OK, tried that. Kicked myself for not trying earlier... but it didn't
work.

In fact, the error has got worse.

Now when I try to go from Genesis to Luke I get:

sudo samba-tool drs replicate luke genesis DC=kcs,DC=local -Udomainadmin
.
.
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (1359, 'WERR_INTERNAL_ERROR')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 386, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 85, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

and when I go the other way I get a different error:

sudo samba-tool drs replicate genesis luke DC=kcs,DC=local -Udomainadmin
.
.
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 386, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 85, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

On Mon, Jul 13, 2020 at 11:32 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 14/07/2020 03:35, Peter Pollock via samba wrote:
> > Hi,
> >
> > I have been trying for days to solve this to no avail. I have taken over
> > the IT responsibilities at a small school and am trying to get my head
> > around their network and why they are having problems.
> > They have 3 servers, Matthew, Genesis and Luke.
> >
> > Matthew is a Windows 2008 R2 server and holds all the FSMO roles but
> > appears to be screwed up. It won't replicate with anything and randomly
> > restarts itself. It wasn't doing much anyway so I want to decommission it.
> >
> > Genesis and Luke are both running Ubuntu 18.04.4 LTS and Samba 4.7.6
> >
> > When I replicate from genesis to luke, everything works fine (or says it
> > does)
> >
> > When I replicate from luke to genesis though, I get a failure message:
> >
> > sudo samba-tool drs replicate genesis luke dc=kcs,dc=local
> > ldb_wrap open of secrets.ldb
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Using binding ncacn_ip_tcp:genesis[,seal]
> > resolve_lmhosts: Attempting lmhosts lookup for name genesis<0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name genesis<0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name genesis<0x20>
> > ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> > drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 386, in run
> >     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
> >   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 85, in sendDsReplicaSync
> >     raise drsException("DsReplicaSync failed %s" % estr)
> >
> > However, new users I create on either genesis or luke replicate to the
> > other with no problems.
> >
> > I have no idea what is wrong or how to go about fixing it. Can anyone help?
>
> Try running the command again, but this time add '-UAdministrator' on
> the end.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

On 14/07/2020 18:37, Peter Pollock via samba wrote:
> OK, tried that. Kicked myself for not trying earlier... but it didn't
> work.
>
> In fact, the error has got worse.
>
> Now when I try to go from Genesis to Luke I get:
>
> sudo samba-tool drs replicate luke genesis DC=kcs,DC=local -Udomainadmin
> .
> .
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (1359, 'WERR_INTERNAL_ERROR')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 386, in run
>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 85, in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
>
> and when I go the other way I get a different error:
>
> sudo samba-tool drs replicate genesis luke DC=kcs,DC=local -Udomainadmin
> .
> .
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 386, in run
>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 85, in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
>
>

OK, try checking the databases against each other, you can do this with
samba-tool:

samba-tool ldapcmp ldap://DC1 ldap://DC2

Replace DC1 & DC2 with the hostnames of the DC's

Rowland

Checking the databases against each other throws up pages and pages of
errors. The two are completely out of sync now.

What I have seen is that for no apparent reason, one of the servers
suddenly decided it would sync with the Windows server, which appears to
have updated the schema. Yesterday when I compared the databases on the two
linux servers they only had a couple of errors, today, many errors and now
the schema says it is a different size:

* Result for [CONFIGURATION]: FAILURE

SUMMARY
---------

Attributes found only in ldap://genesis:

    dSASignature
    serverReference

Attributes with different values:

    msDS-NC-Replica-Locations
    extraColumns
    mS-DS-ReplicatesNCReason
    adminPropertyPages
    appliesTo
    attributeDisplayNames
    masteredBy
    interSiteTopologyGenerator
    adminContextMenu
    msDs-masteredBy
    classDisplayName
    revision

* Comparing [SCHEMA] context...

* DN lists have different size: 1789 != 1569

CN=Dns-Zone-Scope,CN=Schema,CN=Configuration,DC=kcs,DC=local

Genesis is, I believe, correct. Is there a way to force Luke to update
itself from Genesis completely?

On Tue, Jul 14, 2020 at 10:46 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 14/07/2020 18:37, Peter Pollock via samba wrote:
> > OK, tried that. Kicked myself for not trying earlier... but it didn't
> > work.
> >
> > In fact, the error has got worse.
> >
> > Now when I try to go from Genesis to Luke I get:
> >
> > sudo samba-tool drs replicate luke genesis DC=kcs,DC=local -Udomainadmin
> > .
> > .
> > ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> > drsException: DsReplicaSync failed (1359, 'WERR_INTERNAL_ERROR')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 386, in run
> >     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
> >   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 85, in sendDsReplicaSync
> >     raise drsException("DsReplicaSync failed %s" % estr)
> >
> > and when I go the other way I get a different error:
> >
> > sudo samba-tool drs replicate genesis luke DC=kcs,DC=local -Udomainadmin
> > .
> > .
> > ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> > drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 386, in run
> >     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
> >   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 85, in sendDsReplicaSync
> >     raise drsException("DsReplicaSync failed %s" % estr)
> >
> >
> OK, try checking the databases against each other, you can do this with
> samba-tool:
>
> samba-tool ldapcmp ldap://DC1 ldap://DC2
>
> Replace DC1 & DC2 with the hostnames of the DC's
>
> Rowland
>
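
Added example (not part of the thread and not Samba project code): a small Python parser that condenses `samba-tool ldapcmp` output of the kind quoted above into a per-context summary, so the naming contexts that differ between the two DCs stand out from the pages of detail. The sample input is constructed from lines in the thread, and the names `summarize` and `diverged` are assumptions.

```python
import re
# Constructed sample: a subset of the ldapcmp lines quoted in the thread.
SAMPLE = """\
* Result for [CONFIGURATION]: FAILURE
SUMMARY
---------
Attributes found only in ldap://genesis:
    dSASignature
    serverReference
Attributes with different values:
    masteredBy
    revision
* Comparing [SCHEMA] context...
* DN lists have different size: 1789 != 1569
"""

CONTEXT = re.compile(r"^\* (?:Comparing|Result for) \[(\w+)\]")
RESULT = re.compile(r"^\* Result for \[\w+\]: (\w+)")
DN_SIZE = re.compile(r"^\* DN lists have different size: (\d+) != (\d+)")
ONLY_IN = re.compile(r"^Attributes found only in (\S+):$")
ATTR = re.compile(r"^[A-Za-z][\w-]*$")  # attribute names, never DNs
def summarize(text):
    # Group ldapcmp findings by naming context (hypothetical helper).
    report, ctx, bucket = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = CONTEXT.match(line)
        if m:
            ctx = report.setdefault(m.group(1), {"result": None, "dn_counts": None,
                                                 "only_in": {}, "differ": []})
            res = RESULT.match(line)
            ctx["result"] = res.group(1) if res else ctx["result"]
            bucket = None
        elif ctx is None:
            continue  # text before the first context header
        elif DN_SIZE.match(line):
            ctx["dn_counts"] = tuple(int(n) for n in DN_SIZE.match(line).groups())
        elif ONLY_IN.match(line):
            bucket = ctx["only_in"].setdefault(ONLY_IN.match(line).group(1), [])
        elif line == "Attributes with different values:":
            bucket = ctx["differ"]
        elif bucket is not None and ATTR.match(line):
            bucket.append(line)
        elif line:
            bucket = None  # any other text ends the current attribute list
    return report

def diverged(report):  # contexts that failed or hold differing DN counts
    return sorted(n for n, c in report.items()
                  if c["result"] == "FAILURE" or len(set(c["dn_counts"] or ())) > 1)
```

Feed it the captured output of an ldapcmp run; `diverged()` returns the context names to look at first.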