Hai,
Environment, Debian Jessie.
I got reports about pc's unable to login into the samba ad dc domain.
The trust between this workstation and the primary domain failed.
This happend on a win7 and win10 pc.
Now, this is "normaly" easy fixed,by rejoining the pc to the domain
with the domain wizzard in windows.
I noticed this didnt work anymore.
I was running without problem, so what lead to this problem.
installed the needed security updates last friday. ( kernel, bind, no samba
things. )
I was prepering to upgrade to 4.6.3 and did the following.
1) samba-tool dbcheck and a samba-tool dbcheck --fix
--- DC 1 ----
That fixed 4 errors.
i got some others back.
Multple messages with :
CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Policies,CN=System,DC=internal,DC=domain,DC=tld
this part "CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Policies,CN=System"
can be anything, multiple messages.
users/computers.
rebooted the server, resulting in these log messages.
samba logs clean, no errors,
running : samba-tool dbcheck and a samba-tool dbcheck --fix again, fixed
simalar like above. ( 8 errors )
running samba-tool ldapcmp:
samba-tool ldapcmp --filter='whenChanged,dc,cn'
ldap://dc1.internal.domain.tld ldap://dc2.internal.domain.tld
Shows differenced in login timpstamps.
Which can explain the message on the pc's : the trust between this
workstation and the primary domain failed.
Difference in attribute values:
lastLogonTimestamp =>
['131390598670332960']
['131380923051230950']
FAILED
Difference in attribute values:
pwdLastSet =>
['131389578099979510']
['131363450502014640']
FAILED
-------------------------
Now i checked my DC2.
samba-tool dbcheck:
Please use --fix to fix these errors
Checked 852 objects (626 errors)
pff, 626 errors?
mostly things like these below.
STATUS=daemon 'samba' finished starting up and ready to serve
connections
samba: setproctitle not initialized, please either call setproctitle_init() or
link against libbsd-ctor.
[2017/05/15 09:17:32.208909, 0] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
ldb: No objectClass found in replPropertyMetaData for
CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndFound,DC=internal,DC=domain,DC=tld!
[2017/05/15 09:17:32.213955, 0]
../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger)
Failed to commit objects:
WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
[2017/05/15 09:22:32.210006, 0] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
ldb: No objectClass found in replPropertyMetaData for
CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndFound,DC=internal,DC=domain,DC=tld!
[2017/05/15 09:22:32.211300, 0]
../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger)
Failed to commit objects:
WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
[2017/05/15 09:27:32.222921, 0] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
ldb: No objectClass found in replPropertyMetaData for
CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndFound,DC=internal,DC=domain,DC=tld!
[2017/05/15 09:27:32.223286, 0]
../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger)
Failed to commit objects:
WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
Not fixing replPropertyMetaData on
CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Policies,CN=System,DC=internal,DC=domain,DC=tld
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld:
0x00090364
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld:
0x0009030e
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld:
0x000902ee
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld:
0x00090177
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld:
0x0009012e
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld:
0x000900dd
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld:
0x00090092
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld:
0x00090001
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld:
0x00020119
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld:
0x00020002
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld:
0x00020001
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld:
0x0000000d
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld:
0x00000003
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld:
0x00000000
ERROR: unsorted attributeID values in replPropertyMetaData on CN=Windows
Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld
Not fixing replPropertyMetaData on CN=Windows Authorization Access
Group,CN=Builtin,DC=internal,DC=domain,DC=tld
What is the best action here, do a full resync from DC1 to DC2?
Or did i forget something?
