adam_xu at adagene.com.cn
2018-Feb-08 17:01 UTC
[Samba] Bad DSA objectGUID ed8970e5-84cc-43dd-89f1-4af8d6ab675a for sid S-1-5-21-570971082-1333357699-3675202899-1375
Hello,I'm using samba ad dc about a year. I have 2 DCs, One is DC1 with FSMO
role. And another is DC2.
there's a error in DC1 when i use dbcheck tool. And samba-tool
dbcheck --cross-ncs--fix can't fix that. And I made a big mistake !
In DC2 I use "tdbbackup -s .bak
/var/lib/samba/private/sam.ldb" create a bak file. and using that bak file
replace the sam.ldb file in DC1 without any backup.
Now , I saw the errors in DC1:
Feb 08 22:06:04 dc1.adagene.cn samba[32137]: UpdateRefs failed with
WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for
ed8970e5-84cc-43dd-89f1-4af8d6ab675a._msdcs.adagene.cn DC=adagene,DC=cn
Feb 08 22:06:04 dc1.adagene.cn samba[32129]: [2018/02/08 22:06:04.078274, 0]
../source4/dsdb/common/util.c:4825(dsdb_validate_dsa_guid)
Feb 08 22:06:04 dc1.adagene.cn samba[32129]:
../source4/dsdb/common/util.c:4825: Bad DSA objectGUID
ed8970e5-84cc-43dd-89f1-4af8d6ab675a for sid
S-1-5-21-570971082-1333357699-3675202899-1375 - expected sid
S-1-5-21-570971082-1333357699-3675202899-1689
Feb 08 22:06:04 dc1.adagene.cn samba[32129]: [2018/02/08 22:06:04.078367, 0]
../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
Feb 08 22:06:04 dc1.adagene.cn samba[32129]:
../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for
sid S-1-5-21-570971082-1333357699-3675202899-1375 with GUID
ed8970e5-84cc-43dd-89f1-4af8d6ab675a
Feb 08 22:06:04 dc1.adagene.cn samba[32137]: [2018/02/08 22:06:04.078521, 0]
../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
Feb 08 22:06:04 dc1.adagene.cn samba[32137]: UpdateRefs failed with
WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for
ed8970e5-84cc-43dd-89f1-4af8d6ab675a._msdcs.adagene.cn
CN=Configuration,DC=adagene,DC=cn
Feb 08 22:07:00 dc1.adagene.cn samba[32129]: [2018/02/08 22:07:00.803258, 0]
../source4/rpc_server/drsuapi/writespn.c:238(dcesrv_drsuapi_DsWriteAccountSpn)
the sid S-1-5-21-570971082-1333357699-3675202899-1375 should be DC1 and
sid S-1-5-21-570971082-1333357699-3675202899-1689 should be DC2.
The Directory Replication failed and when I ping dc1.adagene.cn or
dc2.adagene.cn in the DC1 host, the same IP address of the DC1 is retruned.
when I run the command below in DC1:
# ldbsearch -H sam.ldb '(invocationId=*)' --cross-ncs objectguid
it returns:
# record 1
dn: CN=NTDS
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=adagene,DC=cn
objectGUID: 99804022-ab9e-4c0a-921b-f6f13b6da4c8
# record 2
dn: CN=NTDS
Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=adagene,DC=cn
objectGUID: ed8970e5-84cc-43dd-89f1-4af8d6ab675a
the result is the same in DC2.
How can I fix these errors.
Thank you.
