Miguel Coa M.
2019-Aug-23 19:55 UTC
[Samba] Problem with sync user account from Samba Master to Samba Slave
Hello,

I have Samba 4.7 as a domain controller on 3 servers: 1 master (samba-ad) and two slaves (samba-slave1 and samba-slave2). The problem is that when I create a user account on "samba-ad", the account is not synced to the slaves, but if I create the account on "samba-slave1" or "samba-slave2", it is synced to all servers.

Samba version

[…………………….]
root@samba-ad:~# samba -V
Version 4.7.6-Ubuntu

root@samba-slave1:~# samba -V
Version 4.7.6-Ubuntu

root@samba-slave2:~# samba -V
Version 4.7.6-Ubuntu
[…………………….]

Example:

Create account on samba-ad (master server)

[…………………….]
root@samba-ad:~# samba-tool user create steave ste@ave.10 --mail-address "steave@domain.com" --given-name "Steave" --must-change-at-next-login
User 'steave' created successfully
[…………………….]

Search in samba-ad

[…………………….]
root@samba-ad:~# ldapsearch -LLL -x -H ldap://10.13.xxx.xxx -b "DC=domain,DC=com" -D "CN=administrator,CN=Users,DC=domain,DC=com" -wMyP@ssword "(sAMAccountName=steave)"
dn: CN=Steave,CN=Users,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Steave
givenName: Steave
instanceType: 4
whenCreated: 20190823191136.0Z
whenChanged: 20190823191136.0Z
displayName: Steave
uSNCreated: 2928230
.....
.....
.....
[…………………….]

Check on samba-slave1 -> Not sync

[…………………….]
root@samba-slave1:~# ldapsearch -LLL -x -H ldap://10.13.250.111 -b "DC=domain,DC=com" -D "CN=administrator,CN=Users,DC=domain,DC=com" -wMyP@ssword "(sAMAccountName=steave)"
# refldap://domain.com/CN=Configuration,DC=domain,DC=com

# refldap://domain.com/DC=DomainDnsZones,DC=domain,DC=com

# refldap://domain.com/DC=ForestDnsZones,DC=domain,DC=com
[…………………….]

Check on samba-slave2 -> Not sync

[…………………….]
root@samba-slave2:~# ldapsearch -LLL -x -H ldap://10.13.250.112 -b "DC=domain,DC=com" -D "CN=administrator,CN=Users,DC=domain,DC=com" -wMyP@ssword "(sAMAccountName=steave)"
# refldap://domain.com/CN=Configuration,DC=domain,DC=com

# refldap://domain.com/DC=DomainDnsZones,DC=domain,DC=com

# refldap://domain.com/DC=ForestDnsZones,DC=domain,DC=com
[…………………….]

Example Nº2

Create user account on samba-slave2

[…………………….]
root@samba-slave2:~# samba-tool user create alf alf@.10 --mail-address "alf@domain.com" --given-name "Alf" --must-change-at-next-login
User 'alf' created successfully
root@samba-slave2:~#
[…………………….]

Check on samba-slave2 -> Sync ok

[…………………….]
root@samba-slave2:~# ldapsearch -LLL -x -H ldap://10.13.xxx.xxx -b "DC=domain,DC=com" -D "CN=administrator,CN=Users,DC=domain,DC=com" -wyP@ssword "(sAMAccountName=alf)"
dn: CN=Alf,CN=Users,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Alf
givenName: Alf
instanceType: 4
whenCreated: 20190823191926.0Z
[…………………….]

Check on samba-slave1 -> Sync ok

[…………………….]
root@samba-slave1:~# ldapsearch -LLL -x -H ldap://10.13.xxx.xxx -b "DC=domain,DC=com" -D "CN=administrator,CN=Users,DC=domain,DC=com" -wyP@ssword "(sAMAccountName=alf)"
dn: CN=Alf,CN=Users,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Alf
givenName: Alf
instanceType: 4
whenCreated: 20190823191926.0Z
whenChanged: 20190823191926.0Z
displayName: Alf
uSNCreated: 1396773
[…………………….]

Check on samba-ad -> Sync ok

[…………………….]
root@samba-ad:~# ldapsearch -LLL -x -H ldap://10.13.xxx.xxx -b "DC=domain,DC=com" -D "CN=administrator,CN=Users,DC=domain,DC=com" -wyP@ssword "(sAMAccountName=alf)"
dn: CN=Alf,CN=Users,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Alf
givenName: Alf
instanceType: 4
whenCreated: 20190823191926.0Z
whenChanged: 20190823191926.0Z
displayName: Alf
uSNCreated: 2928583
uSNChanged: 2928583
[…………………….]

On samba-ad, the "samba-tool drs showrepl" command does not list any errors.

Can you help me, please?

Thanks.
Rowland penny
2019-Aug-23 20:36 UTC
[Samba] Problem with sync user account from Samba Master to Samba Slave
On 23/08/2019 20:55, Miguel Coa M. via samba wrote:
> Hello,
> I have Samba 4.7 as a domain controller on 3 servers: 1 DC (samba-ad) and two other DCs (samba-1 and samba-2). The problem is that when I create a user account on "samba-ad", the account is not synced to the others, but if I create the account on "samba-1" or "samba-2", it is synced to all servers.
>
> Samba version
>
> […………………….]
> root@samba-ad:~# samba -V
> Version 4.7.6-Ubuntu
>
> root@samba-1:~# samba -V
> Version 4.7.6-Ubuntu
>
> root@samba-2:~# samba -V
> Version 4.7.6-Ubuntu
>
> […………………….]
>
> Example:
>
> Create account on samba-ad (A DC that probably holds all the FSMO roles)
>
> […………………….]
> root@samba-ad:~# samba-tool user create steave ste@ave.10 --mail-address "steave@domain.com" --given-name "Steave" --must-change-at-next-login
> User 'steave' created successfully
>
> […………………….]
>
> Search in samba-ad
>
> […………………….]
> root@samba-ad:~# ldapsearch -LLL -x -H ldap://10.13.xxx.xxx -b "DC=domain,DC=com" -D "CN=administrator,CN=Users,DC=domain,DC=com" -wMyP@ssword "(sAMAccountName=steave)"
> dn: CN=Steave,CN=Users,DC=domain,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Steave
> givenName: Steave
> instanceType: 4
> whenCreated: 20190823191136.0Z
> whenChanged: 20190823191136.0Z
> displayName: Steave
> uSNCreated: 2928230
> .....
> .....
> .....
>
> […………………….]
>
> Check on samba-1 -> Not sync
>
> […………………….]
> root@samba-1:~# ldapsearch -LLL -x -H ldap://10.13.250.111 -b "DC=domain,DC=com" -D "CN=administrator,CN=Users,DC=domain,DC=com" -wMyP@ssword "(sAMAccountName=steave)"
> # refldap://domain.com/CN=Configuration,DC=domain,DC=com
>
> # refldap://domain.com/DC=DomainDnsZones,DC=domain,DC=com
>
> # refldap://domain.com/DC=ForestDnsZones,DC=domain,DC=com
> […………………….]
>
> Check on samba-2 -> Not sync
>
> […………………….]
> root@samba-2:~# ldapsearch -LLL -x -H ldap://10.13.250.112 -b "DC=domain,DC=com" -D "CN=administrator,CN=Users,DC=domain,DC=com" -wMyP@ssword "(sAMAccountName=steave)"
> # refldap://domain.com/CN=Configuration,DC=domain,DC=com
>
> # refldap://domain.com/DC=DomainDnsZones,DC=domain,DC=com
>
> # refldap://domain.com/DC=ForestDnsZones,DC=domain,DC=com
> […………………….]
>
> Example Nº2
>
> Create user account on samba-2
>
> […………………….]
> root@samba-2:~# samba-tool user create alf alf@.10 --mail-address "alf@domain.com" --given-name "Alf" --must-change-at-next-login
> User 'alf' created successfully
> root@samba-2:~#
> […………………….]
>
> Check on samba-2 -> Sync ok
>
> […………………….]
> root@samba-2:~# ldapsearch -LLL -x -H ldap://10.13.xxx.xxx -b "DC=domain,DC=com" -D "CN=administrator,CN=Users,DC=domain,DC=com" -wyP@ssword "(sAMAccountName=alf)"
> dn: CN=Alf,CN=Users,DC=domain,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Alf
> givenName: Alf
> instanceType: 4
> whenCreated: 20190823191926.0Z
> […………………….]
>
> Check on samba-1 -> Sync ok
>
> […………………….]
> root@samba-1:~# ldapsearch -LLL -x -H ldap://10.13.xxx.xxx -b "DC=domain,DC=com" -D "CN=administrator,CN=Users,DC=domain,DC=com" -wyP@ssword "(sAMAccountName=alf)"
> dn: CN=Alf,CN=Users,DC=domain,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Alf
> givenName: Alf
> instanceType: 4
> whenCreated: 20190823191926.0Z
> whenChanged: 20190823191926.0Z
> displayName: Alf
> uSNCreated: 1396773
> […………………….]
>
> Check on samba-ad -> Sync ok
> […………………….]
> root@samba-ad:~# ldapsearch -LLL -x -H ldap://10.13.xxx.xxx -b "DC=domain,DC=com" -D "CN=administrator,CN=Users,DC=domain,DC=com" -wyP@ssword "(sAMAccountName=alf)"
> dn: CN=Alf,CN=Users,DC=domain,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Alf
> givenName: Alf
> instanceType: 4
> whenCreated: 20190823191926.0Z
> whenChanged: 20190823191926.0Z
> displayName: Alf
> uSNCreated: 2928583
> uSNChanged: 2928583
> […………………….]
>
> On samba-ad, the "samba-tool drs showrepl" command does not list any errors.
>
> Can you help me, please?

I have helped you by first rewriting your post, you do not have a master DC and two slaves, you have three DCs, one of which probably holds all the FSMO roles, but any of them could hold any or all of the FSMO roles.

If replication is working then, no matter which DC you create a user on, the user should be replicated to the other DCs.

Please show the output of 'samba-tool drs showrepl <one of the other DCs>' from each DC.

Rowland
Miguel Coa M.
2019-Aug-23 21:13 UTC
[Samba] Problem with sync user account from Samba Master to Samba Slave
Hello,

The FSMO list is:

[........................]
root@samba-ad:~# samba-tool fsmo show
ldb_wrap open of secrets.ldb
SchemaMasterRole owner: CN=NTDS Settings,CN=samba-ad,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=samba-ad,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=samba-ad,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=samba-ad,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=samba-ad,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=samba-ad,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=samba-ad,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
root@samba-ad:~#
[……………………]

The "samba-tool drs showrepl" output for the three DCs:

From samba-ad

[........................]
root@samba-ad:~# samba-tool drs showrepl
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:samba-ad.domain.com[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name samba-ad.domain.com<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba-ad.domain.com<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba-ad.domain.com<0x20>
Default-First-Site-Name\samba-ad
DSA Options: 0x00000001
DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
DSA invocationId: b0a91b8a-3bd6-4489-b846-ddba28dcf5a4

==== INBOUND NEIGHBORS ===

DC=ForestDnsZones,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-1 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ Fri Aug 23 17:00:23 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 17:00:23 2019 -04

DC=ForestDnsZones,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ Fri Aug 23 17:00:23 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 17:00:23 2019 -04

DC=DomainDnsZones,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-1 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ Fri Aug 23 17:01:54 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 17:01:54 2019 -04

DC=DomainDnsZones,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ Fri Aug 23 17:00:27 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 17:00:27 2019 -04

DC=domain,DC=com
    Default-First-Site-Name\SAMBA-1 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ Fri Aug 23 17:00:27 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 17:00:27 2019 -04

DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ Fri Aug 23 17:00:39 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 17:00:39 2019 -04

CN=Schema,CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-1 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ Fri Aug 23 17:00:39 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 17:00:39 2019 -04

CN=Schema,CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ Fri Aug 23 17:00:44 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 17:00:44 2019 -04

CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-1 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ Fri Aug 23 17:00:44 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 17:00:44 2019 -04

CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ Fri Aug 23 17:00:49 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 17:00:49 2019 -04

==== OUTBOUND NEIGHBORS ===

DC=ForestDnsZones,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-1 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ Fri Aug 23 17:04:00 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 17:04:00 2019 -04

DC=DomainDnsZones,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-1 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ Fri Aug 23 16:58:40 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:58:40 2019 -04

DC=domain,DC=com
    Default-First-Site-Name\SAMBA-1 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ Fri Aug 23 16:48:33 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:48:33 2019 -04

CN=Schema,CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-1 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-1 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ===

Connection --
    Connection name: 36a4786c-c9de-4fc1-b2b7-390c0d7f4dba
    Enabled : TRUE
    Server DNS name : SAMBA-1.domain.com
    Server DN name : CN=NTDS Settings,CN=SAMBA-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
    Connection name: f74e48dd-ca6a-43a3-8c7e-ddba4203a12f
    Enabled : TRUE
    Server DNS name : SAMBA-2.domain.com
    Server DN name : CN=NTDS Settings,CN=SAMBA-2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
[........................]

From samba-1

[........................]
root@samba-1:~# samba-tool drs showrepl
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:samba-1.domain.com[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name samba-1.domain.com<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba-1.domain.com<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba-1.domain.com<0x20>
Default-First-Site-Name\samba-1
DSA Options: 0x00000001
DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
DSA invocationId: 5ab872d5-dbc6-49d1-83e4-78cf6dbc5aa8

==== INBOUND NEIGHBORS ===

CN=Schema,CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-AD via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ Fri Aug 23 16:44:48 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:44:48 2019 -04

CN=Schema,CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ Fri Aug 23 16:44:48 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:44:48 2019 -04

DC=DomainDnsZones,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-AD via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ Fri Aug 23 16:45:25 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:45:25 2019 -04

DC=DomainDnsZones,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ Fri Aug 23 16:45:29 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:45:29 2019 -04

DC=ForestDnsZones,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-AD via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ Fri Aug 23 16:44:48 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:44:48 2019 -04

DC=ForestDnsZones,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ Fri Aug 23 16:44:48 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:44:48 2019 -04

CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-AD via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ Fri Aug 23 16:44:48 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:44:48 2019 -04

CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ Fri Aug 23 16:44:48 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:44:48 2019 -04

DC=domain,DC=com
    Default-First-Site-Name\SAMBA-AD via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ Fri Aug 23 16:45:30 2019 -04 failed, result 58 (WERR_BAD_NET_RESP)
        2361 consecutive failure(s).
        Last success @ Fri Aug 23 13:34:38 2019 -04

DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ Fri Aug 23 16:44:50 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:44:50 2019 -04

==== OUTBOUND NEIGHBORS ===

CN=Schema,CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-AD via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-AD via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-AD via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-AD via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=domain,DC=com
    Default-First-Site-Name\SAMBA-AD via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ===

Connection --
    Connection name: 4c77efe4-a389-496d-a90a-598c0e0c1aa3
    Enabled : TRUE
    Server DNS name : SAMBA-2.domain.com
    Server DN name : CN=NTDS Settings,CN=SAMBA-2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
    Connection name: 89d66174-24d7-4dde-a70f-a4bc104da89b
    Enabled : TRUE
    Server DNS name : SAMBA-AD.domain.com
    Server DN name : CN=NTDS Settings,CN=SAMBA-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
[........................]

From samba-2

[........................]
root@samba-2:~# samba-tool drs showrepl
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:samba-2.domain.com[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name samba-2.domain.com<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba-2.domain.com<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba-2.domain.com<0x20>
Default-First-Site-Name\samba-2
DSA Options: 0x00000001
DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
DSA invocationId: 0ca5e964-c09b-42c0-a5ff-6eafdf5be5b8

==== INBOUND NEIGHBORS ===

CN=Schema,CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\samba-2 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ Fri Aug 23 16:46:10 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:46:10 2019 -04

CN=Schema,CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\samba-ad via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ Fri Aug 23 16:46:10 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:46:10 2019 -04

DC=DomainDnsZones,DC=domain,DC=com
    Default-First-Site-Name\samba-2 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ Fri Aug 23 16:49:47 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:49:47 2019 -04

DC=DomainDnsZones,DC=domain,DC=com
    Default-First-Site-Name\samba-ad via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ Fri Aug 23 16:49:45 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:49:45 2019 -04

DC=ForestDnsZones,DC=domain,DC=com
    Default-First-Site-Name\samba-2 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ Fri Aug 23 16:46:10 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:46:10 2019 -04

DC=ForestDnsZones,DC=domain,DC=com
    Default-First-Site-Name\samba-ad via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ Fri Aug 23 16:46:10 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:46:10 2019 -04

CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\samba-2 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ Fri Aug 23 16:46:10 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:46:10 2019 -04

CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\samba-ad via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ Fri Aug 23 16:46:10 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:46:10 2019 -04

DC=domain,DC=com
    Default-First-Site-Name\samba-2 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ Fri Aug 23 16:47:53 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:47:53 2019 -04

DC=domain,DC=com
    Default-First-Site-Name\samba-ad via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ Fri Aug 23 16:47:54 2019 -04 failed, result 58 (WERR_BAD_NET_RESP)
        7444 consecutive failure(s).
        Last success @ Fri Aug 16 09:19:49 2019 -04

==== OUTBOUND NEIGHBORS ===

CN=Schema,CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\samba-ad via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\samba-2 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=domain,DC=com
    Default-First-Site-Name\samba-ad via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=domain,DC=com
    Default-First-Site-Name\samba-2 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=domain,DC=com
    Default-First-Site-Name\samba-ad via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=domain,DC=com
    Default-First-Site-Name\samba-2 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\samba-ad via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\samba-2 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=domain,DC=com
    Default-First-Site-Name\samba-ad via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=domain,DC=com
    Default-First-Site-Name\samba-2 via RPC
        DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ===

Connection --
    Connection name: 44d3df56-687e-4ed9-a0b8-310ff38a0c80
    Enabled : TRUE
    Server DNS name : samba-2.domain.com
    Server DN name : CN=NTDS Settings,CN=samba-2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
    Connection name: a34532a3-b02a-41dc-88a5-d20ebc5be347
    Enabled : TRUE
    Server DNS name : samba-ad.domain.com
    Server DN name : CN=NTDS Settings,CN=samba-ad,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
root@samba-2:~#
root@samba-2:~#
[........................]

samba-1 and samba-2 show the error "(WERR_BAD_NET_RESP)" to samba-ad.

Thanks.

> On 23-08-2019, at 16:36, Rowland penny via samba <samba@lists.samba.org> wrote:
>
> On 23/08/2019 20:55, Miguel Coa M. via samba wrote:
>> Hello,
>> I have Samba 4.7 as a domain controller on 3 servers: 1 DC (samba-ad) and two other DCs (samba-1 and samba-2). The problem is that when I create a user account on "samba-ad", the account is not synced to the others, but if I create the account on "samba-1" or "samba-2", it is synced to all servers.
>>
>> Samba version
>>
>> […………………….]
>> root@samba-ad:~# samba -V
>> Version 4.7.6-Ubuntu
>>
>> root@samba-1:~# samba -V
>> Version 4.7.6-Ubuntu
>>
>> root@samba-2:~# samba -V
>> Version 4.7.6-Ubuntu
>>
>> […………………….]
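Added example (not part of the original thread and not Samba's own code): the two failing links reported above sit among dozens of successful entries, so this Python example parses the text output of `samba-tool drs showrepl` and returns only the neighbors whose last attempt failed or whose failure count is non-zero. It assumes the field layout shown in this thread; `SAMPLE` is a constructed excerpt of that output, and the names `parse_showrepl`, `failing_links` and `report` are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample: a shortened excerpt laid out like the samba-1 output
# posted in this thread (same fields, fewer entries).
SAMPLE = r"""
Default-First-Site-Name\samba-1
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ===

CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\SAMBA-AD via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ Fri Aug 23 16:44:48 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:44:48 2019 -04

DC=domain,DC=com
    Default-First-Site-Name\SAMBA-AD via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ Fri Aug 23 16:45:30 2019 -04 failed, result 58 (WERR_BAD_NET_RESP)
        2361 consecutive failure(s).
        Last success @ Fri Aug 23 13:34:38 2019 -04

DC=domain,DC=com
    Default-First-Site-Name\SAMBA-2 via RPC
        DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
        Last attempt @ Fri Aug 23 16:44:50 2019 -04 was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 23 16:44:50 2019 -04

==== OUTBOUND NEIGHBORS ===

DC=domain,DC=com
    Default-First-Site-Name\SAMBA-AD via RPC
        DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ===

Connection --
    Connection name: 89d66174-24d7-4dde-a70f-a4bc104da89b
    Enabled : TRUE
"""

SECTION_RE = re.compile(r"^==== (INBOUND|OUTBOUND) NEIGHBORS =+$")
NC_RE = re.compile(r"^(?:CN|DC|OU)=\S+$")            # naming-context DN line
PARTNER_RE = re.compile(r"^(.+\\.+) via RPC$")        # Site\DC via RPC
ATTEMPT_RE = re.compile(
    r"^Last attempt @ (.+?) (?:was successful|failed, result (.+))$")
FAILS_RE = re.compile(r"^(\d+) consecutive failure\(s\)\.$")
SUCCESS_RE = re.compile(r"^Last success @ (.+)$")


@dataclass
class Link:
    direction: str          # "INBOUND" or "OUTBOUND"
    nc: str                 # naming context being replicated
    partner: str            # "Site\DC" as printed by showrepl
    last_attempt: str = ""  # "NTTIME(0)" means no attempt recorded
    result: str = ""        # empty on success, e.g. "58 (WERR_BAD_NET_RESP)"
    failures: int = 0
    last_success: str = ""


def parse_showrepl(text):
    """Return one Link per neighbor entry in the INBOUND/OUTBOUND sections."""
    links, direction, nc, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("===="):
            # Any other section (e.g. KCC CONNECTION OBJECTS) stops parsing.
            m = SECTION_RE.match(line)
            direction, nc, cur = (m.group(1) if m else None), None, None
        elif direction is None:
            continue
        elif NC_RE.match(line):
            nc, cur = line, None
        elif (m := PARTNER_RE.match(line)):
            cur = Link(direction, nc, m.group(1))
            links.append(cur)
        elif cur is None:
            continue
        elif (m := ATTEMPT_RE.match(line)):
            cur.last_attempt, cur.result = m.group(1), m.group(2) or ""
        elif (m := FAILS_RE.match(line)):
            cur.failures = int(m.group(1))
        elif (m := SUCCESS_RE.match(line)):
            cur.last_success = m.group(1)
    return links


def failing_links(text):
    """Links whose last attempt failed or that have consecutive failures."""
    return [l for l in parse_showrepl(text) if l.result or l.failures > 0]


def report(text):
    return [f"{l.direction} {l.nc} partner {l.partner}: result {l.result}, "
            f"{l.failures} consecutive failure(s), last success {l.last_success}"
            for l in failing_links(text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)) or "no failing replication links")
```

Run it against the saved output from every DC, not just one: as the thread shows, the DC that is the source of a failing link can report no errors itself. A DC whose inbound DC=domain,DC=com link keeps failing goes on serving stale account data (passwords, disabled flags, group membership) for changes made on that partner.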