Adam Abramson
2024-Oct-11 09:12 UTC
[Samba] Problem with a domain controller that is located in a separate site
I decided to look for something about the reps-to attribute and this is what I came across in MS-ADTS: it turns out that the attribute should be filled in, but for some reason this does not happen in Samba when one is on a separate site. Who can I contact who is working on the KCC? It seems to me that this is the problem there. Rowland, what do you think?

A precondition for event-driven replication involves server's repsTo abstract attribute, specified in [MS-DRSR] section 5.173. The repsTo abstract attribute is a sequence of tuples, like repsFrom. Like repsFrom, each repsTo tuple contains a field uuidDsa that contains the objectGUID of an nTDSDSA object. The nTDSDSA object represents a DC as specified in section 6.1. If server's repsTo abstract attribute contains a tuple whose uuidDsa field contains the objectGUID of client's nTDSDSA object, server performs event-driven replication to client.

It remains to specify how a DC's repsTo abstract attribute is populated, and to specify the events that trigger event-driven replication. A DC's repsTo abstract attribute is populated as follows:

1. A DC server's repsTo abstract attribute is populated for event-driven replication to client if client's repsFrom tuple for server has the DRS_ADD_REF bit set in its replicaFlags field, and client calls the IDL_DRSGetNCChanges method on server during scheduled replication. The DC client sets the DRS_ADD_REF bit in Request.ulFlags on the scheduled call to IDL_DRSGetNCChanges on server ([MS-DRSR] section 4.1.10.4.1) and server updates repsTo for event-driven replication to client as a result ([MS-DRSR] section 4.1.10.5.2). Since the KCC running on client writes client's repsFrom, this behavior is controlled by the state of KCC objects as specified in section 6.2.

2. A DC server's repsTo abstract attribute is populated for event-driven replication to DC client if the IDL_DRSReplicaAdd method ([MS-DRSR] section 4.1.19.2) is called on client, specifying server as the replication source (either pmsgIn.V1.pszSourceDsaAddress or pmsgIn.V2.pszDsaSrc, depending upon the request version used). If IDL_DRSReplicaAdd adds a new tuple to client's repsFrom, it proceeds to call IDL_DRSUpdateRefs ([MS-DRSR] section 4.1.26.2) on server to update server's repsTo abstract attribute. Since IDL_DRSReplicaAdd is an RPC method, this behavior is controlled by any authorized requester of this method. Within Active Directory itself, IDL_DRSReplicaAdd is called by the KCC to maintain repsFrom.

On Thu, Oct 10, 2024 at 4:56 PM Adam Abramson <abramsona30 at gmail.com> wrote:
> I was running samba 4.21 as a domain controller and now I see this
> situation, I have empty outbound neighbors, but if you look from the
> windows side, then this is the difference between windows controllers and
> samba, for some reason the repsTo attribute is not filled, for example,
> the configuration context, although windows controllers have both
> attributes fully filled, although they are the same there are some on the
> site, I also attach screenshots
> https://ibb.co/kyMDMpR
> https://ibb.co/CKL5BL9
> https://ibb.co/fM4B3BV
> https://ibb.co/Pr9JhXG
> are there any thoughts on this?
>
> On Thu, Oct 10, 2024 at 3:11 PM Adam Abramson <abramsona30 at gmail.com> wrote:
>> it seems like I reduced the replication period to 15 minutes between
>> sites and everything was successful, all connections appeared, I will test
>> this behavior by creating another samba-based domain controller in a
>> separate site
>>
>> On Thu, Oct 10, 2024 at 2:13 PM Adam Abramson <abramsona30 at gmail.com> wrote:
>>> no, I did not try to run samba_kcc because there is no samba at the
>>> moment in this structure, I wanted to see how it would work in windows, but
>>> for some reason it does not work as I expect, ntds-connections did not
>>> appear from all sides and this is strange, I also tried to run repadmin /kcc
>>> Maybe I just don't understand something?
>>>
>>> On Thu, Oct 10, 2024 at 2:06 PM Christian Naumer via samba <samba at lists.samba.org> wrote:
>>>> Have you tried running "samba_kcc"? Just this command and nothing else.
>>>> For me it did create the topology.
>>>>
>>>> Regards
>>>>
>>>> Christian
>>>>
>>>> On 10.10.24 at 12:48, Adam Abramson via samba wrote:
>>>>> thanks for the video provided, I watched it, I didn't understand
>>>>> something very well, but still, as I understand it,
>>>>> in order for the sites to start communicating with each other,
>>>>> a linked site link is needed, and also if there is
>>>>> only one dc on the site, we tell him to act as bridgehead, which I
>>>>> did in the screenshots below, but this did not affect the creation of
>>>>> ntdsconnections, but as I understand it, replication somehow functions
>>>>> anyway, maybe there are some guesses why ntds connection is not being
>>>>> created?
>>>>>
>>>>> win2019-1 sites and services
>>>>> https://ibb.co/QMbFy4J
>>>>> https://ibb.co/7n28sZP
>>>>> https://ibb.co/gM2BC8r
>>>>> https://ibb.co/S3nfWfz
>>>>> https://ibb.co/dgMJs1h
>>>>> win2019-2 sites and services
>>>>> https://ibb.co/BngP67j
>>>>> https://ibb.co/FDRCxgB
>>>>>
>>>>> I am observing a discrepancy in the data
>>>>>
>>>>> On Thu, Oct 10, 2024 at 1:24 PM Adam Abramson <abramsona30 at gmail.com> wrote:
>>>>>> thanks for the video provided, I watched it, I didn't understand
>>>>>> something very well, but still, as I understand it, in order for the sites
>>>>>> to start communicating with each other, a linked site link is needed, and
>>>>>> also if there is only one dc on the site, we tell him to act as
>>>>>> bridgehead, which I did in the screenshots below, but this did not affect
>>>>>> the creation of ntdsconnections, but as I understand it, replication
>>>>>> somehow functions anyway, maybe there are some guesses why ntds connection
>>>>>> is not being created?
>>>>>>
>>>>>> On Thu, Oct 10, 2024 at 12:04 PM Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>>>>>
>>>>>>> On 10-10-2024 10:35, Adam Abramson via samba wrote:
>>>>>>>> it turns out that the main thing that is needed for replication is the
>>>>>>>> created connections? And everything else is already samba magic? I just
>>>>>>>> tried the same trick on the windows side and it seems like after some
>>>>>>>> time this attribute was still filled in, but I may be wrong, it turns out
>>>>>>>> that this is the norm for samba and should not interfere with full
>>>>>>>> functioning?
>>>>>>>
>>>>>>> This video from SambaXP 2024 explains how stuff gets replicated:
>>>>>>> https://www.youtube.com/watch?v=k2YIGSDkjOE
>>>>>>>
>>>>>>> - Kees.
>>>>>>>
>>>>>>>> On Thu, Oct 10, 2024 at 11:20 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
>>>>>>>>> On Wed, 9 Oct 2024 19:58:46 +0300
>>>>>>>>> Adam Abramson <abramsona30 at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> And how does replication occur if repsTo is not filled, does it turn
>>>>>>>>>> out that replication from a local DC should not occur to a remote DC
>>>>>>>>>> in another site, or am I not thinking about this quite correctly?
>>>>>>>>>>
>>>>>>>>> It is my understanding that replication does not rely on the repsTo
>>>>>>>>> attribute, there is deeper underlying code that carries this out, but
>>>>>>>>> if repsTo is set, then the DC will always replicate everything to the
>>>>>>>>> DC (which will be a local DC in its 'site') in that attribute before
>>>>>>>>> all others.
>>>>>>>>>
>>>>>>>>> Or I could just say it is magic ;-)
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
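As an added diagnostic for the discrepancy described above (this is not code from the thread or from Samba's own tooling), the script below reads a Samba DC's sam.ldb, decodes each repsFrom/repsTo value with Samba's python bindings (assumed installed; the sam.ldb path is an assumption) and reports, per partner, whether this DC set DRS_ADD_REF in its repsFrom tuple (MS-ADTS case 1, so the partner is expected to list this DC in its repsTo) and whether this DC itself holds an outbound repsTo tuple for that partner.

```python
import sys

DRS_ADD_REF = 0x00000004  # DRS_OPTIONS bit (MS-DRSR) named in the quoted MS-ADTS text


def decode_reps(blob):
    """Unpack one repsFrom/repsTo value into a dict (needs the samba python bindings)."""
    from samba.ndr import ndr_unpack          # assumed available on the DC
    from samba.dcerpc import drsblobs
    rep = ndr_unpack(drsblobs.repsFromToBlob, blob)
    ctr = rep.ctr
    dns = ctr.other_info.dns_name1 if rep.version == 2 else ctr.other_info.dns_name
    return {"uuidDsa": str(ctr.source_dsa_obj_guid), "dns": dns, "flags": ctr.replica_flags}


def compare_neighbours(reps_from, reps_to):
    """Pure logic over decoded tuples (runs without Samba).

    add_ref: this DC set DRS_ADD_REF towards the partner, so per MS-ADTS case 1
    the partner should hold a repsTo tuple for this DC.
    has_repsto: this DC holds a repsTo tuple for that partner (an outbound neighbour).
    """
    to_guids = {r["uuidDsa"] for r in reps_to}
    return {r["uuidDsa"]: {"dns": r["dns"],
                           "add_ref": bool(r["flags"] & DRS_ADD_REF),
                           "has_repsto": r["uuidDsa"] in to_guids}
            for r in reps_from}


def report(sam_ldb_url="/var/lib/samba/private/sam.ldb"):
    """Walk the three NC heads of a local Samba DC and print the comparison."""
    import ldb
    from samba.auth import system_session
    from samba.param import LoadParm
    from samba.samdb import SamDB
    samdb = SamDB(url=sam_ldb_url, session_info=system_session(), lp=LoadParm())
    for nc in (samdb.get_default_basedn(), samdb.get_config_basedn(),
               samdb.get_schema_basedn()):
        msg = samdb.search(nc, scope=ldb.SCOPE_BASE, attrs=["repsFrom", "repsTo"])[0]
        rf = [decode_reps(v) for v in msg.get("repsFrom", [])]
        rt = [decode_reps(v) for v in msg.get("repsTo", [])]
        print(f"== {nc}: {len(rf)} inbound, {len(rt)} outbound")
        for guid, n in compare_neighbours(rf, rt).items():
            print(f"   {n['dns']} {guid} DRS_ADD_REF={n['add_ref']} outbound={n['has_repsto']}")


if __name__ == "__main__":
    report(*sys.argv[1:])
```

Run it as root on the Samba DC; a partner shown with DRS_ADD_REF=True but absent from that partner's own repsTo (as seen with repadmin on the Windows side) is the case-1 path from the quoted text not completing.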
Rowland Penny
2024-Oct-11 09:59 UTC
[Samba] Problem with a domain controller that is located in a separate site
On Fri, 11 Oct 2024 12:12:17 +0300 Adam Abramson via samba <samba at lists.samba.org> wrote:
> I decided to look for something about the reps-to attribute and this
> is what I came across in ms ADTS, it turns out that the attribute
> should be filled in, but for some reason this does not happen in
> samba when one is on a separate site,
> who can I contact who is working on kcc? It seems to me that this is
> the problem there, Rowland, what do you think?
>

The thing is, according to this Microsoft page here:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/302391a9-f6e1-4c0c-a1b2-5604a42e982b
the 'repsTo' attribute is optional and, as far as I can find, is used to replicate to another DC in the same site, so if you don't have another DC in the same site, it should be empty (aka not there).

There are, as far as I can see, two types of replication, intersite and intrasite, the first just replicates to DCs in the same site and the other can replicate to any DC, no matter what site they are in.

However, I am nowhere near being an expert on this, so if you feel that Samba isn't doing what Windows does, then please feel free to open a bug report on the subject.

Rowland