Dirk Laurenz
2018-Apr-04 12:32 UTC
[Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
Same error here...

root@samba01:~# samba-tool ldapcmp ldap://samba01 ldap://samba02 -Uadministrator --filter=CN,DC,member CONFIGURATION
Password for [LAURENZ\administrator]:

* Comparing [CONFIGURATION] context...

* Objects to be compared: 1631

Comparing:
'CN=SAMBA03,CN=Servers,CN=Harz,CN=Sites,CN=Configuration,DC=local,DC=laurenz,DC=ws' [ldap://samba01]
'CN=SAMBA03,CN=Servers,CN=Harz,CN=Sites,CN=Configuration,DC=local,DC=laurenz,DC=ws' [ldap://samba02]
    Attributes found only in ldap://samba01:
        serverReference
    FAILED

* Result for [CONFIGURATION]: FAILURE

SUMMARY
---------

Attributes found only in ldap://samba01:

    serverReference

ERROR: Compare failed: -1

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Heinz Hölzl via samba
Sent: Tuesday, 16 January 2018 16:32
To: samba at lists.samba.org
Subject: Re: [Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging

on DC2 in the log i found:

./source4/dsdb/common/util.c:4807: Failed to find account dn (serverReference) for CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net, parent of DSA with objectGUID c01a335e-1794-4997-9c7e-553be77fba04, sid S-1-5-21-1608159440-4144762864-1017073214-18962
../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-1608159440-4144762864-1017073214-18962 with GUID c01a335e-1794-4997-9c7e-553be77fba04

then i did the following test:

samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator --filter=CN,DC,member CONFIGURATION

* Comparing [CONFIGURATION] context...

* Objects to be compared: 1622

Comparing:
'CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net' [ldap://DC1]
'CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net' [ldap://DC2]
    Attributes found only in ldap://DC1:
        serverReference
    FAILED

* Result for [CONFIGURATION]: FAILURE

SUMMARY
---------

Attributes found only in ldap://DC1:

    serverReference

ERROR: Compare failed: -1

after a full sync from dc1 to dc2 (samba-tool drs replicate dc2 dc1 dc=gvcc,dc=net --full-sync --local) same result,
serverReference on CN=SAMBA3,CN=Servers,CN=Default-First-Site-name,CN=Sites,CN=Configuration,DC=test,DC=net exists only on DC1

how can i fix this?

On Tuesday, 16.01.2018 at 14:54 +0000, Heinz Hölzl via samba wrote:
> Hi,
>
> there is no firewall, all DCs are in the same subnet.
>
> here is the output of a test, you can see, the CNAME guid entries in
> the _msdcs can be resolved on any DC: (DC1 and DC2 are the first and
> second DCs, SAMBA3 was added at last.
>
> ldbsearch -H /srv/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
> # record 1
> dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
> objectGUID: 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f
>
> # record 2
> dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
> objectGUID: 9ec652b4-146c-4ff1-babe-5abe291325be
>
> # record 3
> dn: CN=NTDS Settings,CN=SAMBA3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=net
> objectGUID: c01a335e-1794-4997-9c7e-553be77fba04
>
> # returned 3 records
> # 3 entries
> # 0 referrals
>
> host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net DC1
> 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for dc2.test.net.
>
> host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net DC2
> 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for dc2.test.net.
>
> host -t CNAME 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net SAMBA3
> 9e4b0aa7-629b-4535-b1d4-9cb5bf20cb7f._msdcs.test.net is an alias for dc2.test.net.
>
> host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net DC1
> 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for dc1.test.net.
>
> host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net DC2
> 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for dc1.test.net.
>
> host -t CNAME 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net SAMBA3
> 9ec652b4-146c-4ff1-babe-5abe291325be._msdcs.test.net is an alias for dc1.test.net.
>
> host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net DC1
> c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for SAMBA3.test.net.
>
> host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net DC2
> c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for SAMBA3.test.net.
>
> host -t CNAME c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net SAMBA3
> c01a335e-1794-4997-9c7e-553be77fba04._msdcs.test.net is an alias for SAMBA3.test.net.
>
>
> On Tuesday, 16.01.2018 at 12:10 +0100, Denis Cardon wrote:
> > Hi Heinz,
> >
> > > i have the same problem on samba 4.7.3 and 4.7.4.
> > > I start with 2 DCs and the sync works fine. After the join of a
> > > third DC mostly i get the WERR_DS_DRA_ACCESS_DENIED. I tested it
> > > for 10 times.
> > >
> > > in my case i have:
> > > DC1 (with any FSMO Roles)
> > > DC2
> > >
> > > new join as DC:
> > > DC3
> > >
> > > After the join, the sync from DC2 to DC3 fails.
> > >
> > > samba-tool drs replicate dc2 dc1 dc=gvcc,dc=net : OK
> > > samba-tool drs replicate dc1 dc2 dc=gvcc,dc=net : OK
> > > samba-tool drs replicate dc2 dc3 dc=gvcc,dc=net : OK
> > > samba-tool drs replicate dc1 dc3 dc=gvcc,dc=net : OK
> > > samba-tool drs replicate dc3 dc1 dc=gvcc,dc=net : OK
> > > samba-tool drs replicate dc3 dc2 dc=gvcc,dc=net : NOT OK
> >
> > like Rowland pointed you earlier, it is often an issue with missing
> > DNS entries. Be sure to check that samba_dnsupdate on both servers
> > is happy, especially with the CNAME guid entries in the _msdcs zone.
> >
> > Another case I saw was that firewall had not been disabled (or at
> > least the port opening was not done right).
> >
> > Cheers,
> >
> > Denis
> >
> > >
> > > p.s. DC3 is a new server which never was a member in the ADS.
> > >
> > >
> > > regards,
> > > heinz
> > >
> > > On Wednesday, 27.12.2017 at 14:44 +0100, Dr. Johannes-Ulrich Menzebach via samba wrote:
> > > > Rowland,
> > > >
> > > > - the DN "CN=DCNH1,..." exists on all 3 DCs (pointing the Sites
> > > >   and Services console to each of them).
> > > > - I also checked that "samba-tool dbcheck" completes w/o showing
> > > >   errors.
> > > > - the objectGUID DNS aliases of all DCs are resolvable against
> > > >   all 3 DCs' builtin DNS
> > > > - I forced a full sync from the FSMO holder (dcge1) to the 2
> > > >   other DCs which finished w/o errors.
> > > > - after that, sync and also full sync dcdo1-->dcnh1 failed
> > > >   exactly as earlier.
> > > >
> > > > I'm wondering whether this is related to
> > > > https://bugzilla.samba.org/show_bug.cgi?id=12972 , however I'm
> > > > running 4.7.4 and the domain had been created under 4.7.3 (based
> > > > on the Samba Wiki). Apart from the sync issue I'm VERY happy with
> > > > Samba4/AD.
> > > >
> > > > Many thanks,
> > > >
> > > > Uli
> > > >
> > > >
> > > > On 12/27/2017 01:29 PM, Rowland Penny via samba wrote:
> > > > > On Wed, 27 Dec 2017 13:00:05 +0100 "Dr. Johannes-Ulrich
> > > > > Menzebach via samba" <samba at lists.samba.org> wrote:
> > > > >
> > > > > > There is additional info in the logs of the source DC
> > > > > > (dcdo1, log level 2, manually triggered another
> > > > > > replication):
> > > > > > ===================
> > > > > > [2017/12/27 12:31:29.695121, 2] ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)
> > > > > >   ../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on DC=ad,DC=kdu,DC=com using filter (uSNChanged>=5415)
> > > > > > [2017/12/27 12:31:29.698828, 2] ../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_DsGetNCChanges)
> > > > > >   DsGetNCChanges with uSNChanged >= 5415 flags 0x80000064 on <GUID=141bbe37-5eda-42b8-b904-0b75e26b1e2d>;<SID=S-1-5-21-454945863-777199239-1595221609>;DC=ad,DC=kdu,DC=com gave 0 objects (done 0/0) 0 links (done 0/0 (as S-1-5-21-454945863-777199239-1595221609-1112))
> > > > > > [2017/12/27 12:31:29.733157, 1] ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
> > > > > >   ../source4/dsdb/common/util.c:4807: Failed to find account dn (serverReference) for CN=DCNH1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com, parent of DSA with objectGUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76, sid S-1-5-21-454945863-777199239-1595221609-1112
> > > > > > [2017/12/27 12:31:29.733198, 0] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
> > > > > >   ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-454945863-777199239-1595221609-1112 with GUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76
> > > > > >
> > > > > > According to what I see in the "Sites and Services" RSAT
> > > > > > console the DN for
> > > > > > CN=DCNH1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com
> > > > > > seems to exist.
> > > > > >
> > > > > > Any ideas?
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Uli
> > > > > >
> > > > > >
> > > > > > On 12/27/2017 09:59 AM, Dr. Johannes-Ulrich Menzebach via
> > > > > > samba wrote:
> > > > > > > We have 3 ADCs based on Samba-4.7.4 (compiled from
> > > > > > > source, internal DNS) / CentOS7: dcdo1, dcnh1 and dcge1.
> > > > > > > dcge1 holds all FSMO roles.
> > > > > > > The 3 ADCs are on different locations connected via IPSec
> > > > > > > based VPN. No traffic is filtered out.
> > > > > > >
> > > > > > > All 3 ADCs replicate fine except dcdo1 -->dcnh1.
> > > > > > > Symptom:
> > > > > > >
> > > > > > > [root@dcdo1 ~]# samba-tool drs replicate dcnh1.ad.kdu.com dcdo1.ad.kdu.com dc=ad,dc=kdu,dc=com
> > > > > > > ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
> > > > > > >   File "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 386, in run
> > > > > > >     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
> > > > > > >   File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line 85, in sendDsReplicaSync
> > > > > > >     raise drsException("DsReplicaSync failed %s" % estr)
> > > > > > >
> > > > > > > Log on dcdo1:
> > > > > > > =============
> > > > > > > [2017/12/27 08:20:56.335895, 0] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
> > > > > > >   ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-454945863-777199239-1595221609-1112 with GUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76
> > > > > > >
> > > > > > > Log on target DC dcnh1:
> > > > > > > =============
> > > > > > > [2017/12/27 08:20:55.278559, 5] ../auth/auth_log.c:860(log_successful_authz_event_human_readable)
> > > > > > >   Successful AuthZ: [DCE/RPC,ncacn_ip_tcp] user [NT AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Wed, 27 Dec 2017 08:20:55.278538 CET] Remote host [ipv4:192.168.172.14:36196] local host [ipv4:192.168.152.15:135]
> > > > > > > [2017/12/27 08:20:55.278641, 5] ../auth/auth_log.c:220(log_json)
> > > > > > >   JSON Authorization: {"timestamp": "2017-12-27T08:20:55.278587+0100", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 0}, "localAddress": "ipv4:192.168.152.15:135", "remoteAddress": "ipv4:192.168.172.14:36196", "serviceDescription": "DCE/RPC", "authType": "ncacn_ip_tcp", "domain": "NT AUTHORITY", "account": "ANONYMOUS LOGON", "sid": "S-1-5-7", "logonServer": "DCNH1", "transportProtection": "NONE", "accountFlags": "0x00000010"}}
> > > > > > > [2017/12/27 08:20:55.278660, 3] ../auth/auth_log.c:139(get_auth_event_server)
> > > > > > >   get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
> > > > > > > [2017/12/27 08:20:55.337740, 3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> > > > > > >   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> > > > > > > [2017/12/27 08:20:55.337873, 3] ../source4/smbd/process_single.c:114(single_terminate)
> > > > > > >   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
> > > > > > > [2017/12/27 08:20:55.506117, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
> > > > > > >   ldb_wrap open of secrets.ldb
> > > > > > > [2017/12/27 08:20:55.506420, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> > > > > > >   Starting GENSEC mechanism spnego
> > > > > > > [2017/12/27 08:20:55.506501, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> > > > > > >   Starting GENSEC submechanism gssapi_krb5
> > > > > > > [2017/12/27 08:20:55.536259, 5] ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update_internal)
> > > > > > >   gensec_gssapi: credentials were delegated
> > > > > > > [2017/12/27 08:20:55.536320, 5] ../source4/auth/gensec/gensec_gssapi.c:685(gensec_gssapi_update_internal)
> > > > > > >   GSSAPI Connection will be cryptographically sealed
> > > > > > > [2017/12/27 08:20:55.538591, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_T\04\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.538644, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_\04\02\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.538712, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_<\02\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.538762, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.538819, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.538864, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.538909, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.538967, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.539029, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1
> > > > > > > [2017/12/27 08:20:55.539087, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.539289, 4] ../auth/auth_log.c:860(log_successful_authz_event_human_readable)
> > > > > > >   Successful AuthZ: [DCE/RPC,krb5] user [AD]\[DCDO1$] [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec 2017 08:20:55.539277 CET] Remote host [ipv4:192.168.172.14:57364] local host [ipv4:192.168.152.15:49152]
> > > > > > > [2017/12/27 08:20:55.539359, 4] ../auth/auth_log.c:220(log_json)
> > > > > > >   JSON Authorization: {"timestamp": "2017-12-27T08:20:55.539334+0100", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 0}, "localAddress": "ipv4:192.168.152.15:49152", "remoteAddress": "ipv4:192.168.172.14:57364", "serviceDescription": "DCE/RPC", "authType": "krb5", "domain": "AD", "account": "DCDO1$", "sid": "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer": "DCDO1", "transportProtection": "SEAL", "accountFlags": "0x00002100"}}
> > > > > > > [2017/12/27 08:20:55.539398, 3] ../auth/auth_log.c:139(get_auth_event_server)
> > > > > > >   get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
> > > > > > > [2017/12/27 08:20:55.568937, 3] ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89(dcesrv_drsuapi_DsBind)
> > > > > > >   ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89: doing DsBind with system_session
> > > > > > > [2017/12/27 08:20:55.641297, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
> > > > > > >   ldb_wrap open of secrets.ldb
> > > > > > > [2017/12/27 08:20:55.644257, 5] ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
> > > > > > >   ldb_request BASE dn= filter=(|(objectClass=*)(distinguishedName=*))
> > > > > > > [2017/12/27 08:20:55.706421, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.706573, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.706777, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > > > >   Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from ipv4:192.168.172.14:48486 for ldap/dcnh1.ad.kdu.com@AD.kdu.COM [canonicalize]
> > > > > > > [2017/12/27 08:20:55.708186, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.708670, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.708795, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.709594, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.710027, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > > > >   Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime: 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till: unset
> > > > > > > [2017/12/27 08:20:55.740222, 3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> > > > > > >   Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> > > > > > > [2017/12/27 08:20:55.740440, 3] ../source4/smbd/process_single.c:114(single_terminate)
> > > > > > >   single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> > > > > > > [2017/12/27 08:20:55.770764, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.771034, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.771283, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > > > >   Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from ipv4:192.168.172.14:48488 for krbtgt/AD.kdu.COM@AD.kdu.COM [forwarded, forwardable]
> > > > > > > [2017/12/27 08:20:55.771576, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.771786, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.772103, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.772257, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.773194, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > > > > > > [2017/12/27 08:20:55.773691, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > > > >   Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime: 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till: unset
> > > > > > > [2017/12/27 08:20:55.804565, 3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> > > > > > >   Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> > > > > > > [2017/12/27 08:20:55.804774, 3] ../source4/smbd/process_single.c:114(single_terminate)
> > > > > > >   single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> > > > > > > [2017/12/27 08:20:55.806137, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> > > > > > >   Starting GENSEC mechanism spnego
> > > > > > > [2017/12/27 08:20:55.806296, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> > > > > > >   Starting GENSEC submechanism gssapi_krb5
> > > > > > > [2017/12/27 08:20:55.807170, 5] ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update_internal)
> > > > > > >   gensec_gssapi: credentials were delegated
> > > > > > > [2017/12/27 08:20:55.807242, 5] ../source4/auth/gensec/gensec_gssapi.c:687(gensec_gssapi_update_internal)
> > > > > > >   GSSAPI Connection will be cryptographically signed
> > > > > > > [2017/12/27 08:20:55.810168, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_T\04\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.810265, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_\04\02\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.810353, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_<\02\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.810428, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.810507, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.810582, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.810674, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.810745, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.810826, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1
> > > > > > > [2017/12/27 08:20:55.810901, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
> > > > > > >   gendb_search_v: NULL objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0
> > > > > > > [2017/12/27 08:20:55.811125, 4] ../auth/auth_log.c:860(log_successful_authz_event_human_readable)
> > > > > > >   Successful AuthZ: [LDAP,krb5] user [AD]\[DCDO1$] [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec 2017 08:20:55.811108 CET] Remote host [ipv4:192.168.172.14:56798] local host [ipv4:192.168.152.15:389]
> > > > > > > [2017/12/27 08:20:55.811301, 4] ../auth/auth_log.c:220(log_json)
> > > > > > >   JSON Authorization: {"timestamp": "2017-12-27T08:20:55.811228+0100", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 0}, "localAddress": "ipv4:192.168.152.15:389", "remoteAddress": "ipv4:192.168.172.14:56798", "serviceDescription": "LDAP", "authType": "krb5", "domain": "AD", "account": "DCDO1$", "sid": "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer": "DCDO1", "transportProtection": "SIGN", "accountFlags": "0x00002100"}}
> > > > > > > [2017/12/27 08:20:55.811385, 3] ../auth/auth_log.c:139(get_auth_event_server)
> > > > > > >   get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
> > > > > > > [2017/12/27 08:20:55.841539, 5] ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
> > > > > > >   ldb_request BASE dn= filter=(objectClass=*)
> > > > > > > [2017/12/27 08:20:55.871177, 5] ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
> > > > > > >   ldb_request SUB dn=CN=Configuration,DC=ad,DC=kdu,DC=com filter=(&(objectCategory=server)(|(name=dcdo1.ad.kdu.com)(dNSHostName=dcdo1.ad.kdu.com)))
> > > > > > > [2017/12/27 08:20:55.902579, 5] ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
> > > > > > >   ldb_request ONE dn=CN=DCDO1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com filter=(|(objectCategory=nTDSDSA)(objectCategory=nTDSDSARO))
> > > > > > > [2017/12/27 08:20:55.932550, 5] default/librpc/gen_ndr/ndr_drsuapi_s.c:93(drsuapi__op_dispatch)
> > > > > > >   function drsuapi_DsReplicaSync will reply async
> > > > > > > [2017/12/27 08:20:55.932676, 3] ../source4/dsdb/repl/drepl_service.c:206(_drepl_schedule_replication)
> > > > > > >   _drepl_schedule_replication: forcing sync of partition (141bbe37-5eda-42b8-b904-0b75e26b1e2d, dc=ad,dc=kdu,dc=com, 1d535613-81fa-435f-ba17-631d5742c775._msdcs.ad.kdu.com)
> > > > > > > [2017/12/27 08:20:55.932697, 4] ../source4/dsdb/repl/drepl_periodic.c:187(dreplsrv_pendingops_schedule)
> > > > > > >   dreplsrv_pending_schedule(1) scheduled for: Wed Dec 27 08:20:57 2017 CET
> > > > > > > [2017/12/27 08:20:56.971645, 4] ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6725(replmd_extended_replicated_objects)
> > > > > > >   linked_attributes_count=0
> > > > > > > [2017/12/27 08:20:56.971966, 4] ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6561(replmd_replicated_uptodate_modify)
> > > > > > >   DRS replication uptodate modify message:
> > > > > > >   dn: DC=ad,DC=kdu,DC=com
> > > > > > >   changetype: modify
> > > > > > >   replace: replUpToDateVector
> > > > > > >   -
> > > > > > >   replace: repsFrom
> > > > > > >   -
> > > > > > >
> > > > > > > [2017/12/27 08:20:56.974912, 2] ../source4/dsdb/repl/replicated_objects.c:1020(dsdb_replicated_objects_commit)
> > > > > > >   Replicated 0 objects (0 linked attributes) for DC=ad,DC=kdu,DC=com
> > > > > > > [2017/12/27 08:20:57.004974, 0] ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
> > > > > > >   UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for
> > > > > > > 0acce4bc-1193-4609-8e4d-a0771bb6fb76._msdcs.ad.kdu.com > > > > > > > DC=ad,DC=kdu,DC=com [2017/12/27 08:20:57.005468, 4] > > > > > > > ../source4/dsdb/repl/drepl_out_pull.c:181(dreplsrv_pendin > > > > > > > g_ > > > > > > > op_c > > > > > > > allback) > > > > > > > dreplsrv_op_pull_source(WERR_DS_DRA_ACCESS_DENIED) for > > > > > > > DC=ad,DC=kdu,DC=com > > > > > > > [2017/12/27 08:20:57.009507, 5] > > > > > > > default/librpc/gen_ndr/ndr_drsuapi_s.c:389(drsuapi__op_re > > > > > > > pl > > > > > > > y) > > > > > > > function drsuapi_DsReplicaSync replied async > > > > > > > [2017/12/27 08:20:57.053246, 3] > > > > > > > ../source4/smbd/service_stream.c:65(stream_terminate_conn > > > > > > > ec > > > > > > > tion > > > > > > > ) > > > > > > > Terminating connection - 'dcesrv: > > > > > > > NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27 > > > > > > > 08:20:57.053478, 3] > > > > > > > ../source4/smbd/process_single.c:114(single_terminate) > > > > > > > single_terminate: reason[dcesrv: > > > > > > > NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27 > > > > > > > 08:20:57.053528, 3] > > > > > > > ../source4/smbd/service_stream.c:65(stream_terminate_conn > > > > > > > ec > > > > > > > tion > > > > > > > ) > > > > > > > Terminating connection - 'ldapsrv_call_loop: > > > > > > > tstream_read_pdu_blob_recv() - > > > > > > > NT_STATUS_CONNECTION_DISCONNECTED' > > > > > > > [2017/12/27 08:20:57.053760, 2] > > > > > > > ../source4/smbd/process_standard.c:473(standard_terminate > > > > > > > ) > > > > > > > standard_terminate: reason[ldapsrv_call_loop: > > > > > > > tstream_read_pdu_blob_recv() - > > > > > > > NT_STATUS_CONNECTION_DISCONNECTED] > > > > > > > [2017/12/27 08:20:57.057842, 2] > > > > > > > ../source4/smbd/process_standard.c:157(standard_child_pip > > > > > > > e_ > > > > > > > hand > > > > > > > ler) > > > > > > > Child 900 () exited with status 0 > > > > > > > > > > > > > > Any hints/ideas very much appreciated ... 
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > > Uli
> > > > >
> > > > > Couple of thoughts, try reading this:
> > > > >
> > > > > https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
> > > > >
> > > > > and this:
> > > > >
> > > > > https://wiki.samba.org/index.php/Manually_Replicating_Directory_Partitions
> > > > >
> > > > > Does the missing 'CN' exist on the other two DCs ?
> > > > >
> > > > > Rowland
Rowland Penny
2018-Apr-04 12:50 UTC
[Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
On Wed, 4 Apr 2018 14:32:22 +0200 Dirk Laurenz via samba <samba at lists.samba.org> wrote:

> Same error here...
>
> root@samba01:~# samba-tool ldapcmp ldap://samba01 ldap://samba02
> -Uadministrator --filter=CN,DC,member CONFIGURATION Password for
> [LAURENZ\administrator]:
>

Firstly, I wouldn't have joined the new DC's with the names of the old DC's.

Have you checked if '63f4e656-6590-4c1d-a362-c3b97b5e464d._msdcs.local.laurenz.ws' is a valid GUID ? Is it something left over from an old join ?

Rowland
Dirk Laurenz
2018-Apr-04 13:06 UTC
[Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
Yes - is valid

root@samba03:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=SAMBA03,CN=Servers,CN=Harz,CN=Sites,CN=Configuration,DC=local,DC=laurenz,DC=ws
objectGUID: 63f4e656-6590-4c1d-a362-c3b97b5e464d

# record 2
dn: CN=NTDS Settings,CN=SAMBA01,CN=Servers,CN=Zuhause,CN=Sites,CN=Configuration,DC=local,DC=laurenz,DC=ws
objectGUID: 2f342b05-98f4-430d-8613-7fceff09f982

# record 3
dn: CN=NTDS Settings,CN=SAMBA02,CN=Servers,CN=Zuhause,CN=Sites,CN=Configuration,DC=local,DC=laurenz,DC=ws
objectGUID: 948e49d3-e161-46c1-a2a0-91072eb408cc

# returned 3 records
# 3 entries
# 0 referrals

I've tried this serverReference fix .... seems to help

-----Original Message-----
From: Rowland Penny <rpenny at samba.org>
Sent: Wednesday, 4 April 2018 14:50
To: samba at lists.samba.org
Cc: Dirk Laurenz <samba at laurenz.ws>
Subject: Re: [Samba] AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging

On Wed, 4 Apr 2018 14:32:22 +0200 Dirk Laurenz via samba <samba at lists.samba.org> wrote:

> Same error here...
>
> root@samba01:~# samba-tool ldapcmp ldap://samba01 ldap://samba02
> -Uadministrator --filter=CN,DC,member CONFIGURATION Password for
> [LAURENZ\administrator]:
>

Firstly, I wouldn't have joined the new DC's with the names of the old DC's.

Have you checked if '63f4e656-6590-4c1d-a362-c3b97b5e464d._msdcs.local.laurenz.ws' is a valid GUID ? Is it something left over from an old join ?

Rowland
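
The check discussed above (does the GUID in a failing "<guid>._msdcs.<domain>" name belong to a current DC, or is it left over from an old join?) can be done mechanically. The following is an added example, not part of the thread and not Samba code: it maps each failed UpdateRefs log entry to the NTDS Settings object with that objectGUID. The function names are hypothetical, and the sample inputs are constructed in the formats quoted in the thread (timestamps and the all-zero GUID are made up).

```python
import re

# Constructed sample: ldbsearch '(invocationId=*)' output, one DN LDIF-folded.
LDBSEARCH = """\
# record 1
dn: CN=NTDS Settings,CN=SAMBA03,CN=Servers,CN=Harz,CN=Sites,CN=Configuration,DC=local,
 DC=laurenz,DC=ws
objectGUID: 63f4e656-6590-4c1d-a362-c3b97b5e464d

# record 2
dn: CN=NTDS Settings,CN=SAMBA01,CN=Servers,CN=Zuhause,CN=Sites,CN=Configuration,DC=local,DC=laurenz,DC=ws
objectGUID: 2f342b05-98f4-430d-8613-7fceff09f982
"""

# Constructed sample: two failed UpdateRefs entries in the Samba log format.
LOG = """\
[2018/04/04 12:00:00.000000, 0] ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
  UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 63f4e656-6590-4c1d-a362-c3b97b5e464d._msdcs.local.laurenz.ws DC=local,DC=laurenz,DC=ws
[2018/04/04 12:00:05.000000, 0] ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
  UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 00000000-0000-0000-0000-000000000000._msdcs.local.laurenz.ws DC=local,DC=laurenz,DC=ws
"""

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
FAIL = re.compile(
    rf"UpdateRefs failed with (WERR_\w+)/NT\s+code\s+\S+\s+for\s+({GUID})\._msdcs\.(\S+)\s+(\S+)")

def ntds_guids(ldif):
    """Map NTDS Settings objectGUID -> server CN from ldbsearch output."""
    ldif = re.sub(r"\n ", "", ldif)            # undo LDIF line folding
    guids, server = {}, None
    for line in ldif.splitlines():
        m = re.match(r"dn: CN=NTDS Settings,CN=([^,]+),", line)
        if m:
            server = m.group(1)
        elif line.startswith("objectGUID: ") and server:
            guids[line.split(": ", 1)[1].strip().lower()] = server
            server = None
    return guids

def updaterefs_failures(log, guids):
    """Return (guid, server or None, WERR code, partition) per failed UpdateRefs."""
    flat = re.sub(r"\n\s+", " ", log)          # join header and message lines
    return [(g.lower(), guids.get(g.lower()), werr, nc)
            for werr, g, _domain, nc in FAIL.findall(flat)]

if __name__ == "__main__":
    for guid, server, werr, nc in updaterefs_failures(LOG, ntds_guids(LDBSEARCH)):
        print(f"{werr} {nc}: {guid} -> {server or 'no NTDS Settings object found'}")
```

A server of None means the local database has no NTDS Settings object with that GUID. A GUID that does resolve to a server, as in Dirk's case, points the investigation at that server's own object, which is where the ldapcmp output in this thread shows serverReference missing on one DC.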