Hi list,
I'm running into issues with Samba 4.5.16-Debian. I am trying to get 3 DCs
to talk to each other and replicate. DC1 and DC3 are on the same subnet;
DC2 is on another subnet, accessible by IP. Currently, no firewalls on any
of the DCs.
Issue 1 - When I run "samba-tool drs showrepl", I get various results:
DC1 -
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:10.1.10.10[1024,seal,target_hostname=dc3.ad.example.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.1.10.10] NT_STATUS_IO_TIMEOUT
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to dc3.ad.example.com failed - drsException: DRS connection to dc3.ad.example.com failed: (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 41, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions)
    drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
==============================================================
DC2 -
Valemount\DC2
DSA Options: 0x00000001
DSA object GUID: 617c7792-2980-4625-917d-21418ac96f06
DSA invocationId: b5e8a8b6-ada3-472f-bee8-4e7d9ab813bc
==== INBOUND NEIGHBORS ===
CN=Configuration,dc=ad,dc=example,dc=com
McBride\DC1 via RPC
DSA object GUID: a908c575-ddb1-4e89-98e1-97d3e55bf213
Last attempt @ Sun Aug 11 15:40:51 2019 PDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
6664 consecutive failure(s).
Last success @ Sun Aug 11 15:40:51 2019 PDT
CN=Configuration,dc=ad,dc=example,dc=com
McBride\DC3 via RPC
DSA object GUID: 76c41b36-54e8-4e7c-a9ea-4b2e26b0097e
Last attempt @ Sun Aug 11 15:40:51 2019 PDT was successful
0 consecutive failure(s).
Last success @ Sun Aug 11 15:40:51 2019 PDT
CN=Schema,CN=Configuration,dc=ad,dc=example,dc=com
McBride\DC1 via RPC
DSA object GUID: a908c575-ddb1-4e89-98e1-97d3e55bf213
Last attempt @ Sun Aug 11 15:40:52 2019 PDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
6665 consecutive failure(s).
Last success @ Sun Aug 11 15:40:51 2019 PDT
CN=Schema,CN=Configuration,dc=ad,dc=example,dc=com
McBride\DC3 via RPC
DSA object GUID: 76c41b36-54e8-4e7c-a9ea-4b2e26b0097e
Last attempt @ Sun Aug 11 15:40:52 2019 PDT was successful
0 consecutive failure(s).
Last success @ Sun Aug 11 15:40:52 2019 PDT
dc=ad,dc=example,dc=com
McBride\DC1 via RPC
DSA object GUID: a908c575-ddb1-4e89-98e1-97d3e55bf213
Last attempt @ Sun Aug 11 15:40:52 2019 PDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
6666 consecutive failure(s).
Last success @ Sun Aug 11 15:40:52 2019 PDT
dc=ad,dc=example,dc=com
McBride\DC3 via RPC
DSA object GUID: 76c41b36-54e8-4e7c-a9ea-4b2e26b0097e
Last attempt @ Sun Aug 11 15:40:52 2019 PDT was successful
0 consecutive failure(s).
Last success @ Sun Aug 11 15:40:52 2019 PDT
DC=ForestDnsZones,dc=ad,dc=example,dc=com
McBride\DC1 via RPC
DSA object GUID: a908c575-ddb1-4e89-98e1-97d3e55bf213
Last attempt @ Sun Aug 11 15:40:50 2019 PDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
6668 consecutive failure(s).
Last success @ Sun Aug 11 15:40:50 2019 PDT
DC=ForestDnsZones,dc=ad,dc=example,dc=com
McBride\DC3 via RPC
DSA object GUID: 76c41b36-54e8-4e7c-a9ea-4b2e26b0097e
Last attempt @ Sun Aug 11 15:40:50 2019 PDT was successful
0 consecutive failure(s).
Last success @ Sun Aug 11 15:40:50 2019 PDT
DC=DomainDnsZones,dc=ad,dc=example,dc=com
McBride\DC1 via RPC
DSA object GUID: a908c575-ddb1-4e89-98e1-97d3e55bf213
Last attempt @ Sun Aug 11 15:40:51 2019 PDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
6666 consecutive failure(s).
Last success @ Sun Aug 11 15:40:51 2019 PDT
DC=DomainDnsZones,dc=ad,dc=example,dc=com
McBride\DC3 via RPC
DSA object GUID: 76c41b36-54e8-4e7c-a9ea-4b2e26b0097e
Last attempt @ Sun Aug 11 15:40:51 2019 PDT was successful
0 consecutive failure(s).
Last success @ Sun Aug 11 15:40:51 2019 PDT
==== OUTBOUND NEIGHBORS ===
==== KCC CONNECTION OBJECTS ===
Connection --
Connection name: 715f06d2-cb2e-4cb5-b1d7-8bae66efd634
Enabled : TRUE
Server DNS name : dc1.ad.example.com
Server DN name : CN=NTDS Settings,CN=DC1,CN=Servers,CN=McBride,CN=Sites,CN=Configuration,dc=ad,dc=example,dc=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: a4f43954-9213-4622-a455-3bd319ab3018
Enabled : TRUE
Server DNS name : dc3.ad.example.com
Server DN name : CN=NTDS Settings,CN=DC3,CN=Servers,CN=McBride,CN=Sites,CN=Configuration,dc=ad,dc=example,dc=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: DC1
Enabled : TRUE
Server DNS name : dc1.ad.example.com
Server DN name : CN=NTDS Settings,CN=DC1,CN=Servers,CN=McBride,CN=Sites,CN=Configuration,dc=ad,dc=example,dc=com
TransportType: RPC
options: 0x00000000
Warning: No NC replicated for Connection!
Connection --
Connection name: DC3
Enabled : TRUE
Server DNS name : dc3.ad.example.com
Server DN name : CN=NTDS Settings,CN=DC3,CN=Servers,CN=McBride,CN=Sites,CN=Configuration,dc=ad,dc=example,dc=com
TransportType: RPC
options: 0x00000000
Warning: No NC replicated for Connection!
====================================================================
DC3 -
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:10.1.10.10[1024,seal,target_hostname=dc3.ad.example.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.1.10.10] NT_STATUS_IO_TIMEOUT
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to dc3.ad.example.com failed - drsException: DRS connection to dc3.ad.example.com failed: (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 41, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions)
    drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
============
When I attempt to manually replicate, I can get DC3 to talk to DC2, but no
other communication. DC1 -> DC2 fails; DC1 to DC3 fails; DC2 to DC1 fails;
DC2 to DC3 fails. DC3 cannot replicate to DC1.
Users created on the various DCs do not show up under Active Directory
Users and Computers on other DCs. If I attempt to create a user under the
ADUC tool, I get an error saying:
Windows cannot verify that the user name is unique because the following
error occurred while contacting the global catalog: The user name or
password is incorrect
This is after ensuring I can log in as the DOMAIN\Administrator account.
There are two sites, one is "McBride", one is "Valemount". DC2 is in
McBride, the others are in Valemount.
Finally, the file contents on the DCs:
/etc/hosts:
# cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.1.4 dc2.ad.example.com dc2
10.1.10.3 dc1.ad.example.com dc1
10.1.10.10 dc3.ad.example.com dc3
# cat /etc/krb5.conf
[libdefaults]
default_realm = AD.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
# cat /etc/samba/smb.conf
# Global parameters
[global]
ntlm auth = yes
disable netbios = yes
bind interfaces only = Yes
interfaces = lo eth0
netbios name = DC2
realm = AD.EXAMPLE.COM
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = AD
server role = active directory domain controller
winbind separator = /
idmap_ldb:use rfc2307 = yes
Try this.

On all DCs, set the first resolver in /etc/resolv.conf to the DC with FSMO roles.

Run:
kinit Administrator
samba_dnsupdate --verbose

Stop and start samba-ad-dc.
Check again.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Luke Barone via samba
> Sent: Monday, 12 August 2019 0:54
> To: samba
> Subject: [Samba] Can't replicate DCs
On 11/08/2019 23:53, Luke Barone via samba wrote:
> Hi list,
>
> I'm running into issues with Samba 4.5.16-Debian. I am trying to get 3 DCs
> to talk to each other and replicate. DC1 and DC3 are on the same subnet;
> DC2 is on another subnet, accessible by IP. Currently, no firewalls on any
> of the DCs.
>
> Issue 1 - When I run "samba-tool drs showrepl", I get various results:
>
>
> Finally, the file contents on the DCs:
>
> /etc/hosts:
>
> # cat /etc/hosts
> 127.0.0.1 localhost
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 192.168.1.4 dc2.ad.example.com dc2
> 10.1.10.3 dc1.ad.example.com dc1
> 10.1.10.10 dc3.ad.example.com dc3

Remove the other DCs' info from each DC's /etc/hosts file, the DCs should find each other via DNS.

> # cat /etc/samba/smb.conf
> # Global parameters
> [global]
> ntlm auth = yes

Why do you need 'ntlm auth'?

> disable netbios = yes

Not how you do it on a DC

> bind interfaces only = Yes
> interfaces = lo eth0
> netbios name = DC2
> realm = AD.EXAMPLE.COM
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate

As you are using Bind9, can you post your named.conf files?

Rowland
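
Added example, not part of the original thread and not Samba code: a small parser for the INBOUND NEIGHBORS section of the "samba-tool drs showrepl" output posted at the start of this thread. It reports which source DC is failing, with which status, on which naming contexts. The function names and the trimmed sample are constructed for illustration, and the text layout is assumed to match what was posted for Samba 4.5.

```python
import re

# Constructed sample: trimmed DC2 output from the thread; the first entry keeps the mail's hard wrap.
SAMPLE = r"""==== INBOUND NEIGHBORS ===
CN=Configuration,dc=ad,dc=example,dc=com
McBride\DC1 via RPC
Last attempt @ Sun Aug 11 15:40:51 2019 PDT failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
6664 consecutive failure(s).
CN=Configuration,dc=ad,dc=example,dc=com
McBride\DC3 via RPC
Last attempt @ Sun Aug 11 15:40:51 2019 PDT was successful
0 consecutive failure(s).
dc=ad,dc=example,dc=com
McBride\DC1 via RPC
Last attempt @ Sun Aug 11 15:40:52 2019 PDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
6666 consecutive failure(s).
==== OUTBOUND NEIGHBORS ===
"""

SECTION = re.compile(r"^==== (.+?) =+$")
NC = re.compile(r"^(?:CN|DC)=\S+$", re.I)          # naming context line
NEIGHBOR = re.compile(r"^(\S+\\\S+) via RPC$")     # Site\DC
ATTEMPT = re.compile(r"^Last attempt @ .+? (?:was successful|failed, result \d+ \((\w+)\))$")
FAILS = re.compile(r"^(\d+) consecutive failure\(s\)\.$")

def parse_inbound(text):
    """Return one record per (naming context, source DC) under INBOUND NEIGHBORS."""
    text = re.sub(r"failed, result\s*\n\s*", "failed, result ", text)  # undo mail wrap
    records, in_inbound, nc, cur = [], False, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION.match(line):
            in_inbound = m.group(1) == "INBOUND NEIGHBORS"
        elif not in_inbound:
            continue
        elif NC.match(line):
            nc = line
        elif m := NEIGHBOR.match(line):
            records.append(cur := {"nc": nc, "source": m.group(1), "status": None, "failures": 0})
        elif cur and (m := ATTEMPT.match(line)):
            cur["status"] = m.group(1) or "OK"
        elif cur and (m := FAILS.match(line)):
            cur["failures"] = int(m.group(1))
    return records

def failing_sources(records):
    """Group (nc, failures) by (source, status); a status of None (unparsed) is reported too."""
    bad = {}
    for r in (r for r in records if r["status"] != "OK"):
        bad.setdefault((r["source"], r["status"]), []).append((r["nc"], r["failures"]))
    return bad

if __name__ == "__main__":
    print(failing_sources(parse_inbound(SAMPLE)))
```

Feeding it the full output from each DC after a change such as the resolver fix suggested above shows at a glance whether the ACCESS_DENIED entries for a source have cleared.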