Dr. Johannes-Ulrich Menzebach
2018-Jan-16 18:52 UTC
[Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
Heinz,

I had exactly the same problem, and used ldbedit to apply the fix.
Thanks for digging into this!

Now I'm interested in the root cause as well ...

Uli

On 16.01.2018 at 16:48, Heinz Hölzl via samba wrote:
> no, it seems to work!!!
>
>
> i did a ldapmodify on DC2:
>
> ldapmodify -x -h dc2 -D cn=administrator,cn=users,dc=test,dc=net -W -f
> serverReference.ldif
>
> serverReference.ldif:
> dn: CN=SAMBA3,CN=Servers,CN=Default-First-
> SiteName,CN=Sites,CN=Configuration,DC=test,DC=net
> changetype: modify
> add: serverReference
> serverReference: CN=SAMBA3,OU=Domain Controllers,DC=test,DC=net
> -
>
>
> now the question:
> Why was the attribute serverReference missing on DC2 after the join?
>
> Is it a bug?
>
>
>
>
> On Tuesday, 16.01.2018, 14:54 +0000, Heinz Hölzl via samba wrote:
>> Hi,
>>
>> there is no firewall, all DCs are in the same subnet.
>>
>> here is the output of a test, you can see, the CNAME guid entries in
>> the _msdcs can be resolved on any DC: (DC1 and DC2 are the first and
>> second DCs, SAMBA3 was added at last.
>>
>> ldbsearch -H /srv/samba/private/sam.ldb '(invocationId=*)' --cross-
>> ncs
>> objectguid
>> # record 1
>> dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=test,DC=net
>> objectGUID: 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f
>>
>> # record 2
>> dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=test,DC=net
>> objectGUID: 9ec652b4-146c-4ff1-babe-5abe291325be
>>
>> # record 3
>> dn: CN=NTDS Settings,CN=SAMBA3,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=test,DC=net
>> objectGUID: c01a335e-1794-4997-9c7e-553be77fba04
>>
>> # returned 3 records
>> # 3 entries
>> # 0 referrals
>>
>> host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net
>> DC1
>> 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for
>> dc2.test.net.
>>
>> host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net
>> DC2
>> 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for
>> dc2.test.net.
>>
>> host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net
>> SAMBA3
>> 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for
>> dc2.test.net.
>>
>> host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net
>> DC1
>> 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for
>> dc1.test.net.
>>
>> host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net
>> DC2
>> 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for
>> dc1.test.net.
>>
>> host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net
>> SAMBA3
>> 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for
>> dc1.test.net.
>>
>> host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net
>> DC1
>> c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for
>> SAMBA3.test.net.
>>
>> host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net
>> DC2
>> c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for
>> SAMBA3.test.net.
>>
>> host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net
>> SAMBA3
>> c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for
>> SAMBA3.test.net.
>>
>>
>> On Tuesday, 16.01.2018, 12:10 +0100, Denis Cardon wrote:
>>> Hi Heinz,
>>>
>>>> i have the same problem on samba 4.7.3 and 4.7.4.
>>>> I start with 2 DCs and the sync works fine. After the join of a
>>>> third
>>>> DC mostly i get the WERR_DS_DRA_ACCESS_DENIED. I tested it for 10
>>>> times.
>>>>
>>>> in my case i have:
>>>> DC1 (with any FSMO Roles)
>>>> DC2
>>>>
>>>> new join as DC:
>>>> DC3
>>>>
>>>> After the join, the sync from DC2 to DC3 fails.
>>>>
>>>> samba-tool drs replicate dc2 dc1 dc=gvcc,dc=net : OK
>>>> samba-tool drs replicate dc1 dc2 dc=gvcc,dc=net : OK
>>>> samba-tool drs replicate dc2 dc3 dc=gvcc,dc=net : OK
>>>> samba-tool drs replicate dc1 dc3 dc=gvcc,dc=net : OK
>>>> samba-tool drs replicate dc3 dc1 dc=gvcc,dc=net : OK
>>>> samba-tool drs replicate dc3 dc2 dc=gvcc,dc=net : NOT OK
>>> like Rowland pointed you earlier, it is often an issue with missing
>>> DNS
>>> entries. Be sure to check that samba_dnsupdate on both servers is
>>> happy,
>>> especially with the CNAME guid entries in the _msdcs zone.
>>>
>>> Another case I saw was that firewall had not been disabled (or at
>>> least
>>> the port opening was not done right).
>>>
>>> Cheers,
>>>
>>> Denis
>>>
>>>>
>>>>
>>>> p.s. DC3 is a new server which never was a member in the ADS.
>>>>
>>>>
>>>> regards,
>>>> heinz
>>>>
>>>> On Wednesday, 27.12.2017, 14:44 +0100, Dr. Johannes-Ulrich Menzebach via samba wrote:
>>>>> Rowland,
>>>>>
>>>>> - the DN "CN=DCNH1,..." exists on all 3 DCs (pointing the Sites
>>>>> and
>>>>> Services console to each of them).
>>>>> - I also checked that "samba-tool dbcheck" completes w/o
>>>>> showing
>>>>> errors.
>>>>> - the objectGUID DNS aliases of all DCs are resolvable against
>>>>> all 3
>>>>> DCs' builtin DNS
>>>>> - I forced a full sync from the FSMO holder (dcge1) to the 2
>>>>> other
>>>>> DCs
>>>>> which finished w/o errors.
>>>>> - after that, sync and also full sync dcdo1-->dcnh1 failed
>>>>> exactly
>>>>> as
>>>>> earlier.
>>>>>
>>>>> I'm wondering whether this is related to
>>>>> https://bugzilla.samba.org/show_bug.cgi?id=12972 , however I'm
>>>>> running
>>>>> 4.7.4 and the domain had been created under 4.7.3 (based on the
>>>>> Samba
>>>>> Wiki). Apart from the sync issue I'm VERY happy with Samba4/AD.
>>>>>
>>>>> Many thanks,
>>>>>
>>>>> Uli
>>>>>
>>>>>
>>>>>
>>>>> On 12/27/2017 01:29 PM, Rowland Penny via samba wrote:
>>>>>> On Wed, 27 Dec 2017 13:00:05 +0100
>>>>>> "Dr.
>>>>>> Johannes-Ulrich Menzebach via samba" <samba at lists.samba.
>>>>>> or
>>>>>> g>
>>>>>> wrote:
>>>>>>
>>>>>>> There is additional info in the logs of the source DC
>>>>>>> (dcdo1,
>>>>>>> log
>>>>>>> level 2, manually triggered another replication):
>>>>>>> ===================
>>>>>>> [2017/12/27 12:31:29.695121, 2]
>>>>>>> ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchan
>>>>>>> ge
>>>>>>> s_co
>>>>>>> llect_objects)
>>>>>>> ../source4/rpc_server/drsuapi/getncchanges.c:1731:
>>>>>>> getncchanges on
>>>>>>> DC=ad,DC=kdu,DC=com using filter (uSNChanged>=5415)
>>>>>>> [2017/12/27 12:31:29.698828, 2]
>>>>>>> ../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_dr
>>>>>>> su
>>>>>>> api_
>>>>>>> DsGetNCChanges)
>>>>>>> DsGetNCChanges with uSNChanged >= 5415 flags 0x80000064
>>>>>>> on
>>>>>>> <GUID=141bbe37-5eda-42b8-b904-0b75e26b1e2d>;<SID=S-1-5-21-
>>>>>>> 454945863-777199239-1595221609>;DC=ad,DC=kdu,DC=com
>>>>>>> gave 0 objects (done 0/0) 0 links (done 0/0 (as
>>>>>>> S-1-5-21-454945863-777199239-1595221609-1112))
>>>>>>> [2017/12/27 12:31:29.733157, 1]
>>>>>>> ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
>>>>>>> ../source4/dsdb/common/util.c:4807: Failed to find
>>>>>>> account dn
>>>>>>> (serverReference) for
>>>>>>> CN=DCNH1,CN=Servers,CN=Default-First-Site-
>>>>>>> Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com,
>>>>>>> parent of DSA with objectGUID 0acce4bc-1193-4609-8e4d-
>>>>>>> a0771bb6fb76,
>>>>>>> sid S-1-5-21-454945863-777199239-1595221609-1112
>>>>>>> [2017/12/27 12:31:29.733198, 0]
>>>>>>> ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsua
>>>>>>> pi
>>>>>>> _DsR
>>>>>>> eplicaUpdateRefs)
>>>>>>> ../source4/rpc_server/drsuapi/updaterefs.c:374:
>>>>>>> Refusing
>>>>>>> DsReplicaUpdateRefs for sid
>>>>>>> S-1-5-21-454945863-777199239-1595221609-1112 with GUID
>>>>>>> 0acce4bc-1193-4609-8e4d-a0771bb6fb76
>>>>>>>
>>>>>>> According to what I see in the "Sites and Services" RSAT
>>>>>>> console
>>>>>>> the
>>>>>>> DN
>>>>>>> for
>>>>>>> CN=DCNH1,CN=Servers,CN=Default-First-Site-
>>>>>>> Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com
>>>>>>> seems to exist.
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Uli
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 12/27/2017 09:59 AM, Dr. Johannes-Ulrich Menzebach via
>>>>>>> samba
>>>>>>> wrote:
>>>>>>>> We have 3 ADCs based on Samba-4.7.4 (compiled from
>>>>>>>> source,internal
>>>>>>>> DNS)/ CentOS7: dcdo1,dcnh1 and dcge1. dcge1 holds all
>>>>>>>> FSMO
>>>>>>>> roles.
>>>>>>>> The 3 ADCs are on different locations connected via IPSec
>>>>>>>> based
>>>>>>>> VPN. No traffic is filtered out.
>>>>>>>>
>>>>>>>> All 3 ADCs replicate fine except dcdo1 -->dcnh1. Symptom:
>>>>>>>>
>>>>>>>> [root at dcdo1 ~]# samba-tool drs replicate dcnh1.ad.kdu.com
>>>>>>>> dcdo1.ad.kdu.com dc=ad,dc=kdu,dc=com
>>>>>>>> ERROR(<class 'samba.drs_utils.drsException'>):
>>>>>>>> DsReplicaSync
>>>>>>>> failed
>>>>>>>> - drsException: DsReplicaSync failed (8453,
>>>>>>>> 'WERR_DS_DRA_ACCESS_DENIED') File
>>>>>>>> "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py",
>>>>>>>> line
>>>>>>>> 386,
>>>>>>>> in run drs_utils.sendDsReplicaSync(server_bind,
>>>>>>>> server_bind_handle,
>>>>>>>> source_dsa_guid, NC, req_options)
>>>>>>>> File "/usr/lib64/python2.7/site-
>>>>>>>> packages/samba/drs_utils.py",
>>>>>>>> line 85, in sendDsReplicaSync
>>>>>>>> raise drsException("DsReplicaSync failed %s" % estr)
>>>>>>>>
>>>>>>>> Log on dcdo1:
>>>>>>>> =============
>>>>>>>> [2017/12/27 08:20:56.335895, 0]
>>>>>>>> ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drs
>>>>>>>> ua
>>>>>>>> pi_D
>>>>>>>> sReplicaUpdateRefs)
>>>>>>>> ../source4/rpc_server/drsuapi/updaterefs.c:374:
>>>>>>>> Refusing
>>>>>>>> DsReplicaUpdateRefs for sid
>>>>>>>> S-1-5-21-454945863-777199239-1595221609-1112 with GUID
>>>>>>>> 0acce4bc-1193-4609-8e4d-a0771bb6fb76
>>>>>>>>
>>>>>>>> Log on target DC dcnh1:
>>>>>>>> =============
>>>>>>>> [2017/12/27 08:20:55.278559, 5]
../auth/auth_log.c:860(log_successful_authz_event_human_r >>>>>>>> ea >>>>>>>> dabl >>>>>>>> e) >>>>>>>> Successful AuthZ: [DCE/RPC,ncacn_ip_tcp] user [NT >>>>>>>> AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Wed, 27 Dec >>>>>>>> 2017 >>>>>>>> 08:20:55.278538 CET] Remote host >>>>>>>> [ipv4:192.168.172.14:36196] >>>>>>>> local >>>>>>>> host [ipv4:192.168.152.15:135] >>>>>>>> [2017/12/27 08:20:55.278641, 5] >>>>>>>> ../auth/auth_log.c:220(log_json) >>>>>>>> JSON Authorization: {"timestamp": >>>>>>>> "2017-12-27T08:20:55.278587+0100", "type": >>>>>>>> "Authorization", >>>>>>>> "Authorization": {"version": {"major": 1, "minor": 0}, >>>>>>>> "localAddress": "ipv4:192.168.152.15:135", >>>>>>>> "remoteAddress": >>>>>>>> "ipv4:192.168.172.14:36196", "serviceDescription": >>>>>>>> "DCE/RPC", >>>>>>>> "authType": "ncacn_ip_tcp", "domain": "NT AUTHORITY", >>>>>>>> "account": >>>>>>>> "ANONYMOUS LOGON", "sid": "S-1-5-7", "logonServer": >>>>>>>> "DCNH1", >>>>>>>> "transportProtection": "NONE", "accountFlags": >>>>>>>> "0x00000010"}} >>>>>>>> [2017/12/27 08:20:55.278660, >>>>>>>> 3] ../auth/auth_log.c:139(get_auth_event_server) >>>>>>>> get_auth_event_server: Failed to find 'auth_event' >>>>>>>> registered >>>>>>>> on >>>>>>>> the message bus to send JSON authentication events to: >>>>>>>> NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 >>>>>>>> 08:20:55.337740, >>>>>>>> 3] >>>>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_conn >>>>>>>> ec >>>>>>>> tion >>>>>>>> ) >>>>>>>> Terminating connection - 'dcesrv: >>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27 >>>>>>>> 08:20:55.337873, 3] >>>>>>>> ../source4/smbd/process_single.c:114(single_terminate) >>>>>>>> single_terminate: reason[dcesrv: >>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27 >>>>>>>> 08:20:55.506117, 3] >>>>>>>> ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect) >>>>>>>> ldb_wrap open of secrets.ldb >>>>>>>> [2017/12/27 08:20:55.506420, 5] >>>>>>>> 
../auth/gensec/gensec_start.c:739(gensec_start_mech) >>>>>>>> Starting GENSEC mechanism spnego >>>>>>>> [2017/12/27 08:20:55.506501, 5] >>>>>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech) >>>>>>>> Starting GENSEC submechanism gssapi_krb5 >>>>>>>> [2017/12/27 08:20:55.536259, 5] >>>>>>>> ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_ >>>>>>>> up >>>>>>>> date >>>>>>>> _internal) >>>>>>>> gensec_gssapi: credentials were delegated >>>>>>>> [2017/12/27 08:20:55.536320, 5] >>>>>>>> ../source4/auth/gensec/gensec_gssapi.c:685(gensec_gssapi_ >>>>>>>> up >>>>>>>> date >>>>>>>> _internal) >>>>>>>> GSSAPI Connection will be cryptographically sealed >>>>>>>> [2017/12/27 08:20:55.538591, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\ >>>>>>>> 87 >>>>>>>> \1ES >>>>>>>> .i\26\15_T\04\00\00 >>>>>>>> -> 0 >>>>>>>> [2017/12/27 08:20:55.538644, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\ >>>>>>>> 87 >>>>>>>> \1ES >>>>>>>> .i\26\15_\04\02\00\00 >>>>>>>> -> 0 >>>>>>>> [2017/12/27 08:20:55.538712, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\ >>>>>>>> 87 >>>>>>>> \1ES >>>>>>>> .i\26\15_<\02\00\00 >>>>>>>> -> 0 >>>>>>>> [2017/12/27 08:20:55.538762, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0 >>>>>>>> [2017/12/27 08:20:55.538819, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0 >>>>>>>> [2017/12/27 08:20:55.538864, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0 
>>>>>>>> [2017/12/27 08:20:55.538909, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0 >>>>>>>> [2017/12/27 08:20:55.538967, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 >>>>>>>> -> >>>>>>>> 0 >>>>>>>> [2017/12/27 08:20:55.539029, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\0 >>>>>>>> 0 >>>>>>>> -> 1 >>>>>>>> [2017/12/27 08:20:55.539087, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\0 >>>>>>>> 0 >>>>>>>> -> 0 >>>>>>>> [2017/12/27 08:20:55.539289, 4] >>>>>>>> ../auth/auth_log.c:860(log_successful_authz_event_human_r >>>>>>>> ea >>>>>>>> dabl >>>>>>>> e) >>>>>>>> Successful AuthZ: [DCE/RPC,krb5] user [AD]\[DCDO1$] >>>>>>>> [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, >>>>>>>> 27 >>>>>>>> Dec >>>>>>>> 2017 >>>>>>>> 08:20:55.539277 CET] Remote host >>>>>>>> [ipv4:192.168.172.14:57364] >>>>>>>> local >>>>>>>> host [ipv4:192.168.152.15:49152] >>>>>>>> [2017/12/27 08:20:55.539359, 4] >>>>>>>> ../auth/auth_log.c:220(log_json) >>>>>>>> JSON Authorization: {"timestamp": >>>>>>>> "2017-12-27T08:20:55.539334+0100", "type": >>>>>>>> "Authorization", >>>>>>>> "Authorization": {"version": {"major": 1, "minor": 0}, >>>>>>>> "localAddress": "ipv4:192.168.152.15:49152", >>>>>>>> "remoteAddress": >>>>>>>> "ipv4:192.168.172.14:57364", "serviceDescription": >>>>>>>> "DCE/RPC", >>>>>>>> "authType": "krb5", "domain": "AD", "account": "DCDO1$", >>>>>>>> "sid": >>>>>>>> "S-1-5-21-454945863-777199239-1595221609-1108", >>>>>>>> "logonServer": >>>>>>>> "DCDO1", "transportProtection": "SEAL", "accountFlags": >>>>>>>> "0x00002100"}} [2017/12/27 08:20:55.539398, >>>>>>>> 3] 
../auth/auth_log.c:139(get_auth_event_server) >>>>>>>> get_auth_event_server: Failed to find 'auth_event' >>>>>>>> registered >>>>>>>> on >>>>>>>> the message bus to send JSON authentication events to: >>>>>>>> NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 >>>>>>>> 08:20:55.568937, >>>>>>>> 3] >>>>>>>> ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89(dcesrv_ >>>>>>>> dr >>>>>>>> suap >>>>>>>> i_DsBind) >>>>>>>> ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89: >>>>>>>> doing >>>>>>>> DsBind >>>>>>>> with system_session >>>>>>>> [2017/12/27 08:20:55.641297, 3] >>>>>>>> ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect) >>>>>>>> ldb_wrap open of secrets.ldb >>>>>>>> [2017/12/27 08:20:55.644257, 5] >>>>>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchR >>>>>>>> eq >>>>>>>> uest >>>>>>>> ) >>>>>>>> ldb_request BASE dn>>>>>>>> filter=(|(objectClass=*)(distinguishedName=*)) >>>>>>>> [2017/12/27 >>>>>>>> 08:20:55.706421, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>> [2017/12/27 08:20:55.706573, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>> [2017/12/27 08:20:55.706777, 3] >>>>>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_ >>>>>>>> de >>>>>>>> bug_ >>>>>>>> wrapper) >>>>>>>> Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from >>>>>>>> ipv4:192.168.172.14:48486 for ldap/dcnh1.ad.kdu.com at AD.kd >>>>>>>> u. 
>>>>>>>> COM >>>>>>>> [canonicalize] [2017/12/27 08:20:55.708186, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>> [2017/12/27 08:20:55.708670, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>> [2017/12/27 08:20:55.708795, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>> [2017/12/27 08:20:55.709594, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>> [2017/12/27 08:20:55.710027, 3] >>>>>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_ >>>>>>>> de >>>>>>>> bug_ >>>>>>>> wrapper) >>>>>>>> Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 >>>>>>>> starttime: >>>>>>>> 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew >>>>>>>> till: >>>>>>>> unset >>>>>>>> [2017/12/27 08:20:55.740222, 3] >>>>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_conn >>>>>>>> ec >>>>>>>> tion >>>>>>>> ) >>>>>>>> Terminating connection - 'kdc_tcp_call_loop: >>>>>>>> tstream_read_pdu_blob_recv() - >>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED' >>>>>>>> [2017/12/27 08:20:55.740440, 3] >>>>>>>> ../source4/smbd/process_single.c:114(single_terminate) >>>>>>>> single_terminate: reason[kdc_tcp_call_loop: >>>>>>>> tstream_read_pdu_blob_recv() - >>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED] >>>>>>>> [2017/12/27 08:20:55.770764, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>> [2017/12/27 08:20:55.771034, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>> [2017/12/27 08:20:55.771283, 3] >>>>>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_ >>>>>>>> de >>>>>>>> bug_ >>>>>>>> wrapper) >>>>>>>> Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from >>>>>>>> ipv4:192.168.172.14:48488 for 
krbtgt/AD.kdu.COM at AD.kdu.CO >>>>>>>> M >>>>>>>> [forwarded, forwardable] [2017/12/27 08:20:55.771576, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>> [2017/12/27 08:20:55.771786, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>> [2017/12/27 08:20:55.772103, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>> [2017/12/27 08:20:55.772257, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>> [2017/12/27 08:20:55.773194, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>> [2017/12/27 08:20:55.773691, 3] >>>>>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_ >>>>>>>> de >>>>>>>> bug_ >>>>>>>> wrapper) >>>>>>>> Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 >>>>>>>> starttime: >>>>>>>> 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew >>>>>>>> till: >>>>>>>> unset >>>>>>>> [2017/12/27 08:20:55.804565, 3] >>>>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_conn >>>>>>>> ec >>>>>>>> tion >>>>>>>> ) >>>>>>>> Terminating connection - 'kdc_tcp_call_loop: >>>>>>>> tstream_read_pdu_blob_recv() - >>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED' >>>>>>>> [2017/12/27 08:20:55.804774, 3] >>>>>>>> ../source4/smbd/process_single.c:114(single_terminate) >>>>>>>> single_terminate: reason[kdc_tcp_call_loop: >>>>>>>> tstream_read_pdu_blob_recv() - >>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED] >>>>>>>> [2017/12/27 08:20:55.806137, 5] >>>>>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech) >>>>>>>> Starting GENSEC mechanism spnego >>>>>>>> [2017/12/27 08:20:55.806296, 5] >>>>>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech) >>>>>>>> Starting GENSEC submechanism gssapi_krb5 >>>>>>>> [2017/12/27 08:20:55.807170, 5] >>>>>>>> 
../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_ >>>>>>>> up >>>>>>>> date >>>>>>>> _internal) >>>>>>>> gensec_gssapi: credentials were delegated >>>>>>>> [2017/12/27 08:20:55.807242, 5] >>>>>>>> ../source4/auth/gensec/gensec_gssapi.c:687(gensec_gssapi_ >>>>>>>> up >>>>>>>> date >>>>>>>> _internal) >>>>>>>> GSSAPI Connection will be cryptographically signed >>>>>>>> [2017/12/27 08:20:55.810168, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\ >>>>>>>> 87 >>>>>>>> \1ES >>>>>>>> .i\26\15_T\04\00\00 >>>>>>>> -> 0 >>>>>>>> [2017/12/27 08:20:55.810265, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\ >>>>>>>> 87 >>>>>>>> \1ES >>>>>>>> .i\26\15_\04\02\00\00 >>>>>>>> -> 0 >>>>>>>> [2017/12/27 08:20:55.810353, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\ >>>>>>>> 87 >>>>>>>> \1ES >>>>>>>> .i\26\15_<\02\00\00 >>>>>>>> -> 0 >>>>>>>> [2017/12/27 08:20:55.810428, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0 >>>>>>>> [2017/12/27 08:20:55.810507, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0 >>>>>>>> [2017/12/27 08:20:55.810582, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0 >>>>>>>> [2017/12/27 08:20:55.810674, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0 >>>>>>>> [2017/12/27 08:20:55.810745, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL 
>>>>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 >>>>>>>> -> >>>>>>>> 0 >>>>>>>> [2017/12/27 08:20:55.810826, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\0 >>>>>>>> 0 >>>>>>>> -> 1 >>>>>>>> [2017/12/27 08:20:55.810901, 6] >>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>> gendb_search_v: NULL >>>>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\0 >>>>>>>> 0 >>>>>>>> -> 0 >>>>>>>> [2017/12/27 08:20:55.811125, 4] >>>>>>>> ../auth/auth_log.c:860(log_successful_authz_event_human_r >>>>>>>> ea >>>>>>>> dabl >>>>>>>> e) >>>>>>>> Successful AuthZ: [LDAP,krb5] user [AD]\[DCDO1$] >>>>>>>> [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, >>>>>>>> 27 >>>>>>>> Dec >>>>>>>> 2017 >>>>>>>> 08:20:55.811108 CET] Remote host >>>>>>>> [ipv4:192.168.172.14:56798] >>>>>>>> local >>>>>>>> host [ipv4:192.168.152.15:389] >>>>>>>> [2017/12/27 08:20:55.811301, 4] >>>>>>>> ../auth/auth_log.c:220(log_json) >>>>>>>> JSON Authorization: {"timestamp": >>>>>>>> "2017-12-27T08:20:55.811228+0100", "type": >>>>>>>> "Authorization", >>>>>>>> "Authorization": {"version": {"major": 1, "minor": 0}, >>>>>>>> "localAddress": "ipv4:192.168.152.15:389", >>>>>>>> "remoteAddress": >>>>>>>> "ipv4:192.168.172.14:56798", "serviceDescription": >>>>>>>> "LDAP", >>>>>>>> "authType": "krb5", "domain": "AD", "account": "DCDO1$", >>>>>>>> "sid": >>>>>>>> "S-1-5-21-454945863-777199239-1595221609-1108", >>>>>>>> "logonServer": >>>>>>>> "DCDO1", "transportProtection": "SIGN", "accountFlags": >>>>>>>> "0x00002100"}} [2017/12/27 08:20:55.811385, >>>>>>>> 3] ../auth/auth_log.c:139(get_auth_event_server) >>>>>>>> get_auth_event_server: Failed to find 'auth_event' >>>>>>>> registered >>>>>>>> on >>>>>>>> the message bus to send JSON authentication events to: >>>>>>>> NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 >>>>>>>> 08:20:55.841539, >>>>>>>> 5] >>>>>>>> 
../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchR >>>>>>>> eq >>>>>>>> uest >>>>>>>> ) >>>>>>>> ldb_request BASE dn= filter=(objectClass=*) >>>>>>>> [2017/12/27 08:20:55.871177, 5] >>>>>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchR >>>>>>>> eq >>>>>>>> uest >>>>>>>> ) >>>>>>>> ldb_request SUB >>>>>>>> dn=CN=Configuration,DC=ad,DC=kdu,DC=com >>>>>>>> filter=(&(objectCategory=server)(|(name=dcdo1.ad.kdu.com) >>>>>>>> (d >>>>>>>> NSHo >>>>>>>> stName=dcdo1.ad.kdu.com))) >>>>>>>> [2017/12/27 08:20:55.902579, 5] >>>>>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchR >>>>>>>> eq >>>>>>>> uest >>>>>>>> ) >>>>>>>> ldb_request ONE >>>>>>>> dn=CN=DCDO1,CN=Servers,CN=Default-First-Site- >>>>>>>> Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com >>>>>>>> filter=(|(objectCategory=nTDSDSA)(objectCategory=nTDSDSAR >>>>>>>> O) >>>>>>>> ) >>>>>>>> [2017/12/27 08:20:55.932550, 5] >>>>>>>> default/librpc/gen_ndr/ndr_drsuapi_s.c:93(drsuapi__op_dis >>>>>>>> pa >>>>>>>> tch) >>>>>>>> function drsuapi_DsReplicaSync will reply async >>>>>>>> [2017/12/27 08:20:55.932676, 3] >>>>>>>> ../source4/dsdb/repl/drepl_service.c:206(_drepl_schedule_ >>>>>>>> re >>>>>>>> plic >>>>>>>> ation) >>>>>>>> _drepl_schedule_replication: forcing sync of partition >>>>>>>> (141bbe37-5eda-42b8-b904-0b75e26b1e2d, >>>>>>>> dc=ad,dc=kdu,dc=com, >>>>>>>> 1d535613-81fa-435f-ba17-631d5742c775._msdcs.ad.kdu.com) >>>>>>>> [2017/12/27 08:20:55.932697, 4] >>>>>>>> ../source4/dsdb/repl/drepl_periodic.c:187(dreplsrv_pendin >>>>>>>> go >>>>>>>> ps_s >>>>>>>> chedule) >>>>>>>> dreplsrv_pending_schedule(1) scheduled for: Wed Dec 27 >>>>>>>> 08:20:57 >>>>>>>> 2017 CET >>>>>>>> [2017/12/27 08:20:56.971645, 4] >>>>>>>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6725(r >>>>>>>> ep >>>>>>>> lmd_ >>>>>>>> extended_replicated_objects) >>>>>>>> linked_attributes_count=0 >>>>>>>> [2017/12/27 08:20:56.971966, 4] >>>>>>>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6561(r >>>>>>>> ep 
>>>>>>>> lmd_ >>>>>>>> replicated_uptodate_modify) >>>>>>>> DRS replication uptodate modify message: >>>>>>>> dn: DC=ad,DC=kdu,DC=com >>>>>>>> changetype: modify >>>>>>>> replace: replUpToDateVector >>>>>>>> replUpToDateVector:: >>>>>>>> AgAAAAAAAAADAAAAAAAAABblFEZH4CNPh3GL0LFEOVz6FAAAAAAAAACAP >>>>>>>> tXesZ0BhJrYYEE7/kOJnoKr3dq/vN0PAAAAAAAAAIA+1d6xnQHgHbdwEV >>>>>>>> rz >>>>>>>> S7KY >>>>>>>> P2wnvCZRbBYAAA >>>>>>>> >>>>>>>> AAAAAAgD7V3rGdAQ=>>>>>>>> - >>>>>>>> replace: repsFrom >>>>>>>> repsFrom:: >>>>>>>> AQAAAAAAAAAOAQAAAAAAAMHaUxADAAAAwdpTEAMAAAAAAAAA0AAAAD4AA >>>>>>>> AB >>>>>>>> 0AAA >>>>>>>> AERE >>>>>>>> RERERERERERERERERERERERERERERERERERERERERERERERERERERERER >>>>>>>> ER >>>>>>>> ERER >>>>>>>> ERERERERERERER >>>>>>>> >>>>>>>> ERERERERERERERERERERERERERERERERAAAAAGsWAAAAAAAAAAAAAAAAA >>>>>>>> AB >>>>>>>> rFgA >>>>>>>> AAAAAAKQMPrx0t >>>>>>>> >>>>>>>> UlIhMh6s36sM6XgHbdwEVrzS7KYP2wnvCZRAAAAAAAAAAAAAAAAAAAAAD >>>>>>>> oA >>>>>>>> AABi >>>>>>>> YzNlMGNhNC1iNT >>>>>>>> >>>>>>>> c0LTQ4NDktODRjOC03YWIzN2VhYzMzYTUuX21zZGNzLmFkLmthbmRvdS5 >>>>>>>> jb >>>>>>>> 20A >>>>>>>> repsFrom:: >>>>>>>> AQAAAAAAAAAOAQAAuQIAANjaUxADAAAA2NpTEAMAAAAAAAAA0AAAAD4AA >>>>>>>> AB >>>>>>>> kAAA >>>>>>>> AERE >>>>>>>> RERERERERERERERERERERERERERERERERERERERERERERERERERERERER >>>>>>>> ER >>>>>>>> ERER >>>>>>>> ERERERERERERER >>>>>>>> >>>>>>>> ERERERERERERERERERERERERERERERERAAAAAPgUAAAAAAAAAAAAAAAAA >>>>>>>> AD >>>>>>>> 4FAA >>>>>>>> AAAAAABNWUx36g >>>>>>>> >>>>>>>> V9DuhdjHVdCx3UW5RRGR+AjT4dxi9CxRDlcAAAAAAAAAAAAAAAAAAAAAD >>>>>>>> oA >>>>>>>> AAAx >>>>>>>> ZDUzNTYxMy04MW >>>>>>>> >>>>>>>> ZhLTQzNWYtYmExNy02MzFkNTc0MmM3NzUuX21zZGNzLmFkLmthbmRvdS5 >>>>>>>> jb >>>>>>>> 20A >>>>>>>> - >>>>>>>> >>>>>>>> >>>>>>>> [2017/12/27 08:20:56.974912, 2] >>>>>>>> ../source4/dsdb/repl/replicated_objects.c:1020(dsdb_repli >>>>>>>> ca >>>>>>>> ted_ >>>>>>>> objects_commit) >>>>>>>> Replicated 0 objects (0 linked attributes) for >>>>>>>> DC=ad,DC=kdu,DC=com >>>>>>>> [2017/12/27 08:20:57.004974, 0] 
>>>>>>>> ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_up
>>>>>>>> da
>>>>>>>> te_r
>>>>>>>> efs_done)
>>>>>>>> UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT
>>>>>>>> code
>>>>>>>> 0xc0002105 for
>>>>>>>> 0acce4bc-1193-4609-8e4d-a0771bb6fb76._msdcs.ad.kdu.com
>>>>>>>> DC=ad,DC=kdu,DC=com [2017/12/27 08:20:57.005468, 4]
>>>>>>>> ../source4/dsdb/repl/drepl_out_pull.c:181(dreplsrv_pendin
>>>>>>>> g_
>>>>>>>> op_c
>>>>>>>> allback)
>>>>>>>> dreplsrv_op_pull_source(WERR_DS_DRA_ACCESS_DENIED) for
>>>>>>>> DC=ad,DC=kdu,DC=com
>>>>>>>> [2017/12/27 08:20:57.009507, 5]
>>>>>>>> default/librpc/gen_ndr/ndr_drsuapi_s.c:389(drsuapi__op_re
>>>>>>>> pl
>>>>>>>> y)
>>>>>>>> function drsuapi_DsReplicaSync replied async
>>>>>>>> [2017/12/27 08:20:57.053246, 3]
>>>>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_conn
>>>>>>>> ec
>>>>>>>> tion
>>>>>>>> )
>>>>>>>> Terminating connection - 'dcesrv:
>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27
>>>>>>>> 08:20:57.053478, 3]
>>>>>>>> ../source4/smbd/process_single.c:114(single_terminate)
>>>>>>>> single_terminate: reason[dcesrv:
>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27
>>>>>>>> 08:20:57.053528, 3]
>>>>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_conn
>>>>>>>> ec
>>>>>>>> tion
>>>>>>>> )
>>>>>>>> Terminating connection - 'ldapsrv_call_loop:
>>>>>>>> tstream_read_pdu_blob_recv() -
>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED'
>>>>>>>> [2017/12/27 08:20:57.053760, 2]
>>>>>>>> ../source4/smbd/process_standard.c:473(standard_terminate
>>>>>>>> )
>>>>>>>> standard_terminate: reason[ldapsrv_call_loop:
>>>>>>>> tstream_read_pdu_blob_recv() -
>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED]
>>>>>>>> [2017/12/27 08:20:57.057842, 2]
>>>>>>>> ../source4/smbd/process_standard.c:157(standard_child_pip
>>>>>>>> e_
>>>>>>>> hand
>>>>>>>> ler)
>>>>>>>> Child 900 () exited with status 0
>>>>>>>>
>>>>>>>> Any hints/ideas very much appreciated ...
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Uli
>>>>>>>>
>>>>>>>>
>>>>>> Couple of thoughts, try reading this:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
>>>>>>
>>>>>> and this:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Manually_Replicating_Directory_Partitions
>>>>>>
>>>>>> Does the missing 'CN' exist on the other two DCs ?
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>
>>>
--
+----------------------------------------------------------------------+
| Dr. Johannes-Ulrich Menzebach |
| phone : ++49-203-306-1765 (work) ++49-160-98930847 (cellular) |
| eMail : menze at dirac.ruhr.de |
| GPG Key fingerprint = |
| A36C 9660 6A1C 91E6 051E DF1A 573A 770B DD66 9D9F |
+----------------------------------------------------------------------+
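Added example (not part of the original posts and not Samba project code): a per-DC check for the condition found in this thread, a server object under CN=Servers that has no serverReference in one DC's copy of the directory. It parses ldbsearch output, reports the affected objects per DC and builds the LDIF modify record in the form posted above. Assumptions: the sample output is constructed from the thread's test.net names, the function names are hypothetical, and the DC account is taken to be CN=<server>,OU=Domain Controllers,<domain DN>.

```python
import base64
import re

# Constructed sample, shaped like the output of
#   ldbsearch -H /srv/samba/private/sam.ldb --cross-ncs '(objectClass=server)' serverReference
# with the test.net names used in the thread. Record 2 has a folded dn line.
SAMPLE_DC1 = """\
# record 1
dn: CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
serverReference: CN=DC1,OU=Domain Controllers,DC=test,DC=net

# record 2
dn: CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurat
 ion,DC=test,DC=net
serverReference: CN=DC2,OU=Domain Controllers,DC=test,DC=net

# record 3
dn: CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
serverReference: CN=SAMBA3,OU=Domain Controllers,DC=test,DC=net

# returned 3 records
# 3 entries
# 0 referrals
"""
# Constructed: the same query against DC2's database, where SAMBA3 lacks the attribute.
SAMPLE_DC2 = SAMPLE_DC1.replace(
    "serverReference: CN=SAMBA3,OU=Domain Controllers,DC=test,DC=net\n", "")


def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF record."""
    # A line that starts with a single space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", text)
    records, current = [], {}
    for line in unfolded.splitlines():
        if not line.strip():              # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):          # "# record N" and the summary lines
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def servers_missing_reference(records):
    """DNs of server objects that carry no serverReference value."""
    return [r["dn"][0] for r in records
            if "dn" in r and not r.get("serverreference")]


def audit(outputs_by_dc):
    """Map each DC name to the server objects lacking serverReference in its copy."""
    report = {}
    for dc, text in sorted(outputs_by_dc.items()):
        missing = servers_missing_reference(parse_ldif(text))
        if missing:
            report[dc] = missing
    return report


def build_fix_ldif(server_dn, dc_ou="OU=Domain Controllers"):
    """Build the modify record from the thread for one server object.

    Assumption: the DC's computer account has the same CN as the server
    object and lives in dc_ou under the domain DN. Check that the account
    exists there before applying the record.
    """
    rdns = [p.strip() for p in re.split(r"(?<!\\),", server_dn)]
    lowered = [p.lower() for p in rdns]
    if len(rdns) < 6 or lowered[1] != "cn=servers" or "cn=configuration" not in lowered:
        raise ValueError("not a server object DN: %s" % server_dn)
    domain_dn = ",".join(rdns[lowered.index("cn=configuration") + 1:])
    account_dn = ",".join([rdns[0], dc_ou, domain_dn])
    return ("dn: %s\nchangetype: modify\nadd: serverReference\n"
            "serverReference: %s\n-\n" % (server_dn, account_dn))


if __name__ == "__main__":
    for dc, dns in audit({"dc1": SAMPLE_DC1, "dc2": SAMPLE_DC2}).items():
        for dn in dns:
            print("# %s: serverReference missing" % dc)
            print(build_fix_ldif(dn))
```

Run the query against each DC's own sam.ldb and feed every output to audit(), since in this thread the attribute was missing from one DC's copy only.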
Denis Cardon
2018-Feb-12 18:24 UTC
[Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
Hi Heinz and Johannes,

> I had exactly the same problem, and used ldbedit to apply the fix.
> Thanks for digging into this!
>
> Now I'm interested in the root cause as well ...

I just had a client calling with a replication issue due to the exact same error. The domain was initially built on 4.7.1, upgraded to 4.7.3, and it was also missing the serverReference attribute on one of the DCs... The fix mentioned by the OP did resolve the issue.

I'm wondering what triggered this. I have just installed a fresh 4.7.0, and a fresh 4.7.1, and a fresh 4.7.4. The serverReference attribute is always there...

Thanks Heinz for the hint,

Denis

>
> Uli
>
> On 16.01.2018 at 16:48, Heinz Hölzl via samba wrote:
>> no, it seems to work!!!
>>
>> I did a ldapmodify on DC2:
>>
>> ldapmodify -x -h dc2 -D cn=administrator,cn=users,dc=test,dc=net -W -f
>> serverReference.ldif
>>
>> serverReference.ldif:
>> dn: CN=SAMBA3,CN=Servers,CN=Default-First-
>> SiteName,CN=Sites,CN=Configuration,DC=test,DC=net
>> changetype: modify
>> add: serverReference
>> serverReference: CN=SAMBA3,OU=Domain Controllers,DC=test,DC=net
>> -
>>
>> now the question:
>> Why the attribute serverReference was missing on DC2 after the join?
>>
>> Is it a bug?
>>
>> On Tuesday, 16.01.2018, 14:54 +0000, Heinz Hölzl via samba wrote:
>>> Hi,
>>>
>>> there is no firewall, all DCs are in the same subnet.
>>>
>>> here is the output of a test, you can see, the CNAME guid entries in
>>> the _msdcs can be resolved on any DC: (DC1 and DC2 are the first and
>>> second DCs, SAMBA3 was added at last.
>>>>>>> >>>>>>> Rowland >>>>>>> >>>>>> >>>> >-- Denis Cardon Tranquil IT Systems Les Espaces Jules Verne, bâtiment A 12 avenue Jules Verne 44230 Saint Sébastien sur Loire tel : +33 (0) 2.40.97.57.55 http://www.tranquil.it Samba install wiki for Frenchies : https://dev.tranquil.it WAPT, software deployment made easy : https://wapt.fr
lingpanda101
2018-Feb-12 18:57 UTC
[Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
On 2/12/2018 1:24 PM, Denis Cardon via samba wrote:
> Hi Heinz and Johannes,
>
>> I had exactly the same problem, and used ldbedit to apply the fix.
>> Thanks for digging into this!
>>
>> Now I'm interested in the root cause as well ...
>
> I just had a client calling with a replication issue due to the exact
> same error. The domain was initially built on 4.7.1, upgraded to
> 4.7.3, and it was also missing the serverReference attribute on one of
> the DCs... The fix mentioned by the OP did resolve the issue.
>
> I'm wondering what triggered this. I have just installed a fresh
> 4.7.0, and a fresh 4.7.1, and a fresh 4.7.4. The serverReference
> attribute is always there...
>
> Thanks Heinz for the hint,
>
> Denis
>
>>
>>
>> Uli
>>
>>
>>
>> On 16.01.2018 at 16:48, Heinz Hölzl via samba wrote:
>>> no, it seems to work!!!
>>>
>>>
>>> i did a ldapmodify on DC2:
>>>
>>> ldapmodify -x -h dc2 -D cn=administrator,cn=users,dc=test,dc=net -W -f serverReference.ldif
>>>
>>> serverReference.ldif:
>>> dn: CN=SAMBA3,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=test,DC=net
>>> changetype: modify
>>> add: serverReference
>>> serverReference: CN=SAMBA3,OU=Domain Controllers,DC=test,DC=net
>>> -
>>>
>>>
>>> now the question:
>>> Why was the attribute serverReference missing on DC2 after the join?
>>>
>>> Is it a bug?
>>>
>>>
>>>
>>>
>>> On Tuesday, 16.01.2018, 14:54 +0000, Heinz Hölzl via samba wrote:
>>>> Hi,
>>>>
>>>> there is no firewall, all DCs are in the same subnet.
>>>>
>>>> here is the output of a test, you can see, the CNAME guid entries in
>>>> the _msdcs can be resolved on any DC: (DC1 and DC2 are the first and
>>>> second DCs, SAMBA3 was added at last.
>>>>
>>>> ldbsearch -H /srv/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
>>>> # record 1
>>>> dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
>>>> objectGUID: 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f
>>>>
>>>> # record 2
>>>> dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
>>>> objectGUID: 9ec652b4-146c-4ff1-babe-5abe291325be
>>>>
>>>> # record 3
>>>> dn: CN=NTDS Settings,CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
>>>> objectGUID: c01a335e-1794-4997-9c7e-553be77fba04
>>>>
>>>> # returned 3 records
>>>> # 3 entries
>>>> # 0 referrals
>>>>
>>>> host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net DC1
>>>> 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for dc2.test.net.
>>>>
>>>> host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net DC2
>>>> 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for dc2.test.net.
>>>>
>>>> host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net SAMBA3
>>>> 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for dc2.test.net.
>>>>
>>>> host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net DC1
>>>> 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for dc1.test.net.
>>>>
>>>> host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net DC2
>>>> 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for dc1.test.net.
>>>>
>>>> host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net SAMBA3
>>>> 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for dc1.test.net.
>>>>
>>>> host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net DC1
>>>> c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for SAMBA3.test.net.
>>>>
>>>> host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net DC2
>>>> c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for SAMBA3.test.net.
>>>>
>>>> host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net SAMBA3
>>>> c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for SAMBA3.test.net.
>>>>
>>>>
>>>> On Tuesday, 16.01.2018, 12:10 +0100, Denis Cardon wrote:
>>>>> Hi Heinz,
>>>>>
>>>>>> i have the same problem on samba 4.7.3 and 4.7.4.
>>>>>> I start with 2 DCs and the sync works fine. After the join of a third
>>>>>> DC mostly i get the WERR_DS_DRA_ACCESS_DENIED. I tested it for 10 times.
>>>>>>
>>>>>> in my case i have:
>>>>>> DC1 (with any FSMO Roles)
>>>>>> DC2
>>>>>>
>>>>>> new join as DC:
>>>>>> DC3
>>>>>>
>>>>>> After the join, the sync from DC2 to DC3 fails.
>>>>>>
>>>>>> samba-tool drs replicate dc2 dc1 dc=gvcc,dc=net : OK
>>>>>> samba-tool drs replicate dc1 dc2 dc=gvcc,dc=net : OK
>>>>>> samba-tool drs replicate dc2 dc3 dc=gvcc,dc=net : OK
>>>>>> samba-tool drs replicate dc1 dc3 dc=gvcc,dc=net : OK
>>>>>> samba-tool drs replicate dc3 dc1 dc=gvcc,dc=net : OK
>>>>>> samba-tool drs replicate dc3 dc2 dc=gvcc,dc=net : NOT OK
>>>>> like Rowland pointed you earlier, it is often an issue with missing DNS
>>>>> entries. Be sure to check that samba_dnsupdate on both servers is happy,
>>>>> especially with the CNAME guid entries in the _msdcs zone.
>>>>>
>>>>> Another case I saw was that firewall had not been disabled (or at least
>>>>> the port opening was not done right).
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Denis
>>>>>
>>>>>>
>>>>>>
>>>>>> p.s. DC3 is a new server which never was a member in the ADS.
>>>>>>
>>>>>>
>>>>>> regards,
>>>>>> heinz
>>>>>>
>>>>>> On Wednesday, 27.12.2017, 14:44 +0100, Dr. Johannes-Ulrich Menzebach via samba wrote:
>>>>>>> Rowland,
>>>>>>>
>>>>>>> - the DN "CN=DCNH1,..." exists on all 3 DCs (pointing the Sites and
>>>>>>> Services console to each of them).
>>>>>>> - I also checked that "samba-tool dbcheck" completes w/o showing
>>>>>>> errors.
>>>>>>> - the objectGUID DNS aliases of all DCs are resolvable against all 3
>>>>>>> DCs' builtin DNS
>>>>>>> - I forced a full sync from the FSMO holder (dcge1) to the 2 other DCs
>>>>>>> which finished w/o errors.
>>>>>>> - after that, sync and also full sync dcdo1-->dcnh1 failed exactly as
>>>>>>> earlier.
>>>>>>>
>>>>>>> I'm wondering whether this is related to
>>>>>>> https://bugzilla.samba.org/show_bug.cgi?id=12972 , however I'm running
>>>>>>> 4.7.4 and the domain had been created under 4.7.3 (based on the Samba
>>>>>>> Wiki). Apart from the sync issue I'm VERY happy with Samba4/AD.
>>>>>>>
>>>>>>> Many thanks,
>>>>>>>
>>>>>>> Uli
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 12/27/2017 01:29 PM, Rowland Penny via samba wrote:
>>>>>>>> On Wed, 27 Dec 2017 13:00:05 +0100
>>>>>>>> "Dr. Johannes-Ulrich Menzebach via samba" <samba at lists.samba.
>>>>>>>> or >>>>>>>> g> >>>>>>>> wrote: >>>>>>>> >>>>>>>>> There is additional info in the logs of the source DC >>>>>>>>> (dcdo1, >>>>>>>>> log >>>>>>>>> level 2, manually triggered another replication): >>>>>>>>> ===================>>>>>>>>> [2017/12/27 12:31:29.695121, 2] >>>>>>>>> ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchan >>>>>>>>> ge >>>>>>>>> s_co >>>>>>>>> llect_objects) >>>>>>>>> ../source4/rpc_server/drsuapi/getncchanges.c:1731: >>>>>>>>> getncchanges on >>>>>>>>> DC=ad,DC=kdu,DC=com using filter (uSNChanged>=5415) >>>>>>>>> [2017/12/27 12:31:29.698828, 2] >>>>>>>>> ../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_dr >>>>>>>>> su >>>>>>>>> api_ >>>>>>>>> DsGetNCChanges) >>>>>>>>> DsGetNCChanges with uSNChanged >= 5415 flags 0x80000064 >>>>>>>>> on >>>>>>>>> <GUID=141bbe37-5eda-42b8-b904-0b75e26b1e2d>;<SID=S-1-5-21- >>>>>>>>> 454945863-777199239-1595221609>;DC=ad,DC=kdu,DC=com >>>>>>>>> gave 0 objects (done 0/0) 0 links (done 0/0 (as >>>>>>>>> S-1-5-21-454945863-777199239-1595221609-1112)) >>>>>>>>> [2017/12/27 12:31:29.733157, 1] >>>>>>>>> ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid) >>>>>>>>> ../source4/dsdb/common/util.c:4807: Failed to find >>>>>>>>> account dn >>>>>>>>> (serverReference) for >>>>>>>>> CN=DCNH1,CN=Servers,CN=Default-First-Site- >>>>>>>>> Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com, >>>>>>>>> parent of DSA with objectGUID 0acce4bc-1193-4609-8e4d- >>>>>>>>> a0771bb6fb76, >>>>>>>>> sid S-1-5-21-454945863-777199239-1595221609-1112 >>>>>>>>> [2017/12/27 12:31:29.733198, 0] >>>>>>>>> ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsua >>>>>>>>> pi >>>>>>>>> _DsR >>>>>>>>> eplicaUpdateRefs) >>>>>>>>> ../source4/rpc_server/drsuapi/updaterefs.c:374: >>>>>>>>> Refusing >>>>>>>>> DsReplicaUpdateRefs for sid >>>>>>>>> S-1-5-21-454945863-777199239-1595221609-1112 with GUID >>>>>>>>> 0acce4bc-1193-4609-8e4d-a0771bb6fb76 >>>>>>>>> >>>>>>>>> According to what I see in the "Sites and Services" RSAT 
>>>>>>>>> console >>>>>>>>> the >>>>>>>>> DN for >>>>>>>>> CN=DCNH1,CN=Servers,CN=Default-First-Site- >>>>>>>>> Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com >>>>>>>>> seems to exist. >>>>>>>>> >>>>>>>>> Any ideas? >>>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> >>>>>>>>> Uli >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> On 12/27/2017 09:59 AM, Dr. Johannes-Ulrich Menzebach via >>>>>>>>> samba >>>>>>>>> wrote: >>>>>>>>>> We have 3 ADCs based on Samba-4.7.4 (compiled from >>>>>>>>>> source,internal >>>>>>>>>> DNS)/ CentOS7: dcdo1,dcnh1 and dcge1. dcge1 holds all >>>>>>>>>> FSMO >>>>>>>>>> roles. >>>>>>>>>> The 3 ADCs are on different locations connected via IPSec >>>>>>>>>> based >>>>>>>>>> VPN. No traffic is filtered out. >>>>>>>>>> >>>>>>>>>> All 3 ADCs replicate fine except dcdo1 -->dcnh1. Symptom: >>>>>>>>>> >>>>>>>>>> [root at dcdo1 ~]# samba-tool drs replicate dcnh1.ad.kdu.com >>>>>>>>>> dcdo1.ad.kdu.com dc=ad,dc=kdu,dc=com >>>>>>>>>> ERROR(<class 'samba.drs_utils.drsException'>): >>>>>>>>>> DsReplicaSync >>>>>>>>>> failed >>>>>>>>>> - drsException: DsReplicaSync failed (8453, >>>>>>>>>> 'WERR_DS_DRA_ACCESS_DENIED') File >>>>>>>>>> "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", >>>>>>>>>> line >>>>>>>>>> 386, >>>>>>>>>> in run drs_utils.sendDsReplicaSync(server_bind, >>>>>>>>>> server_bind_handle, >>>>>>>>>> source_dsa_guid, NC, req_options) >>>>>>>>>> File "/usr/lib64/python2.7/site- >>>>>>>>>> packages/samba/drs_utils.py", >>>>>>>>>> line 85, in sendDsReplicaSync >>>>>>>>>> raise drsException("DsReplicaSync failed %s" % estr) >>>>>>>>>> >>>>>>>>>> Log on dcdo1: >>>>>>>>>> =============>>>>>>>>>> [2017/12/27 08:20:56.335895, 0] >>>>>>>>>> ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drs >>>>>>>>>> ua >>>>>>>>>> pi_D >>>>>>>>>> sReplicaUpdateRefs) >>>>>>>>>> ../source4/rpc_server/drsuapi/updaterefs.c:374: >>>>>>>>>> Refusing >>>>>>>>>> DsReplicaUpdateRefs for sid >>>>>>>>>> S-1-5-21-454945863-777199239-1595221609-1112 with GUID >>>>>>>>>> 
0acce4bc-1193-4609-8e4d-a0771bb6fb76 >>>>>>>>>> >>>>>>>>>> Log on target DC dcnh1: >>>>>>>>>> =============>>>>>>>>>> [2017/12/27 08:20:55.278559, 5] >>>>>>>>>> ../auth/auth_log.c:860(log_successful_authz_event_human_r >>>>>>>>>> ea >>>>>>>>>> dabl >>>>>>>>>> e) >>>>>>>>>> Successful AuthZ: [DCE/RPC,ncacn_ip_tcp] user [NT >>>>>>>>>> AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Wed, 27 Dec >>>>>>>>>> 2017 >>>>>>>>>> 08:20:55.278538 CET] Remote host >>>>>>>>>> [ipv4:192.168.172.14:36196] >>>>>>>>>> local >>>>>>>>>> host [ipv4:192.168.152.15:135] >>>>>>>>>> [2017/12/27 08:20:55.278641, 5] >>>>>>>>>> ../auth/auth_log.c:220(log_json) >>>>>>>>>> JSON Authorization: {"timestamp": >>>>>>>>>> "2017-12-27T08:20:55.278587+0100", "type": >>>>>>>>>> "Authorization", >>>>>>>>>> "Authorization": {"version": {"major": 1, "minor": 0}, >>>>>>>>>> "localAddress": "ipv4:192.168.152.15:135", >>>>>>>>>> "remoteAddress": >>>>>>>>>> "ipv4:192.168.172.14:36196", "serviceDescription": >>>>>>>>>> "DCE/RPC", >>>>>>>>>> "authType": "ncacn_ip_tcp", "domain": "NT AUTHORITY", >>>>>>>>>> "account": >>>>>>>>>> "ANONYMOUS LOGON", "sid": "S-1-5-7", "logonServer": >>>>>>>>>> "DCNH1", >>>>>>>>>> "transportProtection": "NONE", "accountFlags": >>>>>>>>>> "0x00000010"}} >>>>>>>>>> [2017/12/27 08:20:55.278660, >>>>>>>>>> 3] ../auth/auth_log.c:139(get_auth_event_server) >>>>>>>>>> get_auth_event_server: Failed to find 'auth_event' >>>>>>>>>> registered >>>>>>>>>> on >>>>>>>>>> the message bus to send JSON authentication events to: >>>>>>>>>> NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 >>>>>>>>>> 08:20:55.337740, >>>>>>>>>> 3] >>>>>>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_conn >>>>>>>>>> ec >>>>>>>>>> tion >>>>>>>>>> ) >>>>>>>>>> Terminating connection - 'dcesrv: >>>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27 >>>>>>>>>> 08:20:55.337873, 3] >>>>>>>>>> ../source4/smbd/process_single.c:114(single_terminate) >>>>>>>>>> single_terminate: reason[dcesrv: >>>>>>>>>> 
NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27 >>>>>>>>>> 08:20:55.506117, 3] >>>>>>>>>> ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect) >>>>>>>>>> ldb_wrap open of secrets.ldb >>>>>>>>>> [2017/12/27 08:20:55.506420, 5] >>>>>>>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech) >>>>>>>>>> Starting GENSEC mechanism spnego >>>>>>>>>> [2017/12/27 08:20:55.506501, 5] >>>>>>>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech) >>>>>>>>>> Starting GENSEC submechanism gssapi_krb5 >>>>>>>>>> [2017/12/27 08:20:55.536259, 5] >>>>>>>>>> ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_ >>>>>>>>>> up >>>>>>>>>> date >>>>>>>>>> _internal) >>>>>>>>>> gensec_gssapi: credentials were delegated >>>>>>>>>> [2017/12/27 08:20:55.536320, 5] >>>>>>>>>> ../source4/auth/gensec/gensec_gssapi.c:685(gensec_gssapi_ >>>>>>>>>> up >>>>>>>>>> date >>>>>>>>>> _internal) >>>>>>>>>> GSSAPI Connection will be cryptographically sealed >>>>>>>>>> [2017/12/27 08:20:55.538591, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\ >>>>>>>>>> 87 >>>>>>>>>> \1ES >>>>>>>>>> .i\26\15_T\04\00\00 >>>>>>>>>> -> 0 >>>>>>>>>> [2017/12/27 08:20:55.538644, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\ >>>>>>>>>> 87 >>>>>>>>>> \1ES >>>>>>>>>> .i\26\15_\04\02\00\00 >>>>>>>>>> -> 0 >>>>>>>>>> [2017/12/27 08:20:55.538712, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\ >>>>>>>>>> 87 >>>>>>>>>> \1ES >>>>>>>>>> .i\26\15_<\02\00\00 >>>>>>>>>> -> 0 >>>>>>>>>> [2017/12/27 08:20:55.538762, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0 >>>>>>>>>> [2017/12/27 08:20:55.538819, 6] 
>>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0 >>>>>>>>>> [2017/12/27 08:20:55.538864, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0 >>>>>>>>>> [2017/12/27 08:20:55.538909, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0 >>>>>>>>>> [2017/12/27 08:20:55.538967, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 >>>>>>>>>> -> >>>>>>>>>> 0 >>>>>>>>>> [2017/12/27 08:20:55.539029, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\0 >>>>>>>>>> 0 >>>>>>>>>> -> 1 >>>>>>>>>> [2017/12/27 08:20:55.539087, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\0 >>>>>>>>>> 0 >>>>>>>>>> -> 0 >>>>>>>>>> [2017/12/27 08:20:55.539289, 4] >>>>>>>>>> ../auth/auth_log.c:860(log_successful_authz_event_human_r >>>>>>>>>> ea >>>>>>>>>> dabl >>>>>>>>>> e) >>>>>>>>>> Successful AuthZ: [DCE/RPC,krb5] user [AD]\[DCDO1$] >>>>>>>>>> [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, >>>>>>>>>> 27 >>>>>>>>>> Dec >>>>>>>>>> 2017 >>>>>>>>>> 08:20:55.539277 CET] Remote host >>>>>>>>>> [ipv4:192.168.172.14:57364] >>>>>>>>>> local >>>>>>>>>> host [ipv4:192.168.152.15:49152] >>>>>>>>>> [2017/12/27 08:20:55.539359, 4] >>>>>>>>>> ../auth/auth_log.c:220(log_json) >>>>>>>>>> JSON Authorization: {"timestamp": >>>>>>>>>> "2017-12-27T08:20:55.539334+0100", "type": >>>>>>>>>> "Authorization", >>>>>>>>>> "Authorization": {"version": {"major": 1, "minor": 0}, >>>>>>>>>> "localAddress": 
"ipv4:192.168.152.15:49152", >>>>>>>>>> "remoteAddress": >>>>>>>>>> "ipv4:192.168.172.14:57364", "serviceDescription": >>>>>>>>>> "DCE/RPC", >>>>>>>>>> "authType": "krb5", "domain": "AD", "account": "DCDO1$", >>>>>>>>>> "sid": >>>>>>>>>> "S-1-5-21-454945863-777199239-1595221609-1108", >>>>>>>>>> "logonServer": >>>>>>>>>> "DCDO1", "transportProtection": "SEAL", "accountFlags": >>>>>>>>>> "0x00002100"}} [2017/12/27 08:20:55.539398, >>>>>>>>>> 3] ../auth/auth_log.c:139(get_auth_event_server) >>>>>>>>>> get_auth_event_server: Failed to find 'auth_event' >>>>>>>>>> registered >>>>>>>>>> on >>>>>>>>>> the message bus to send JSON authentication events to: >>>>>>>>>> NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 >>>>>>>>>> 08:20:55.568937, >>>>>>>>>> 3] >>>>>>>>>> ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89(dcesrv_ >>>>>>>>>> dr >>>>>>>>>> suap >>>>>>>>>> i_DsBind) >>>>>>>>>> ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89: >>>>>>>>>> doing >>>>>>>>>> DsBind >>>>>>>>>> with system_session >>>>>>>>>> [2017/12/27 08:20:55.641297, 3] >>>>>>>>>> ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect) >>>>>>>>>> ldb_wrap open of secrets.ldb >>>>>>>>>> [2017/12/27 08:20:55.644257, 5] >>>>>>>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchR >>>>>>>>>> eq >>>>>>>>>> uest >>>>>>>>>> ) >>>>>>>>>> ldb_request BASE dn>>>>>>>>>> filter=(|(objectClass=*)(distinguishedName=*)) >>>>>>>>>> [2017/12/27 >>>>>>>>>> 08:20:55.706421, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>>>> [2017/12/27 08:20:55.706573, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>>>> [2017/12/27 08:20:55.706777, 3] >>>>>>>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_ >>>>>>>>>> de >>>>>>>>>> bug_ >>>>>>>>>> wrapper) >>>>>>>>>> Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from >>>>>>>>>> ipv4:192.168.172.14:48486 for ldap/dcnh1.ad.kdu.com at AD.kd 
>>>>>>>>>> u. >>>>>>>>>> COM >>>>>>>>>> [canonicalize] [2017/12/27 08:20:55.708186, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>>>> [2017/12/27 08:20:55.708670, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>>>> [2017/12/27 08:20:55.708795, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>>>> [2017/12/27 08:20:55.709594, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>>>> [2017/12/27 08:20:55.710027, 3] >>>>>>>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_ >>>>>>>>>> de >>>>>>>>>> bug_ >>>>>>>>>> wrapper) >>>>>>>>>> Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 >>>>>>>>>> starttime: >>>>>>>>>> 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew >>>>>>>>>> till: >>>>>>>>>> unset >>>>>>>>>> [2017/12/27 08:20:55.740222, 3] >>>>>>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_conn >>>>>>>>>> ec >>>>>>>>>> tion >>>>>>>>>> ) >>>>>>>>>> Terminating connection - 'kdc_tcp_call_loop: >>>>>>>>>> tstream_read_pdu_blob_recv() - >>>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED' >>>>>>>>>> [2017/12/27 08:20:55.740440, 3] >>>>>>>>>> ../source4/smbd/process_single.c:114(single_terminate) >>>>>>>>>> single_terminate: reason[kdc_tcp_call_loop: >>>>>>>>>> tstream_read_pdu_blob_recv() - >>>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED] >>>>>>>>>> [2017/12/27 08:20:55.770764, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>>>> [2017/12/27 08:20:55.771034, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>>>> [2017/12/27 08:20:55.771283, 3] >>>>>>>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_ >>>>>>>>>> de >>>>>>>>>> bug_ 
>>>>>>>>>> wrapper) >>>>>>>>>> Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from >>>>>>>>>> ipv4:192.168.172.14:48488 for krbtgt/AD.kdu.COM at AD.kdu.CO >>>>>>>>>> M >>>>>>>>>> [forwarded, forwardable] [2017/12/27 08:20:55.771576, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>>>> [2017/12/27 08:20:55.771786, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>>>> [2017/12/27 08:20:55.772103, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>>>> [2017/12/27 08:20:55.772257, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>>>> [2017/12/27 08:20:55.773194, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1 >>>>>>>>>> [2017/12/27 08:20:55.773691, 3] >>>>>>>>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_ >>>>>>>>>> de >>>>>>>>>> bug_ >>>>>>>>>> wrapper) >>>>>>>>>> Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 >>>>>>>>>> starttime: >>>>>>>>>> 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew >>>>>>>>>> till: >>>>>>>>>> unset >>>>>>>>>> [2017/12/27 08:20:55.804565, 3] >>>>>>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_conn >>>>>>>>>> ec >>>>>>>>>> tion >>>>>>>>>> ) >>>>>>>>>> Terminating connection - 'kdc_tcp_call_loop: >>>>>>>>>> tstream_read_pdu_blob_recv() - >>>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED' >>>>>>>>>> [2017/12/27 08:20:55.804774, 3] >>>>>>>>>> ../source4/smbd/process_single.c:114(single_terminate) >>>>>>>>>> single_terminate: reason[kdc_tcp_call_loop: >>>>>>>>>> tstream_read_pdu_blob_recv() - >>>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED] >>>>>>>>>> [2017/12/27 08:20:55.806137, 5] >>>>>>>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech) >>>>>>>>>> Starting GENSEC mechanism spnego 
>>>>>>>>>> [2017/12/27 08:20:55.806296, 5] >>>>>>>>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech) >>>>>>>>>> Starting GENSEC submechanism gssapi_krb5 >>>>>>>>>> [2017/12/27 08:20:55.807170, 5] >>>>>>>>>> ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_ >>>>>>>>>> up >>>>>>>>>> date >>>>>>>>>> _internal) >>>>>>>>>> gensec_gssapi: credentials were delegated >>>>>>>>>> [2017/12/27 08:20:55.807242, 5] >>>>>>>>>> ../source4/auth/gensec/gensec_gssapi.c:687(gensec_gssapi_ >>>>>>>>>> up >>>>>>>>>> date >>>>>>>>>> _internal) >>>>>>>>>> GSSAPI Connection will be cryptographically signed >>>>>>>>>> [2017/12/27 08:20:55.810168, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\ >>>>>>>>>> 87 >>>>>>>>>> \1ES >>>>>>>>>> .i\26\15_T\04\00\00 >>>>>>>>>> -> 0 >>>>>>>>>> [2017/12/27 08:20:55.810265, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\ >>>>>>>>>> 87 >>>>>>>>>> \1ES >>>>>>>>>> .i\26\15_\04\02\00\00 >>>>>>>>>> -> 0 >>>>>>>>>> [2017/12/27 08:20:55.810353, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\ >>>>>>>>>> 87 >>>>>>>>>> \1ES >>>>>>>>>> .i\26\15_<\02\00\00 >>>>>>>>>> -> 0 >>>>>>>>>> [2017/12/27 08:20:55.810428, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0 >>>>>>>>>> [2017/12/27 08:20:55.810507, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0 >>>>>>>>>> [2017/12/27 08:20:55.810582, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0 
>>>>>>>>>> [2017/12/27 08:20:55.810674, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0 >>>>>>>>>> [2017/12/27 08:20:55.810745, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 >>>>>>>>>> -> >>>>>>>>>> 0 >>>>>>>>>> [2017/12/27 08:20:55.810826, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\0 >>>>>>>>>> 0 >>>>>>>>>> -> 1 >>>>>>>>>> [2017/12/27 08:20:55.810901, 6] >>>>>>>>>> ../lib/util/util_ldb.c:60(gendb_search_v) >>>>>>>>>> gendb_search_v: NULL >>>>>>>>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\0 >>>>>>>>>> 0 >>>>>>>>>> -> 0 >>>>>>>>>> [2017/12/27 08:20:55.811125, 4] >>>>>>>>>> ../auth/auth_log.c:860(log_successful_authz_event_human_r >>>>>>>>>> ea >>>>>>>>>> dabl >>>>>>>>>> e) >>>>>>>>>> Successful AuthZ: [LDAP,krb5] user [AD]\[DCDO1$] >>>>>>>>>> [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, >>>>>>>>>> 27 >>>>>>>>>> Dec >>>>>>>>>> 2017 >>>>>>>>>> 08:20:55.811108 CET] Remote host >>>>>>>>>> [ipv4:192.168.172.14:56798] >>>>>>>>>> local >>>>>>>>>> host [ipv4:192.168.152.15:389] >>>>>>>>>> [2017/12/27 08:20:55.811301, 4] >>>>>>>>>> ../auth/auth_log.c:220(log_json) >>>>>>>>>> JSON Authorization: {"timestamp": >>>>>>>>>> "2017-12-27T08:20:55.811228+0100", "type": >>>>>>>>>> "Authorization", >>>>>>>>>> "Authorization": {"version": {"major": 1, "minor": 0}, >>>>>>>>>> "localAddress": "ipv4:192.168.152.15:389", >>>>>>>>>> "remoteAddress": >>>>>>>>>> "ipv4:192.168.172.14:56798", "serviceDescription": >>>>>>>>>> "LDAP", >>>>>>>>>> "authType": "krb5", "domain": "AD", "account": "DCDO1$", >>>>>>>>>> "sid": >>>>>>>>>> "S-1-5-21-454945863-777199239-1595221609-1108", >>>>>>>>>> "logonServer": >>>>>>>>>> "DCDO1", "transportProtection": 
"SIGN", "accountFlags": >>>>>>>>>> "0x00002100"}} [2017/12/27 08:20:55.811385, >>>>>>>>>> 3] ../auth/auth_log.c:139(get_auth_event_server) >>>>>>>>>> get_auth_event_server: Failed to find 'auth_event' >>>>>>>>>> registered >>>>>>>>>> on >>>>>>>>>> the message bus to send JSON authentication events to: >>>>>>>>>> NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 >>>>>>>>>> 08:20:55.841539, >>>>>>>>>> 5] >>>>>>>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchR >>>>>>>>>> eq >>>>>>>>>> uest >>>>>>>>>> ) >>>>>>>>>> ldb_request BASE dn= filter=(objectClass=*) >>>>>>>>>> [2017/12/27 08:20:55.871177, 5] >>>>>>>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchR >>>>>>>>>> eq >>>>>>>>>> uest >>>>>>>>>> ) >>>>>>>>>> ldb_request SUB >>>>>>>>>> dn=CN=Configuration,DC=ad,DC=kdu,DC=com >>>>>>>>>> filter=(&(objectCategory=server)(|(name=dcdo1.ad.kdu.com) >>>>>>>>>> (d >>>>>>>>>> NSHo >>>>>>>>>> stName=dcdo1.ad.kdu.com))) >>>>>>>>>> [2017/12/27 08:20:55.902579, 5] >>>>>>>>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchR >>>>>>>>>> eq >>>>>>>>>> uest >>>>>>>>>> ) >>>>>>>>>> ldb_request ONE >>>>>>>>>> dn=CN=DCDO1,CN=Servers,CN=Default-First-Site- >>>>>>>>>> Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com >>>>>>>>>> filter=(|(objectCategory=nTDSDSA)(objectCategory=nTDSDSAR >>>>>>>>>> O) >>>>>>>>>> ) >>>>>>>>>> [2017/12/27 08:20:55.932550, 5] >>>>>>>>>> default/librpc/gen_ndr/ndr_drsuapi_s.c:93(drsuapi__op_dis >>>>>>>>>> pa >>>>>>>>>> tch) >>>>>>>>>> function drsuapi_DsReplicaSync will reply async >>>>>>>>>> [2017/12/27 08:20:55.932676, 3] >>>>>>>>>> ../source4/dsdb/repl/drepl_service.c:206(_drepl_schedule_ >>>>>>>>>> re >>>>>>>>>> plic >>>>>>>>>> ation) >>>>>>>>>> _drepl_schedule_replication: forcing sync of partition >>>>>>>>>> (141bbe37-5eda-42b8-b904-0b75e26b1e2d, >>>>>>>>>> dc=ad,dc=kdu,dc=com, >>>>>>>>>> 1d535613-81fa-435f-ba17-631d5742c775._msdcs.ad.kdu.com) >>>>>>>>>> [2017/12/27 08:20:55.932697, 4] >>>>>>>>>> 
../source4/dsdb/repl/drepl_periodic.c:187(dreplsrv_pendin >>>>>>>>>> go >>>>>>>>>> ps_s >>>>>>>>>> chedule) >>>>>>>>>> dreplsrv_pending_schedule(1) scheduled for: Wed Dec 27 >>>>>>>>>> 08:20:57 >>>>>>>>>> 2017 CET >>>>>>>>>> [2017/12/27 08:20:56.971645, 4] >>>>>>>>>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6725(r >>>>>>>>>> ep >>>>>>>>>> lmd_ >>>>>>>>>> extended_replicated_objects) >>>>>>>>>> linked_attributes_count=0 >>>>>>>>>> [2017/12/27 08:20:56.971966, 4] >>>>>>>>>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6561(r >>>>>>>>>> ep >>>>>>>>>> lmd_ >>>>>>>>>> replicated_uptodate_modify) >>>>>>>>>> DRS replication uptodate modify message: >>>>>>>>>> dn: DC=ad,DC=kdu,DC=com >>>>>>>>>> changetype: modify >>>>>>>>>> replace: replUpToDateVector >>>>>>>>>> - >>>>>>>>>> replace: repsFrom
>>>>>>>>>> - >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> [2017/12/27 08:20:56.974912, 2] >>>>>>>>>> ../source4/dsdb/repl/replicated_objects.c:1020(dsdb_repli >>>>>>>>>> ca >>>>>>>>>> ted_ >>>>>>>>>> objects_commit) >>>>>>>>>> Replicated 0 objects (0 linked attributes) for >>>>>>>>>> DC=ad,DC=kdu,DC=com >>>>>>>>>> [2017/12/27 08:20:57.004974, 0] >>>>>>>>>> ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_up >>>>>>>>>> da >>>>>>>>>> te_r >>>>>>>>>> efs_done) >>>>>>>>>> UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT >>>>>>>>>> code >>>>>>>>>> 0xc0002105 for >>>>>>>>>> 0acce4bc-1193-4609-8e4d-a0771bb6fb76._msdcs.ad.kdu.com >>>>>>>>>> DC=ad,DC=kdu,DC=com [2017/12/27 08:20:57.005468, 4] >>>>>>>>>> ../source4/dsdb/repl/drepl_out_pull.c:181(dreplsrv_pendin >>>>>>>>>> g_ >>>>>>>>>> op_c >>>>>>>>>> allback) >>>>>>>>>> dreplsrv_op_pull_source(WERR_DS_DRA_ACCESS_DENIED) for >>>>>>>>>> DC=ad,DC=kdu,DC=com >>>>>>>>>> [2017/12/27 08:20:57.009507, 5] >>>>>>>>>> default/librpc/gen_ndr/ndr_drsuapi_s.c:389(drsuapi__op_re >>>>>>>>>> pl >>>>>>>>>> y) >>>>>>>>>> function drsuapi_DsReplicaSync replied async >>>>>>>>>> [2017/12/27 08:20:57.053246, 3] >>>>>>>>>> ../source4/smbd/service_stream.c:65(stream_terminate_conn >>>>>>>>>> ec >>>>>>>>>> tion >>>>>>>>>> ) >>>>>>>>>> Terminating connection - 'dcesrv: >>>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27 >>>>>>>>>> 08:20:57.053478, 3] >>>>>>>>>> ../source4/smbd/process_single.c:114(single_terminate) >>>>>>>>>> single_terminate: reason[dcesrv: >>>>>>>>>> NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27 >>>>>>>>>> 08:20:57.053528, 3] >>>>>>>>>> 
../source4/smbd/service_stream.c:65(stream_terminate_connection)
>>>>>>>>>> Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>>>>>>>>>> [2017/12/27 08:20:57.053760, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
>>>>>>>>>> standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>>>>>>>>>> [2017/12/27 08:20:57.057842, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
>>>>>>>>>> Child 900 () exited with status 0
>>>>>>>>>>
>>>>>>>>>> Any hints/ideas very much appreciated ...
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Uli
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>> Couple of thoughts, try reading this:
>>>>>>>>
>>>>>>>> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
>>>>>>>>
>>>>>>>> and this:
>>>>>>>>
>>>>>>>> https://wiki.samba.org/index.php/Manually_Replicating_Directory_Partitions
>>>>>>>>
>>>>>>>> Does the missing 'CN' exist on the other two DCs ?
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>
>>>>>
>>
>
Was one of the DCs exhibiting the issue manually moved to another site prior to or after the update? Normally the attribute is updated during a site creation.

--
--
James
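The check that resolved this thread, as an added example (not code from the thread or from Samba): it parses ldbsearch-style LDIF, flags every server object that is the parent of an NTDS Settings object but carries no serverReference, and builds the modify LDIF in the shape Heinz posted. The sample records and all function names are constructed here; putting the account under OU=Domain Controllers is an assumption taken from the posted fix, and the folded-line and base64 handling goes beyond what the thread shows.

```python
"""Flag DC server objects that lack serverReference (constructed example)."""
import base64

SERVERS = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net"
DC2_DN = "CN=DC2," + SERVERS

# Constructed sample shaped like ldbsearch output when only serverReference is
# requested for the server and NTDS Settings objects. It includes folded lines
# (continuation lines start with one space) and one base64 "dn::" value.
SAMPLE_LDIF = "\n".join([
    "# record 1",
    "dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites",
    " ,CN=Configuration,DC=test,DC=net",
    "",
    "# record 2",
    "dn: CN=DC1," + SERVERS,
    "serverReference: CN=DC1,OU=Domain Controllers,DC=test,DC=net",
    "",
    "# record 3",
    "dn: CN=NTDS Settings,CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites",
    " ,CN=Configuration,DC=test,DC=net",
    "",
    "# record 4 (no serverReference: the state described in the thread)",
    "dn: CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration",
    " ,DC=test,DC=net",
    "",
    "# record 5",
    "dn: CN=NTDS Settings," + DC2_DN,
    "",
    "# record 6",
    "dn:: " + base64.b64encode(DC2_DN.encode()).decode(),
    "serverReference: CN=DC2,OU=Domain Controllers,DC=test,DC=net",
    "",
    "# returned 6 records",
])


def unfold(text):
    """Join LDIF continuation lines (leading single space) to their parent."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of records: {lowercased attribute: [values]}."""
    records, current = [], {}
    for line in unfold(text) + [""]:          # sentinel flushes the last record
        if not line.strip():
            if "dn" in current:
                records.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):              # "attr:: value" is base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return records


def parent_dn(dn):
    """Strip the first RDN, honouring backslash-escaped commas."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2
            continue
        if dn[i] == ",":
            return dn[i + 1:]
        i += 1
    return ""


def servers_missing_reference(records):
    """Server DNs that own an NTDS Settings child but have no serverReference."""
    by_dn = {r["dn"][0].lower(): r for r in records}
    missing = []
    for rec in records:
        dn = rec["dn"][0]
        if not dn.lower().startswith("cn=ntds settings,"):
            continue
        server = parent_dn(dn)
        parent = by_dn.get(server.lower())
        # A server object absent from the search output is reported as well.
        if parent is None or not parent.get("serverreference"):
            missing.append(server)
    return missing


def default_account_dn(server_dn, domain_dn):
    """Assumption: the DC account is CN=<name>,OU=Domain Controllers,<domain>."""
    rest = parent_dn(server_dn)
    rdn = server_dn[:-(len(rest) + 1)] if rest else server_dn
    return f"{rdn},OU=Domain Controllers,{domain_dn}"


def fix_ldif(server_dn, account_dn):
    """Modify LDIF in the same shape as the serverReference.ldif in the thread."""
    return (f"dn: {server_dn}\nchangetype: modify\nadd: serverReference\n"
            f"serverReference: {account_dn}\n-\n")


if __name__ == "__main__":
    for dn in servers_missing_reference(parse_ldif(SAMPLE_LDIF)):
        print(fix_ldif(dn, default_account_dn(dn, "DC=test,DC=net")))
```

Run it against the output of each DC's own database, since in the thread the attribute was missing on only one DC; review the generated LDIF, in particular the account DN, before applying it.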