L.P.H. van Belle
2018-Dec-20 15:29 UTC
[Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
Hai,

As extra on Rowland's comment..
Your config looks ok as said, I did see..

smb.conf
map to guest = bad user < remove it.

Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account.
And you want that for an AD DC setup? You might end up with all users being guests..

About your config, dc2 is just newly installed? Then reboot the server and check again.
You might have hit an old bug, as I can remember.

You can try also first
systemctl stop samba bind9
systemctl start bind9 samba

samba and bind9 will.. bind9 reloading zones is buggy..
fix it with: systemctl edit bind9
add:
[Service]
ExecReload

sss in nsswitch while this is an AD DC, that's not supported, but if it works for you, I'm not here to judge you..
Just saying, winbind works fine on the DCs.

Greetz,

Louis

From: Martin Krämer [mailto:mk.maddin at gmail.com]
Sent: Thursday, 20 December 2018 16:10
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'

Thanks for the fast reply. Sorry - I was not aware that attachments are not forwarded.
(All information you requested was included there)

I think I have already tried a resync via "samba-tool drs replicate" - but better see below the printout of the previous attachment "faiserver.log"

Thanks for help in advance :)

root at faiserver:~# uname -a
Linux faiserver.example.corp 4.9.0-8-amd64 #1 SMP Debian 4.9.135-1 (2018-11-11) x86_64 GNU/Linux
root at faiserver:~# hostname -f
faiserver.example.corp
root at faiserver:~# host 192.168.33.250
250.33.168.192.in-addr.arpa domain name pointer faiserver.example.corp.
root at faiserver:~# host faiserver.example.corp
faiserver.example.corp has address 192.168.33.250
root at faiserver:~# host 192.168.34.250
Host 250.34.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
root at faiserver:~# host location-000001.example.corp
location-000001.example.corp has address 192.168.34.250
root at faiserver:~# samba -V
Version 4.5.12-Debian
root at faiserver:~# samba-tool drs replicate faiserver.example.corp location-000001.example.corp DC=example,DC=corp
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
root at faiserver:~# samba-tool drs replicate location-000001.example.corp faiserver.example.corp DC=example,DC=corp
Replicate from faiserver.example.corp to location-000001.example.corp was successful.
root at faiserver:~# samba-tool drs showrepl
Default-First-Site-Name\FAISERVER
DSA Options: 0x00000001
DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
DSA invocationId: 20bce62d-cf4a-404a-8884-3552f409179d

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
        Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
        1 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
        Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
        29 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
        Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
        29 consecutive failure(s).
        Last success @ NTTIME(0)

DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
        Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
        29 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
        Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
        29 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 6c51da6c-3fe9-41f8-a9ac-a99949a235e4
    Enabled        : TRUE
    Server DNS name : location-000001.example.corp
    Server DN name  : CN=NTDS Settings,CN=LOCATION-000001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=corp
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
root at faiserver:~# url="https://raw.githubusercontent.com/thctlo/samba4/master/samba-setup-checkup.sh" && wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename ${url})
Check hostnames : Ok
./samba-setup-checkup.sh: line 91: [: !=: unary operator expected
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 192.168.33.1 : Ok
Warning, no ping to gateway, this might be firewalled.
check you internet connection, AD DNS might need it.
ping nameserver1: 127.0.0.1 : Ok
ping nameserver2: 8.8.4.4 : Ok
Check ping google dns : 8.8.8.8 : Ok
Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
Check you internet connection, AD DNS might need it.
Checking file owner..
-rw-r--r-- root root /etc/samba/smb.conf
Checking file owner..
-rw-r--r-- root root /etc/samba/lmhosts
Checking file owner..
-rw-r--r-- root root /etc/samba/smbpasswd
drwxr-xr-x root root /usr/bin
drwxr-xr-x root root /var/cache/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu
drwxr-xr-x root root /var/run/samba
drwxr-x--- root adm /var/log/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu/samba
drwxr-xr-x root root /var/run/samba
drwxr-xr-x root root /var/lib/samba/private
drwxr-xr-x root root /usr/sbin
drwxr-xr-x root root /var/lib/samba
DCS faiserver.example.corp
DC1 faiserver.example.corp
DC2
Samba AD DC info: = detected (command and where to look)
This server hostname = faiserver (hostname -s and /etc/hosts and DNS server)
This server FQDN (hostname) = faiserver.example.corp (hostname -f and /etc/hosts and DNS server)
This server primary dnsdomain = example.corp (hostname -d and /etc/resolv.conf and DNS server)
This server IP address(ses) = 192.168.33.250 Only one interface detected (hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles = FAISERVER (samba-tool fsmo show)
The DC (with FSMO) Site name = Default-First-Site-Name (samba-tool fsmo show)
The Default Naming Context = DC=example,DC=corp (samba-tool fsmo show)
The Kerberos REALM name used = EXAMPLE.CORP (kinit and /etc/krb5.conf and resolving)
The Ipadres of DC faiserver.example.corp = 192.168.33.250
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
root at faiserver:~# url="https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh" && wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename ${url}) &>/dev/null && cat /tmp/samba-debug-info.txt
Collected config --- 2018-12-20-13:49
-----------
Hostname: faiserver
DNS Domain: example.corp
FQDN: faiserver.example.corp
ipaddress: 192.168.33.250
-----------
Samba is running as an AD DC
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
Warning, /etc/devuan_version does not exist
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:87:44:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.33.250/24 brd 192.168.33.255 scope global ens3
    inet6 fe80::5054:ff:fe87:4460/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
nameserver 127.0.0.1
nameserver 8.8.4.4
domain example.corp
search example.corp
-----------
Checking file: /etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.CORP
    dns_lookup_realm = false
    dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
-----------
Checking file: /etc/samba/smb.conf
[global]
    realm = EXAMPLE.CORP
    kerberos method = secrets and keytab
    client use spnego = yes
    client signing = yes
    server services = -dns
    ldap server require strong auth = no
    tls cafile = tls/ca.pem
    tls certfile = tls/cert.pem
    tls keyfile = tls/key.pem
    tls enabled = yes
    idmap_ldb:use rfc2307 = yes
    workgroup = EXAMPLE
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    server role = active directory domain controller
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    map to guest = bad user
    usershare allow guests = No

[homes]
    comment = Home Directories
    browseable = no
    read only = yes
    create mask = 0700
    directory mask = 0700
    valid users = %S

[printers]
    comment = All Printers
    browseable = no
    path = /var/spool/samba
    printable = yes
    guest ok = no
    read only = yes
    create mask = 0700

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = yes
    read only = yes
    guest ok = no

[netlogon]
    read only = no
    path = /var/lib/samba/sysvol/example.corp/Scripts

[sysvol]
    read only = no
    path = /var/lib/samba/sysvol
-----------
No username map detected.
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";
-----------
Checking file: /etc/bind/named.conf.options
options {
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    forwarders { 8.8.4.4; };
    allow-query { internals; };
    allow-query-cache { internals; };
    recursion yes;
    allow-recursion { internals; };
    allow-transfer { internals; };
    listen-on { any; };
    directory "/var/cache/bind";
    dnssec-validation no;
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { none; };
};

acl internals {
    127.0.0.1/8;
    192.168.33.0/24;
};
-----------
Checking file: /etc/bind/named.conf.local
-----------
Checking file: /etc/bind/named.conf.default-zones
zone "."
{
    type hint;
    file "/etc/bind/db.root";
};

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
-----------
Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-user 1.15-1+deb9u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3+b1 amd64 Access control list shared library
ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.1.0+dfsg-13+deb9u2 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.5.12+dfsg-2+deb9u4 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.5.12+dfsg-2+deb9u4 amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.5.12+dfsg-2+deb9u4 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.5.12+dfsg-2+deb9u4 amd64 Samba winbind client library
ii python-samba 2:4.5.12+dfsg-2+deb9u4 amd64 Python bindings for Samba
ii samba 2:4.5.12+dfsg-2+deb9u4 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.5.12+dfsg-2+deb9u4 all common files used by both the Samba server and client
ii samba-common-bin 2:4.5.12+dfsg-2+deb9u4 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules 2:4.5.12+dfsg-2+deb9u4 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.5.12+dfsg-2+deb9u4 amd64 Samba core libraries
ii samba-vfs-modules 2:4.5.12+dfsg-2+deb9u4 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.5.12+dfsg-2+deb9u4 amd64 command-line SMB/CIFS clients for Unix
ii sssd-krb5 1.15.0-3 amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.15.0-3 amd64 System Security Services Daemon -- Kerberos helpers
ii winbind 2:4.5.12+dfsg-2+deb9u4 amd64 service to resolve user and group information from Windows NT servers
-----------
root at faiserver:~#

On Thu, 20 Dec 2018 at 15:19, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

Lets start with..
The list does not accept attachments..
What is the running OS? The samba versions? And the smb.conf?
Depending on version you can force a re-sync, but first tell us more.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Martin Krämer via samba
> Sent: Thursday, 20 December 2018 15:00
> To: samba at lists.samba.org
> Subject: [Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
>
> Hello everyone,
>
> I have set up two Samba AD DCs with the BIND9_DLZ DNS backend.
>
> faiserver.example.corp is one of them, hosting all FSMO roles.
> location-000001.example.corp is the second one.
> Both are in different subnets but can reach each other.
> Unfortunately replication only works from faiserver.example.corp -> location-000001.example.corp.
> In the other direction, location-000001.example.corp -> faiserver.example.corp, it does not work.
> I always end up with the error:
> ----------
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
> ----------
> I have already checked all topics I am aware of related to correct name resolution (because that was what I found on the web that the error I receive is related to).
> The only interesting thing I found is that running "host -t SRV _kerberos._udp.example.corp" on faiserver.example.corp prints only the current DC, while running it on location-000001.example.corp prints both DCs
> ...nevertheless I am not sure if this might be a cause or is just another bad result of the one-way sync.
> Maybe someone has an idea?
>
> Attached you can find two files (one for each DC) with all information that I found could be relevant. If further information is required please let me know.
>
> Thanks for any hint pointing me into the right direction.
>
> Kind Regards
>
> mk-maddin
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
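The showrepl output quoted above is long enough that the pattern (one naming context failing inbound, four failing outbound, the rest never attempted) is easy to miss. The script below is an added example, not code from the thread or from Samba: it parses "samba-tool drs showrepl" output, reports every naming context by direction, flags the ones that fail in only one direction, and treats "was successful" with "Last success @ NTTIME(0)" as "never replicated" rather than healthy, since a zero timestamp only means no attempt has been recorded. The sample is a constructed, cut-down copy of the faiserver output above; summarize() accepts any showrepl text. Directions are as seen from the DC the command ran on: INBOUND is this DC pulling from the partner, OUTBOUND is the partner pulling from this DC.

```python
"""Summarise 'samba-tool drs showrepl' output per naming context and direction.

Added example, not from the thread or from Samba's own tooling.
"""
import re
from collections import defaultdict

# Constructed sample, cut down from the faiserver output posted in the thread.
SAMPLE = """\
Default-First-Site-Name\\FAISERVER
DSA Options: 0x00000001
DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
DSA invocationId: 20bce62d-cf4a-404a-8884-3552f409179d

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=example,DC=corp
\tDefault-First-Site-Name\\LOCATION-000001 via RPC
\t\tDSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
\t\tLast attempt @ NTTIME(0) was successful
\t\t0 consecutive failure(s).
\t\tLast success @ NTTIME(0)

DC=example,DC=corp
\tDefault-First-Site-Name\\LOCATION-000001 via RPC
\t\tDSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
\t\tLast attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
\t\t1 consecutive failure(s).
\t\tLast success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=example,DC=corp
\tDefault-First-Site-Name\\LOCATION-000001 via RPC
\t\tDSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
\t\tLast attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
\t\t29 consecutive failure(s).
\t\tLast success @ NTTIME(0)

DC=example,DC=corp
\tDefault-First-Site-Name\\LOCATION-000001 via RPC
\t\tDSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
\t\tLast attempt @ NTTIME(0) was successful
\t\t0 consecutive failure(s).
\t\tLast success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
\tConnection name: 6c51da6c-3fe9-41f8-a9ac-a99949a235e4
\tEnabled        : TRUE
\tServer DNS name : location-000001.example.corp
\t\tTransportType: RPC
\t\toptions: 0x00000001
Warning: No NC replicated for Connection!
"""

SECTION_RE = re.compile(r"^=+\s*(INBOUND|OUTBOUND|KCC)\b.*=+$")
PARTNER_RE = re.compile(r"^(?P<partner>\S+) via (?P<transport>\S+)$")
ATTEMPT_RE = re.compile(r"^Last attempt @ (?P<when>.+?) "
                        r"(?:was successful|failed, result (?P<code>\d+) \((?P<err>\w+)\))$")
FAILS_RE = re.compile(r"^(?P<n>\d+) consecutive failure\(s\)\.$")
SUCCESS_RE = re.compile(r"^Last success @ (?P<when>.+)$")


def parse_showrepl(text):
    """Return one dict per (direction, naming context, partner) neighbour entry."""
    entries, section, nc, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()            # real output indents with tabs; we key on content
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, nc, cur = m.group(1), None, None
            continue
        if section not in ("INBOUND", "OUTBOUND"):
            continue                  # header block and KCC section carry no per-NC state
        if line.startswith(("DC=", "CN=")):
            nc = line
            continue
        m = PARTNER_RE.match(line)
        if m and nc:
            cur = {"direction": section, "nc": nc, "partner": m.group("partner"),
                   "transport": m.group("transport"), "ok": None, "failures": 0,
                   "error": None, "last_attempt": None, "last_success": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = ATTEMPT_RE.match(line)
        if m:
            cur["last_attempt"], cur["error"] = m.group("when"), m.group("err")
            cur["ok"] = m.group("err") is None
            continue
        m = FAILS_RE.match(line)
        if m:
            cur["failures"] = int(m.group("n"))
            continue
        m = SUCCESS_RE.match(line)
        if m:
            cur["last_success"] = m.group("when")
    return entries


def classify(entry):
    """FAIL for a failed last attempt, NEVER when no success was ever recorded, else OK."""
    if entry["ok"] is False:
        return "FAIL"
    if entry["last_success"] == "NTTIME(0)":
        return "NEVER"               # "was successful" with a zero timestamp: nothing attempted yet
    return "OK"


def summarize(text):
    """Per naming context: state per direction, one-way flag, error codes, failure counts."""
    by_nc = defaultdict(dict)
    for e in parse_showrepl(text):
        by_nc[e["nc"]][e["direction"]] = e
    report = {}
    for nc, dirs in by_nc.items():
        states = {d: classify(e) for d, e in dirs.items()}
        failing = [d for d, s in states.items() if s == "FAIL"]
        report[nc] = {"states": states,
                      "one_way": len(dirs) == 2 and len(failing) == 1,
                      "errors": {d: e["error"] for d, e in dirs.items() if e["error"]},
                      "failures": {d: e["failures"] for d, e in dirs.items()}}
    return report


if __name__ == "__main__":
    for nc, r in summarize(SAMPLE).items():
        print(nc, r["states"], r["errors"], "ONE-WAY" if r["one_way"] else "")
```

Run it as-is to see the sample summarised, or read "samba-tool drs showrepl" output into a string and pass it to summarize(); the NC-level view is what you compare between the two DCs, since each side only reports its own inbound and outbound attempts.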
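Louis's two configuration points, "map to guest = bad user" on a DC and sss in nsswitch.conf, can be checked mechanically. The script below is an added example, not code from the thread or from Samba: it parses smb.conf the way Samba matches parameter names (case and whitespace ignored, last duplicate wins), flags "map to guest" set to anything other than "never" (Samba's default) when the server role is an AD DC, flags sss on the passwd, group and shadow lines, and produces the corrected smb.conf with the offending line dropped. The samples are constructed, cut-down copies of the faiserver config above; recognising only the long "active directory domain controller" spelling of the role is a simplification of this example.

```python
"""Lint smb.conf and nsswitch.conf for two AD DC mistakes raised in the thread.

Added example, not from the thread or from Samba's own tooling.
"""
import re

# Constructed samples, cut down from the faiserver config posted above.
SMB_CONF = """\
[global]
    realm = EXAMPLE.CORP
    workgroup = EXAMPLE
    server role = active directory domain controller
    passdb backend = tdbsam
    map to guest = bad user
    usershare allow guests = No

[sysvol]
    read only = no
    path = /var/lib/samba/sysvol
"""

NSSWITCH_CONF = """\
passwd: compat sss
group:  compat sss
shadow: compat sss
hosts:  files dns
"""


def norm_key(key):
    """Samba matches parameter names ignoring case and whitespace; do the same."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}}; a later duplicate key wins, as in Samba."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][norm_key(key)] = value.strip()
    return conf


def is_ad_dc(conf):
    # Assumption of this example: only the long spelling of the role is recognised.
    role = conf.get("global", {}).get("serverrole", "").lower()
    return role == "active directory domain controller"


def lint_smb_conf(text):
    """Findings for an AD DC: 'map to guest' set to anything other than 'never'."""
    conf = parse_smb_conf(text)
    if not is_ad_dc(conf):
        return []
    value = conf["global"].get("maptoguest", "never")   # Samba's default is Never
    if value.lower() == "never":
        return []
    return [f"[global] map to guest = {value}: an unknown username becomes a guest "
            "login on this DC; remove the line"]


def lint_nsswitch(text):
    """Findings: sss on passwd/group/shadow, which a Samba AD DC serves through winbind."""
    findings = []
    for raw in text.splitlines():
        db, _, sources = raw.split("#", 1)[0].partition(":")
        if db.strip() in ("passwd", "group", "shadow") and "sss" in sources.split():
            findings.append(f"nsswitch.conf {db.strip()}: uses sss; use winbind on an AD DC")
    return findings


def drop_global_param(text, name):
    """Return smb.conf text with parameter 'name' removed from [global] only."""
    out, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            if norm_key(line.partition("=")[0]) == norm_key(name):
                continue                       # this is the line the finding is about
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in lint_smb_conf(SMB_CONF) + lint_nsswitch(NSSWITCH_CONF):
        print("FINDING:", f)
    print("--- corrected [global] ---")
    print(drop_global_param(SMB_CONF, "map to guest"))
```

Point the two lint functions at the real files to reproduce the check on a DC; testparm -s output also works as input, since it prints the same key = value layout.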
Martin Krämer
2018-Dec-20 16:03 UTC
[Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
Hi,

>> map to guest = bad user < remove it.
thanks - must have missed it on "faiserver" - on the other DC (location-000001) this entry did not exist.
(I have sent the whole config information about the location-000001 server to: https://lists.samba.org/archive/samba/2018-December/220084.html)

>> About your config, dc2 is just new installed ? the reboot the server and check again.
My second dc (location-000001) was just installed. I have restarted the whole server but not single services.

>> You can try also first
>> systemctl stop samba bind9
>> systemctl start bind9 samba
When running the second command I receive an error:
root at location-000001:~# systemctl start bind9 samba
Failed to start samba.service: Unit samba.service is masked.

So I ran:
systemctl start bind9 samba-ad-dc
and yep - replication is working then!! :)

As soon as I restart the full server (location-000001) once again, "samba-ad-dc" runs into an error and does not start up correctly:
Dec 20 15:57:44 location-000001.example.corp systemd[1]: Starting Samba AD Daemon...
Dec 20 15:57:45 location-000001.example.corp systemd[1]: samba-ad-dc.service: Supervising process 472 which is not our child. We'll most likely not notice when it exits.
Dec 20 15:57:45 location-000001.example.corp systemd[1]: samba-ad-dc.service: Killing process 472 (samba) with signal SIGKILL.
Dec 20 15:57:45 location-000001.example.corp systemd[1]: samba-ad-dc.service: Killing process 472 (samba) with signal SIGKILL.
Dec 20 15:57:45 location-000001.example.corp systemd[1]: Stopped Samba AD Daemon.

Rerunning "systemctl stop bind9 samba-ad-dc && systemctl start bind9 samba-ad-dc" resolves the issue again.

>> fix it with : systemctl edit bind9
>> add:
>> [Service]
>> ExecReload
when executing "systemctl edit bind9" an empty file within the folder "/etc/systemd/system/bind9.service.d" is opened in my editor. Should I just put the content mentioned by you there?

Thanks for the workaround already :)

On Thu, 20 Dec 2018 at 16:31, L.P.H.
van Belle via samba <samba at lists.samba.org> wrote:
libraries > ii samba-vfs-modules 2:4.5.12+dfsg-2+deb9u4 > amd64 Samba Virtual FileSystem plugins > ii smbclient 2:4.5.12+dfsg-2+deb9u4 > amd64 command-line SMB/CIFS clients for Unix > ii sssd-krb5 1.15.0-3 > amd64 System Security Services Daemon -- Kerberos back end > ii sssd-krb5-common 1.15.0-3 > amd64 System Security Services Daemon -- Kerberos helpers > ii winbind 2:4.5.12+dfsg-2+deb9u4 > amd64 service to resolve user and group information from Windows NT > servers > ----------- > root at faiserver:~# > > > > > Am Do., 20. Dez. 2018 um 15:19 Uhr schrieb L.P.H. van Belle via samba < > samba at lists.samba.org>: > > Lets start with. . > The list does not accept attachments.. > > What is the running OS? > The samba versions? > And the smb.conf ? > > Depending on version you can force a re-sync but fist tell us more. > > Greetz, > > Louis > > > > > -----Oorspronkelijk bericht----- > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > > Martin Krämer via samba > > Verzonden: donderdag 20 december 2018 15:00 > > Aan: samba at lists.samba.org > > Onderwerp: [Samba] Samba AD DC replication error - 2, 'WERR_BADFILE' > > > > Hello everyone, > > > > I have setup two Samba AD DC's with BIND9_DLZ dns backend. > > > > faiserver.example.corp is one of them hosting all FSMO Roles. > > location-000001.example.corp is the second one. > > Both are in different subnets but can reach each other. > > Unfortunately replication only works from faiserver.example.corp -> > > location-000001.example.corp. > > In the other direction location-000001.example.corp -> > > faiserver.example.corp it does not work. 
> > I always end up with error: > > ---------- > > *ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - > > drsException: DsReplicaSync failed (2, 'WERR_BADFILE')* > > * File > > "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, > > in run* > > * drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, > > source_dsa_guid, NC, req_options)* > > * File > > "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in > > sendDsReplicaSync* > > * raise drsException("DsReplicaSync failed %s" % estr)* > > ---------- > > I have already checked all topics I am aware of related to > > correct name > > resolution (because that was what I found that the error I receive is > > related to on the web). > > The only interesting thing i found is that running "host -t SRV > > _kerberos._udp.example.corp" on faiserver.example.corp prints only the > > currend DC while running it on location-000001.example.corp > > prints both DCs > > ...never the less I am not sure if this might be a cause or > > is just another > > bad result of the one way sync. > > Maybe someone has an idea? > > > > Attached you can find two files (one for each DC) with all > > information that > > I found could be relevant. If further information is required > > please let me > > know. > > > > Thanks for any hint pointing me into the right direction. > > > > Kind Regards > > > > mk-maddin > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
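The `samba-tool drs showrepl` output quoted in this thread is what an administrator would poll to catch a one-way replication failure like this one. As an added example, not code from the thread or from Samba itself, here is a small Python parser for that output which flags partners with consecutive failures and, separately, partitions that report "was successful" while their last success is still NTTIME(0), i.e. have never actually replicated. The sample text is constructed after the output quoted above (the final healthy outbound entry is invented for contrast), and the parsing assumes the showrepl line layout seen in this thread.

```python
"""Parse `samba-tool drs showrepl` output and flag partners that need attention."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the showrepl output quoted in this thread; the last
# outbound entry is altered to show what a partition that has really replicated looks like.
SAMPLE_SHOWREPL = r"""
Default-First-Site-Name\FAISERVER
DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
==== INBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)
DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
        1 consecutive failure(s).
        Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
        29 consecutive failure(s).
        Last success @ NTTIME(0)
DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        Last attempt @ Thu Dec 20 13:49:46 2018 UTC was successful
        0 consecutive failure(s).
        Last success @ Thu Dec 20 13:49:46 2018 UTC
==== KCC CONNECTION OBJECTS ====
"""

@dataclass
class Neighbour:
    direction: str          # INBOUND or OUTBOUND
    partition: str          # naming context, e.g. DC=example,DC=corp
    partner: str            # Site\DC of the replication partner
    last_attempt: str = ""
    result_code: int = 0    # 0 on success, otherwise the Win32 error (2 = WERR_BADFILE)
    result_name: str = ""
    failures: int = 0
    last_success: str = ""

    @property
    def never_replicated(self) -> bool:
        # NTTIME(0) is the zero timestamp: no successful replication was ever recorded
        return self.last_success == "NTTIME(0)"

SECTION_RE = re.compile(r"^=+\s*(INBOUND|OUTBOUND) NEIGHBORS\s*=+$")
PARTITION_RE = re.compile(r"^(?:DC|CN|OU)=")
ATTEMPT_RE = re.compile(r"^Last attempt @ (.+?) (?:was successful|failed, result (\d+) \((\w+)\))$")
FAILURES_RE = re.compile(r"^(\d+) consecutive failure\(s\)\.$")
SUCCESS_RE = re.compile(r"^Last success @ (.+)$")

def parse_showrepl(text: str) -> list:
    """Return one Neighbour per (direction, partition, partner) block in the output."""
    neighbours = []
    direction = partition = current = None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("===="):                      # section header; KCC etc. ends parsing
            m = SECTION_RE.match(line)
            direction = m.group(1) if m else None
            partition = current = None
        elif direction is None:
            continue
        elif PARTITION_RE.match(line):                   # new naming context
            partition, current = line, None
        elif " via " in line:                            # new partner under that context
            current = Neighbour(direction, partition, line.split(" via ")[0])
            neighbours.append(current)
        elif current is None:
            continue
        elif (m := ATTEMPT_RE.match(line)):
            current.last_attempt = m.group(1)
            if m.group(2) is not None:
                current.result_code, current.result_name = int(m.group(2)), m.group(3)
        elif (m := FAILURES_RE.match(line)):
            current.failures = int(m.group(1))
        elif (m := SUCCESS_RE.match(line)):
            current.last_success = m.group(1)
    return neighbours

def replication_problems(neighbours: list) -> list:
    """(direction, partition, partner, reason) for every neighbour worth alerting on."""
    problems = []
    for n in neighbours:
        if n.failures or n.result_code:
            problems.append((n.direction, n.partition, n.partner,
                             f"{n.failures} consecutive failure(s), last result {n.result_code} ({n.result_name})"))
        elif n.never_replicated:
            problems.append((n.direction, n.partition, n.partner,
                             "reports success but has never replicated (Last success @ NTTIME(0))"))
    return problems

if __name__ == "__main__":
    for direction, partition, partner, reason in replication_problems(parse_showrepl(SAMPLE_SHOWREPL)):
        print(f"{direction:8s} {partition:38s} {partner}: {reason}")
```

Feed it the real output (`samba-tool drs showrepl | python3 this_script.py`-style, after replacing the sample) and alert on a non-empty result; the "never replicated" case is exactly what the quoted faiserver output shows for most partitions.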
L.P.H. van Belle
2018-Dec-20 16:18 UTC
[Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
Hai,

> When running second command I receive error:
> root at location-000001:~# systemctl start bind9 samba
> Failed to start samba.service: Unit samba.service is masked.

ah yes, sorry, that is of course samba-ad-dc

> and yep - replication is working then!! :)

what i expected the old bug. ;-)

About the other start up for both DC's do the following.
type :

systemctl edit --full samba-ad-dc

This copies the original and creates a file in /etc/systemd/system

Add this: ( i changed : After=network.target bind9.service added bind9.service, now samba starts always after bind9 )

# /etc/systemd/system/samba-ad-dc.service
[Unit]
Description=Samba AD Daemon
Documentation=man:samba(8) man:samba(7) man:smb.conf(5)
After=network.target bind9.service

[Service]
Type=notify
NotifyAccess=all
PIDFile=/var/run/samba/samba.pid
LimitNOFILE=16384
EnvironmentFile=-/etc/default/samba
ExecStart=/usr/sbin/samba $SAMBAOPTIONS
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target

that should fix it.

>> fix it with : systemctl edit bind9
>> add:
>> [Service]
>> ExecReload
> when executing "systemctl edit bind9" an empty file within folder "/etc/systemd/system/bind9.service.d" is opened in my editor.
> Should I just put the content mentioned by you there?

Yes,
just add :

# /etc/systemd/system/bind9.service.d/override.conf
[Service]
ExecReload

Or like the samba-ad-dc edit --full

then its systemctl edit --full bind9.service

# /lib/systemd/system/bind9.service
[Unit]
Description=BIND Domain Name Server
Documentation=man:named(8)
After=network.target
Wants=nss-lookup.target
Before=nss-lookup.target

[Service]
EnvironmentFile=/etc/default/bind9
ExecStart=/usr/sbin/named -f $OPTIONS
ExecReload
ExecStop=/usr/sbin/rndc stop

[Install]
WantedBy=multi-user.target

What you want. ;-)

Greetz,

Louis

From: Martin Krämer [mailto:mk.maddin at gmail.com]
Sent: Thursday 20 December 2018 17:04
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'

Hi,

>> map to guest = bad user < remove it.
thanks - must have missed it on "faiserver" - on other DC (location-000001) this entry did not exist.
(I have sent whole config information about location-000001 server to: https://lists.samba.org/archive/samba/2018-December/220084.html)

>> About your config, dc2 is just new installed ? the reboot the server and check again.
My second dc (location-000001) was just installed.
I have restarted whole server but not single services.

>> You can try also first
>> systemctl stop samba bind9
>> systemctl start bind9 samba
When running second command I receive error:
root at location-000001:~# systemctl start bind9 samba
Failed to start samba.service: Unit samba.service is masked.

So I ran:
systemctl start bind9 samba-ad-dc

and yep - replication is working then!! :)

As soon as I restart the full server (location-000001) once again "samba-ad-dc" runs into an error and does not start up correctly:
Dec 20 15:57:44 location-000001.example.corp systemd[1]: Starting Samba AD Daemon...
Dec 20 15:57:45 location-000001.example.corp systemd[1]: samba-ad-dc.service: Supervising process 472 which is not our child. We'll most likely not notice when it exits.
Dec 20 15:57:45 location-000001.example.corp systemd[1]: samba-ad-dc.service: Killing process 472 (samba) with signal SIGKILL.
Dec 20 15:57:45 location-000001.example.corp systemd[1]: samba-ad-dc.service: Killing process 472 (samba) with signal SIGKILL.
Dec 20 15:57:45 location-000001.example.corp systemd[1]: Stopped Samba AD Daemon.

Rerunning "systemctl stop bind9 samba-ad-dc && systemctl start bind9 samba-ad-dc" resolves the issue again.

>> fix it with : systemctl edit bind9
>> add:
>> [Service]
>> ExecReload
when executing "systemctl edit bind9" an empty file within folder "/etc/systemd/system/bind9.service.d" is opened in my editor.
Should I just put the content mentioned by you there?

Thanks for the workaround already :)

On Thu, 20 Dec 2018 at 16:31, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

Hai,

As extra on Rowland comment..
Your config looks ok as said, i did see..

smb.conf
map to guest = bad user < remove it.

Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account.
and you want that for a AD DC setup? you might result in all users are guests..

About your config, dc2 is just new installed ? the reboot the server and check again.
You might have hit an old bug as i can remember.

You can try also first
systemctl stop samba bind9
systemctl start bind9 samba

samba and bind9 will bind9 is reloading zones is buggy..
fix it with : systemctl edit bind9
add:
[Service]
ExecReload

sss in nsswitch while this is an AD DC, thats not supported, but if it works for you, im not here to judge you..
Just saying winbind works fine on the DC's.

Greetz,

Louis

From: Martin Krämer [mailto:mk.maddin at gmail.com]
Sent: Thursday 20 December 2018 16:10
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'

Thanks for the fast reply. Sorry - I was not aware that attachments are not forwarded.
(All information you requested was included there)

I think I have already tried resync via "samba-tool drs replicate" - but better see below the printout of previous attachment "faiserver.log"

Thanks for help in advance :)

root at faiserver:~# uname -a
Linux faiserver.example.corp 4.9.0-8-amd64 #1 SMP Debian 4.9.135-1 (2018-11-11) x86_64 GNU/Linux
root at faiserver:~# hostname -f
faiserver.example.corp
root at faiserver:~# host 192.168.33.250
250.33.168.192.in-addr.arpa domain name pointer faiserver.example.corp.
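The fix proposed above is an `After=network.target bind9.service` line in the samba-ad-dc unit. As an added example, not from the thread or from either project, here is a small Python check that parses that unit text and reports whether it is merely ordered after bind9.service or also pulls it in; the unit text is copied from the override quoted above, and the `Wants=`/`Requires=` distinction is standard systemd semantics (After= orders units, it does not start them) rather than something the thread discusses.

```python
"""Check how a systemd unit relates to bind9.service: ordering (After=) versus dependency (Wants=/Requires=)."""

# Constructed copy of the samba-ad-dc.service override posted in this thread.
SAMBA_AD_DC_UNIT = """\
[Unit]
Description=Samba AD Daemon
Documentation=man:samba(8) man:samba(7) man:smb.conf(5)
After=network.target bind9.service

[Service]
Type=notify
NotifyAccess=all
PIDFile=/var/run/samba/samba.pid
LimitNOFILE=16384
EnvironmentFile=-/etc/default/samba
ExecStart=/usr/sbin/samba $SAMBAOPTIONS
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
"""


def parse_unit(text: str) -> dict:
    """Parse unit text into {section: {key: [raw values, in order]}}; repeated keys accumulate."""
    unit, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = unit.setdefault(line[1:-1], {})
            continue
        if section is not None and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            section.setdefault(key.strip(), []).append(value.strip())
    return unit


def list_directive(unit: dict, section: str, key: str) -> list:
    """Flatten a space-separated list directive; an empty assignment resets the list, as in systemd."""
    items = []
    for value in unit.get(section, {}).get(key, []):
        items = items + value.split() if value else []
    return items


def check_dependency(unit_text: str, dep: str = "bind9.service") -> dict:
    """Report whether the unit is ordered after `dep` and whether it actually pulls `dep` in."""
    unit = parse_unit(unit_text)
    ordered_after = dep in list_directive(unit, "Unit", "After")
    pulled_in = any(dep in list_directive(unit, "Unit", k) for k in ("Wants", "Requires", "BindsTo"))
    notes = []
    if not ordered_after:
        notes.append(f"no After={dep}: start order relative to {dep} is undefined")
    elif not pulled_in:
        notes.append(f"After={dep} only orders units that are both being started; add Wants={dep} "
                     f"(or Requires={dep}) so {dep} is started together with this unit")
    return {"ordered_after": ordered_after, "pulled_in": pulled_in, "notes": notes}


if __name__ == "__main__":
    for note in check_dependency(SAMBA_AD_DC_UNIT)["notes"]:
        print("samba-ad-dc.service:", note)
```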
Martin Krämer
2018-Dec-20 16:41 UTC
[Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
Hi,

thanks for the detailed instruction.
I have edited using "systemctl edit --full bind9.service" and "systemctl edit --full samba-ad-dc.service".
Unfortunately it does not seem to resolve - after restart samba-ad-dc service still fails with previous error.

This is how service files look like:

root at location-000001:~# cat /etc/systemd/system/bind9.service
[Unit]
Description=BIND Domain Name Server
Documentation=man:named(8)
After=network.target
Wants=nss-lookup.target
Before=nss-lookup.target

[Service]
EnvironmentFile=/etc/default/bind9
ExecStart=/usr/sbin/named -f $OPTIONS
ExecReload
ExecStop=/usr/sbin/rndc stop

[Install]
WantedBy=multi-user.target

root at location-000001:~# cat /etc/systemd/system/samba-ad-dc.service
[Unit]
Description=Samba AD Daemon
Documentation=man:samba(8) man:samba(7) man:smb.conf(5)
After=network.target bind9.service

[Service]
Type=notify
NotifyAccess=all
PIDFile=/var/run/samba/samba.pid
LimitNOFILE=16384
EnvironmentFile=-/etc/default/samba
ExecStart=/usr/sbin/samba $SAMBAOPTIONS
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
root at location-000001:~#

On Thu, 20 Dec 2018 at 17:19, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> Hai,
>
> > When running second command I receive error:
> > root at location-000001:~# systemctl start bind9 samba
> > Failed to start samba.service: Unit samba.service is masked.
>
> ah yes, sorry, that is of course samba-ad-dc
>
> > and yep - replication is working then!! :)
> what i expected the old bug. ;-)
>
> About the other start up for both DC's do the following.
> type :
> systemctl edit --full samba-ad-dc
> This copies the original and creates a file in /etc/systemd/system
>
> Add this: ( i changed : After=network.target bind9.service added bind9.service, now samba starts always after bind9 )
>
> # /etc/systemd/system/samba-ad-dc.service
> [Unit]
> Description=Samba AD Daemon
> Documentation=man:samba(8) man:samba(7) man:smb.conf(5)
> After=network.target bind9.service
>
> [Service]
> Type=notify
> NotifyAccess=all
> PIDFile=/var/run/samba/samba.pid
> LimitNOFILE=16384
> EnvironmentFile=-/etc/default/samba
> ExecStart=/usr/sbin/samba $SAMBAOPTIONS
> ExecReload=/bin/kill -HUP $MAINPID
>
> [Install]
> WantedBy=multi-user.target
>
> that should fix it.
>
> >> fix it with : systemctl edit bind9
> >> add:
> >> [Service]
> >> ExecReload
>
> >when executing "systemctl edit bind9" an empty file within folder "/etc/systemd/system/bind9.service.d" is opened in my editor.
> >Should I just put the content mentioned by you there?
>
> Yes,
> just add :
> # /etc/systemd/system/bind9.service.d/override.conf
> [Service]
> ExecReload
>
> Or like the samba-ad-dc edit --full
>
> then its systemctl edit --full bind9.service
>
> # /lib/systemd/system/bind9.service
> [Unit]
> Description=BIND Domain Name Server
> Documentation=man:named(8)
> After=network.target
> Wants=nss-lookup.target
> Before=nss-lookup.target
>
> [Service]
> EnvironmentFile=/etc/default/bind9
> ExecStart=/usr/sbin/named -f $OPTIONS
> ExecReload
> ExecStop=/usr/sbin/rndc stop
>
> [Install]
> WantedBy=multi-user.target
>
> What you want. ;-)
>
> Greetz,
>
> Louis
>
> From: Martin Krämer [mailto:mk.maddin at gmail.com]
> Sent: Thursday, 20 December 2018 17:04
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
>
> Hi,
>
> >> map to guest = bad user < remove it.
> thanks - must have missed it on "faiserver" - on other DC (location-000001) this entry did not exist.
> (I have sent whole config information about location-000001 server to:
> https://lists.samba.org/archive/samba/2018-December/220084.html)
>
> >> About your config, dc2 is just new installed ? the reboot the server and check again.
> My second dc (location-000001) was just installed.
> I have restarted whole server but not single services.
>
> >> You can try also first
> >> systemctl stop samba bind9
> >> systemctl start bind9 samba
>
> When running second command I receive error:
> root at location-000001:~# systemctl start bind9 samba
> Failed to start samba.service: Unit samba.service is masked.
>
> So I ran:
> systemctl start bind9 samba-ad-dc
>
> and yep - replication is working then!! :)
>
> As soon as I restart the full server (location-000001) once again "samba-ad-dc" runs into an error and does not start up correctly:
> Dec 20 15:57:44 location-000001.example.corp systemd[1]: Starting Samba AD Daemon...
> Dec 20 15:57:45 location-000001.example.corp systemd[1]: samba-ad-dc.service: Supervising process 472 which is not our child. We'll most likely not notice when it exits.
> Dec 20 15:57:45 location-000001.example.corp systemd[1]: samba-ad-dc.service: Killing process 472 (samba) with signal SIGKILL.
> Dec 20 15:57:45 location-000001.example.corp systemd[1]: samba-ad-dc.service: Killing process 472 (samba) with signal SIGKILL.
> Dec 20 15:57:45 location-000001.example.corp systemd[1]: Stopped Samba AD Daemon.
>
> Rerunning "systemctl stop bind9 samba-ad-dc && systemctl start bind9 samba-ad-dc" resolves the issue again.
>
> >> fix it with : systemctl edit bind9
> >> add:
> >> [Service]
> >> ExecReload
> when executing "systemctl edit bind9" an empty file within folder "/etc/systemd/system/bind9.service.d" is opened in my editor.
> Should I just put the content mentioned by you there?
>
> Thanks for the workaround already :)
>
> On Thu, 20 Dec 2018 at 16:31, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
>
> Hai,
>
> As extra on Rowland comment..
> Your config looks ok as said, i did see..
>
> smb.conf
> map to guest = bad user < remove it.
>
> Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account.
> and you want that for a AD DC setup? you might result in all users are guests..
>
> About your config, dc2 is just new installed ? the reboot the server and check again.
> You might have hit an old bug as i can remember.
>
> You can try also first
> systemctl stop samba bind9
> systemctl start bind9 samba
>
> samba and bind9 wil bind9 is reloading zones is buggy..
> fix it with : systemctl edit bind9
> add:
> [Service]
> ExecReload
>
> sss in nsswitch while this is an AD DC, thats not supported, but if it works for you, im not here to judge you..
> Just saying winbind works fine on the DC's.
>
> Greetz,
>
> Louis
>
> From: Martin Krämer [mailto:mk.maddin at gmail.com]
> Sent: Thursday, 20 December 2018 16:10
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
>
> Thanks for the fast reply. Sorry - I was not aware that attachments are not forwarded.
> (All information you requested was included there)
>
> I think I have already tried resync via "samba-tool drs replicate" - but better see below the printout of previous attachment "faiserver.log"
>
> Thanks for help in advance :)
>
> root at faiserver:~# uname -a
> Linux faiserver.example.corp 4.9.0-8-amd64 #1 SMP Debian 4.9.135-1 (2018-11-11) x86_64 GNU/Linux
> root at faiserver:~# hostname -f
> faiserver.example.corp
> root at faiserver:~# host 192.168.33.250
> 250.33.168.192.in-addr.arpa domain name pointer faiserver.example.corp.
> root at faiserver:~# host faiserver.example.corp
> faiserver.example.corp has address 192.168.33.250
> root at faiserver:~# host 192.168.34.250
> Host 250.34.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
> root at faiserver:~# host location-000001.example.corp
> location-000001.example.corp has address 192.168.34.250
> root at faiserver:~# samba -V
> Version 4.5.12-Debian
> root at faiserver:~# samba-tool drs replicate faiserver.example.corp location-000001.example.corp DC=example,DC=corp
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
> root at faiserver:~# samba-tool drs replicate location-000001.example.corp faiserver.example.corp DC=example,DC=corp
> Replicate from faiserver.example.corp to location-000001.example.corp was successful.
> root at faiserver:~# samba-tool drs showrepl
> Default-First-Site-Name\FAISERVER
> DSA Options: 0x00000001
> DSA object GUID: 5543435c-fccd-446a-bf71-777f4c6a3862
> DSA invocationId: 20bce62d-cf4a-404a-8884-3552f409179d
>
> ==== INBOUND NEIGHBORS ====
>
> DC=ForestDnsZones,DC=example,DC=corp
>     Default-First-Site-Name\LOCATION-000001 via RPC
>         DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> DC=DomainDnsZones,DC=example,DC=corp
>     Default-First-Site-Name\LOCATION-000001 via RPC
>         DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> DC=example,DC=corp
>     Default-First-Site-Name\LOCATION-000001 via RPC
>         DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
>         Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
>         1 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> CN=Schema,CN=Configuration,DC=example,DC=corp
>     Default-First-Site-Name\LOCATION-000001 via RPC
>         DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> CN=Configuration,DC=example,DC=corp
>     Default-First-Site-Name\LOCATION-000001 via RPC
>         DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> ==== OUTBOUND NEIGHBORS ====
>
> DC=ForestDnsZones,DC=example,DC=corp
>     Default-First-Site-Name\LOCATION-000001 via RPC
>         DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
>         Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
>         29 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> DC=DomainDnsZones,DC=example,DC=corp
>     Default-First-Site-Name\LOCATION-000001 via RPC
>         DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
>         Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
>         29 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> DC=example,DC=corp
>     Default-First-Site-Name\LOCATION-000001 via RPC
>         DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> CN=Schema,CN=Configuration,DC=example,DC=corp
>     Default-First-Site-Name\LOCATION-000001 via RPC
>         DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
>         Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
>         29 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> CN=Configuration,DC=example,DC=corp
>     Default-First-Site-Name\LOCATION-000001 via RPC
>         DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
>         Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
>         29 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> ==== KCC CONNECTION OBJECTS ====
>
> Connection --
>     Connection name: 6c51da6c-3fe9-41f8-a9ac-a99949a235e4
>     Enabled        : TRUE
>     Server DNS name : location-000001.example.corp
>     Server DN name  : CN=NTDS Settings,CN=LOCATION-000001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=corp
>         TransportType: RPC
>         options: 0x00000001
> Warning: No NC replicated for Connection!
> root at faiserver:~# url="https://raw.githubusercontent.com/thctlo/samba4/master/samba-setup-checkup.sh" && wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename ${url})
> Check hostnames : Ok
> ./samba-setup-checkup.sh: line 91: [: !=: unary operator expected
> Checking detected host ipnumbers from resolv.conf and default gateway
> Ping gateway ip : 192.168.33.1 : Ok
> Warning, no ping to gateway, this might be firewalled.
> check you internet connection, AD DNS might need it.
> ping nameserver1: 127.0.0.1 : Ok
> ping nameserver2: 8.8.4.4 : Ok
> Check ping google dns : 8.8.8.8 : Ok
> Warning, no ping to internet dns 8.8.8.8, this might be firewalled.
> Check you internet connection, AD DNS might need it.
> Checking file owner..
> -rw-r--r-- root root /etc/samba/smb.conf
> Checking file owner..
> -rw-r--r-- root root /etc/samba/lmhosts
> Checking file owner..
> -rw-r--r-- root root /etc/samba/smbpasswd
> drwxr-xr-x root root /usr/bin
> drwxr-xr-x root root /var/cache/samba
> drwxr-xr-x root root /usr/lib/x86_64-linux-gnu
> drwxr-xr-x root root /var/run/samba
> drwxr-x--- root adm /var/log/samba
> drwxr-xr-x root root /usr/lib/x86_64-linux-gnu/samba
> drwxr-xr-x root root /var/run/samba
> drwxr-xr-x root root /var/lib/samba/private
> drwxr-xr-x root root /usr/sbin
> drwxr-xr-x root root /var/lib/samba
> DCS faiserver.example.corp
> DC1 faiserver.example.corp
> DC2
> Samba AD DC info: = detected (command and where to look)
> This server hostname = faiserver (hostname -s and /etc/hosts and DNS server)
> This server FQDN (hostname) = faiserver.example.corp (hostname -f and /etc/hosts and DNS server)
> This server primary dnsdomain = example.corp (hostname -d and /etc/resolv.conf and DNS server)
> This server IP address(ses) = 192.168.33.250 Only one interface detected (hostname -i (-I) and /etc/networking/interfaces and DNS server
> The DC with FSMO roles = FAISERVER (samba-tool fsmo show)
> The DC (with FSMO) Site name = Default-First-Site-Name (samba-tool fsmo show)
> The Default Naming Context = DC=example,DC=corp (samba-tool fsmo show)
> The Kerberos REALM name used = EXAMPLE.CORP (kinit and /etc/krb5.conf and resolving)
> The Ipadres of DC faiserver.example.corp = 192.168.33.250
> SAMBA_SERVER_ROLE: active directory domain controller
> SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
> root at faiserver:~# url="https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh" && wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename ${url}) &>/dev/null && cat /tmp/samba-debug-info.txt
> Collected config --- 2018-12-20-13:49 -----------
>
> Hostname: faiserver
> DNS Domain: example.corp
> FQDN: faiserver.example.corp
> ipaddress: 192.168.33.250
>
> -----------
> Samba is running as an AD DC
> Checking file: /etc/os-release
> PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
> NAME="Debian GNU/Linux"
> VERSION_ID="9"
> VERSION="9 (stretch)"
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
> Warning, /etc/devuan_version does not exist
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether 52:54:00:87:44:60 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.33.250/24 brd 192.168.33.255 scope global ens3
>     inet6 fe80::5054:ff:fe87:4460/64 scope link
> -----------
> Checking file: /etc/hosts
> 127.0.0.1 localhost
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
> Checking file: /etc/resolv.conf
>
> nameserver 127.0.0.1
> nameserver 8.8.4.4
> domain example.corp
> search example.corp
>
> -----------
> Checking file: /etc/krb5.conf
> [libdefaults]
> default_realm = EXAMPLE.CORP
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> -----------
> Checking file: /etc/nsswitch.conf
>
> passwd: compat sss
> group: compat sss
> shadow: compat sss
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files sss
> ethers: db files
> rpc: db files
>
> netgroup: nis sss
> sudoers: files sss
>
> -----------
> Checking file: /etc/samba/smb.conf
>
> [global]
> realm = EXAMPLE.CORP
> kerberos method = secrets and keytab
> client use spnego = yes
> client signing = yes
> server services = -dns
> ldap server require strong auth = no
> tls cafile = tls/ca.pem
> tls certfile = tls/cert.pem
> tls keyfile = tls/key.pem
> tls enabled = yes
> idmap_ldb:use rfc2307 = yes
> workgroup = EXAMPLE
> dns proxy = no
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> server role = active directory domain controller
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> map to guest = bad user
> usershare allow guests = No
>
> [homes]
> comment = Home Directories
> browseable = no
> read only = yes
> create mask = 0700
> directory mask = 0700
> valid users = %S
>
> [printers]
> comment = All Printers
> browseable = no
> path = /var/spool/samba
> printable = yes
> guest ok = no
> read only = yes
> create mask = 0700
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
> browseable = yes
> read only = yes
> guest ok = no
>
> [netlogon]
> read only = no
> path = /var/lib/samba/sysvol/example.corp/Scripts
> [sysvol]
> read only = no
> path = /var/lib/samba/sysvol
>
> -----------
> No username map detected.
>
> -----------
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> -----------
> Checking file: /etc/bind/named.conf.options
> options {
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>     forwarders { 8.8.4.4; };
>     allow-query { internals; };
>     allow-query-cache { internals; };
>     recursion yes;
>     allow-recursion { internals; };
>     allow-transfer { internals; };
>     listen-on { any; };
>     directory "/var/cache/bind";
>     dnssec-validation no;
>
>     auth-nxdomain no; # conform to RFC1035
>     listen-on-v6 { none; };
> };
>
> acl internals {
>     127.0.0.1/8; 192.168.33.0/24;
> };
>
> -----------
> Checking file: /etc/bind/named.conf.local
>
> -----------
> Checking file: /etc/bind/named.conf.default-zones
> zone "." {
>     type hint;
>     file "/etc/bind/db.root";
> };
>
> zone "localhost" {
>     type master;
>     file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.255";
> };
>
> -----------
>
> Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
> ii  krb5-config                2.6                     all    Configuration files for Kerberos Version 5
> ii  krb5-user                  1.15-1+deb9u1           amd64  basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64              2.2.52-3+b1             amd64  Access control list shared library
> ii  libgssapi-krb5-2:amd64     1.15-1+deb9u1           amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal:amd64   7.1.0+dfsg-13+deb9u2    amd64  Heimdal Kerberos - libraries
> ii  libkrb5-3:amd64            1.15-1+deb9u1           amd64  MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64      1.15-1+deb9u1           amd64  MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64       2:4.5.12+dfsg-2+deb9u4  amd64  Samba nameservice integration plugins
> ii  libpam-winbind:amd64       2:4.5.12+dfsg-2+deb9u4  amd64  Windows domain authentication integration plugin
> ii  libsmbclient:amd64         2:4.5.12+dfsg-2+deb9u4  amd64  shared library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64         2:4.5.12+dfsg-2+deb9u4  amd64  Samba winbind client library
> ii  python-samba               2:4.5.12+dfsg-2+deb9u4  amd64  Python bindings for Samba
> ii  samba                      2:4.5.12+dfsg-2+deb9u4  amd64  SMB/CIFS file, print, and login server for Unix
> ii  samba-common               2:4.5.12+dfsg-2+deb9u4  all    common files used by both the Samba server and client
> ii  samba-common-bin           2:4.5.12+dfsg-2+deb9u4  amd64  Samba common files used by both the server and the client
> ii  samba-dsdb-modules         2:4.5.12+dfsg-2+deb9u4  amd64  Samba Directory Services Database
> ii  samba-libs:amd64           2:4.5.12+dfsg-2+deb9u4  amd64  Samba core libraries
> ii  samba-vfs-modules          2:4.5.12+dfsg-2+deb9u4  amd64  Samba Virtual FileSystem plugins
> ii  smbclient                  2:4.5.12+dfsg-2+deb9u4  amd64  command-line SMB/CIFS clients for Unix
> ii  sssd-krb5                  1.15.0-3                amd64  System Security Services Daemon -- Kerberos back end
> ii  sssd-krb5-common           1.15.0-3                amd64  System Security Services Daemon -- Kerberos helpers
> ii  winbind                    2:4.5.12+dfsg-2+deb9u4  amd64  service to resolve user and group information from Windows NT servers
> -----------
> root at faiserver:~#
>
> On Thu, 20 Dec 2018 at 15:19, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
>
> Lets start with. .
> The list does not accept attachments..
>
> What is the running OS?
> The samba versions?
> And the smb.conf ?
>
> Depending on version you can force a re-sync but first tell us more.
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Martin Krämer via samba
> > Sent: Thursday, 20 December 2018 15:00
> > To: samba at lists.samba.org
> > Subject: [Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
> >
> > Hello everyone,
> >
> > I have setup two Samba AD DC's with BIND9_DLZ dns backend.
> >
> > faiserver.example.corp is one of them hosting all FSMO Roles.
> > location-000001.example.corp is the second one.
> > Both are in different subnets but can reach each other.
> > Unfortunately replication only works from faiserver.example.corp -> location-000001.example.corp.
> > In the other direction location-000001.example.corp -> faiserver.example.corp it does not work.
> > I always end up with error:
> > ----------
> > ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
> >     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
> >   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
> >     raise drsException("DsReplicaSync failed %s" % estr)
> > ----------
> > I have already checked all topics I am aware of related to correct name resolution (because that was what I found that the error I receive is related to on the web).
> > The only interesting thing i found is that running "host -t SRV _kerberos._udp.example.corp" on faiserver.example.corp prints only the current DC while running it on location-000001.example.corp prints both DCs
> > ...nevertheless I am not sure if this might be a cause or is just another bad result of the one way sync.
> > Maybe someone has an idea?
> >
> > Attached you can find two files (one for each DC) with all information that I found could be relevant. If further information is required please let me know.
> >
> > Thanks for any hint pointing me into the right direction.
> >
> > Kind Regards
> >
> > mk-maddin
> > --
> > To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2018-Dec-21 08:37 UTC
[Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
Ok, some more resolving things to fix. On both DC's few things to edit. In resolv.conf, the order is important here and dont point to nameserver 127.0.0.1 for the DC's. DC1. file: /etc/resolv.conf search example.corp nameserver IP_DC1 nameserver IP_DC2 nameserver 8.8.4.4 /etc/hosts IP_DC1 hostname.internal.example.com hostname IP_DC2 hostname.internal.example.com hostname DC2 file: /etc/resolv.conf search example.corp nameserver IP_DC2 nameserver IP_DC1 nameserver 8.8.4.4 /etc/hosts IP_DC2 hostname.internal.example.com hostname IP_DC1 hostname.internal.example.com hostname change /etc/nsswitch.conf to this. passwd: compat winbind group: compat winbind shadow: compat hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis Both DC's. /etc/bind/named.conf see bit below, ive posted my config for you as example. This is my bind config, because im seeing more now, cat /etc/bind/named.conf include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones"; << This one. If you enable this one, is MUST be the last one.. ALWAYS. cat /etc/bind/named.conf.options // Defined ACL Begin acl thisserverip { 192.168.0.1; }; acl all-networks { 192.168.0.0/24; }; // Defined ACL End options { directory "/var/cache/bind"; version "0.0.7"; // ISP DNS forwarders forwarders { 62.212.131.101; 62.212.128.130; 8.8.8.8; }; dnssec-validation no; auth-nxdomain yes; # conform to RFC1035 =no but we are the Authoritive server. 
listen-on-v6 { "none"; }; listen-on port 53 { "thisserverip"; 127.0.0.1; }; notify no; empty-zones-enable no; // Add any subnets or hosts you want to allow to use this DNS server allow-query { "all-networks"; 127.0.0.1/32; }; // Add any subnets or hosts you want to allow to use recursive queries allow-recursion { "all-networks"; 127.0.0.1/32; }; // https://wiki.samba.org/index.php/Dns-backend_bind // DNS dynamic updates via Kerberos (optional, but recommended) tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; }; include "/etc/bind/rndc.key"; controls { inet 127.0.0.1 allow { localhost; } keys { rndc-key;}; }; cat "/etc/bind/named.conf.local" // // Do any local configuration here // // Consider adding the 1918 zones here, if they are not used in your // organization //include "/etc/bind/zones.rfc1918"; // adding the dlopen ( Bind DLZ ) module for samba. include "/var/lib/samba/private/named.conf"; reboot server 1. wait untill its up, wait 1 min more. reboot server 2. then after the reboot, on both dc's run : cat /var/log/syslog|grep named and post the outputs. test it again, If you see the same problem. systemctl stop samba bind9 Then follow these steps. On DC2, edit /etc/resolv.conf change the order of DC1 and DC2 DC2 file: /etc/resolv.conf search example.corp nameserver IP_DC1 nameserver IP_DC2 nameserver 8.8.4.4 reboot. Yes, reboot, starting stopping does not always work, dont ask why i dont know. rebooting always worked for me. ( as of 4.1.x ) since 4.7 well, i even like 4.8 more. The replication needs some info from DC1 the first time, ones its replicated you can change it back. Or leave it with DC1 as first resolver both work, but i preffer resolving over the servers own ip first. I think this is your fix. I'll explain a bit more why i think that. Your hosts files are missing the hostnames/ip of the DC. When samba starts and bind isnt started ( and even if its started ) If it needs to resolv the hostname it fails. Why.. the service start settings.. 
After=network.target If samba/bind needs to replicate and/is trying to, After=network.target only initilized the network, it does not wait untill its fully started, for that you need After=network-online.target One of the points. your bind9 config is fautly, some wrong orders missing setting. Not a big deal normaly but in the AD-DC setups is the most important part.. I suggest try the above things. ! backup you old and let my howto guide you to a better setup. https://github.com/thctlo/samba4/tree/master/howtos these are getting a bit old, but it a setup based on the official debian 4.5.12 pacakges. Reviewing this wont harm... Now, make the needed changes and let us know what the result is. the smb.conf might need also a bit of cleaning up, but that depends also a bit if you use the DC's as file server. Greetz, Louis Van: Martin Krämer [mailto:mk.maddin at gmail.com] Verzonden: donderdag 20 december 2018 17:41 Aan: L.P.H. van Belle CC: samba at lists.samba.org Onderwerp: Re: [Samba] Samba AD DC replication error - 2, 'WERR_BADFILE' Hi, thanks for the detailed instruction. I have edited using "systemctl edit --full bind9.service" and "systemctl edit --full samba-ad-dc.service". Unfortunately it does not seem to resolve - after restart samba-ad-dc service still fails with previous error. 
This is how service files look like: root at location-000001:~# cat /etc/systemd/system/bind9.service [Unit] Description=BIND Domain Name Server Documentation=man:named(8) After=network.target Wants=nss-lookup.target Before=nss-lookup.target [Service] EnvironmentFile=/etc/default/bind9 ExecStart=/usr/sbin/named -f $OPTIONS ExecReloadExecStop=/usr/sbin/rndc stop [Install] WantedBy=multi-user.target root at location-000001:~# cat /etc/systemd/system/samba-ad-dc.service [Unit] Description=Samba AD Daemon Documentation=man:samba(8) man:samba(7) man:smb.conf(5) After=network.target bind9.service [Service] Type=notify NotifyAccess=all PIDFile=/var/run/samba/samba.pid LimitNOFILE=16384 EnvironmentFile=-/etc/default/samba ExecStart=/usr/sbin/samba $SAMBAOPTIONS ExecReload=/bin/kill -HUP $MAINPID [Install] WantedBy=multi-user.target root at location-000001:~# Am Do., 20. Dez. 2018 um 17:19 Uhr schrieb L.P.H. van Belle via samba <samba at lists.samba.org>: Hai,> When running second command I recieve error: > root at location-000001:~# systemctl start bind9 samba > Failed to start samba.service: Unit samba.service is masked.ah yes, sorry, that is offcourse samba-ad-dc>and yep - replication is working then!! :)what i expected the old bug. ;-) About the other start up for both DC's do the following. 
type : systemctl edit --full samba-ad-dc This copies the original and creates a file in /etc/systemd/system Add this: ( i changed : After=network.target bind9.service added bind9.service, now samba starts always after bind9 ) # /etc/systemd/system/samba-ad-dc.service [Unit] Description=Samba AD Daemon Documentation=man:samba(8) man:samba(7) man:smb.conf(5) After=network.target bind9.service [Service] Type=notify NotifyAccess=all PIDFile=/var/run/samba/samba.pid LimitNOFILE=16384 EnvironmentFile=-/etc/default/samba ExecStart=/usr/sbin/samba $SAMBAOPTIONS ExecReload=/bin/kill -HUP $MAINPID [Install] WantedBy=multi-user.target that should fix it.>> fix it with : systemctl edit bind9 >> add: >> [Service] >> ExecReload >when executing "systemctl edit bind9" an empty file within folder "/etc/systemd/system/bind9.service.d" is opened in my editor. >Should I just but the content mentioned by you there?Yes, just add : # /etc/systemd/system/bind9.service.d/override.conf [Service] ExecReload Or like the samba-ad-dc edit --full then its systemctl edit --full bind9.service # /lib/systemd/system/bind9.service [Unit] Description=BIND Domain Name Server Documentation=man:named(8) After=network.target Wants=nss-lookup.target Before=nss-lookup.target [Service] EnvironmentFile=/etc/default/bind9 ExecStart=/usr/sbin/named -f $OPTIONS ExecReloadExecStop=/usr/sbin/rndc stop [Install] WantedBy=multi-user.target What you want. ;-) Greetz, Louis Van: Martin Krämer [mailto:mk.maddin at gmail.com] Verzonden: donderdag 20 december 2018 17:04 Aan: L.P.H. van Belle CC: samba at lists.samba.org Onderwerp: Re: [Samba] Samba AD DC replication error - 2, 'WERR_BADFILE' Hi,>> map to guest = bad user < remove it.thanks - must have missed it on "faiserver" - on other DC (location-000001) this entry did not exist. (I have sent whole config information about location-000001 server to: https://lists.samba.org/archive/samba/2018-December/220084.html)>> About your config, dc2 is just new installed ? 
the reboot the server and check again.My second dc (location-000001) was just installed. I have restarted whole server but not single services.>> You can try also first >> systemctl stop samba bind9 >> systemctl start bind9 sambaWhen running second command I recieve error: root at location-000001:~# systemctl start bind9 samba Failed to start samba.service: Unit samba.service is masked. So I ran: systemctl start bind9 samba-ad-dc and yep - replication is working then!! :) As soon as I restart the full server (location-000001) once again "samba-ad-dc" runs into an error and does not start up correclty: Dec 20 15:57:44 location-000001.example.corp systemd[1]: Starting Samba AD Daemon... Dec 20 15:57:45 location-000001.example.corp systemd[1]: samba-ad-dc.service: Supervising process 472 which is not our child. We'll most likely not notice when it exits. Dec 20 15:57:45 location-000001.example.corp systemd[1]: samba-ad-dc.service: Killing process 472 (samba) with signal SIGKILL. Dec 20 15:57:45 location-000001.example.corp systemd[1]: samba-ad-dc.service: Killing process 472 (samba) with signal SIGKILL. Dec 20 15:57:45 location-000001.example.corp systemd[1]: Stopped Samba AD Daemon. Rerunning "systemctl stop bind9 samba-ad-dc && systemctl start bind9 samba-ad-dc" resolves the issue again.>> fix it with : systemctl edit bind9 >> add: >> [Service] >> ExecReloadwhen executing "systemctl edit bind9" an empty file within folder "/etc/systemd/system/bind9.service.d" is opened in my editor. Should I just but the content mentioned by you there? Thanks for the workaround already :) Am Do., 20. Dez. 2018 um 16:31 Uhr schrieb L.P.H. van Belle via samba <samba at lists.samba.org>: Hai, As extra on Rowland comment.. Your config looks ok as said, i did see.. smb.conf map to guest = bad user < remove it. 
        Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)
CN=Configuration,DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ===

DC=ForestDnsZones,DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
        Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
        29 consecutive failure(s).
        Last success @ NTTIME(0)
DC=DomainDnsZones,DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
        Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
        29 consecutive failure(s).
        Last success @ NTTIME(0)
DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
        Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
        29 consecutive failure(s).
        Last success @ NTTIME(0)
CN=Configuration,DC=example,DC=corp
    Default-First-Site-Name\LOCATION-000001 via RPC
        DSA object GUID: 2fbf25e8-acff-485b-8dea-2bc116869f5c
        Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
        29 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ===

Connection --
    Connection name : 6c51da6c-3fe9-41f8-a9ac-a99949a235e4
    Enabled         : TRUE
    Server DNS name : location-000001.example.corp
    Server DN name  : CN=NTDS Settings,CN=LOCATION-000001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=corp
    TransportType: RPC
    options: 0x00000001
Warning: No NC replicated for Connection!

root at faiserver:~# url="https://raw.githubusercontent.com/thctlo/samba4/master/samba-setup-checkup.sh" && wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename ${url})
Check hostnames : Ok
./samba-setup-checkup.sh: line 91: [: !=: unary operator expected
Checking detected host ipnumbers from resolv.conf and default gateway
Ping gateway ip : 192.168.33.1 : Ok
Warning, no ping to gateway, this might be firewalled. check you internet connection, AD DNS might need it.
ping nameserver1: 127.0.0.1 : Ok
ping nameserver2: 8.8.4.4 : Ok
Check ping google dns : 8.8.8.8 : Ok
Warning, no ping to internet dns 8.8.8.8, this might be firewalled. Check you internet connection, AD DNS might need it.
Checking file owner.. -rw-r--r-- root root /etc/samba/smb.conf
Checking file owner.. -rw-r--r-- root root /etc/samba/lmhosts
Checking file owner..
-rw-r--r-- root root /etc/samba/smbpasswd
drwxr-xr-x root root /usr/bin
drwxr-xr-x root root /var/cache/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu
drwxr-xr-x root root /var/run/samba
drwxr-x--- root adm /var/log/samba
drwxr-xr-x root root /usr/lib/x86_64-linux-gnu/samba
drwxr-xr-x root root /var/run/samba
drwxr-xr-x root root /var/lib/samba/private
drwxr-xr-x root root /usr/sbin
drwxr-xr-x root root /var/lib/samba
DCS faiserver.example.corp
DC1 faiserver.example.corp
DC2
Samba AD DC info: = detected (command and where to look)
This server hostname = faiserver (hostname -s and /etc/hosts and DNS server)
This server FQDN (hostname) = faiserver.example.corp (hostname -f and /etc/hosts and DNS server)
This server primary dnsdomain = example.corp (hostname -d and /etc/resolv.conf and DNS server)
This server IP address(ses) = 192.168.33.250 Only one interface detected (hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles = FAISERVER (samba-tool fsmo show)
The DC (with FSMO) Site name = Default-First-Site-Name (samba-tool fsmo show)
The Default Naming Context = DC=example,DC=corp (samba-tool fsmo show)
The Kerberos REALM name used = EXAMPLE.CORP (kinit and /etc/krb5.conf and resolving)
The Ipadres of DC faiserver.example.corp = 192.168.33.250
SAMBA_SERVER_ROLE: active directory domain controller
SAMBA_SERVER_SERVICES: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
SAMBA_DCERPC_ENDPOINT_SERVERS: epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver

root at faiserver:~# url="https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh" && wget --quiet "${url}" && chmod u+x ./$(basename ${url}) && ./$(basename ${url}) &>/dev/null && cat /tmp/samba-debug-info.txt
Collected config --- 2018-12-20-13:49
-----------
Hostname: faiserver
DNS Domain: example.corp
FQDN: faiserver.example.corp
ipaddress: 192.168.33.250
-----------
Samba is running as an AD DC
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
Warning, /etc/devuan_version does not exist
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:87:44:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.33.250/24 brd 192.168.33.255 scope global ens3
    inet6 fe80::5054:ff:fe87:4460/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
nameserver 127.0.0.1
nameserver 8.8.4.4
domain example.corp
search example.corp
-----------
Checking file: /etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.CORP
    dns_lookup_realm = false
    dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
-----------
Checking file: /etc/samba/smb.conf
[global]
    realm = EXAMPLE.CORP
    kerberos method = secrets and keytab
    client use spnego = yes
    client signing = yes
    server services = -dns
    ldap server require strong auth = no
    tls cafile = tls/ca.pem
    tls certfile = tls/cert.pem
    tls keyfile = tls/key.pem
    tls enabled = yes
    idmap_ldb:use rfc2307 = yes
    workgroup = EXAMPLE
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    server role = active directory domain controller
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    map to guest = bad user
    usershare allow guests = No
[homes]
    comment = Home Directories
    browseable = no
    read only = yes
    create mask = 0700
    directory mask = 0700
    valid users = %S
[printers]
    comment = All Printers
    browseable = no
    path = /var/spool/samba
    printable = yes
    guest ok = no
    read only = yes
    create mask = 0700
[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = yes
    read only = yes
    guest ok = no
[netlogon]
    read only = no
    path = /var/lib/samba/sysvol/example.corp/Scripts
[sysvol]
    read only = no
    path = /var/lib/samba/sysvol
-----------
No username map detected.
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";
-----------
Checking file: /etc/bind/named.conf.options
options {
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    forwarders { 8.8.4.4; };
    allow-query { internals; };
    allow-query-cache { internals; };
    recursion yes;
    allow-recursion { internals; };
    allow-transfer { internals; };
    listen-on { any; };
    directory "/var/cache/bind";
    dnssec-validation no;
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { none; };
};
acl internals {
    127.0.0.1/8;
    192.168.33.0/24;
};
-----------
Checking file: /etc/bind/named.conf.local
-----------
Checking file: /etc/bind/named.conf.default-zones
zone "." { type hint; file "/etc/bind/db.root"; };
zone "localhost" { type master; file "/etc/bind/db.local"; };
zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };
-----------
Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-user 1.15-1+deb9u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3+b1 amd64 Access control list shared library
ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.1.0+dfsg-13+deb9u2 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.5.12+dfsg-2+deb9u4 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.5.12+dfsg-2+deb9u4 amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.5.12+dfsg-2+deb9u4 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.5.12+dfsg-2+deb9u4 amd64 Samba winbind client library
ii python-samba 2:4.5.12+dfsg-2+deb9u4 amd64 Python bindings for Samba
ii samba 2:4.5.12+dfsg-2+deb9u4 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.5.12+dfsg-2+deb9u4 all common files used by both the Samba server and client
ii samba-common-bin 2:4.5.12+dfsg-2+deb9u4 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules 2:4.5.12+dfsg-2+deb9u4 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.5.12+dfsg-2+deb9u4 amd64 Samba core libraries
ii samba-vfs-modules 2:4.5.12+dfsg-2+deb9u4 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.5.12+dfsg-2+deb9u4 amd64 command-line SMB/CIFS clients for Unix
ii sssd-krb5 1.15.0-3 amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.15.0-3 amd64 System Security Services Daemon -- Kerberos helpers
ii winbind 2:4.5.12+dfsg-2+deb9u4 amd64 service to resolve user and group information from Windows NT servers
-----------
root at faiserver:~#

On Thu, 20 Dec 2018 at 15:19, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

Let's start with.. The list does not accept attachments.. What is the running OS? The samba versions? And the smb.conf? Depending on version you can force a re-sync but first tell us more.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Martin Krämer via samba
> Sent: Thursday 20 December 2018 15:00
> To: samba at lists.samba.org
> Subject: [Samba] Samba AD DC replication error - 2, 'WERR_BADFILE'
>
> Hello everyone,
>
> I have setup two Samba AD DC's with BIND9_DLZ dns backend.
>
> faiserver.example.corp is one of them hosting all FSMO Roles.
> location-000001.example.corp is the second one.
> Both are in different subnets but can reach each other.
> Unfortunately replication only works from faiserver.example.corp ->
> location-000001.example.corp.
> In the other direction location-000001.example.corp ->
> faiserver.example.corp it does not work.
> I always end up with error:
> ----------
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
> ----------
> I have already checked all topics I am aware of related to correct name
> resolution (because that was what I found that the error I receive is
> related to on the web).
> The only interesting thing I found is that running "host -t SRV
> _kerberos._udp.example.corp" on faiserver.example.corp prints only the
> current DC while running it on location-000001.example.corp prints both DCs
> ...nevertheless I am not sure if this might be a cause or is just another
> bad result of the one way sync.
> Maybe someone has an idea?
>
> Attached you can find two files (one for each DC) with all information that
> I found could be relevant. If further information is required please let me
> know.
>
> Thanks for any hint pointing me into the right direction.
>
> Kind Regards
>
> mk-maddin
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
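The `samba-tool drs showrepl` output quoted in this thread is what separates the healthy links from the broken ones: the "failed, result 2 (WERR_BADFILE)" lines, the consecutive-failure counters and the "No NC replicated for Connection!" warning. The following is an added example, not code from the Samba project or from either poster, that parses that output into per-link records so a cron job or monitoring check can alert on failing links instead of someone eyeballing the text; the sample input is constructed in the same shape as the quoted output, with placeholder GUIDs.

```python
# Added diagnostic helper (not Samba project code): parse `samba-tool drs showrepl` text and flag failing links.
import re

# Constructed sample in the shape quoted in this thread; GUIDs are placeholders.
SAMPLE = """\
Default-First-Site-Name\\FAISERVER
==== INBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=example,DC=corp
    Default-First-Site-Name\\LOCATION-000001 via RPC
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)
DC=example,DC=corp
    Default-First-Site-Name\\LOCATION-000001 via RPC
        Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
        1 consecutive failure(s).
        Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=example,DC=corp
    Default-First-Site-Name\\LOCATION-000001 via RPC
        Last attempt @ Thu Dec 20 13:49:46 2018 UTC failed, result 2 (WERR_BADFILE)
        29 consecutive failure(s).
        Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Warning: No NC replicated for Connection!
"""

def parse_showrepl(text):
    """One dict per replication link (direction, partition DN, partner)."""
    links, section, nc, cur = [], None, None, None
    for line in (l.strip() for l in text.splitlines()):
        head = re.match(r"^==== (\w+) .* =+$", line)
        if head:
            section = head.group(1)  # INBOUND, OUTBOUND or KCC
        elif section not in ("INBOUND", "OUTBOUND"):
            continue
        elif line.startswith(("DC=", "CN=")):
            nc = line  # partition that the following partner entries belong to
        elif " via " in line:
            cur = {"direction": section, "nc": nc, "partner": line.split(" via ")[0],
                   "error": None, "failures": 0, "synced": False}
        elif cur and line.startswith("Last attempt @"):
            m = re.search(r"failed, result \d+ \((\w+)\)", line)
            cur["error"] = m.group(1) if m else None  # e.g. WERR_BADFILE
        elif cur and line.endswith("consecutive failure(s)."):
            cur["failures"] = int(line.split()[0])
        elif cur and line.startswith("Last success @"):
            cur["synced"] = "NTTIME(0)" not in line  # NTTIME(0): never synced
            links.append(cur)
            cur = None
    return links

def replication_problems(text):
    """Failed links plus the number of KCC connections that replicate no NC."""
    bad = [l for l in parse_showrepl(text) if l["error"] or l["failures"]]
    return bad, text.count("No NC replicated for Connection")

if __name__ == "__main__":
    print(*replication_problems(SAMPLE), sep="\n")
```

A link whose last attempt "was successful" but whose last success is still NTTIME(0) is reported as not synced rather than as failed, because that combination appears in the quoted output for links the KCC has not actually exercised yet.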