Figured it out myself ;-)
The problem was:
I use VirtualBox for my VMs. My VMs all have two NICs: the first is a
NAT device with always the same IP "10.0.2.15"; this device is only used
to get packages from the internet. The second NIC is a host-only device
I use to set up different domains in different subnets.
When I do the provision or the join, Samba is taking all devices. So I
wrote an Ansible task to add "interfaces = <ip>" and "bind interfaces
only = yes" to avoid the NAT device. BUT ^^ there was a typo in my
Ansible task, so the parameters were not set, so my second DC took the
IP from the NAT device as the main IP and everything fu*** up :-(. Now
after fixing the typo it works and I can set up a domain, starting with
the provision of the first DC, and many more DCs to come.
So always watch your IPs ;-)
On 21.10.20 at 19:02, Stefan Kania via samba wrote:
> Hello,
>
> I set up a domain with two DCs (dns-backend is BIND9_DLZ) on a Debian 10
> system. I used either the Debian packages or the packages from Louis
> (4.12.8). I created an Ansible role to set up everything, starting from
> installing the packages over doing the provision/join up to changing the
> settings for bind9. The first DC runs fine. After the reboot services
> are all present, all the SRV records for the first DC are present.
> Then I do the join with the second DC. The join worked fine; I find the
> DC in the DNS and I can see the account for the DC. On the second DC I see
> all SRV records for both DCs, BUT on the first DC I only see the
> SRV records for the first DC. When I check replication I see:
> ------------------
> root at addc-01:~# samba-tool drs showrepl --summary
> There are failing connections
> Failing inbound connection:
> DC=ForestDnsZones,DC=example,DC=net
> Default-First-Site-Name\ADDC-02 via RPC
> DSA object GUID: 3394efb8-7f31-48f9-aa11-2791c2426be8
> Last attempt @ Wed Oct 21 18:47:05 2020 CEST failed,
> result 31 (WERR_GEN_FAILURE)
> 11 consecutive failure(s).
> Last success @ NTTIME(0)
>
> CN=Schema,CN=Configuration,DC=example,DC=net
> Default-First-Site-Name\ADDC-02 via RPC
> DSA object GUID: 3394efb8-7f31-48f9-aa11-2791c2426be8
> Last attempt @ Wed Oct 21 18:47:06 2020 CEST failed,
> result 31 (WERR_GEN_FAILURE)
> 11 consecutive failure(s).
> Last success @ NTTIME(0)
>
> CN=Configuration,DC=example,DC=net
> Default-First-Site-Name\ADDC-02 via RPC
> DSA object GUID: 3394efb8-7f31-48f9-aa11-2791c2426be8
> Last attempt @ Wed Oct 21 18:47:06 2020 CEST failed,
> result 31 (WERR_GEN_FAILURE)
> 11 consecutive failure(s).
> Last success @ NTTIME(0)
>
> DC=DomainDnsZones,DC=example,DC=net
> Default-First-Site-Name\ADDC-02 via RPC
> DSA object GUID: 3394efb8-7f31-48f9-aa11-2791c2426be8
> Last attempt @ Wed Oct 21 18:47:06 2020 CEST failed,
> result 31 (WERR_GEN_FAILURE)
> 11 consecutive failure(s).
> Last success @ NTTIME(0)
>
> DC=example,DC=net
> Default-First-Site-Name\ADDC-02 via RPC
> DSA object GUID: 3394efb8-7f31-48f9-aa11-2791c2426be8
> Last attempt @ Wed Oct 21 18:47:06 2020 CEST failed,
> result 31 (WERR_GEN_FAILURE)
> 14 consecutive failure(s).
> Last success @ NTTIME(0)
> ------------------
>
> On DC2 the same only with "ADCD-01" as servername.
>
> If I do a replication from dc1 to dc2 everything seems to work:
> -------------
> root at addc-01:~# samba-tool drs replicate addc-02 addc-01 dc=example,dc=net
> Replicate from addc-01 to addc-02 was successful.
> -------------
>
> But in the other direction I get:
> -------------
> root at addc-01:~# samba-tool drs replicate addc-01 addc-02 dc=example,dc=net
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (31, 'WERR_GEN_FAILURE')
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 568, in run
> drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
> source_dsa_guid, NC, req_options)
> File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 88, in sendDsReplicaSync
> raise drsException("DsReplicaSync failed %s" % estr)
> -------------
>
> On the second DC I get an error message in both directions:
> -------------
> root at addc-02:~# samba-tool drs replicate addc-02 addc-01 dc=example,dc=net
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (31, 'WERR_GEN_FAILURE')
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 568, in run
> drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
> source_dsa_guid, NC, req_options)
> File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 88, in sendDsReplicaSync
> raise drsException("DsReplicaSync failed %s" % estr)
>
>
> root at addc-02:~# samba-tool drs replicate addc-01 addc-02 dc=example,dc=net
> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
> ncacn_ip_tcp:10.0.2.15[49152,seal,target_hostname=addc-01,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.0.2.15]
> NT_STATUS_UNSUCCESSFUL
> ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to addc-01
> failed - drsException: DRS connection to addc-01 failed: (3221225473,
> '{Operation Failed} The requested operation was unsuccessful.')
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 47, in drsuapi_connect
> (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
> File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 59, in drsuapi_connect
> raise drsException("DRS connection to %s failed: %s" % (server, e))
> -------------
>
> No changes were made to smb.conf, all default.
>
> samba_updatedns --verbose --all-names
>
> is running on both DCs without any error.
> Time is exactly the same on both DCs.
>
> These are the packages I installed via Ansible:
> --------------
> # Installing all needed packages for Samba-DC with bind9
> - name: install samba- and bind9-package for ADDC
>   apt:
>     name:
>       - samba
>       - libpam-heimdal
>       - heimdal-clients
>       - ldb-tools
>       - winbind
>       - libpam-winbind
>       - smbclient
>       - libnss-winbind
>       - bind9
>       - dnsutils
> --------------
>
> This is the provision:
> --------------
> # Provision the first DC with bind9 as DNS-backend
> - name: Do the provision if first DC
>   command: samba-tool domain provision --dns-backend=BIND9_DLZ
>     --realm={{kerberos_realm}} --domain={{domain_name}}
>     --adminpass={{admin_password}} --server-role=dc
>   when:
>     - is_dc.stdout == "0" and
>       group_first_dc in group_names
> --------------
>
> And this is the join:
> --------------
> # Join DC to existing domain with bind9 as DNS-backend
> - name: Do the join all other DC
>   command: samba-tool domain join {{dns_name}} --dns-backend=BIND9_DLZ
>     DC --realm={{kerberos_realm}} -U administrator
>     --password={{admin_password}}
>   when:
>     - is_dc.stdout == "0" and
>       group_other_dc in group_names
> --------------
>
> I'm out of any idea :-( Need help :-)
>
> Stefan
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signing every e-mail helps reduce spam and protects your privacy. You
can obtain a free certificate at
https://www.dgn.de/dgncert/index.html
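A check for the failure mode described at the top of the thread: a misspelled smb.conf parameter is silently ignored, so the DC silently binds to the VirtualBox NAT address. This is an added example, not code from the thread or from Samba; the smb.conf text is constructed, the host-only address 192.168.56.11 and the DC name ADDC-02 are assumptions, and 10.0.2.15 is the NAT address from the thread.

```python
import re
from typing import Dict, List

# Constructed sample: smb.conf rendered by a task that misspelled the key name
# ("bind interface only" instead of "bind interfaces only"), as in the thread.
BROKEN_SMB_CONF = """
[global]
    netbios name = ADDC-02
    server role = active directory domain controller
    interfaces = 192.168.56.11
    bind interface only = yes
"""
FIXED_SMB_CONF = BROKEN_SMB_CONF.replace("bind interface only", "bind interfaces only")
# VirtualBox NAT address that must never carry DC traffic (from the thread).
NAT_ADDRESSES = {"10.0.2.15"}


def parse_global(text: str) -> Dict[str, str]:
    """Key/value pairs of [global]; case and whitespace in names are ignored as Samba does."""
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key.lower())] = value.strip()
    return params


def check_binding(text: str, expected_ip: str) -> List[str]:
    """Return problems found; an empty list means Samba is pinned to expected_ip only."""
    g = parse_global(text)
    problems: List[str] = []
    if g.get("bindinterfacesonly", "no").lower() not in ("yes", "true", "1"):
        problems.append("'bind interfaces only' is not yes: Samba binds to every NIC")
    ifaces = g.get("interfaces", "").split()
    if expected_ip not in ifaces:
        problems.append(f"interfaces does not list {expected_ip}")
    for nat in sorted(NAT_ADDRESSES & set(ifaces)):
        problems.append(f"interfaces lists NAT address {nat}")
    # A misspelled parameter is silently ignored by Samba; flag near misses.
    for key in g:
        if "interface" in key and key not in ("interfaces", "bindinterfacesonly"):
            problems.append(f"unknown parameter '{key}' (typo?)")
    return problems
```

Running it against a rendered smb.conf after the Ansible role (for example as a verification task) catches the typo before the join, when the DC would otherwise pick the NAT address as its main IP.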