yours Adam
Andrew Bartlett
2018-Feb-08 22:51 UTC
[Samba] Bad DSA objectGUID ed8970e5-84cc-43dd-89f1-4af8d6ab675a for sid S-1-5-21-570971082-1333357699-3675202899-1375
On Fri, 2018-02-09 at 01:01 +0800, adam_xu--- via samba wrote:> Hello,I'm using samba ad dc about a year. I have 2 DCs, One is DC1 with FSMO role. And another is DC2. > there's a error in DC1 when i use dbcheck tool. And samba-tool dbcheck --cross-ncs--fix can't fix that. And I made a big mistake ! > In DC2 I use "tdbbackup -s .bak /var/lib/samba/private/sam.ldb" create a bak file. and using that bak file replace the sam.ldb file in DC1 without any backup. > Now , I saw the errors in DC1: > > Feb 08 22:06:04 dc1.adagene.cn samba[32137]: UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for ed8970e5-84cc-43dd-89f1-4af8d6ab675a._msdcs.adagene.cn DC=adagene,DC=cn > Feb 08 22:06:04 dc1.adagene.cn samba[32129]: [2018/02/08 22:06:04.078274, 0] ../source4/dsdb/common/util.c:4825(dsdb_validate_dsa_guid) > Feb 08 22:06:04 dc1.adagene.cn samba[32129]: ../source4/dsdb/common/util.c:4825: Bad DSA objectGUID ed8970e5-84cc-43dd-89f1-4af8d6ab675a for sid S-1-5-21-570971082-1333357699-3675202899-1375 - expected sid S-1-5-21-570971082-1333357699-3675202899-1689 > Feb 08 22:06:04 dc1.adagene.cn samba[32129]: [2018/02/08 22:06:04.078367, 0] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs) > Feb 08 22:06:04 dc1.adagene.cn samba[32129]: ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-570971082-1333357699-3675202899-1375 with GUID ed8970e5-84cc-43dd-89f1-4af8d6ab675a > Feb 08 22:06:04 dc1.adagene.cn samba[32137]: [2018/02/08 22:06:04.078521, 0] ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done) > Feb 08 22:06:04 dc1.adagene.cn samba[32137]: UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for ed8970e5-84cc-43dd-89f1-4af8d6ab675a._msdcs.adagene.cn CN=Configuration,DC=adagene,DC=cn > Feb 08 22:07:00 dc1.adagene.cn samba[32129]: [2018/02/08 22:07:00.803258, 0] ../source4/rpc_server/drsuapi/writespn.c:238(dcesrv_drsuapi_DsWriteAccountSpn) > > the sid S-1-5-21-570971082-1333357699-3675202899-1375 should be DC1 and sid S-1-5-21-570971082-1333357699-3675202899-1689 should be DC2. > The Directory Replication failed and when I ping dc1.adagene.cn or dc2.adagene.cn in the DC1 host, the same IP address of the DC1 is retruned. > > when I run the command below in DC1: > # ldbsearch -H sam.ldb '(invocationId=*)' --cross-ncs objectguid > > it returns: > # record 1 > dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=adagene,DC=cn > objectGUID: 99804022-ab9e-4c0a-921b-f6f13b6da4c8 > > # record 2 > dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=adagene,DC=cn > objectGUID: ed8970e5-84cc-43dd-89f1-4af8d6ab675a > > the result is the same in DC2. > > How can I fix these errors. > Thank you.Is there any reason you can't just rejoin DC1 from DC2? You may wish to steal the FSMO roles across first. The background is that along with metadata that is generally consistent, the sam.ldb file contains this record: dn: @ROOTDSE configurationNamingContext: CN=Configuration,DC=addom,DC=samba,DC=example,DC=c om defaultNamingContext: DC=addom,DC=samba,DC=example,DC=com rootDomainNamingContext: DC=addom,DC=samba,DC=example,DC=com schemaNamingContext: CN=Schema,CN=Configuration,DC=addom,DC=samba,DC=example,D C=com subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=addom,DC=samba,D C=example,DC=com supportedCapabilities: 1.2.840.113556.1.4.800 supportedCapabilities: 1.2.840.113556.1.4.1670 supportedCapabilities: 1.2.840.113556.1.4.1791 supportedCapabilities: 1.2.840.113556.1.4.1935 supportedCapabilities: 1.2.840.113556.1.4.2080 supportedLDAPVersion: 2 supportedLDAPVersion: 3 vendorName: Samba Team (https://www.samba.org) isSynchronized: TRUE dsServiceName: <GUID=3ea98d77-60b4-4405-b11d-26ccb1c798c4> The last value dsServiceName contains the GUID of the DC's own record, and the mixup is why things are not happy. I hope this clarifies things, Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
adam_xu at adagene.com.cn
2018-Feb-09 06:57 UTC
[Samba] Bad DSA objectGUID ed8970e5-84cc-43dd-89f1-4af8d6ab675a for sid S-1-5-21-570971082-1333357699-3675202899-1375
Andrew Bartlett, samba
Think you for your reply.
I know the process to resovle the problem now. first ,I need
transferring and Seizing FSMO Roles to DC2 and then demoting DC1. After that ,I
join the DC1 from DC2 with the fsmo role to the domain again. Right?
Is there any other method that I can edit the sam.ldb file directly and
add the dsServiceName entry of the DC1?
yours Adam
From: Andrew Bartlett
Date: 2018-02-09 06:51
To: adam_xu at adagene.com.cn; samba
Subject: Re: [Samba] Bad DSA objectGUID ed8970e5-84cc-43dd-89f1-4af8d6ab675a for
sid S-1-5-21-570971082-1333357699-3675202899-1375
On Fri, 2018-02-09 at 01:01 +0800, adam_xu--- via samba
wrote:> Hello,I'm using samba ad dc about a year. I have 2 DCs, One is DC1 with
FSMO role. And another is DC2.
> there's a error in DC1 when i use dbcheck tool. And samba-tool
dbcheck --cross-ncs--fix can't fix that. And I made a big mistake !
> In DC2 I use "tdbbackup -s .bak
/var/lib/samba/private/sam.ldb" create a bak file. and using that bak file
replace the sam.ldb file in DC1 without any backup.
> Now , I saw the errors in DC1:
>
> Feb 08 22:06:04 dc1.adagene.cn samba[32137]: UpdateRefs failed with
WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for
ed8970e5-84cc-43dd-89f1-4af8d6ab675a._msdcs.adagene.cn DC=adagene,DC=cn
> Feb 08 22:06:04 dc1.adagene.cn samba[32129]: [2018/02/08 22:06:04.078274,
0] ../source4/dsdb/common/util.c:4825(dsdb_validate_dsa_guid)
> Feb 08 22:06:04 dc1.adagene.cn samba[32129]:
../source4/dsdb/common/util.c:4825: Bad DSA objectGUID
ed8970e5-84cc-43dd-89f1-4af8d6ab675a for sid
S-1-5-21-570971082-1333357699-3675202899-1375 - expected sid
S-1-5-21-570971082-1333357699-3675202899-1689
> Feb 08 22:06:04 dc1.adagene.cn samba[32129]: [2018/02/08 22:06:04.078367,
0]
../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
> Feb 08 22:06:04 dc1.adagene.cn samba[32129]:
../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for
sid S-1-5-21-570971082-1333357699-3675202899-1375 with GUID
ed8970e5-84cc-43dd-89f1-4af8d6ab675a
> Feb 08 22:06:04 dc1.adagene.cn samba[32137]: [2018/02/08 22:06:04.078521,
0] ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
> Feb 08 22:06:04 dc1.adagene.cn samba[32137]: UpdateRefs failed with
WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for
ed8970e5-84cc-43dd-89f1-4af8d6ab675a._msdcs.adagene.cn
CN=Configuration,DC=adagene,DC=cn
> Feb 08 22:07:00 dc1.adagene.cn samba[32129]: [2018/02/08 22:07:00.803258,
0]
../source4/rpc_server/drsuapi/writespn.c:238(dcesrv_drsuapi_DsWriteAccountSpn)
>
> the sid S-1-5-21-570971082-1333357699-3675202899-1375 should be DC1
and sid S-1-5-21-570971082-1333357699-3675202899-1689 should be DC2.
> The Directory Replication failed and when I ping dc1.adagene.cn or
dc2.adagene.cn in the DC1 host, the same IP address of the DC1 is retruned.
>
> when I run the command below in DC1:
> # ldbsearch -H sam.ldb '(invocationId=*)' --cross-ncs objectguid
>
> it returns:
> # record 1
> dn: CN=NTDS
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=adagene,DC=cn
> objectGUID: 99804022-ab9e-4c0a-921b-f6f13b6da4c8
>
> # record 2
> dn: CN=NTDS
Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=adagene,DC=cn
> objectGUID: ed8970e5-84cc-43dd-89f1-4af8d6ab675a
>
> the result is the same in DC2.
>
> How can I fix these errors.
> Thank you.
Is there any reason you can't just rejoin DC1 from DC2? You may wish
to steal the FSMO roles across first.
The background is that along with metadata that is generally
consistent, the sam.ldb file contains this record:
dn: @ROOTDSE
configurationNamingContext:
CN=Configuration,DC=addom,DC=samba,DC=example,DC=c
om
defaultNamingContext: DC=addom,DC=samba,DC=example,DC=com
rootDomainNamingContext: DC=addom,DC=samba,DC=example,DC=com
schemaNamingContext:
CN=Schema,CN=Configuration,DC=addom,DC=samba,DC=example,D
C=com
subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=addom,DC=samba,D
C=example,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Samba Team (https://www.samba.org)
isSynchronized: TRUE
dsServiceName: <GUID=3ea98d77-60b4-4405-b11d-26ccb1c798c4>
The last value dsServiceName contains the GUID of the DC's own record,
and the mixup is why things are not happy.
I hope this clarifies things,
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
Seemingly Similar Threads
- Bad DSA objectGUID ed8970e5-84cc-43dd-89f1-4af8d6ab675a for sid S-1-5-21-570971082-1333357699-3675202899-1375
- Bad DSA objectGUID ed8970e5-84cc-43dd-89f1-4af8d6ab675a for sid S-1-5-21-570971082-1333357699-3675202899-1375
- A db error that dbcheck tool can't fix
- classic upgrade error "uncaught exception - Unable to add sam account 'guest', "
- A db error that dbcheck tool can't fix