Greetz,
Louis
I forgot to mention it involves samba 4.5.8.> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > L.P.H. van Belle via samba > Verzonden: maandag 15 mei 2017 11:40 > Aan: samba at lists.samba.org > Onderwerp: [Samba] Problem samba db / pc - domain trust gone. > > Hai, > > Environment, Debian Jessie. > > > I got reports about pc's unable to login into the samba ad dc domain. > The trust between this workstation and the primary domain failed. > This happend on a win7 and win10 pc. > Now, this is "normaly" easy fixed,by rejoining the pc to the > domain with the domain wizzard in windows. > I noticed this didnt work anymore. > > I was running without problem, so what lead to this problem. > > installed the needed security updates last friday. ( kernel, > bind, no samba things. ) I was prepering to upgrade to 4.6.3 > and did the following. > > 1) samba-tool dbcheck and a samba-tool dbcheck --fix > > --- DC 1 ---- > > That fixed 4 errors. > i got some others back. > Multple messages with : > CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class > Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol > icies,CN=System,DC=internal,DC=domain,DC=tld > this part > "CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class > Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol > icies,CN=System" can be anything, multiple messages. > users/computers. > > rebooted the server, resulting in these log messages. > samba logs clean, no errors, > running : samba-tool dbcheck and a samba-tool dbcheck --fix > again, fixed simalar like above. ( 8 errors ) > > > running samba-tool ldapcmp: > samba-tool ldapcmp --filter='whenChanged,dc,cn' > ldap://dc1.internal.domain.tld ldap://dc2.internal.domain.tld > Shows differenced in login timpstamps. Which can explain the > message on the pc's : the trust between this workstation and > the primary domain failed. > > Difference in attribute values: > lastLogonTimestamp => > ['131390598670332960'] > ['131380923051230950'] > FAILED > > Difference in attribute values: > pwdLastSet => > ['131389578099979510'] > ['131363450502014640'] > FAILED > > > ------------------------- > Now i checked my DC2. > > samba-tool dbcheck: > Please use --fix to fix these errors > Checked 852 objects (626 errors) > > pff, 626 errors? > > mostly things like these below. > > STATUS=daemon 'samba' finished starting up and ready to > serve connections > samba: setproctitle not initialized, please either call > setproctitle_init() or link against libbsd-ctor. > [2017/05/15 09:17:32.208909, 0] > ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug) > ldb: No objectClass found in replPropertyMetaData for > CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF > ound,DC=internal,DC=domain,DC=tld! > > [2017/05/15 09:17:32.213955, 0] > ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_ > source_apply_changes_trigger) > Failed to commit objects: > WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE > [2017/05/15 09:22:32.210006, 0] > ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug) > ldb: No objectClass found in replPropertyMetaData for > CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF > ound,DC=internal,DC=domain,DC=tld! > > [2017/05/15 09:22:32.211300, 0] > ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_ > source_apply_changes_trigger) > Failed to commit objects: > WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE > [2017/05/15 09:27:32.222921, 0] > ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug) > ldb: No objectClass found in replPropertyMetaData for > CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF > ound,DC=internal,DC=domain,DC=tld! > > [2017/05/15 09:27:32.223286, 0] > ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_ > source_apply_changes_trigger) > Failed to commit objects: > WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE > > > Not fixing replPropertyMetaData on > CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class > Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol > icies,CN=System,DC=internal,DC=domain,DC=tld > > CN=Windows Authorization Access > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090364 > CN=Windows Authorization Access > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009030e > CN=Windows Authorization Access > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000902ee > CN=Windows Authorization Access > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090177 > CN=Windows Authorization Access > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009012e > CN=Windows Authorization Access > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000900dd > CN=Windows Authorization Access > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090092 > CN=Windows Authorization Access > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090001 > CN=Windows Authorization Access > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020119 > CN=Windows Authorization Access > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020002 > CN=Windows Authorization Access > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020001 > CN=Windows Authorization Access > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0000000d > CN=Windows Authorization Access > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000003 > CN=Windows Authorization Access > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000000 > ERROR: unsorted attributeID values in replPropertyMetaData on > CN=Windows Authorization Access > Group,CN=Builtin,DC=internal,DC=domain,DC=tld > > Not fixing replPropertyMetaData on CN=Windows Authorization > Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld > > > What is the best action here, do a full resync from DC1 to > DC2? Or did i forget something? > > > Greetz, > > Louis > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Nobody? These are repeating every 5 min on my DC2. No i dont care about the LostAndFound/deleted. [2017/05/15 16:52:32.848035, 0] ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger) Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE [2017/05/15 16:57:32.857425, 0] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug) ldb: No objectClass found in replPropertyMetaData for CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndFound,DC=internal,DC=domain,DC=tld! Im wondering what this is. [2017/05/15 16:57:32.857647, 0] ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger) Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE So any tips? Im out tomorrow, but any info helps thanks. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > L.P.H. van Belle via samba > Verzonden: maandag 15 mei 2017 12:13 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Problem samba db / pc - domain trust gone. > > I forgot to mention it involves samba 4.5.8. > > > -----Oorspronkelijk bericht----- > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens L.P.H. van > > Belle via samba > > Verzonden: maandag 15 mei 2017 11:40 > > Aan: samba at lists.samba.org > > Onderwerp: [Samba] Problem samba db / pc - domain trust gone. > > > > Hai, > > > > Environment, Debian Jessie. > > > > > > I got reports about pc's unable to login into the samba ad > dc domain. > > The trust between this workstation and the primary domain failed. > > This happend on a win7 and win10 pc. > > Now, this is "normaly" easy fixed,by rejoining the pc to the domain > > with the domain wizzard in windows. > > I noticed this didnt work anymore. > > > > I was running without problem, so what lead to this problem. > > > > installed the needed security updates last friday. ( > kernel, bind, no > > samba things. ) I was prepering to upgrade to 4.6.3 and did the > > following. > > > > 1) samba-tool dbcheck and a samba-tool dbcheck --fix > > > > --- DC 1 ---- > > > > That fixed 4 errors. > > i got some others back. > > Multple messages with : > > CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class > > Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol > > icies,CN=System,DC=internal,DC=domain,DC=tld > > this part > > "CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class > > Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol > > icies,CN=System" can be anything, multiple messages. > > users/computers. > > > > rebooted the server, resulting in these log messages. > > samba logs clean, no errors, > > running : samba-tool dbcheck and a samba-tool dbcheck > --fix again, > > fixed simalar like above. ( 8 errors ) > > > > > > running samba-tool ldapcmp: > > samba-tool ldapcmp --filter='whenChanged,dc,cn' > > ldap://dc1.internal.domain.tld ldap://dc2.internal.domain.tld Shows > > differenced in login timpstamps. Which can explain the > message on the > > pc's : the trust between this workstation and the primary domain > > failed. > > > > Difference in attribute values: > > lastLogonTimestamp => > > ['131390598670332960'] > > ['131380923051230950'] > > FAILED > > > > Difference in attribute values: > > pwdLastSet => > > ['131389578099979510'] > > ['131363450502014640'] > > FAILED > > > > > > ------------------------- > > Now i checked my DC2. > > > > samba-tool dbcheck: > > Please use --fix to fix these errors > > Checked 852 objects (626 errors) > > > > pff, 626 errors? > > > > mostly things like these below. > > > > STATUS=daemon 'samba' finished starting up and ready to serve > > connections > > samba: setproctitle not initialized, please either call > > setproctitle_init() or link against libbsd-ctor. > > [2017/05/15 09:17:32.208909, 0] > > ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug) > > ldb: No objectClass found in replPropertyMetaData for > > CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF > > ound,DC=internal,DC=domain,DC=tld! > > > > [2017/05/15 09:17:32.213955, 0] > > ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_ > > source_apply_changes_trigger) > > Failed to commit objects: > > WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE > > [2017/05/15 09:22:32.210006, 0] > > ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug) > > ldb: No objectClass found in replPropertyMetaData for > > CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF > > ound,DC=internal,DC=domain,DC=tld! > > > > [2017/05/15 09:22:32.211300, 0] > > ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_ > > source_apply_changes_trigger) > > Failed to commit objects: > > WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE > > [2017/05/15 09:27:32.222921, 0] > > ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug) > > ldb: No objectClass found in replPropertyMetaData for > > CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF > > ound,DC=internal,DC=domain,DC=tld! > > > > [2017/05/15 09:27:32.223286, 0] > > ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_ > > source_apply_changes_trigger) > > Failed to commit objects: > > WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE > > > > > > Not fixing replPropertyMetaData on > > CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class > > Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol > > icies,CN=System,DC=internal,DC=domain,DC=tld > > > > CN=Windows Authorization Access > > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090364 > CN=Windows > > Authorization Access > > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009030e > CN=Windows > > Authorization Access > > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000902ee > CN=Windows > > Authorization Access > > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090177 > CN=Windows > > Authorization Access > > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009012e > CN=Windows > > Authorization Access > > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000900dd > CN=Windows > > Authorization Access > > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090092 > CN=Windows > > Authorization Access > > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090001 > CN=Windows > > Authorization Access > > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020119 > CN=Windows > > Authorization Access > > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020002 > CN=Windows > > Authorization Access > > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020001 > CN=Windows > > Authorization Access > > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0000000d > CN=Windows > > Authorization Access > > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000003 > CN=Windows > > Authorization Access > > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000000 > > ERROR: unsorted attributeID values in replPropertyMetaData on > > CN=Windows Authorization Access > > Group,CN=Builtin,DC=internal,DC=domain,DC=tld > > > > Not fixing replPropertyMetaData on CN=Windows Authorization Access > > Group,CN=Builtin,DC=internal,DC=domain,DC=tld > > > > > > What is the best action here, do a full resync from DC1 to > DC2? Or did > > i forget something? > > > > > > Greetz, > > > > Louis > > > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Hello Louis, Looks like an unsynced deleted object. Did you try "samba-tool domain tombstones expunge" achim~ Am 15.05.2017 um 17:02 schrieb L.P.H. van Belle via samba:> Nobody? > > > These are repeating every 5 min on my DC2. > No i dont care about the LostAndFound/deleted. > > [2017/05/15 16:52:32.848035, 0] ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger) > Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE > [2017/05/15 16:57:32.857425, 0] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug) > ldb: No objectClass found in replPropertyMetaData for CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndFound,DC=internal,DC=domain,DC=tld! > > Im wondering what this is. > > [2017/05/15 16:57:32.857647, 0] ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger) > Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE > > So any tips? > > Im out tomorrow, but any info helps thanks. > > Greetz, > > Louis > > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens >> L.P.H. van Belle via samba >> Verzonden: maandag 15 mei 2017 12:13 >> Aan: samba at lists.samba.org >> Onderwerp: Re: [Samba] Problem samba db / pc - domain trust gone. >> >> I forgot to mention it involves samba 4.5.8. >> >>> -----Oorspronkelijk bericht----- >>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens L.P.H. van >>> Belle via samba >>> Verzonden: maandag 15 mei 2017 11:40 >>> Aan: samba at lists.samba.org >>> Onderwerp: [Samba] Problem samba db / pc - domain trust gone. >>> >>> Hai, >>> >>> Environment, Debian Jessie. >>> >>> >>> I got reports about pc's unable to login into the samba ad >> dc domain. >>> The trust between this workstation and the primary domain failed. >>> This happend on a win7 and win10 pc. >>> Now, this is "normaly" easy fixed,by rejoining the pc to the domain >>> with the domain wizzard in windows. >>> I noticed this didnt work anymore. >>> >>> I was running without problem, so what lead to this problem. >>> >>> installed the needed security updates last friday. ( >> kernel, bind, no >>> samba things. ) I was prepering to upgrade to 4.6.3 and did the >>> following. >>> >>> 1) samba-tool dbcheck and a samba-tool dbcheck --fix >>> >>> --- DC 1 ---- >>> >>> That fixed 4 errors. >>> i got some others back. >>> Multple messages with : >>> CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class >>> Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol >>> icies,CN=System,DC=internal,DC=domain,DC=tld >>> this part >>> "CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class >>> Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol >>> icies,CN=System" can be anything, multiple messages. >>> users/computers. >>> >>> rebooted the server, resulting in these log messages. >>> samba logs clean, no errors, >>> running : samba-tool dbcheck and a samba-tool dbcheck >> --fix again, >>> fixed simalar like above. ( 8 errors ) >>> >>> >>> running samba-tool ldapcmp: >>> samba-tool ldapcmp --filter='whenChanged,dc,cn' >>> ldap://dc1.internal.domain.tld ldap://dc2.internal.domain.tld Shows >>> differenced in login timpstamps. Which can explain the >> message on the >>> pc's : the trust between this workstation and the primary domain >>> failed. >>> >>> Difference in attribute values: >>> lastLogonTimestamp => >>> ['131390598670332960'] >>> ['131380923051230950'] >>> FAILED >>> >>> Difference in attribute values: >>> pwdLastSet => >>> ['131389578099979510'] >>> ['131363450502014640'] >>> FAILED >>> >>> >>> ------------------------- >>> Now i checked my DC2. >>> >>> samba-tool dbcheck: >>> Please use --fix to fix these errors >>> Checked 852 objects (626 errors) >>> >>> pff, 626 errors? >>> >>> mostly things like these below. >>> >>> STATUS=daemon 'samba' finished starting up and ready to serve >>> connections >>> samba: setproctitle not initialized, please either call >>> setproctitle_init() or link against libbsd-ctor. >>> [2017/05/15 09:17:32.208909, 0] >>> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug) >>> ldb: No objectClass found in replPropertyMetaData for >>> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF >>> ound,DC=internal,DC=domain,DC=tld! >>> >>> [2017/05/15 09:17:32.213955, 0] >>> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_ >>> source_apply_changes_trigger) >>> Failed to commit objects: >>> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE >>> [2017/05/15 09:22:32.210006, 0] >>> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug) >>> ldb: No objectClass found in replPropertyMetaData for >>> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF >>> ound,DC=internal,DC=domain,DC=tld! >>> >>> [2017/05/15 09:22:32.211300, 0] >>> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_ >>> source_apply_changes_trigger) >>> Failed to commit objects: >>> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE >>> [2017/05/15 09:27:32.222921, 0] >>> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug) >>> ldb: No objectClass found in replPropertyMetaData for >>> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF >>> ound,DC=internal,DC=domain,DC=tld! >>> >>> [2017/05/15 09:27:32.223286, 0] >>> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_ >>> source_apply_changes_trigger) >>> Failed to commit objects: >>> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE >>> >>> >>> Not fixing replPropertyMetaData on >>> CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class >>> Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol >>> icies,CN=System,DC=internal,DC=domain,DC=tld >>> >>> CN=Windows Authorization Access >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090364 >> CN=Windows >>> Authorization Access >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009030e >> CN=Windows >>> Authorization Access >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000902ee >> CN=Windows >>> Authorization Access >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090177 >> CN=Windows >>> Authorization Access >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009012e >> CN=Windows >>> Authorization Access >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000900dd >> CN=Windows >>> Authorization Access >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090092 >> CN=Windows >>> Authorization Access >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090001 >> CN=Windows >>> Authorization Access >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020119 >> CN=Windows >>> Authorization Access >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020002 >> CN=Windows >>> Authorization Access >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020001 >> CN=Windows >>> Authorization Access >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0000000d >> CN=Windows >>> Authorization Access >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000003 >> CN=Windows >>> Authorization Access >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000000 >>> ERROR: unsorted attributeID values in replPropertyMetaData on >>> CN=Windows Authorization Access >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld >>> >>> Not fixing replPropertyMetaData on CN=Windows Authorization Access >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld >>> >>> >>> What is the best action here, do a full resync from DC1 to >> DC2? Or did >>> i forget something? >>> >>> >>> Greetz, >>> >>> Louis >>> >>> >>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> >>> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >> >
L.P.H. van Belle
2017-May-19 06:50 UTC
[Samba] Problem samba db / pc - domain trust gone. (solved)
Hai,
Thanks, (sorry for the late reply).
