thr3ads.net - samba - [Samba] Replication issue after rejoining a DC [Oct 2025]

If this information is useful, please help other people find it:
Share via:

Luis Peromarta

2025-Oct-09 07:40 UTC

[Samba] Replication issue after rejoining a DC

Hi there,

Just as a precaution, and in order to double check all steps, please see this
and make sure you did not miss any step.

http://samba.bigbird.es/doku.php?id=samba:aditional-dc

On Oct 9, 2025 at 08:04 +0100, Cedric Puchalver via samba <samba at
lists.samba.org>, wrote:> Le 08/10/2025 ? 16:50, Rowland Penny via samba a ?crit?:
> > On Wed, 8 Oct 2025 15:53:43 +0200
> > Cedric Puchalver via samba <samba at lists.samba.org> wrote:
> >
> > > Hello,
> > >
> > > I have 2 Samba DCs running on two different sites. They are both
> > > running Samba compiled from source and I decided to use Samba
from
> > > Debian Bookworm backports instead.
> > >
> > >

Cedric Puchalver

2025-Oct-09 09:16 UTC

head link

[Samba] Replication issue after rejoining a DC

Le 09/10/2025 ? 09:40, Luis Peromarta via samba a
?crit?:> Hi there,
>
> Just as a precaution, and in order to double check all steps, please see
> this and make sure you did not miss any step.
>
> http://samba.bigbird.es/doku.php?id=samba:aditional-dc
>
> On Oct 9, 2025 at 08:04 +0100, Cedric Puchalver via samba
> <samba at lists.samba.org>, wrote:
>> Le 08/10/2025 ? 16:50, Rowland Penny via samba a ?crit :
>>> On Wed, 8 Oct 2025 15:53:43 +0200
>>> Cedric Puchalver via samba<samba at lists.samba.org> wrote:
>>>
>>>> Hello,
>>>>
>>>> I have 2 Samba DCs running on two different sites. They are
both
>>>> running Samba compiled from source and I decided to use Samba
from
>>>> Debian Bookworm backports instead.
>>>>
>>>>Hi Luis,

I double-checked all the steps and I didn't miss any.

When testing the AD replication, the command samba-tool visualize 
uptodateness -rS --utf8 returns an error :

Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -? <8009030C: 
LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, 
v1db1> <>
Failed to connect to 'ldap://dc3.season-of-mist.intranet' with backend 
'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: 
DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1>
<>
Could not contact ldap://dc3.season-of-mist.intranet ((49, 'LDAP error 
49 LDAP_INVALID_CREDENTIALS -? <8009030C: LdapErr: DSID-0C0904DC, 
comment: AcceptSecurityContext error, data 52e, v1db1> <>'))
missing dn 
CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet
from UTD vector list
missing dn 
CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet
from UTD vector list
ERROR(<class 'KeyError'>): uncaught exception - 
'CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet'
 ? File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
line
356, in _run
 ??? return self.run(*args, **kwargs)
 ?????????? ^^^^^^^^^^^^^^^^^^^^^^^^^
 ? File "/usr/lib/python3/dist-packages/samba/netcmd/visualize.py",
line
685, in run
 ??? s = full_matrix(distances,
 ??????? ^^^^^^^^^^^^^^^^^^^^^^
 ? File "/usr/lib/python3/dist-packages/samba/graph.py", line 725, in 
full_matrix
 ??? rows2[vmap[vert]] = dict((vmap[k], v) for k, v in r.items())
 ??????????????????????? ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 ? File "/usr/lib/python3/dist-packages/samba/graph.py", line 725, in 
<genexpr>
 ??? rows2[vmap[vert]] = dict((vmap[k], v) for k, v in r.items())

Then I decided to ping dc3 (which IP address is 192.168.10.5) 
supprisingly it was pinging 192.168.20.5 :

PING dc3.season-of-mist.intranet (192.168.20.5) 56(84) bytes of data.
64 bytes from dc2.season-of-mist.intranet (192.168.20.5): icmp_seq=1 
ttl=64 time=0.023 ms
64 bytes from dc2.season-of-mist.intranet (192.168.20.5): icmp_seq=2 
ttl=64 time=0.045 ms
64 bytes from dc2.season-of-mist.intranet (192.168.20.5): icmp_seq=3 
ttl=64 time=0.031 ms

The command host -t A dc3.season-of-mist.intranet returns :

host -t A dc3.season-of-mist.intranet
dc3.season-of-mist.intranet has address 192.168.10.5
dc3.season-of-mist.intranet has address 192.168.20.5

Obviously wrong...

The AD replication seems fine after deleting the wrong A record for DC3.

samba-tool drs showrepl shows no error. Same for samba-tool dbcheck 
--cross-ncs

I ran samba-tool visualize uptodateness -rS --utf8 and to be honest I 
don't know how to interpret the result :


DOMAIN

 ??????????????????????????????????????????????? out-of-date-ness
 ?????????????????????????????????????? ???????? 
CN=DC3,**,CN=Default-First-Site-Name+
 ?????????????????????????????????? DC? ?? ????? CN=DC2,**,CN=Chaos-Theory+
CN=DC3,**,CN=Default-First-Site-Name+? ? 13
 ?????????? CN=DC2,**,CN=Chaos-Theory+ 16? ?

'**' stands for 'CN=Servers'
'+' stands for
',CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet'

CONFIGURATION

 ??????????????????????????????????????????????? out-of-date-ness
 ?????????????????????????????????????? ???????? 
CN=DC3,**,CN=Default-First-Site-Name+
 ?????????????????????????????????? DC? ?? ????? CN=DC2,**,CN=Chaos-Theory+
CN=DC3,**,CN=Default-First-Site-Name+? ? 13
 ?????????? CN=DC2,**,CN=Chaos-Theory+ 16? ?

'**' stands for 'CN=Servers'
'+' stands for
',CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet'

SCHEMA

 ??????????????????????????????????????????????? out-of-date-ness
 ?????????????????????????????????????? ???????? 
CN=DC3,**,CN=Default-First-Site-Name+
 ?????????????????????????????????? DC? ?? ????? CN=DC2,**,CN=Chaos-Theory+
CN=DC3,**,CN=Default-First-Site-Name+? ? 13
 ?????????? CN=DC2,**,CN=Chaos-Theory+ 16? ?

'**' stands for 'CN=Servers'
'+' stands for
',CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet'

DNSDOMAIN

 ??????????????????????????????????????????????? out-of-date-ness
 ?????????????????????????????????????? ???????? 
CN=DC3,**,CN=Default-First-Site-Name+
 ?????????????????????????????????? DC? ?? ????? CN=DC2,**,CN=Chaos-Theory+
CN=DC3,**,CN=Default-First-Site-Name+? ? 13
 ?????????? CN=DC2,**,CN=Chaos-Theory+? 0? ?

'**' stands for 'CN=Servers'
'+' stands for
',CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet'

DNSFOREST

 ??????????????????????????????????????????????? out-of-date-ness
 ?????????????????????????????????????? ???????? 
CN=DC3,**,CN=Default-First-Site-Name+
 ?????????????????????????????????? DC? ?? ????? CN=DC2,**,CN=Chaos-Theory+
CN=DC3,**,CN=Default-First-Site-Name+? ? 13
 ?????????? CN=DC2,**,CN=Chaos-Theory+ 16? ?

'**' stands for 'CN=Servers'
'+' stands for
',CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet'

samba - Oct 2025 - Replication issue after rejoining a DC

[Samba] Replication issue after rejoining a DC

[Samba] Replication issue after rejoining a DC