Checking the databases against each other throws up pages and pages of errors. The two are completely out of sync now.

What I have seen is that for no apparent reason, one of the servers suddenly decided it would sync with the Windows server, which appears to have updated the schema. Yesterday when I compared the databases on the two Linux servers they only had a couple of errors; today, many errors, and now the schema says it is a different size:

* Result for [CONFIGURATION]: FAILURE

SUMMARY
---------

Attributes found only in ldap://genesis:

    dSASignature
    serverReference

Attributes with different values:

    msDS-NC-Replica-Locations
    extraColumns
    mS-DS-ReplicatesNCReason
    adminPropertyPages
    appliesTo
    attributeDisplayNames
    masteredBy
    interSiteTopologyGenerator
    adminContextMenu
    msDs-masteredBy
    classDisplayName
    revision

* Comparing [SCHEMA] context...

* DN lists have different size: 1789 != 1569
CN=Dns-Zone-Scope,CN=Schema,CN=Configuration,DC=kcs,DC=local

Genesis is, I believe, correct. Is there a way to force Luke to update itself from Genesis completely?

On Tue, Jul 14, 2020 at 10:46 AM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 14/07/2020 18:37, Peter Pollock via samba wrote:
> > OK, tried that. Kicked myself for not trying earlier... but it didn't work.
> >
> > In fact, the error has got worse.
> >
> > Now when I try to go from Genesis to Luke I get:
> >
> > sudo samba-tool drs replicate luke genesis DC=kcs,DC=local -Udomainadmin
> > .
> > .
> > ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (1359, 'WERR_INTERNAL_ERROR')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 386, in run
> >     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
> >   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 85, in sendDsReplicaSync
> >     raise drsException("DsReplicaSync failed %s" % estr)
> >
> > and when I go the other way I get a different error:
> >
> > sudo samba-tool drs replicate genesis luke DC=kcs,DC=local -Udomainadmin
> > .
> > .
> > ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 386, in run
> >     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
> >   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 85, in sendDsReplicaSync
> >     raise drsException("DsReplicaSync failed %s" % estr)
>
> OK, try checking the databases against each other, you can do this with samba-tool:
>
> samba-tool ldapcmp ldap://DC1 ldap://DC2
>
> Replace DC1 & DC2 with the hostnames of the DCs
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On 14/07/2020 19:07, Peter Pollock wrote:
> * DN lists have different size: 1789 != 1569
> CN=Dns-Zone-Scope,CN=Schema,CN=Configuration,DC=kcs,DC=local
>
> Genesis is, I believe, correct. Is there a way to force Luke to update itself from Genesis completely?

You said 'Mathew' was a Windows 2008R2 DC, but 'CN=Dns-Zone-Scope' only appeared with Windows 2016, which Samba does not yet support. You have, undoubtedly and unwittingly, borked your Samba DCs.

If you wish to continue using Samba DCs, you will need to remove the Windows 2016 DC from the domain and then use 'Luke' as the main DC, hopefully this is still functioning correctly. Seize the FSMO roles to Luke, demote the other two DCs and clean them up, then join them to the domain again. If everything works okay, then you have been lucky; if it doesn't, then do you have backups from before the Windows 2016 DC was added?

Rowland
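The `samba-tool ldapcmp` summary quoted above is the evidence that the two Samba DCs have drifted, and the one-sided `CN=Dns-Zone-Scope` schema object is what points at the unsupported Windows schema level. As an added example (not code from the thread or from the Samba project), the Python below parses that output format into structured results and turns it into findings, so the same check can run on a schedule and flag drift the day it happens rather than when replication stops. The sample input is constructed from the output quoted in the thread, re-flowed one item per line; the exact blank-line layout and the `UNSUPPORTED_SCHEMA_OBJECTS` set (which holds only the object the thread names) are assumptions to adjust for your own environment.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the `samba-tool ldapcmp ldap://genesis ldap://luke`
# summary quoted in the thread, one item per line (line layout is an assumption).
SAMPLE_LDAPCMP_OUTPUT = """\
* Result for [CONFIGURATION]: FAILURE

SUMMARY
---------

Attributes found only in ldap://genesis:

    dSASignature
    serverReference

Attributes with different values:

    msDS-NC-Replica-Locations
    extraColumns
    mS-DS-ReplicatesNCReason
    adminPropertyPages
    appliesTo
    attributeDisplayNames
    masteredBy
    interSiteTopologyGenerator
    adminContextMenu
    msDs-masteredBy
    classDisplayName
    revision

* Comparing [SCHEMA] context...

* DN lists have different size: 1789 != 1569
CN=Dns-Zone-Scope,CN=Schema,CN=Configuration,DC=kcs,DC=local
"""

# Assumption: schema class RDNs that exist only at a Windows schema level these
# Samba DCs cannot replicate. The thread names just Dns-Zone-Scope (Windows 2016).
UNSUPPORTED_SCHEMA_OBJECTS = {"Dns-Zone-Scope"}

RESULT_RE = re.compile(r"^\* Result for \[(\w+)\]: (\w+)")
COMPARING_RE = re.compile(r"^\* Comparing \[(\w+)\] context")
ONLY_IN_RE = re.compile(r"^Attributes found only in (\S+):")
SIZE_RE = re.compile(r"^\* DN lists have different size: (\d+) != (\d+)")
DN_RE = re.compile(r"^(CN|OU|DC)=", re.IGNORECASE)

@dataclass
class ContextResult:
    name: str                                       # naming context, e.g. CONFIGURATION
    status: str = "UNKNOWN"                         # SUCCESS / FAILURE as ldapcmp reports it
    only_in: dict = field(default_factory=dict)     # side URL -> attribute names
    differing: list = field(default_factory=list)   # attributes whose values differ
    dn_count: tuple = None                          # (left, right) when the DN lists differ
    unmatched_dns: list = field(default_factory=list)

def parse_ldapcmp(text):
    """Parse ldapcmp's text output into {context name: ContextResult}."""
    results, ctx, section = {}, None, None          # section: list currently being filled
    for line in (l.strip() for l in text.splitlines()):
        m = COMPARING_RE.match(line) or RESULT_RE.match(line)
        if m:  # a naming context starts; the Result line also carries its status
            ctx = results.setdefault(m.group(1), ContextResult(m.group(1)))
            if m.re is RESULT_RE:
                ctx.status = m.group(2)
            section = None
        elif ctx is None or not line or line.startswith(("SUMMARY", "---")):
            continue
        elif m := ONLY_IN_RE.match(line):
            section = ctx.only_in.setdefault(m.group(1), [])
        elif line.startswith("Attributes with different values:"):
            section = ctx.differing
        elif m := SIZE_RE.match(line):
            ctx.dn_count = (int(m.group(1)), int(m.group(2)))
            section = ctx.unmatched_dns
        elif section is ctx.unmatched_dns and not DN_RE.match(line):
            continue  # ignore anything in the DN section that is not a DN
        elif section is not None:
            section.append(line)
    return results

def assess(results):
    """Turn parsed results into findings; an empty list means the DCs are in sync."""
    findings = []
    for ctx in results.values():
        if ctx.status == "FAILURE":
            one_sided = sum(len(v) for v in ctx.only_in.values())
            findings.append(f"{ctx.name}: {one_sided} one-sided, "
                            f"{len(ctx.differing)} differing attribute(s)")
        if ctx.dn_count and ctx.dn_count[0] != ctx.dn_count[1]:
            findings.append(f"{ctx.name}: DN count {ctx.dn_count[0]} != {ctx.dn_count[1]}")
        for dn in ctx.unmatched_dns:
            rdn = dn.split(",", 1)[0].split("=", 1)[1]  # "CN=Dns-Zone-Scope" -> "Dns-Zone-Scope"
            if ",CN=Schema," in dn and rdn in UNSUPPORTED_SCHEMA_OBJECTS:
                findings.append(f"{ctx.name}: {rdn} exists on one DC only and comes from "
                                "a Windows schema level these Samba DCs do not support")
    return findings
```

To run it against live DCs, feed the stdout of `samba-tool ldapcmp ldap://DC1 ldap://DC2` (for example via `subprocess.run(..., capture_output=True, text=True).stdout`) to `parse_ldapcmp` and alert on a non-empty `assess` result. ldapcmp's exit status already tells you pass or fail; the value of parsing the text is knowing which context and which attributes drifted, and catching a schema object that only one side has before anyone tries a forced replication.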
I knew you were going to say that... but was really hoping you wouldn't!

I've never demoted a Samba DC before, is this the best guide, do you think? https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC

Thank you so much for your help, by the way. I really appreciate it.
OK, I demoted the Windows server (which has now been unplugged and thrown out of the window), leaving the two Linux servers.

I finally managed to demote Genesis but then the rejoin failed and it was stuck. So I restored from a backup. Problem is, Genesis came back believing it was still part of the AD but Luke doesn't recognize it.

Any ideas what steps I can take? Please.

sudo samba-tool drs replicate genesis luke dc=kcs,dc=local --full-sync -Udomainadmin
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:genesis[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name genesis<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name genesis<0x20>
Password for [KCS\domainadmin]:
Server ldap/GENESIS@KCS.LOCAL is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/GENESIS@KCS.LOCAL) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/GENESIS failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER