Rowland Penny
2023-May-28  12:04 UTC
[Samba] Replication issue after upgrade - 3221225524 / WERR_FILE_NOT_FOUND
On 28/05/2023 11:43, Alexandros Karypidis via samba wrote:
> Hello,
>
> I have a domain with two controllers (DC1/DC2) based on Turnkey Linux domain controller V16.2 (Samba v4.9.5). I just finished upgrading to V17.1 (Samba v4.17.3) using a new temporary controller DC3.
>
> Things seem to have worked, I have DC1/DC2 running the new version and can login to the domain (computer accounts are present, users/groups seem fine, etc). HOWEVER, when I try replication now I get the following errors:
>
> ERROR 1: Try sync from DC1 to DC2 - error 3221225524 (some object not found):
>
> root@dc1 ~# samba-tool drs replicate DC2 DC1 DC=ad,DC=home,DC=lan --full-sync
> ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to DC2 failed - drsException: DRS connection to DC2 failed: (3221225524, 'The object name is not found.')
>   File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 55, in drsuapi_connect
>     (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
>   File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 71, in drsuapi_connect
>     raise drsException("DRS connection to %s failed: %s" % (server, e))
>
> ERROR 2: Try sync from DC2 to DC1 - error WERR_FILE_NOT_FOUND:
>
> root@dc1 ~# samba-tool drs replicate DC1 DC2 DC=ad,DC=home,DC=lan --full-sync
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_FILE_NOT_FOUND')
>   File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 570, in run
>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
>   File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 100, in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
>
> Any idea why replication now fails? Logging in with RSAT's "Active Directory Users and Computers" seems to show the contents fine on both controllers.
>
> -------------------
> The process used to perform the upgrade is below:
>
> - Create a third DC3 using V17.1 and transfer all FSMO to it
> - Demote/remove DC1
> - Demote/remove DC2
> - Recreate DC1 with V17.1 and rejoin domain
> - Recreate DC2 with V17.1 and rejoin domain
> - Transfer all FSMO to DC1
> - Demote/remove DC3
>
> Now, one thing I noticed is that when demoting a DC it was still a member of the domain, so to completely remove it I used the RSAT app on Windows to delete the computer (including subtree). That was the only "quirk" during the process. After removing the DC I ran a "dbcheck" to fix any references to the removed name...
>

Can you post your /etc/hosts, /etc/hostname, /etc/resolv.conf and /etc/krb5.conf files, sanitised if need be.

Rowland
Alexandros Karypidis
2023-May-28  13:56 UTC
[Samba] Replication issue after upgrade - 3221225524 / WERR_FILE_NOT_FOUND
Hello,
Thank you, the requested info (see /etc/krb5.conf below) clearly shows the
issue: when setting up DC1 I must've pressed enter on the default value for
the domain...
Is this fixable by stopping the daemon, editing the file and restarting? Should
I make DC2 the FSMO, delete DC1 and then recreate it using DC2 as the golden
copy (with the proper domain)?
root@dc1 ~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 dc1 dc1.default.lan

#Required for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
# --- BEGIN PVE ---
192.168.9.201 dc1.ad.home.lan dc1
# --- END PVE ---

root@dc2 ~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 dc2 dc2.ad.home.lan

#Required for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
# --- BEGIN PVE ---
192.168.42.201 dc2.ad.home.lan dc2
# --- END PVE ---

=============================================
root@dc1 ~# cat /etc/hostname
dc1

root@dc2 ~# cat /etc/hostname
dc2

=============================================
root@dc1 ~# cat /etc/resolv.conf
# --- BEGIN PVE ---
search ad.home.lan
nameserver 127.0.0.1
# --- END PVE ---

root@dc2 ~# cat /etc/resolv.conf
# --- BEGIN PVE ---
search ad.home.lan
nameserver 127.0.0.1
# --- END PVE ---

=============================================
root@dc1 ~# cat /etc/krb5.conf
[libdefaults]
        default_realm = DEFAULT.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
DEFAULT.LAN = {
        default_domain = default.lan
}

[domain_realm]
        dc1 = DEFAULT.LAN

root@dc2 ~# cat /etc/krb5.conf
[libdefaults]
        default_realm = AD.HOME.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
AD.HOME.LAN = {
        default_domain = ad.home.lan
}

[domain_realm]
        DC2 = AD.HOME.LAN
Alexandros Karypidis
2023-May-28  14:05 UTC
[Samba] Replication issue after upgrade - 3221225524 / WERR_FILE_NOT_FOUND
I've removed the annoying html formatting. I have backups of my LXC containers from immediately before the upgrade attempt. I think the best option is to restore DC1/DC2 from them and try the upgrade again. No point in wasting people's time with silly mistakes. Thank you for helping me spot this by asking for the basic files.
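
The mismatch spotted in this thread (DC1's /etc/krb5.conf and /etc/hosts carrying default.lan while the domain is ad.home.lan) can be checked for mechanically before attempting replication. The following is an added example, not part of the original posts and not Samba tooling; the function names `krb5_default_realm` and `check_dc` are assumptions, and the sample input is DC1's files as posted above, trimmed to the relevant lines.

```python
import re

def krb5_default_realm(text):
    """Return default_realm from [libdefaults] in krb5.conf text, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm":
                return value
    return None

def check_dc(short_name, dns_domain, hosts_text, krb5_text):
    """List mismatches between a DC's local files and the AD DNS domain."""
    problems = []
    realm = krb5_default_realm(krb5_text)
    if realm != dns_domain.upper():
        problems.append(f"krb5.conf default_realm is {realm}, expected {dns_domain.upper()}")
    want = f"{short_name}.{dns_domain}"
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].lower().split()
        if len(fields) < 2 or short_name not in fields[1:]:
            continue  # comment, blank line, or an entry for another host
        fqdns = [n for n in fields[1:] if n.startswith(short_name + ".")]
        if fqdns != [want]:
            problems.append(f"/etc/hosts {fields[0]} -> {fqdns}, expected {want}")
    return problems

# DC1's files as posted in the thread, line breaks restored (IPv6 lines omitted).
DC1_HOSTS = """127.0.0.1 localhost
127.0.1.1 dc1 dc1.default.lan
# --- BEGIN PVE ---
192.168.9.201 dc1.ad.home.lan dc1
# --- END PVE ---
"""
DC1_KRB5 = """[libdefaults]
        default_realm = DEFAULT.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true
"""

if __name__ == "__main__":
    for problem in check_dc("dc1", "ad.home.lan", DC1_HOSTS, DC1_KRB5):
        print(problem)
```

Run against DC2's posted files with `short_name="dc2"`, the same check reports nothing.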