thr3ads.net - samba - [Samba] Replication issue after rejoining a DC [Oct 2025]

If this information is useful, please help other people find it:
Share via:

Cedric Puchalver

2025-Oct-08 13:53 UTC

[Samba] Replication issue after rejoining a DC

Hello,

I have 2 Samba DCs running on two different sites. They are both running 
Samba compiled from source and I decided to use Samba from Debian 
Bookworm backports instead.

I demoted the DC that wasn't holding FSMO roles by following the wiki : 
https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC#Demoting_an_Online_Domain_Controller

I installed Samba packages from Debian repos and followed the wiki to 
join the domain again.

Everything went fine but when I started the freshly-joined DC I have 
errors in the log :

[2025/10/08 07:30:08.906866,? 1] 
source4/auth/gensec/gensec_gssapi.c:852(gensec_gssapi_update_internal)
 ? GSS server Update(krb5)(1) Update failed:? Miscellaneous failure (see 
text): Decrypt integrity check failed for checksum type 
hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2025/10/08 07:30:08.907110,? 0] 
source4/librpc/rpc/dcerpc_util.c:697(dcerpc_pipe_auth_recv)
 ? Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for 
ncacn_ip_tcp:192.168.20.5[49153,seal,krb5,target_hostname=e6af5447-965a-451b-8d60-3bef78100504._msdcs.season-of-mist.intranet,target_principal=GC/dc3.season-of-mist.intranet/season-of-mist.intranet,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.20.5]
NT_STATUS_UNSUCCESSFUL

It seems that the replication between DCs is failing.

samba-tool drs showrepl returns this on the DC that holds FSMO roles :

Default-First-Site-Name\DC3
DSA Options: 0x00000001
DSA object GUID: e6af5447-965a-451b-8d60-3bef78100504
DSA invocationId: f427c422-6111-417b-9885-f96405e956f4

==== INBOUND NEIGHBORS ===
DC=season-of-mist,DC=intranet
 ??????? Chaos-Theory\DC2 via RPC
 ??????????????? DSA object GUID: 2f2aee44-0eca-4ad1-9b77-d11d8d31e3eb
 ??????????????? Last attempt @ Wed Oct? 8 15:48:04 2025 CEST failed, 
result 1225 (WERR_CONNECTION_REFUSED)
 ??????????????? 30 consecutive failure(s).
 ??????????????? Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=season-of-mist,DC=intranet
 ??????? Chaos-Theory\DC2 via RPC
 ??????????????? DSA object GUID: 2f2aee44-0eca-4ad1-9b77-d11d8d31e3eb
 ??????????????? Last attempt @ Wed Oct? 8 15:48:04 2025 CEST failed, 
result 1225 (WERR_CONNECTION_REFUSED)
 ??????????????? 30 consecutive failure(s).
 ??????????????? Last success @ NTTIME(0)

DC=ForestDnsZones,DC=season-of-mist,DC=intranet
 ??????? Chaos-Theory\DC2 via RPC
 ??????????????? DSA object GUID: 2f2aee44-0eca-4ad1-9b77-d11d8d31e3eb
 ??????????????? Last attempt @ Wed Oct? 8 15:48:04 2025 CEST failed, 
result 1225 (WERR_CONNECTION_REFUSED)
 ??????????????? 30 consecutive failure(s).
 ??????????????? Last success @ NTTIME(0)

CN=Configuration,DC=season-of-mist,DC=intranet
 ??????? Chaos-Theory\DC2 via RPC
 ??????????????? DSA object GUID: 2f2aee44-0eca-4ad1-9b77-d11d8d31e3eb
 ??????????????? Last attempt @ Wed Oct? 8 15:48:04 2025 CEST failed, 
result 1225 (WERR_CONNECTION_REFUSED)
 ??????????????? 30 consecutive failure(s).
 ??????????????? Last success @ NTTIME(0)