Tried that on both server, 0 tumbstones..
Now running : on DC1.
samba-tool dbcheck
Please use --fix to fix these errors
Checked 863 objects (4 errors)
samba-tool drs showrepl
0 errors
Now running : on DC2
samba-tool dbcheck
Please use --fix to fix these errors
Checked 835 objects (608 errors)
samba-tool drs showrepl
Only this one shows errors. But a lot.
Default-First-Site-Name\RTD-DC1 via RPC
DSA object GUID: 1abcder-f4ck-46af-9dcf-561234556789
Last attempt @ Thu May 18 16:52:39 2017 CEST failed, result 58
(WERR_BAD_NET_RESP)
2574 consecutive failure(s).
Last success @ Wed May 10 10:48:14 2017 CEST
I fixed it by on DC1 :
runnning: samba-tool dbcheck --fix
do a full re-sync from dc1 to dc2.
samba-tool drs replicate dc2 dc1 DC=internal,DC=domain,DC=tld --full-sync
Resulting in 0 errors, and no more pc's that are dropping out of my network.
Just to bad i didnt find where this was comming from.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Achim Gottinger via samba
> Verzonden: maandag 15 mei 2017 17:55
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Problem samba db / pc - domain trust gone.
>
> Hello Louis,
>
> Looks like an unsynced deleted object.
>
> Did you try "samba-tool domain tombstones expunge"
>
> achim~
>
>
> Am 15.05.2017 um 17:02 schrieb L.P.H. van Belle via samba:
> > Nobody?
> >
> >
> > These are repeating every 5 min on my DC2.
> > No i dont care about the LostAndFound/deleted.
> >
> > [2017/05/15 16:52:32.848035, 0]
> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> source_apply_changes_trigger)
> > Failed to commit objects:
> > WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> > [2017/05/15 16:57:32.857425, 0]
> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> > ldb: No objectClass found in replPropertyMetaData for
> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
> ound,DC=internal,DC=domain,DC=tld!
> >
> > Im wondering what this is.
> >
> > [2017/05/15 16:57:32.857647, 0]
> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> source_apply_changes_trigger)
> > Failed to commit objects:
> > WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> >
> > So any tips?
> >
> > Im out tomorrow, but any info helps thanks.
> >
> > Greetz,
> >
> > Louis
> >
> >
> >> -----Oorspronkelijk bericht-----
> >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> L.P.H. van
> >> Belle via samba
> >> Verzonden: maandag 15 mei 2017 12:13
> >> Aan: samba at lists.samba.org
> >> Onderwerp: Re: [Samba] Problem samba db / pc - domain trust gone.
> >>
> >> I forgot to mention it involves samba 4.5.8.
> >>
> >>> -----Oorspronkelijk bericht-----
> >>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> L.P.H. van
> >>> Belle via samba
> >>> Verzonden: maandag 15 mei 2017 11:40
> >>> Aan: samba at lists.samba.org
> >>> Onderwerp: [Samba] Problem samba db / pc - domain trust gone.
> >>>
> >>> Hai,
> >>>
> >>> Environment, Debian Jessie.
> >>>
> >>>
> >>> I got reports about pc's unable to login into the samba ad
> >> dc domain.
> >>> The trust between this workstation and the primary domain
failed.
> >>> This happend on a win7 and win10 pc.
> >>> Now, this is "normaly" easy fixed,by rejoining the
pc to
> the domain
> >>> with the domain wizzard in windows.
> >>> I noticed this didnt work anymore.
> >>>
> >>> I was running without problem, so what lead to this problem.
> >>>
> >>> installed the needed security updates last friday. (
> >> kernel, bind, no
> >>> samba things. ) I was prepering to upgrade to 4.6.3 and did
the
> >>> following.
> >>>
> >>> 1) samba-tool dbcheck and a samba-tool dbcheck --fix
> >>>
> >>> --- DC 1 ----
> >>>
> >>> That fixed 4 errors.
> >>> i got some others back.
