samba - Jun 2021 - Replication between DCs seems broken after deleting a domain member

Hi,

I recently upgraded my Samba 4.3 to samba 4.13 (I really did 4.11, 4.12 
and then 4.13). Everything seems to work fine for now, but there is a 
problem in the samba log on all but one of my DCs.

I have 4 DCs: addc08, addc12, addc13 and addc16

all of the DCs are on a different AD Site. addc13 is int he same site 
with the member hydra.

I deleted the member hydra and added it back a few weeks ago because we 
had problems with some users logging into it from other sites. It seemed 
to have worked at that time. hydra is running as a linux AD member 
fileserver.

addc08 shows this:

[2021/06/07 15:23:03.219420,  0] 
../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
   ldb: No objectClass found in replPropertyMetaData for 
CN=hydra,CN=Computers,DC=int,DC=company,DC=de!

[2021/06/07 15:23:03.220149,  0] 
../../source4/dsdb/repl/drepl_out_helpers.c:1184(dreplsrv_op_pull_source_apply_changes_trigger)
   Failed to commit objects: 
WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE


while addc16 and addc12 show this (only the timestamp doesn't match):

[2021/06/07 15:22:12.356301,  0] 
../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
   ldb: No objectClass found in replPropertyMetaData for 
CN=hydra\0ADEL:2daab3d0-b214-45ab-8f1b-0eef7da9ecd6,CN=Deleted 
Objects,DC=int,DC=company,DC=de!

[2021/06/07 15:22:12.357966,  0] 
../../source4/dsdb/repl/drepl_out_helpers.c:1184(dreplsrv_op_pull_source_apply_changes_trigger)
   Failed to commit objects: 
WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE

there is no such message in the logs of addc13.

My knowledge is limited here, but it looks like the replication of the 
deletion of the member hydra is not working? Is there a good way to 
repair this?

Thanks in advance for your help.

Arne

Well, this computer is deleted.

CN=hydra\0ADEL:2daab3d0-b214-45ab-8f1b-0eef7da9ecd6,CN=Deleted 
Objects,DC=int,DC=company,DC=de! 

https://wiki.samba.org/index.php/Samba_Features_added/changed#Dynamic_DNS_record_scavenging_support

Did you enable it? because, dus a bug in older version, timestamps are wrong and
static entries (with wrong time stamps in it) get deleted.

It looks like you hitted something like this. 

Verify in the DNS the server's A and PTR record. 
Verify in Windows RSAT tools if the computer object still exists. 
Verify in windows all Sites and Services

Lets start there. 


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Arne 
> Zachlod via samba
> Verzonden: maandag 7 juni 2021 15:30
> Aan: samba
> Onderwerp: [Samba] Replication between DCs seems broken after 
> deleting a domain member
> 
> Hi,
> 
> I recently upgraded my Samba 4.3 to samba 4.13 (I really did 
> 4.11, 4.12 
> and then 4.13). Everything seems to work fine for now, but there is a 
> problem in the samba log on all but one of my DCs.
> 
> I have 4 DCs: addc08, addc12, addc13 and addc16
> 
> all of the DCs are on a different AD Site. addc13 is int he same site 
> with the member hydra.
> 
> I deleted the member hydra and added it back a few weeks ago 
> because we 
> had problems with some users logging into it from other 
> sites. It seemed 
> to have worked at that time. hydra is running as a linux AD member 
> fileserver.
> 
> addc08 shows this:
> 
> [2021/06/07 15:23:03.219420,  0] 
> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>    ldb: No objectClass found in replPropertyMetaData for 
> CN=hydra,CN=Computers,DC=int,DC=company,DC=de!
> 
> [2021/06/07 15:23:03.220149,  0] 
> ../../source4/dsdb/repl/drepl_out_helpers.c:1184(dreplsrv_op_p
> ull_source_apply_changes_trigger)
>    Failed to commit objects: 
> WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> 
> 
> while addc16 and addc12 show this (only the timestamp doesn't match):
> 
> [2021/06/07 15:22:12.356301,  0] 
> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>    ldb: No objectClass found in replPropertyMetaData for 
> CN=hydra\0ADEL:2daab3d0-b214-45ab-8f1b-0eef7da9ecd6,CN=Deleted 
> Objects,DC=int,DC=company,DC=de!
> 
> [2021/06/07 15:22:12.357966,  0] 
> ../../source4/dsdb/repl/drepl_out_helpers.c:1184(dreplsrv_op_p
> ull_source_apply_changes_trigger)
>    Failed to commit objects: 
> WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> 
> there is no such message in the logs of addc13.
> 
> My knowledge is limited here, but it looks like the 
> replication of the 
> deletion of the member hydra is not working? Is there a good way to 
> repair this?
> 
> Thanks in advance for your help.
> 
> Arne
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

On 07/06/2021 14:29, Arne Zachlod via samba wrote:
> Hi,
>
> I recently upgraded my Samba 4.3 to samba 4.13 (I really did 4.11, 
> 4.12 and then 4.13). Everything seems to work fine for now, but there 
> is a problem in the samba log on all but one of my DCs.
>
> I have 4 DCs: addc08, addc12, addc13 and addc16
>
> all of the DCs are on a different AD Site. addc13 is int he same site 
> with the member hydra.
>
> I deleted the member hydra and added it back a few weeks ago because 
> we had problems with some users logging into it from other sites. It 
> seemed to have worked at that time. hydra is running as a linux AD 
> member fileserver.

How did you delete the computer ?
>
> addc08 shows this:
>
> [2021/06/07 15:23:03.219420,? 0] 
> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
> ?ldb: No objectClass found in replPropertyMetaData for 
> CN=hydra,CN=Computers,DC=int,DC=company,DC=de!
>
> [2021/06/07 15:23:03.220149,? 0] 
>
../../source4/dsdb/repl/drepl_out_helpers.c:1184(dreplsrv_op_pull_source_apply_changes_trigger)
> ?Failed to commit objects: 
> WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
>
>
> while addc16 and addc12 show this (only the timestamp doesn't match):
>
> [2021/06/07 15:22:12.356301,? 0] 
> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
> ?ldb: No objectClass found in replPropertyMetaData for 
> CN=hydra\0ADEL:2daab3d0-b214-45ab-8f1b-0eef7da9ecd6,CN=Deleted 
> Objects,DC=int,DC=company,DC=de!

'\0ADEL' means a deleted object and for further proof it is in 
'CN=Deleted Objects'

Try running this on a DC:

samba-tool domain tombstones expunge 
--tombstone-lifetime=TOMBSTONE_LIFETIME -U administrator

Where 'TOMBSTONE_LIFETIME' is the number of days to keep tombstone 
records for, the lower the number, the more tombstone records will be 
removed.

Rowland