Martin Krämer
2018-Dec-20  13:59 UTC
[Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
Hello everyone,
I have set up two Samba AD DCs with the BIND9_DLZ DNS backend.
faiserver.example.corp is one of them, hosting all FSMO roles.
location-000001.example.corp is the second one.
Both are in different subnets but can reach each other.
Unfortunately replication only works from faiserver.example.corp ->
location-000001.example.corp.
In the other direction, location-000001.example.corp ->
faiserver.example.corp, it does not work.
I always end up with error:
----------
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
----------
I have already checked all topics I am aware of related to correct name
resolution (because that is what I found on the web that the error I
receive is related to).
The only interesting thing I found is that running "host -t SRV
_kerberos._udp.example.corp" on faiserver.example.corp prints only the
current DC, while running it on location-000001.example.corp prints both DCs
... nevertheless I am not sure if this might be a cause or is just another
bad result of the one-way sync.
Maybe someone has an idea?
Attached you can find two files (one for each DC) with all information that
I found could be relevant. If further information is required please let me
know.
Thanks for any hint pointing me into the right direction.
Kind Regards
mk-maddin
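The post above describes the two DCs' resolvers disagreeing on the `_kerberos._udp` SRV set. The script below is an added example (not part of the post, nor a Samba tool): it parses `host -t SRV` output from two vantage points and reports any target one side advertises and the other does not, so the discrepancy can be checked mechanically on every record a DC depends on. The sample answers are constructed to mirror what the post describes; the `srv_view` helper, the hypothetical script name `srvcheck.sh` and the live arguments are assumptions, and live use needs the `host` utility from dnsutils/bind9-host.

```shell
#!/bin/sh
# Added example: compare the SRV answers two DCs' resolvers give for the same
# record and report targets that one side is missing. The sample data below
# is constructed to mirror the discrepancy described in the post.

# Constructed sample: what `host -t SRV _kerberos._udp.example.corp` printed
# when asked on faiserver (only itself) versus on location-000001 (both DCs).
SAMPLE_FAISERVER='_kerberos._udp.example.corp has SRV record 0 100 88 faiserver.example.corp.'
SAMPLE_LOCATION='_kerberos._udp.example.corp has SRV record 0 100 88 faiserver.example.corp.
_kerberos._udp.example.corp has SRV record 0 100 88 location-000001.example.corp.'

# srv_targets TEXT: print each SRV target host (trailing dot removed), sorted, one per line.
srv_targets() {
  printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }' | sort -u
}

# missing_targets VIEW_A VIEW_B: targets advertised in VIEW_B but absent from VIEW_A.
# Empty output means VIEW_A knows every KDC/DC that VIEW_B knows.
missing_targets() {
  { srv_targets "$1" | sed 's/^/A /'; srv_targets "$2" | sed 's/^/B /'; } |
    awk '$1 == "A" { seen[$2] = 1 } $1 == "B" && !seen[$2] { print $2 }'
}

# srv_view NAME SERVER: live query against one DC's resolver (assumption: the
# `host` tool is installed); not used by the sample run below.
srv_view() {
  host -t SRV "$1" "$2"
}

# report LABEL_A VIEW_A LABEL_B VIEW_B: one line per target missing on either side.
report() {
  for t in $(missing_targets "$2" "$4"); do echo "$1 does not return $t (but $3 does)"; done
  for t in $(missing_targets "$4" "$2"); do echo "$3 does not return $t (but $1 does)"; done
}

if [ "$#" -eq 3 ]; then
  # Live use: ./srvcheck.sh _kerberos._udp.example.corp <dc1-address> <dc2-address>
  report "$2" "$(srv_view "$1" "$2")" "$3" "$(srv_view "$1" "$3")"
else
  report faiserver "$SAMPLE_FAISERVER" location-000001 "$SAMPLE_LOCATION"
fi
```

Run it for `_ldap._tcp`, `_kerberos._udp` and the `_msdcs` sub-records as well; a DC whose own resolver omits a partner's SRV records will fail to locate that partner for Kerberos and LDAP no matter how healthy the replication topology looks.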
L.P.H. van Belle
2018-Dec-20  14:19 UTC
[Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
Let's start with. . The list does not accept attachments..
What is the running OS?
The samba versions?
And the smb.conf ?
Depending on version you can force a re-sync but first tell us more.
Greetz,
Louis
Rowland Penny
2018-Dec-20  14:19 UTC
[Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
On Thu, 20 Dec 2018 14:59:52 +0100 Martin Krämer via samba <samba at lists.samba.org> wrote:
> Attached you can find two files (one for each DC) with all
> information that I found could be relevant. If further information is
> required please let me know.
This mailing list strips all attachments, so you are going to have to post any info in a post.
How have you set up bind9 ?
What OS ?
What Samba version(s) ?
Post the contents of these files (from both DC's):
/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf
your named.conf file(s)
smb.conf
Rowland
Martin Krämer
2018-Dec-20  15:10 UTC
[Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
Thanks for the fast reply.
Sorry - I was not aware that attachments are not forwarded.
(All information you requested was included there.)
I think I have already tried a resync via "samba-tool drs replicate" -
but better see below the printout of the previous attachment "faiserver.log".
Thanks for help in advance :)
root at faiserver:~# uname -a
Linux faiserver.example.corp 4.9.0-8-amd64 #1 SMP Debian 4.9.135-1
(2018-11-11) x86_64 GNU/Linux
root at faiserver:~# hostname -f
faiserver.example.corp
root at faiserver:~# host 192.168.33.250
250.33.168.192.in-addr.arpa domain name pointer faiserver.example.corp.
root at faiserver:~# host faiserver.example.corp
faiserver.example.corp has address 192.168.33.250
root at faiserver:~# host 192.168.34.250
Host 250.34.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
root at faiserver:~# host location-000001.example.corp
location-000001.example.corp has address 192.168.34.250
root at faiserver:~# samba -V
Version 4.5.12-Debian
root at faiserver:~# samba-tool drs replicate faiserver.example.corp location-000001.example.corp DC=example,DC=corp
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
root at faiserver:~# samba-tool drs replicate location-000001.example.corp faiserver.example.corp DC=example,DC=corp
Replicate from faiserver.example.corp to location-000001.example.corp was successful.
root at faiserver:~# samba-tool drs showrepl
Default-First-Site-Name\FAISERVER
DSA Options: 0x00000001
DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
DSA invocationId: 20bce62d-cf4a-404a-8884-3552f409179d
==== INBOUND NEIGHBORS ===
DC=ForestDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
1 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ===
DC=ForestDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
Last success @ NTTIME(0)
DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ===
Connection --
Connection name: 6c51da6c-3fe9-41f8-a9ac-a99949a235e4
Enabled        : TRUE
Server DNS name : location-000001.example.corp
Server DN name  : CN=NTDS
Settings,CN=LOCATION-000001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=corp
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
root at faiserver:~# url="https://raw.githubusercontent.com/thctlo/samba4/master/samba-setup-checkup.sh" && wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename ${url})
Check hostnames : Ok
./samba-setup-checkup.sh: line 91: [: !=: unary operator expected
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 192.168.33.1 : Ok
Warning, no ping to gateway, this might be firewalled.
check you internet connection, AD DNS might need it.
ping nameserver1: 127.0.0.1 : Ok
ping nameserver2: 8.8.4.4 : Ok
Check ping google dns : 8.8.8.8 : Ok
Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
Check you internet connection, AD DNS might need it.
Checking file owner..
-rw-r--r-- root root /etc/samba/smb.conf
Checking file owner..
-rw-r--r-- root root /etc/samba/lmhosts
Checking file owner..
-rw-r--r-- root root /etc/samba/smbpasswd
drwxr-xr-x root root /usr/bin
drwxr-xr-x root root /var/cache/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu
drwxr-xr-x root root /var/run/samba
drwxr-x--- root adm /var/log/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu/samba
drwxr-xr-x root root /var/run/samba
drwxr-xr-x root root /var/lib/samba/private
drwxr-xr-x root root /usr/sbin
drwxr-xr-x root root /var/lib/samba
DCS faiserver.example.corp
DC1 faiserver.example.corp
DC2
Samba AD DC info:             =  detected (command and where to look)
This server hostname          = faiserver (hostname -s and /etc/hosts and
DNS server)
This server FQDN (hostname)   = faiserver.example.corp (hostname -f and
/etc/hosts and DNS server)
This server primary dnsdomain = example.corp (hostname -d and
/etc/resolv.conf and DNS server)
This server IP address(ses)   = 192.168.33.250  Only one interface detected
(hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles        = FAISERVER (samba-tool fsmo show)
The DC (with FSMO) Site name  = Default-First-Site-Name (samba-tool fsmo
show)
The Default Naming Context    = DC=example,DC=corp (samba-tool fsmo show)
The Kerberos REALM name used  = EXAMPLE.CORP    (kinit and /etc/krb5.conf
and resolving)
The Ipadres of DC faiserver.example.corp        = 192.168.33.250
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon,
lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
root at faiserver:~# url="https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh" && wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename ${url}) &>/dev/null && cat /tmp/samba-debug-info.txt
Collected config  --- 2018-12-20-13:49 -----------
Hostname: faiserver
DNS Domain: example.corp
FQDN: faiserver.example.corp
ipaddress: 192.168.33.250
-----------
Samba is running as an AD DC
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
Warning, /etc/devuan_version does not exist
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP group default qlen 1000
    link/ether 52:54:00:87:44:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.33.250/24 brd 192.168.33.255 scope global ens3
    inet6 fe80::5054:ff:fe87:4460/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
nameserver 127.0.0.1
nameserver 8.8.4.4
domain example.corp
search example.corp
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.CORP
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
passwd:         compat sss
group:          compat sss
shadow:         compat sss
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files
netgroup:       nis sss
sudoers:        files sss
-----------
Checking file: /etc/samba/smb.conf
[global]
realm = EXAMPLE.CORP
kerberos method = secrets and keytab
client use spnego = yes
client signing = yes
server services = -dns
ldap server require strong auth = no
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls keyfile = tls/key.pem
tls enabled = yes
idmap_ldb:use rfc2307 = yes
   workgroup = EXAMPLE
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = active directory domain controller
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = No
[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700
   valid users = %S
[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
[netlogon]
read only = no
path = /var/lib/samba/sysvol/example.corp/Scripts
[sysvol]
read only = no
path = /var/lib/samba/sysvol
-----------
No username map detected.
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";
-----------
Checking file: /etc/bind/named.conf.options
options {
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
forwarders { 8.8.4.4; };
allow-query { internals; };
allow-query-cache { internals; };
recursion yes;
allow-recursion { internals; };
allow-transfer { internals; };
listen-on { any; };
directory "/var/cache/bind";
dnssec-validation no;
auth-nxdomain no;    # conform to RFC1035
listen-on-v6 { none; };
};
acl internals {
127.0.0.1/8; 192.168.33.0/24;
};
-----------
Checking file: /etc/bind/named.conf.local
-----------
Checking file: /etc/bind/named.conf.default-zones
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
ii  krb5-config                       2.6                            all
      Configuration files for Kerberos Version 5
ii  krb5-user                         1.15-1+deb9u1                  amd64
      basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                     2.2.52-3+b1                    amd64
      Access control list shared library
ii  libgssapi-krb5-2:amd64            1.15-1+deb9u1                  amd64
      MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64          7.1.0+dfsg-13+deb9u2           amd64
      Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                   1.15-1+deb9u1                  amd64
      MIT Kerberos runtime libraries
ii  libkrb5support0:amd64             1.15-1+deb9u1                  amd64
      MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64              2:4.5.12+dfsg-2+deb9u4         amd64
      Samba nameservice integration plugins
ii  libpam-winbind:amd64              2:4.5.12+dfsg-2+deb9u4         amd64
      Windows domain authentication integration plugin
ii  libsmbclient:amd64                2:4.5.12+dfsg-2+deb9u4         amd64
      shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64                2:4.5.12+dfsg-2+deb9u4         amd64
      Samba winbind client library
ii  python-samba                      2:4.5.12+dfsg-2+deb9u4         amd64
      Python bindings for Samba
ii  samba                             2:4.5.12+dfsg-2+deb9u4         amd64
      SMB/CIFS file, print, and login server for Unix
ii  samba-common                      2:4.5.12+dfsg-2+deb9u4         all
      common files used by both the Samba server and client
ii  samba-common-bin                  2:4.5.12+dfsg-2+deb9u4         amd64
      Samba common files used by both the server and the client
ii  samba-dsdb-modules                2:4.5.12+dfsg-2+deb9u4         amd64
      Samba Directory Services Database
ii  samba-libs:amd64                  2:4.5.12+dfsg-2+deb9u4         amd64
      Samba core libraries
ii  samba-vfs-modules                 2:4.5.12+dfsg-2+deb9u4         amd64
      Samba Virtual FileSystem plugins
ii  smbclient                         2:4.5.12+dfsg-2+deb9u4         amd64
      command-line SMB/CIFS clients for Unix
ii  sssd-krb5                         1.15.0-3                       amd64
      System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common                  1.15.0-3                       amd64
      System Security Services Daemon -- Kerberos helpers
ii  winbind                           2:4.5.12+dfsg-2+deb9u4         amd64
      service to resolve user and group information from Windows NT servers
-----------
root at faiserver:~#
On Thu, 20 Dec 2018 at 15:19, L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:
> Lets start with. .
> The list does not accept attachments..
>
> What is the running OS?
> The samba versions?
> And the smb.conf ?
>
> Depending on version you can force a re-sync but first tell us more.
>
> Greetz,
>
> Louis
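The `samba-tool drs showrepl` dump in the message above has to be read by eye to spot that the domain NC fails inbound while four NCs fail outbound, all against LOCATION-000001 with WERR_BADFILE. The script below is an added example, not from the thread or from Samba: it reduces that output to one line per failing link (direction, naming context, partner, error, consecutive-failure count), which is what a monitoring check should alert on. The sample is constructed from the structure of the thread's output, shortened to four neighbour blocks; the `--live` flag and the hypothetical script name `replcheck.sh` are assumptions, and live use needs `samba-tool` on the PATH of a DC.

```shell
#!/bin/sh
# Added example: summarise `samba-tool drs showrepl` into one line per failing
# replication link so partial (one-directional) replication is caught by a
# cron job or monitoring check rather than by reading the whole dump.
# The sample below is constructed from the shape of the thread's output and
# shortened; it is not a live capture.

SAMPLE_SHOWREPL=$(cat <<'EOF'
Default-First-Site-Name\FAISERVER
DSA Options: 0x00000001
==== INBOUND NEIGHBORS ===
DC=ForestDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
1 consecutive failure(s).
Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ===
DC=ForestDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
Last success @ NTTIME(0)
DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ===
Warning: No NC replicated for Connection!
EOF
)

# showrepl_failures TEXT: print "direction NC partner error count" for every
# neighbour whose last attempt failed. Section headers set the direction; a
# neighbour block is: NC line, partner line, GUID, last attempt, failure count.
showrepl_failures() {
  printf '%s\n' "$1" | awk '
    /^==== INBOUND NEIGHBORS/  { dir = "inbound";  next }
    /^==== OUTBOUND NEIGHBORS/ { dir = "outbound"; next }
    /^==== KCC/                { dir = "";         next }
    dir == "" { next }
    /^(DC|CN)=/ { nc = $0; next }
    / via RPC$/ { partner = $1; sub(/.*\\/, "", partner); next }
    /^Last attempt .* failed, result/ {
      err = $0; sub(/.*\(/, "", err); sub(/\).*/, "", err); failed = 1; next
    }
    /^Last attempt .* was successful/ { failed = 0; next }
    /consecutive failure/ {
      if (failed) printf "%s %s %s %s %s\n", dir, nc, partner, err, $1
      failed = 0
    }'
}

# showrepl_failure_count TEXT: number of failing links (0 means all links healthy).
showrepl_failure_count() {
  showrepl_failures "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ]; then
  # Live use on a DC (assumption: samba-tool on PATH): ./replcheck.sh --live
  showrepl_failures "$(samba-tool drs showrepl)"
else
  showrepl_failures "$SAMPLE_SHOWREPL"
fi
```

A non-zero count from `showrepl_failure_count` is the condition to page on; the per-line output tells you which NC and which direction, which is the first thing the list asks for when a replication problem is reported.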
L.P.H. van Belle
2018-Dec-20  15:29 UTC
[Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
Hai,

As extra on Rowland's comment..
Your config looks ok as said, I did see..

smb.conf
 map to guest = bad user         < remove it.

Bad User - Means user logins with an invalid password are rejected, unless the
username does not exist, in which case it is treated as a guest login and mapped into
the guest account.
and you want that for a AD DC setup?  you might end up with all users being guests..

About your config, dc2 is just newly installed ? then reboot the server and check
again.
You might have hit an old bug as I can remember.

You can try also first
systemctl stop samba bind9
systemctl start bind9 samba

samba and bind9, while bind9 is reloading zones, is buggy..
fix it with :  systemctl edit bind9
add:
[Service]
ExecReload
sss in nsswitch while this is an AD DC, that's not supported, but if it works for
you, I'm not here to judge you..
Just saying winbind works fine on the DCs.

Greetz,

Louis

From: Martin Krämer [mailto:mk.maddin at gmail.com]
Sent: Thursday 20 December 2018 16:10
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
Thanks for the fast reply. Sorry - I was not aware that attachments are not
forwarded.
(All information you requested was included there)
I think I have already tried resync via "samba-tool drs replicate" -
but better see below the printout of previous attachment
"faiserver.log"
 
Thanks for help in advance :)
root at faiserver:~# uname -a
Linux faiserver.example.corp 4.9.0-8-amd64 #1 SMP Debian 4.9.135-1 (2018-11-11)
x86_64 GNU/Linux
root at faiserver:~# hostname -f
faiserver.example.corp
root at faiserver:~# host 192.168.33.250
250.33.168.192.in-addr.arpa domain name pointer faiserver.example.corp.
root at faiserver:~# host faiserver.example.corp
faiserver.example.corp has address 192.168.33.250
root at faiserver:~# host 192.168.34.250
Host 250.34.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
root at faiserver:~# host location-000001.example.corp
location-000001.example.corp has address 192.168.34.250
root at faiserver:~# samba -V
Version 4.5.12-Debian
root at faiserver:~# samba-tool drs replicate faiserver.example.corp
location-000001.example.corp DC=example,DC=corp
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync
failed - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line
368, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83,
in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
root at faiserver:~# samba-tool drs replicate location-000001.example.corp
faiserver.example.corp DC=example,DC=corp
Replicate from faiserver.example.corp to location-000001.example.corp was
successful.
root at faiserver:~# samba-tool drs showrepl
Default-First-Site-Name\FAISERVER
DSA Options: 0x00000001
DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
DSA invocationId: 20bce62d-cf4a-404a-8884-3552f409179d
==== INBOUND NEIGHBORS ===
DC=ForestDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
1 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ===
DC=ForestDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
Last success @ NTTIME(0)
DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\LOCATION-000001 via RPC
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
29 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ===
Connection --
Connection name: 6c51da6c-3fe9-41f8-a9ac-a99949a235e4
Enabled        : TRUE
Server DNS name : location-000001.example.corp
Server DN name  : CN=NTDS
Settings,CN=LOCATION-000001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=corp
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
root at faiserver:~#
url="https://raw.githubusercontent.com/thctlo/samba4/master/samba-setup-checkup.sh"
&& wget --quiet "${url}" && chmod u+x ./$(basename
${url}) && ./$(basename ${url})
Check hostnames : Ok
./samba-setup-checkup.sh: line 91: [: !=: unary operator expected
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 192.168.33.1 : Ok
Warning, no ping to gateway, this might be firewalled.
check you internet connection, AD DNS might need it.
ping nameserver1: 127.0.0.1 : Ok
ping nameserver2: 8.8.4.4 : Ok
Check ping google dns : 8.8.8.8 : Ok
Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
Check you internet connection, AD DNS might need it.
Checking file owner.. 
-rw-r--r-- root root /etc/samba/smb.conf
Checking file owner.. 
-rw-r--r-- root root /etc/samba/lmhosts
Checking file owner.. 
-rw-r--r-- root root /etc/samba/smbpasswd
drwxr-xr-x root root /usr/bin
drwxr-xr-x root root /var/cache/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu
drwxr-xr-x root root /var/run/samba
drwxr-x--- root adm /var/log/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu/samba
drwxr-xr-x root root /var/run/samba
drwxr-xr-x root root /var/lib/samba/private
drwxr-xr-x root root /usr/sbin
drwxr-xr-x root root /var/lib/samba
DCS faiserver.example.corp
DC1 faiserver.example.corp
DC2 
Samba AD DC info:             =  detected (command and where to look)
This server hostname          = faiserver (hostname -s and /etc/hosts and DNS server)
This server FQDN (hostname)   = faiserver.example.corp (hostname -f and /etc/hosts and DNS server)
This server primary dnsdomain = example.corp (hostname -d and /etc/resolv.conf and DNS server)
This server IP address(ses)   = 192.168.33.250  Only one interface detected (hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles        = FAISERVER (samba-tool fsmo show)
The DC (with FSMO) Site name  = Default-First-Site-Name (samba-tool fsmo show)
The Default Naming Context    = DC=example,DC=corp (samba-tool fsmo show)
The Kerberos REALM name used  = EXAMPLE.CORP    (kinit and /etc/krb5.conf and resolving)
The Ipadres of DC faiserver.example.corp        = 192.168.33.250
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
root at faiserver:~#
url="https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh" && wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename ${url}) &>/dev/null && cat /tmp/samba-debug-info.txt
Collected config  --- 2018-12-20-13:49 -----------
Hostname: faiserver
DNS Domain: example.corp
FQDN: faiserver.example.corp
ipaddress: 192.168.33.250
-----------
Samba is running as an AD DC
Checking file: /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
Warning, /etc/devuan_version does not exist
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP group default qlen 1000
    link/ether 52:54:00:87:44:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.33.250/24 brd 192.168.33.255 scope global ens3
    inet6 fe80::5054:ff:fe87:4460/64 scope link 
-----------
Checking file: /etc/hosts 
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf 
nameserver 127.0.0.1
nameserver 8.8.4.4
domain example.corp
search example.corp
-----------
Checking file: /etc/krb5.conf 
[libdefaults]
default_realm = EXAMPLE.CORP
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf 
passwd:         compat sss
group:          compat sss
shadow:         compat sss
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files
netgroup:       nis sss
sudoers:        files sss
-----------
Checking file: /etc/samba/smb.conf 
[global]
realm = EXAMPLE.CORP
kerberos method = secrets and keytab
client use spnego = yes
client signing = yes
server services = -dns
ldap server require strong auth = no
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls keyfile = tls/key.pem
tls enabled = yes
idmap_ldb:use rfc2307 = yes
   workgroup = EXAMPLE
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = active directory domain controller
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = No
[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700
   valid users = %S
[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
[netlogon]
read only = no
path = /var/lib/samba/sysvol/example.corp/Scripts
[sysvol]
read only = no
path = /var/lib/samba/sysvol
-----------
No username map detected.
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf 
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf"; 
-----------
Checking file: /etc/bind/named.conf.options 
options {
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
forwarders { 8.8.4.4; };
allow-query { internals; };
allow-query-cache { internals; };
recursion yes;
allow-recursion { internals; };
allow-transfer { internals; };
listen-on { any; };
directory "/var/cache/bind";
dnssec-validation no;
auth-nxdomain no;    # conform to RFC1035
listen-on-v6 { none; };
};
acl internals {
127.0.0.1/8; 192.168.33.0/24;
};
-----------
Checking file: /etc/bind/named.conf.local 
-----------
Checking file: /etc/bind/named.conf.default-zones 
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
ii  krb5-config                2.6                     all    Configuration files for Kerberos Version 5
ii  krb5-user                  1.15-1+deb9u1           amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64              2.2.52-3+b1             amd64  Access control list shared library
ii  libgssapi-krb5-2:amd64     1.15-1+deb9u1           amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64   7.1.0+dfsg-13+deb9u2    amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64            1.15-1+deb9u1           amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64      1.15-1+deb9u1           amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64       2:4.5.12+dfsg-2+deb9u4  amd64  Samba nameservice integration plugins
ii  libpam-winbind:amd64       2:4.5.12+dfsg-2+deb9u4  amd64  Windows domain authentication integration plugin
ii  libsmbclient:amd64         2:4.5.12+dfsg-2+deb9u4  amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64         2:4.5.12+dfsg-2+deb9u4  amd64  Samba winbind client library
ii  python-samba               2:4.5.12+dfsg-2+deb9u4  amd64  Python bindings for Samba
ii  samba                      2:4.5.12+dfsg-2+deb9u4  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common               2:4.5.12+dfsg-2+deb9u4  all    common files used by both the Samba server and client
ii  samba-common-bin           2:4.5.12+dfsg-2+deb9u4  amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules         2:4.5.12+dfsg-2+deb9u4  amd64  Samba Directory Services Database
ii  samba-libs:amd64           2:4.5.12+dfsg-2+deb9u4  amd64  Samba core libraries
ii  samba-vfs-modules          2:4.5.12+dfsg-2+deb9u4  amd64  Samba Virtual FileSystem plugins
ii  smbclient                  2:4.5.12+dfsg-2+deb9u4  amd64  command-line SMB/CIFS clients for Unix
ii  sssd-krb5                  1.15.0-3                amd64  System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common           1.15.0-3                amd64  System Security Services Daemon -- Kerberos helpers
ii  winbind                    2:4.5.12+dfsg-2+deb9u4  amd64  service to resolve user and group information from Windows NT servers
-----------
root at faiserver:~#
On Thu, 20 Dec 2018 at 15:19, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
Lets start with. .
The list does not accept attachments.. 
What is the running OS? 
The samba versions? 
And the smb.conf ? 
Depending on version you can force a re-sync but fist tell us more. 
Greetz, 
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Martin Krämer via samba
> Sent: Thursday 20 December 2018 15:00
> To: samba at lists.samba.org
> Subject: [Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
> 
> Hello everyone,
> 
> I have setup two Samba AD DC's with BIND9_DLZ dns backend.
> 
> faiserver.example.corp is one of them hosting all FSMO Roles.
> location-000001.example.corp is the second one.
> Both are in different subnets but can reach each other.
> Unfortunately replication only works from faiserver.example.corp ->
> location-000001.example.corp.
> In the other direction location-000001.example.corp ->
> faiserver.example.corp it does not work.
> I always end up with error:
> ----------
> *ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (2, 'WERR_BADFILE')*
> *  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run*
> *    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)*
> *  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync*
> *    raise drsException("DsReplicaSync failed %s" % estr)*
> ----------
> I have already checked all topics I am aware of related to 
> correct name
> resolution (because that was what I found that the error I receive is
> related to on the web).
> The only interesting thing i found is that running "host -t SRV
> _kerberos._udp.example.corp" on faiserver.example.corp prints only the
> current DC while running it on location-000001.example.corp 
> prints both DCs
> ...never the less I am not sure if this might be a cause or 
> is just another
> bad result of the one way sync.
> Maybe someone has an idea?
> 
> Attached you can find two files (one for each DC) with all 
> information that
> I found could be relevant. If further information is required 
> please let me
> know.
> 
> Thanks for any hint pointing me into the right direction.
> 
> Kind Regards
> 
> mk-maddin
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
Martin Krämer
2018-Dec-20  15:49 UTC
[Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
Hi,
Thanks for the reply.
Bind9 was installed from the Debian package, and then I simply used the
--dnsbackend="BIND9_DLZ" parameter of the samba-tool command.
The "faiserver" information printout I provided in another mail, see:
https://lists.samba.org/archive/samba/2018-December/220081.html
See the printout information about "location-000001" below.
root at location-000001:~# hostname -f
location-000001.example.corp
root at location-000001:~# host 192.168.33.250
250.33.168.192.in-addr.arpa domain name pointer faiserver.example.corp.
root at location-000001:~# host faiserver.example.corp
faiserver.example.corp has address 192.168.33.250
root at location-000001:~# host 192.168.34.250
250.34.168.192.in-addr.arpa domain name pointer location-000001.example.corp.
root at location-000001:~# host location-000001.example.corp
location-000001.example.corp has address 192.168.34.250
root at location-000001:~# samba -V
Version 4.5.12-Debian
root at location-000001:~# samba-tool drs replicate faiserver.example.corp location-000001.example.corp DC=example,DC=corp
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:faiserver.example.corp[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name
faiserver.example.corp<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
faiserver.example.corp<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
faiserver.example.corp<0x20>
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
root at location-000001:~# samba-tool drs replicate location-000001.example.corp faiserver.example.corp DC=example,DC=corp
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:location-000001.example.corp[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name
location-000001.example.corp<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
location-000001.example.corp<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
location-000001.example.corp<0x20>
Replicate from faiserver.example.corp to location-000001.example.corp was successful.
root at location-000001:~# samba-tool drs showrepl
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:location-000001.example.corp[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name
location-000001.example.corp<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
location-000001.example.corp<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
location-000001.example.corp<0x20>
Default-First-Site-Name\LOCATION-000001
DSA Options: 0x00000001
DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
DSA invocationId: a0493168-f680-400e-a5f4-c2ce0d501302
==== INBOUND NEIGHBORS ===
DC=DomainDnsZones,DC=example,DC=corp
Default-First-Site-Name\FAISERVER via RPC
DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
Last attempt @ Thu Dec 20 13:52:23 2018 UTC was successful
0 consecutive failure(s).
Last success @ Thu Dec 20 13:52:23 2018 UTC
CN=Schema,CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\FAISERVER via RPC
DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
Last attempt @ Thu Dec 20 13:52:23 2018 UTC was successful
0 consecutive failure(s).
Last success @ Thu Dec 20 13:52:23 2018 UTC
DC=example,DC=corp
Default-First-Site-Name\FAISERVER via RPC
DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
Last attempt @ Thu Dec 20 13:52:32 2018 UTC was successful
0 consecutive failure(s).
Last success @ Thu Dec 20 13:52:32 2018 UTC
CN=Configuration,DC=example,DC=corp
Default-First-Site-Name\FAISERVER via RPC
DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
Last attempt @ Thu Dec 20 13:52:23 2018 UTC was successful
0 consecutive failure(s).
Last success @ Thu Dec 20 13:52:23 2018 UTC
DC=ForestDnsZones,DC=example,DC=corp
Default-First-Site-Name\FAISERVER via RPC
DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
Last attempt @ Thu Dec 20 13:52:23 2018 UTC was successful
0 consecutive failure(s).
Last success @ Thu Dec 20 13:52:23 2018 UTC
==== OUTBOUND NEIGHBORS ===
==== KCC CONNECTION OBJECTS ===
Connection --
Connection name: f70c4744-7864-410c-ba9f-1635def8689c
Enabled        : TRUE
Server DNS name : faiserver.example.corp
Server DN name  : CN=NTDS Settings,CN=FAISERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=corp
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
root at location-000001:~# url="https://raw.githubusercontent.com/thctlo/samba4/master/samba-setup-checkup.sh" && wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename ${url})
Check hostnames : Ok
./samba-setup-checkup.sh: line 91: [: !=: unary operator expected
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 192.168.34.1 : Ok
Warning, no ping to gateway, this might be firewalled.
check you internet connection, AD DNS might need it.
ping nameserver3: 8.8.4.4 : Ok
Check ping google dns : 8.8.8.8 : Ok
Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
Check you internet connection, AD DNS might need it.
Checking file owner..
-rw-r--r-- root root /etc/samba/smb.conf
Checking file owner..
-rw-r--r-- root root /etc/samba/lmhosts
Checking file owner..
-rw-r--r-- root root /etc/samba/smbpasswd
drwxr-xr-x root root /usr/bin
drwxr-xr-x root root /var/cache/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu
drwxr-xr-x root root /var/run/samba
drwxr-x--- root adm /var/log/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu/samba
drwxr-xr-x root root /var/run/samba
drwxr-xr-x root root /var/lib/samba/private
drwxr-xr-x root root /usr/sbin
drwxr-xr-x root root /var/lib/samba
ldb_wrap open of secrets.ldb
ldb_wrap open of secrets.ldb
ldb_wrap open of secrets.ldb
DCS location-000001.example.corp
faiserver.example.corp
DC1 location-000001.example.corp
DC2 faiserver.example.corp
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name
location-000001.example.corp<0x20>
Samba AD DC info:             =  detected (command and where to look)
This server hostname          = location-000001 (hostname -s and /etc/hosts and DNS server)
This server FQDN (hostname)   = location-000001.example.corp (hostname -f and /etc/hosts and DNS server)
This server primary dnsdomain = example.corp (hostname -d and /etc/resolv.conf and DNS server)
This server IP address(ses)   = 192.168.34.250  Only one interface detected (hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles        = FAISERVER (samba-tool fsmo show)
The DC (with FSMO) Site name  = Default-First-Site-Name (samba-tool fsmo show)
The Default Naming Context    = DC=example,DC=corp (samba-tool fsmo show)
The Kerberos REALM name used  = EXAMPLE.CORP    (kinit and /etc/krb5.conf and resolving)
The Ipadres of DC location-000001.example.corp        = 192.168.34.250
The Ipadres of DC faiserver.example.corp        = 192.168.33.250
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
root at location-000001:~# url="https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh" && wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename ${url}) &>/dev/null && cat /tmp/samba-debug-info.txt
Collected config  --- 2018-12-20-13:52 -----------
Hostname: location-000001
DNS Domain: example.corp
FQDN: location-000001.example.corp
ipaddress: 192.168.34.250
-----------
Samba is running as an AD DC
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
Warning, /etc/devuan_version does not exist
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP group default qlen 1000
    link/ether 52:54:00:55:3c:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.34.250/24 brd 192.168.34.255 scope global ens3
    inet6 fe80::5054:ff:fe55:3c32/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.33.250 faiserver.example.corp faiserver
-----------
Checking file: /etc/resolv.conf
nameserver 127.0.0.1
nameserver 192.168.33.250
nameserver 8.8.4.4
domain example.corp
search example.corp
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.CORP
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
passwd:         compat sss
group:          compat sss
shadow:         compat sss
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files
netgroup:       nis sss
sudoers:        files sss
-----------
Checking file: /etc/samba/smb.conf
[global]
usershare allow guests = No
kerberos method = secrets and keytab
client use spnego = yes
client signing = yes
ldap server require strong auth = no
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls keyfile = tls/key.pem
tls enabled = yes
idmap_ldb:use rfc2307 = yes
netbios name = LOCATION-000001
realm = EXAMPLE.CORP
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = EXAMPLE
log level = 3
server role = active directory domain controller
idmap_ldb:use rfc2307  = yes
[netlogon]
path = /var/lib/samba/sysvol/example.corp/Scripts
read only = no
[sysvol]
path = /var/lib/samba/sysvol
read only = no
-----------
No username map detected.
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";
-----------
Checking file: /etc/bind/named.conf.options
options {
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
forwarders { 192.168.33.250; 8.8.4.4; };
allow-query { internals; };
allow-query-cache { internals; };
recursion yes;
allow-recursion { internals; };
allow-transfer { internals; };
listen-on { any; };
directory "/var/cache/bind";
dnssec-validation no;
auth-nxdomain no;    # conform to RFC1035
listen-on-v6 { none; };
};
acl internals {
127.0.0.1/8; 192.168.34.0/24;
};
-----------
Checking file: /etc/bind/named.conf.local
-----------
Checking file: /etc/bind/named.conf.default-zones
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
ii  krb5-config                2.6                     all    Configuration files for Kerberos Version 5
ii  krb5-user                  1.15-1+deb9u1           amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64              2.2.52-3+b1             amd64  Access control list shared library
ii  libgssapi-krb5-2:amd64     1.15-1+deb9u1           amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64   7.1.0+dfsg-13+deb9u2    amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64            1.15-1+deb9u1           amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64      1.15-1+deb9u1           amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64       2:4.5.12+dfsg-2+deb9u4  amd64  Samba nameservice integration plugins
ii  libpam-winbind:amd64       2:4.5.12+dfsg-2+deb9u4  amd64  Windows domain authentication integration plugin
ii  libsmbclient:amd64         2:4.5.12+dfsg-2+deb9u4  amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64         2:4.5.12+dfsg-2+deb9u4  amd64  Samba winbind client library
ii  python-samba               2:4.5.12+dfsg-2+deb9u4  amd64  Python bindings for Samba
ii  samba                      2:4.5.12+dfsg-2+deb9u4  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common               2:4.5.12+dfsg-2+deb9u4  all    common files used by both the Samba server and client
ii  samba-common-bin           2:4.5.12+dfsg-2+deb9u4  amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules         2:4.5.12+dfsg-2+deb9u4  amd64  Samba Directory Services Database
ii  samba-libs:amd64           2:4.5.12+dfsg-2+deb9u4  amd64  Samba core libraries
ii  samba-vfs-modules          2:4.5.12+dfsg-2+deb9u4  amd64  Samba Virtual FileSystem plugins
ii  smbclient                  2:4.5.12+dfsg-2+deb9u4  amd64  command-line SMB/CIFS clients for Unix
ii  sssd-krb5                  1.15.0-3                amd64  System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common           1.15.0-3                amd64  System Security Services Daemon -- Kerberos helpers
ii  winbind                    2:4.5.12+dfsg-2+deb9u4  amd64  service to resolve user and group information from Windows NT servers
-----------
root at location-000001:~#
On Thu, 20 Dec 2018 at 15:20, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 20 Dec 2018 14:59:52 +0100
> Martin Krämer via samba <samba at lists.samba.org> wrote:
>
> > Hello everyone,
> >
> > I have setup two Samba AD DC's with BIND9_DLZ dns backend.
> >
> > faiserver.example.corp is one of them hosting all FSMO Roles.
> > location-000001.example.corp is the second one.
> > Both are in different subnets but can reach each other.
> > Unfortunately replication only works from faiserver.example.corp ->
> > location-000001.example.corp.
> > In the other direction location-000001.example.corp ->
> > faiserver.example.corp it does not work.
> > I always end up with error:
> > ----------
> > *ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> > drsException: DsReplicaSync failed (2, 'WERR_BADFILE')*
> > *  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run*
> > *    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)*
> > *  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync*
> > *    raise drsException("DsReplicaSync failed %s" % estr)*
> > ----------
>
> > Attached you can find two files (one for each DC) with all
> > information that I found could be relevant. If further information is
> > required please let me know.
>
> This mailing list strips all attachments, so you are going to have to
> post any info in a post.
>
> How have you set up bind9 ?
> What OS ?
> What Samba version(s) ?
>
> post the contents of these files (from both DC's)
> /etc/hostname
> /etc/hosts/
> /etc/resolv.conf
> /etc/krb5.conf
> your named.conf file(s)
> smb.conf
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
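The two smb.conf and resolv.conf dumps in this thread (faiserver in the earlier mail, location-000001 above) are the kind of thing a reviewer reads line by line. What follows is an added example, not code from the thread or from the Samba project, that does that reading offline: it parses constructed copies of the posted files, reports the settings worth a second look on a BIND9_DLZ DC (internal DNS still enabled, `ldap server require strong auth = no`, resolvers outside the DC set; the rule that AD hosts should resolve only through AD DNS is the usual Samba wiki guidance, stated here as an assumption rather than a diagnosis of this setup), and compares each DC's `_kerberos._udp` SRV answer with the list of DCs it should contain, mirroring the asymmetry Martin saw with `host -t SRV`. All sample values are constructed from the thread; `DC_ADDRESSES`, the sample constants and the function names are the example's own.

```python
import re

# Constructed samples modeled on the two smb.conf / resolv.conf dumps in the
# thread; only the keys the checks consult are reproduced.
FAISERVER_SMB_CONF = """
[global]
realm = EXAMPLE.CORP
server services = -dns
ldap server require strong auth = no
   workgroup = EXAMPLE
   server role = active directory domain controller
[netlogon]
read only = no
"""
FAISERVER_RESOLV_CONF = "nameserver 127.0.0.1\nnameserver 8.8.4.4\ndomain example.corp\n"

LOCATION_SMB_CONF = """
[global]
ldap server require strong auth = no
netbios name = LOCATION-000001
realm = EXAMPLE.CORP
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
server role = active directory domain controller
"""
LOCATION_RESOLV_CONF = "nameserver 127.0.0.1\nnameserver 192.168.33.250\nnameserver 8.8.4.4\n"

# Addresses of the two DCs as posted; resolvers outside this set are flagged.
DC_ADDRESSES = {"192.168.33.250", "192.168.34.250"}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Keys are lower-cased and whitespace-normalised, which is how Samba itself
    treats parameter names, so indentation and capitalisation do not matter.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def internal_dns_enabled(server_services):
    """Decide whether Samba's built-in DNS server is active for a given
    'server services' value (None when the parameter is absent)."""
    if server_services is None:
        return True                      # the default service list includes dns
    items = [s.strip().lower() for s in server_services.split(",") if s.strip()]
    if any(s[0] in "+-" for s in items):
        return "-dns" not in items       # modifier form: on unless removed
    return "dns" in items                # explicit list form


def resolvers(resolv_text):
    """Nameserver addresses from resolv.conf text, in file order."""
    return [l.split()[1] for l in resolv_text.splitlines()
            if l.split()[:1] == ["nameserver"] and len(l.split()) > 1]


def check_dc(smb_conf_text, resolv_text, dc_addresses):
    """Return the findings for one DC as a list of strings (empty = clean)."""
    findings = []
    g = parse_smb_conf(smb_conf_text).get("global", {})
    if g.get("server role", "").lower() != "active directory domain controller":
        findings.append("server role is not 'active directory domain controller'")
    # With the BIND9_DLZ backend the internal DNS server must be off, or it
    # competes with BIND for port 53.
    if internal_dns_enabled(g.get("server services")):
        findings.append("internal DNS server still enabled alongside BIND9_DLZ")
    # 'no' lets LDAP clients authenticate with a simple bind on an unencrypted
    # connection; the 4.5 default is 'yes'.
    if g.get("ldap server require strong auth", "yes").lower() == "no":
        findings.append("ldap server require strong auth = no permits "
                        "cleartext simple binds")
    # Assumption (Samba wiki guidance): AD hosts should resolve only through
    # AD DNS; a public resolver can answer queries for AD zones with NXDOMAIN.
    for ns in resolvers(resolv_text):
        if ns != "127.0.0.1" and ns not in dc_addresses:
            findings.append(f"non-AD nameserver {ns} in resolv.conf")
    return findings


def srv_view_gaps(srv_answers, all_dcs):
    """Compare each DC's answer to the _kerberos._udp SRV query with the DCs
    that should be listed; returns {dc_queried: missing DCs} for gaps only."""
    expected = set(all_dcs)
    return {dc: expected - set(seen) for dc, seen in srv_answers.items()
            if expected - set(seen)}


if __name__ == "__main__":
    for name, smb, resolv in (("faiserver", FAISERVER_SMB_CONF, FAISERVER_RESOLV_CONF),
                              ("location-000001", LOCATION_SMB_CONF, LOCATION_RESOLV_CONF)):
        for finding in check_dc(smb, resolv, DC_ADDRESSES):
            print(f"{name}: {finding}")
    # Constructed SRV answers mirroring the asymmetry described in the thread.
    gaps = srv_view_gaps({"faiserver.example.corp": {"faiserver.example.corp"},
                          "location-000001.example.corp": {"faiserver.example.corp",
                                                           "location-000001.example.corp"}},
                         ["faiserver.example.corp", "location-000001.example.corp"])
    for dc, missing in gaps.items():
        print(f"{dc} does not list DC(s) {sorted(missing)} in its SRV answer")
```

Run as a script it prints the findings for both constructed DCs; the functions take plain strings, so pointing them at a real host means reading /etc/samba/smb.conf and /etc/resolv.conf into `check_dc` instead of the constants, and feeding `srv_view_gaps` the targets from `host -t SRV _kerberos._udp.<domain>` run against each DC in turn.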