> >>> Multple messages with :
> >>> CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
> >>> Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol
> >>> icies,CN=System,DC=internal,DC=domain,DC=tld
> >>> this part
> >>>
"CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
> >>> Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol
> >>> icies,CN=System" can be anything, multiple messages.
> >>> users/computers.
> >>>
> >>> rebooted the server, resulting in these log messages.
> >>> samba logs clean, no errors,
> >>> running : samba-tool dbcheck and a samba-tool dbcheck
> >> --fix again,
> >>> fixed simalar like above. ( 8 errors )
> >>>
> >>>
> >>> running samba-tool ldapcmp:
> >>> samba-tool ldapcmp --filter='whenChanged,dc,cn'
> >>> ldap://dc1.internal.domain.tld
> ldap://dc2.internal.domain.tld Shows
> >>> differenced in login timpstamps. Which can explain the
> >> message on the
> >>> pc's : the trust between this workstation and the primary
domain
> >>> failed.
> >>>
> >>> Difference in attribute values:
> >>> lastLogonTimestamp =>
> >>> ['131390598670332960']
> >>> ['131380923051230950']
> >>> FAILED
> >>>
> >>> Difference in attribute values:
> >>> pwdLastSet =>
> >>> ['131389578099979510']
> >>> ['131363450502014640']
> >>> FAILED
> >>>
> >>>
> >>> -------------------------
> >>> Now i checked my DC2.
> >>>
> >>> samba-tool dbcheck:
> >>> Please use --fix to fix these errors Checked 852 objects (626
> >>> errors)
> >>>
> >>> pff, 626 errors?
> >>>
> >>> mostly things like these below.
> >>>
> >>> STATUS=daemon 'samba' finished starting up and
ready to serve
> >>> connections
> >>> samba: setproctitle not initialized, please either call
> >>> setproctitle_init() or link against libbsd-ctor.
> >>> [2017/05/15 09:17:32.208909, 0]
> >>> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> >>> ldb: No objectClass found in replPropertyMetaData for
> >>> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
> >>> ound,DC=internal,DC=domain,DC=tld!
> >>>
> >>> [2017/05/15 09:17:32.213955, 0]
> >>> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> >>> source_apply_changes_trigger)
> >>> Failed to commit objects:
> >>> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> >>> [2017/05/15 09:22:32.210006, 0]
> >>> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> >>> ldb: No objectClass found in replPropertyMetaData for
> >>> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
> >>> ound,DC=internal,DC=domain,DC=tld!
> >>>
> >>> [2017/05/15 09:22:32.211300, 0]
> >>> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> >>> source_apply_changes_trigger)
> >>> Failed to commit objects:
> >>> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> >>> [2017/05/15 09:27:32.222921, 0]
> >>> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> >>> ldb: No objectClass found in replPropertyMetaData for
> >>> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
> >>> ound,DC=internal,DC=domain,DC=tld!
> >>>
> >>> [2017/05/15 09:27:32.223286, 0]
> >>> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> >>> source_apply_changes_trigger)
> >>> Failed to commit objects:
> >>> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> >>>
> >>>
> >>> Not fixing replPropertyMetaData on
> >>> CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
> >>> Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol
> >>> icies,CN=System,DC=internal,DC=domain,DC=tld
> >>>
> >>> CN=Windows Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090364
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009030e
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000902ee
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090177
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009012e
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000900dd
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090092
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090001
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020119
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020002
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020001
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0000000d
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000003
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000000
> >>> ERROR: unsorted attributeID values in replPropertyMetaData on
> >>> CN=Windows Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld
> >>>
> >>> Not fixing replPropertyMetaData on CN=Windows
> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld
> >>>
> >>>
> >>> What is the best action here, do a full resync from DC1 to
> >> DC2? Or did
> >>> i forget something?
> >>>
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>
> >>>
> >>> --
> >>> To unsubscribe from this list go to the following URL and read
the
> >>> instructions: https://lists.samba.org/mailman/options/samba
> >>>
> >>>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> >>
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>