DC=DomainDnsZones,DC=season-of-mist,DC=intranet
 ??????? Chaos-Theory\DC2 via RPC
 ??????????????? DSA object GUID: 2f2aee44-0eca-4ad1-9b77-d11d8d31e3eb
 ??????????????? Last attempt @ Wed Oct? 8 15:48:04 2025 CEST failed, 
result 1225 (WERR_CONNECTION_REFUSED)
 ??????????????? 30 consecutive failure(s).
 ??????????????? Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ===
==== KCC CONNECTION OBJECTS ===
Connection --
 ??????? Connection name: 6a7fe61b-d6d6-44b8-bc3a-b1a0a464e3bb
 ??????? Enabled??????? : TRUE
 ??????? Server DNS name : dc2.season-of-mist.intranet
 ??????? Server DN name? : CN=NTDS 
Settings,CN=DC2,CN=Servers,CN=Chaos-Theory,CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet
 ??????????????? TransportType: RPC
 ??????????????? options: 0x00000001
Warning: No NC replicated for Connection!

Here is the output of the same command on the "new" DC :

Chaos-Theory\DC2
DSA Options: 0x00000001
DSA object GUID: 2f2aee44-0eca-4ad1-9b77-d11d8d31e3eb
DSA invocationId: a8f75274-c493-4b23-87d4-fcba4a7d9a2f

==== INBOUND NEIGHBORS ===
DC=season-of-mist,DC=intranet
 ??????? Default-First-Site-Name\DC3 via RPC
 ??????????????? DSA object GUID: e6af5447-965a-451b-8d60-3bef78100504
 ??????????????? Last attempt @ Wed Oct? 8 07:30:08 2025 EDT failed, 
result 31 (WERR_GEN_FAILURE)
 ??????????????? 1 consecutive failure(s).
 ??????????????? Last success @ Wed Oct? 8 07:17:15 2025 EDT

CN=Schema,CN=Configuration,DC=season-of-mist,DC=intranet
 ??????? Default-First-Site-Name\DC3 via RPC
 ??????????????? DSA object GUID: e6af5447-965a-451b-8d60-3bef78100504
 ??????????????? Last attempt @ Wed Oct? 8 07:30:08 2025 EDT failed, 
result 31 (WERR_GEN_FAILURE)
 ??????????????? 1 consecutive failure(s).
 ??????????????? Last success @ Wed Oct? 8 07:17:06 2025 EDT

DC=ForestDnsZones,DC=season-of-mist,DC=intranet
 ??????? Default-First-Site-Name\DC3 via RPC
 ??????????????? DSA object GUID: e6af5447-965a-451b-8d60-3bef78100504
 ??????????????? Last attempt @ Wed Oct? 8 07:30:07 2025 EDT failed, 
result 31 (WERR_GEN_FAILURE)
 ??????????????? 1 consecutive failure(s).
 ??????????????? Last success @ Wed Oct? 8 07:17:22 2025 EDT

CN=Configuration,DC=season-of-mist,DC=intranet
 ??????? Default-First-Site-Name\DC3 via RPC
 ??????????????? DSA object GUID: e6af5447-965a-451b-8d60-3bef78100504
 ??????????????? Last attempt @ Wed Oct? 8 07:30:08 2025 EDT failed, 
result 31 (WERR_GEN_FAILURE)
 ??????????????? 1 consecutive failure(s).
 ??????????????? Last success @ Wed Oct? 8 07:17:10 2025 EDT

DC=DomainDnsZones,DC=season-of-mist,DC=intranet
 ??????? Default-First-Site-Name\DC3 via RPC
 ??????????????? DSA object GUID: e6af5447-965a-451b-8d60-3bef78100504
 ??????????????? Last attempt @ Wed Oct? 8 07:30:08 2025 EDT failed, 
result 31 (WERR_GEN_FAILURE)
 ??????????????? 1 consecutive failure(s).
 ??????????????? Last success @ Wed Oct? 8 07:17:21 2025 EDT

==== OUTBOUND NEIGHBORS ===
==== KCC CONNECTION OBJECTS ===
Connection --
 ??????? Connection name: 1b0cce3d-b8d7-4729-a6bd-81d1562e3058
 ??????? Enabled??????? : TRUE
 ??????? Server DNS name : dc3.season-of-mist.intranet
 ??????? Server DN name? : CN=NTDS 
Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet
 ??????????????? TransportType: RPC
 ??????????????? options: 0x00000001
Warning: No NC replicated for Connection!

