Hi,
I have a new Centos 7.6 VM that I self-compiled 4.10.3 and joined it to an
existing samba AD domain that has 2 existing DCs. One of the existing DCs is
running 4.8.7 and the other is running 4.7.7. Everything looks OK except
that when I run samba-tool drs showrepl on the new DC (VDC4) I get the
following output:
(vdc4 pts4) # samba-tool drs showrepl
Default-First-Site-Name\VDC4
DSA Options: 0x00000001
DSA object GUID: a57c74ed-3343-4497-965d-e7e50a1f84ae
DSA invocationId: 1f0384bb-1f0b-4d8f-a498-d7b02ae53930
==== INBOUND NEIGHBORS ===
CN=Configuration,DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC1 via RPC
DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
Last attempt @ Wed May 15 16:05:17 2019 EDT failed, result 8453
(WERR_DS_DRA_ACCESS_DENIED)
168 consecutive failure(s).
Last success @ Wed May 15 16:05:17 2019 EDT
CN=Configuration,DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC2 via RPC
DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
Last attempt @ Wed May 15 16:05:17 2019 EDT was successful
0 consecutive failure(s).
Last success @ Wed May 15 16:05:17 2019 EDT
CN=Schema,CN=Configuration,DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC1 via RPC
DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
Last attempt @ Wed May 15 16:05:17 2019 EDT failed, result 8453
(WERR_DS_DRA_ACCESS_DENIED)
167 consecutive failure(s).
Last success @ Wed May 15 16:05:17 2019 EDT
CN=Schema,CN=Configuration,DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC2 via RPC
DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
Last attempt @ Wed May 15 16:05:17 2019 EDT was successful
0 consecutive failure(s).
Last success @ Wed May 15 16:05:17 2019 EDT
DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC1 via RPC
DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
Last attempt @ Wed May 15 16:05:17 2019 EDT failed, result 8453
(WERR_DS_DRA_ACCESS_DENIED)
351 consecutive failure(s).
Last success @ Wed May 15 16:05:17 2019 EDT
DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC2 via RPC
DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
Last attempt @ Wed May 15 16:05:17 2019 EDT was successful
0 consecutive failure(s).
Last success @ Wed May 15 16:05:17 2019 EDT
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC1 via RPC
DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
Last attempt @ Wed May 15 16:09:25 2019 EDT failed, result 8453
(WERR_DS_DRA_ACCESS_DENIED)
4603 consecutive failure(s).
Last success @ Wed May 15 16:09:25 2019 EDT
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC2 via RPC
DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
Last attempt @ Wed May 15 16:09:25 2019 EDT was successful
0 consecutive failure(s).
Last success @ Wed May 15 16:09:25 2019 EDT
DC=ForestDnsZones,DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC1 via RPC
DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
Last attempt @ Wed May 15 16:05:17 2019 EDT failed, result 8453
(WERR_DS_DRA_ACCESS_DENIED)
168 consecutive failure(s).
Last success @ Wed May 15 16:05:17 2019 EDT
DC=ForestDnsZones,DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC2 via RPC
DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
Last attempt @ Wed May 15 16:05:17 2019 EDT was successful
0 consecutive failure(s).
Last success @ Wed May 15 16:05:17 2019 EDT
==== OUTBOUND NEIGHBORS ===
CN=Configuration,DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC1 via RPC
DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC2 via RPC
DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC1 via RPC
DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC2 via RPC
DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC1 via RPC
DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC2 via RPC
DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC1 via RPC
DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC2 via RPC
DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC1 via RPC
DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=kmg,DC=mydomain,DC=com
Default-First-Site-Name\VDC2 via RPC
DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ===
Connection --
Connection name: 4b94d656-40a2-49b2-b904-23a5d7074997
Enabled : TRUE
Server DNS name : vdc2.kmg.mydomain.com
Server DN name : CN=NTDS
Settings,CN=VDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=kmg,DC=mydomain,DC=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: 1cde66a3-415d-42ff-84c6-5b90c06ac44d
Enabled : TRUE
Server DNS name : vdc1.kmg.mydomain.com
Server DN name : CN=NTDS
Settings,CN=VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=kmg,DC=mydomain,DC=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
(vdc4 pts4) #
I see errors similar to below in the logs:
[2019/05/15 16:19:58.683401, 2]
../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29465)
[2019/05/15 16:19:58.695818, 2]
../../source4/rpc_server/drsuapi/getncchanges.c:3619(dcesrv_drsuapi_DsGetNCChanges)
DsGetNCChanges with uSNChanged >= 29465 flags 0x80000064 on
<GUID=e9fe6598-6cfe-40dd-b882-33c6bc031517>;DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
gave 2 objects (done 2/2) 0 links (done 0/0 (as
S-1-5-21-3052942767-4183929206-737583365-1279))
[2019/05/15 16:20:01.245656, 2]
../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
Replicated 0 objects (0 linked attributes) for
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
[2019/05/15 16:20:06.260687, 2]
../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
Replicated 2 objects (0 linked attributes) for
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
[2019/05/15 16:20:06.271512, 0]
../../source4/dsdb/repl/drepl_out_helpers.c:1158(dreplsrv_update_refs_done)
UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for
a57c74ed-3343-4497-965d-e7e50a1f84ae._msdcs.kmg.mydomain.com
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
[2019/05/15 16:20:08.692911, 2]
../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on
DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29467)
Given the above errors this looks like a permissions problem but so far I have
not been able to find it.
Does anyone have any ideas how to troubleshoot this and fix it?
Regards,
--
Tom me at tdiehl.org
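As an added example (not code from this post or from the Samba project), here is a small Python parser for the `samba-tool drs showrepl` text above. It assumes only the layout visible in the post: a partition DN, a `Site\DC via RPC` line, then the DSA GUID, last-attempt, failure-count and last-success lines; it also copes with the result name being wrapped onto its own line, as the mail client did above. The sample input is constructed and abbreviated from the output in the post. Grouping failures by partner makes the pattern explicit: every partition listed fails from VDC1 with result 8453 (WERR_DS_DRA_ACCESS_DENIED) while the same partitions succeed from VDC2, which is a per-partner pattern rather than a per-partition one.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample shaped like the output in the post (abbreviated to three inbound
# and one outbound entry); the third entry has its result name wrapped onto the next line.
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\VDC4
==== INBOUND NEIGHBORS ====
CN=Configuration,DC=kmg,DC=mydomain,DC=com
    Default-First-Site-Name\\VDC1 via RPC
        DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
        Last attempt @ Wed May 15 16:05:17 2019 EDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        168 consecutive failure(s).
        Last success @ Wed May 15 16:05:17 2019 EDT
CN=Configuration,DC=kmg,DC=mydomain,DC=com
    Default-First-Site-Name\\VDC2 via RPC
        DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
        Last attempt @ Wed May 15 16:05:17 2019 EDT was successful
        0 consecutive failure(s).
        Last success @ Wed May 15 16:05:17 2019 EDT
DC=kmg,DC=mydomain,DC=com
    Default-First-Site-Name\\VDC1 via RPC
        DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
        Last attempt @ Wed May 15 16:05:17 2019 EDT failed, result 8453
(WERR_DS_DRA_ACCESS_DENIED)
        351 consecutive failure(s).
        Last success @ Wed May 15 16:05:17 2019 EDT
==== OUTBOUND NEIGHBORS ====
DC=kmg,DC=mydomain,DC=com
    Default-First-Site-Name\\VDC1 via RPC
        DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
"""


@dataclass
class Neighbour:
    direction: str                      # "INBOUND" or "OUTBOUND"
    nc: str                             # partition (naming context) DN
    partner: str                        # "Site\\DC" of the replication partner
    dsa_guid: str = ""
    failed: bool = False
    result_code: Optional[int] = None   # Windows error number, e.g. 8453
    result_name: Optional[str] = None   # Samba's WERR_* name for it
    consecutive_failures: int = 0


SECTION_RE = re.compile(r"^=+\s*(INBOUND|OUTBOUND) NEIGHBORS\s*=+$")
PARTNER_RE = re.compile(r"^(\S+\\\S+) via \w+$")
GUID_RE = re.compile(r"^DSA object GUID:\s*([0-9a-fA-F-]{36})$")
FAILED_RE = re.compile(r"^Last attempt @ .* failed, result (\d+)(?:\s*\((\w+)\))?$")
NAME_ONLY_RE = re.compile(r"^\((\w*ERR_\w+)\)$")      # result name wrapped to its own line
COUNT_RE = re.compile(r"^(\d+) consecutive failure\(s\)\.$")


def parse_showrepl(text: str) -> List[Neighbour]:
    """Line-oriented parse; only the INBOUND and OUTBOUND sections are read."""
    neighbours: List[Neighbour] = []
    direction = nc = cur = None     # current section, partition DN, record being filled
    for raw in text.splitlines():
        line = raw.strip()          # real output is tab-indented; the mail lost that
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            direction, nc, cur = m.group(1), None, None
        elif line.startswith("===="):           # any other banner (KCC objects) ends parsing
            direction, cur = None, None
        elif direction is None:
            continue
        elif line.startswith(("CN=", "DC=")):   # a partition DN opens a new entry
            nc, cur = line, None
        elif (m := PARTNER_RE.match(line)) and nc:
            cur = Neighbour(direction, nc, m.group(1))
            neighbours.append(cur)
        elif cur is None:
            continue
        elif (m := GUID_RE.match(line)):
            cur.dsa_guid = m.group(1).lower()
        elif (m := FAILED_RE.match(line)):
            cur.failed, cur.result_code, cur.result_name = True, int(m.group(1)), m.group(2)
        elif (m := NAME_ONLY_RE.match(line)) and cur.failed and cur.result_name is None:
            cur.result_name = m.group(1)
        elif (m := COUNT_RE.match(line)):
            cur.consecutive_failures = int(m.group(1))
    return neighbours


def failures_by_partner(neighbours: List[Neighbour]) -> Dict[str, List[str]]:
    """Partner -> sorted partition DNs whose inbound pull from that partner is failing."""
    out: Dict[str, List[str]] = {}
    for n in neighbours:
        if n.direction == "INBOUND" and n.failed:
            out.setdefault(n.partner, []).append(n.nc)
    return {p: sorted(ncs) for p, ncs in out.items()}


if __name__ == "__main__":
    print(failures_by_partner(parse_showrepl(SAMPLE_SHOWREPL)))
```

Run against the full output in the post it yields a single key, VDC1, with all five partitions under it, and nothing for VDC2; a per-partition ACL problem would instead show up as one partition failing from both partners. The outbound entries are parsed too but not counted, since `NTTIME(0)` there only means the partners have not pulled from VDC4 yet.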
On Wed, May 15, 2019 at 4:32 PM Tom Diehl via samba <samba at lists.samba.org> wrote:
>
> Hi,
>
> I have a new Centos 7.6 VM that I self compiled 4.10.3 and joined it to an
> existing samba AD domain that has 2 existing DCs. One of the existing DCs is
> running 4.8.7 and the other is running 4.7.7. Everything looks OK except
> that when I run samba-tool drs showrepl on the new DC (VDC4) I get the
> following output:

"self-compiled" can include a lot of sins, especially if trying to place it
alongside *or* in place of the provided libraries for tevent, ldb, tdb, and
talloc. Let me point you to my git repo, https://github.com/nkadel/samba4repo/,
with submodules for samba itself, talloc, tevent, etc., etc. It's built to use
the official upstream tarballs from www.samba.org, not tarballs from *me*, and
that also will give you a good git repo you can use to manage any compilation
options in the ".spec" file.

> I see errors similar to below in the logs:
> [2019/05/15 16:19:58.683401, 2] ../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
> ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29465)
> [2019/05/15 16:19:58.695818, 2] ../../source4/rpc_server/drsuapi/getncchanges.c:3619(dcesrv_drsuapi_DsGetNCChanges)
> DsGetNCChanges with uSNChanged >= 29465 flags 0x80000064 on <GUID=e9fe6598-6cfe-40dd-b882-33c6bc031517>;DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com gave 2 objects (done 2/2) 0 links (done 0/0 (as S-1-5-21-3052942767-4183929206-737583365-1279))
> [2019/05/15 16:20:01.245656, 2] ../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
> Replicated 0 objects (0 linked attributes) for DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
> [2019/05/15 16:20:06.260687, 2] ../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
> Replicated 2 objects (0 linked attributes) for DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
> [2019/05/15 16:20:06.271512, 0] ../../source4/dsdb/repl/drepl_out_helpers.c:1158(dreplsrv_update_refs_done)
> UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for a57c74ed-3343-4497-965d-e7e50a1f84ae._msdcs.kmg.mydomain.com DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
> [2019/05/15 16:20:08.692911, 2] ../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
> ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29467)
>
> Given the above errors this looks like a permissions problem but so far I have not
> been able to find it.

Hmm. Some classic questions include "is SELinux on", and "which Kerberos did
you use, the supported internal Heimdal Kerberos or the experimental support
for MIT Kerberos?"

> Does anyone have any ideas how to troubleshoot this and fix it?
>
> Regards,
>
> --
> Tom me at tdiehl.org
On Sat, 18 May 2019, Nico Kadel-Garcia wrote:

> On Wed, May 15, 2019 at 4:32 PM Tom Diehl via samba
> <samba at lists.samba.org> wrote:
>>
>> Hi,
>>
>> I have a new Centos 7.6 VM that I self compiled 4.10.3 and joined it to an
>> existing samba AD domain that has 2 existing DCs. One of the existing DCs is
>> running 4.8.7 and the other is running 4.7.7. Everything looks OK except
>> that when I run samba-tool drs showrepl on the new DC (VDC4) I get the
>> following output:
>
> "self-compiled" can include a lot of sins, especially if trying to
> place it alongside *or* in place of the provided libraries for tevent,
> ldb, tdb, and talloc. Let me point you to my git repo,

Well OK maybe I should have said self-compiled using the instructions @
https://wiki.samba.org/index.php/Build_Samba_from_Source#configure and the
package list from
https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba#Red_Hat_Enterprise_Linux_7_.2F_CentOS_7_.2F_Scientific_Linux_7
substituting python36-devel for python-devel and adding python32-dns to get
the samba-tool dns module to work. None of the distro samba packages are
installed. TBH, I am guessing about the package list given the change from
python2 to python3 as it does not look like the wiki has been updated for
4.10.x.

> https://github.com/nkadel/samba4repo/, with submodules for samba
> itself, talloc, tevent, etc., etc. It's built to use the official
> upstream tarballs from www.samba.org, not tarballs from *me*, and that
> also will give you a good git repo you can use to manage any
> compilation options in the ".spec" file.

Is there a way to only build the Centos bits using your git repo? I have no
Fedora machines and so far I have not been successful in getting the above to
build on a Centos 7 VM using the version of Mock supplied by the Centos
project.

>> I see errors similar to below in the logs:
>> [2019/05/15 16:19:58.683401, 2] ../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
>> ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29465)
>> [2019/05/15 16:19:58.695818, 2] ../../source4/rpc_server/drsuapi/getncchanges.c:3619(dcesrv_drsuapi_DsGetNCChanges)
>> DsGetNCChanges with uSNChanged >= 29465 flags 0x80000064 on <GUID=e9fe6598-6cfe-40dd-b882-33c6bc031517>;DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com gave 2 objects (done 2/2) 0 links (done 0/0 (as S-1-5-21-3052942767-4183929206-737583365-1279))
>> [2019/05/15 16:20:01.245656, 2] ../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
>> Replicated 0 objects (0 linked attributes) for DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
>> [2019/05/15 16:20:06.260687, 2] ../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
>> Replicated 2 objects (0 linked attributes) for DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
>> [2019/05/15 16:20:06.271512, 0] ../../source4/dsdb/repl/drepl_out_helpers.c:1158(dreplsrv_update_refs_done)
>> UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for a57c74ed-3343-4497-965d-e7e50a1f84ae._msdcs.kmg.mydomain.com DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
>> [2019/05/15 16:20:08.692911, 2] ../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
>> ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29467)
>>
>> Given the above errors this looks like a permissions problem but so far I have not
>> been able to find it.
>
> Hmm. Some classic questions include "is SELinux on", and "which
> Kerberos did you use, the supported internal Heimdal Kerberos or the
> experimental support for MIT Kerberos?"

SELinux is in permissive and my configure line is simply ./configure so no
MIT here. IMO no one in their right mind would try to use MIT in production.

Regards,

--
Tom me at tdiehl.org