutive failure(s).
Last success @ NTTIME(0)
DC=example,DC=lan
Default-First-Site-Name\W2008R2 via RPC
DSA object GUID: 003ee1a3-bcf1-4877-8ebb-f52344853467
Last attempt @ Thu Jan 26 13:13:49 2017 CST failed, result
2 (WERR_BADFILE)
96603 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=example,DC=lan
Default-First-Site-Name\W2008R2 via RPC
DSA object GUID: 003ee1a3-bcf1-4877-8ebb-f52344853467
Last attempt @ Thu Jan 26 13:13:49 2017 CST failed, result
2 (WERR_BADFILE)
96603 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=example,DC=lan
Default-First-Site-Name\W2008R2 via RPC
DSA object GUID: 003ee1a3-bcf1-4877-8ebb-f52344853467
Last attempt @ Thu Jan 26 13:13:50 2017 CST failed, result
2 (WERR_BADFILE)
96603 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ===
Connection --
Connection name: a75c65f9-7468-4bea-bb29-6bb17b5cb75b
Enabled : TRUE
Server DNS name :
Server DN name : CN=NTDS
Settings,CN=W2008R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf
iguration,DC=example,DC=lan
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!