Here is the smb.conf on the "rejoined" DC

# Global parameters
[global]
 ??????? netbios name = DC2
 ??????? realm = SEASON-OF-MIST.INTRANET
 ??????? server role = active directory domain controller
 ??????? workgroup = SEASON-OF-MIST
 ??????? idmap_ldb:use rfc2307? = yes
 ??????? # Kerberos settings
 ??????? kerberos method = secrets and keytab
 ??????? winbind refresh tickets = yes
 ??????? # DNS settings
 ??????? dns forwarder = 192.168.20.1
 ??????? # Logging settings
 ??????? log file = /var/log/samba/samba.log
 ??????? # TLS settings
 ??????? tls enabled = yes
 ? ?? ?? tls keyfile = /var/lib/samba/private/tls/myKey.pem
 ??????? tls certfile = /var/lib/samba/private/tls/myCert.pem
 ? ?? ?? tls cafile = /var/lib/samba/private/tls/myCA.pem
 ??????? # Disable CUPS
 ??????? load printers = no
 ??????? printing = cups
 ??????? printcap name = /dev/null
 ??????? disable spoolss = yes

[sysvol]
 ??????? path = /var/lib/samba/sysvol
 ??????? read only = No

[netlogon]
 ??????? path = /var/lib/samba/sysvol/season-of-mist.intranet/scripts
 ??????? read only = No

How can I fix it ?

Rowland Penny

2025-Oct-08 14:50 UTC

head link

[Samba] Replication issue after rejoining a DC

On Wed, 8 Oct 2025 15:53:43 +0200
Cedric Puchalver via samba <samba at lists.samba.org> wrote:
> Hello,
> 
> I have 2 Samba DCs running on two different sites. They are both
> running Samba compiled from source and I decided to use Samba from
> Debian Bookworm backports instead.
> 
> I demoted the DC that wasn't holding FSMO roles by following the wiki
> :
>
https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC#Demoting_an_Online_Domain_Controller
> 
> I installed Samba packages from Debian repos and followed the wiki to 
> join the domain again.
> 
> Everything went fine but when I started the freshly-joined DC I have 
> errors in the log :
> 
> [2025/10/08 07:30:08.906866,? 1] 
> source4/auth/gensec/gensec_gssapi.c:852(gensec_gssapi_update_internal)
>  ? GSS server Update(krb5)(1) Update failed:? Miscellaneous failure
> (see text): Decrypt integrity check failed for checksum type 
> hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
> [2025/10/08 07:30:08.907110,? 0] 
> source4/librpc/rpc/dcerpc_util.c:697(dcerpc_pipe_auth_recv)
>  ? Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for 
>
ncacn_ip_tcp:192.168.20.5[49153,seal,krb5,target_hostname=e6af5447-965a-451b-8d60-3bef78100504._msdcs.season-of-mist.intranet,target_principal=GC/dc3.season-of-mist.intranet/season-of-mist.intranet,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.20.5]
> NT_STATUS_UNSUCCESSFUL
When were these log messages created ? Was it shortly after the New DC
was started or quite sometime later ?
When a new DC is joined, quite a few of the required dns records do not
exist and will not until Samba runs a script called samba_dnsupdate,
this is what creates them.

To put it another way, if you rerun 'samba-tool drs showrepl', do you
still get the errors ?

Rowland

samba - Oct 2025 - Replication issue after rejoining a DC

[Samba] Replication issue after rejoining a DC

[Samba] Replication issue after rejoining a DC