similar to: AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging

On Wed, 27 Dec 2017 13:00:05 +0100 "Dr. Johannes-Ulrich Menzebach via samba" <samba at lists.samba.org> wrote: > There is additional info in the logs of the source DC (dcdo1, log > level 2, manually triggered another replication): > ==================== > [2017/12/27 12:31:29.695121,  2] >

Hi, i have the same problem on samba 4.7.3 and 4.7.4. I start with 2 DCs and the sync works fine. After the join of a third DC mostly i get the WERR_DS_DRA_ACCESS_DENIED. I tested it for 10 times. in my case i have: DC1 (with any FSMO Roles) DC2 new join as DC: DC3 After the join, the sync from DC2 to DC3 fails. samba-tool drs replicate dc2 dc1 dc=gvcc,dc=net : OK samba-tool drs replicate

Heinz, I had exactly the same problem, and used ldbedit to apply the fix. Thanks for digging into this! Now I'm interested in the root cause as well ... Uli Am 16.01.2018 um 16:48 schrieb Heinz Hölzl via samba: > no, it seems to work!!! > > > i did a ldapmodify on DC2: > > ldapmodify -x -h dc2 -D cn=administrator,cn=users,dc=test,dc=net -W -f > serverReference.ldif

Hi, there is no firewall, all DCs are in the same subnet. here ist the output of a test, you can see, the CNAME guid entries in the _msdcs can be resolved on any DC: (DC1 and DC2 are the first and second DCs, SAMBA3 was added at last. ldbsearch -H /srv/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid # record 1 dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-

There is additional info in the logs of the source DC (dcdo1, log level 2, manually triggered another replication): ==================== [2017/12/27 12:31:29.695121,  2] ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)   ../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on DC=ad,DC=kdu,DC=com using filter (uSNChanged>=5415) [2017/12/27

Rowland, - the DN "CN=DCNH1,..." exists on all 3 DCs (pointing the Sites and Services console to each of them). - I also checked that "samba-tool dbcheck" completes w/o showing errors. - the objectGUID DNS aliases of all DCs are resolvable against all 3 DCs' builtin DNS - I forced a full sync from the FSMO holder (dcge1) to the 2 other DCs which finished w/o errors. -

Hi Heinz, > i have the same problem on samba 4.7.3 and 4.7.4. > I start with 2 DCs and the sync works fine. After the join of a third > DC mostly i get the WERR_DS_DRA_ACCESS_DENIED. I tested it for 10 > times. > > in my case i have: > DC1 (with any FSMO Roles) > DC2 > > new join as DC: > DC3 > > After the join, the sync from DC2 to DC3 fails. > >

no, it seems to work!!! i did a ldapmodify on DC2: ldapmodify -x -h dc2 -D cn=administrator,cn=users,dc=test,dc=net -W -f serverReference.ldif serverReference.ldif: dn: CN=SAMBA3,CN=Servers,CN=Default-First- SiteName,CN=Sites,CN=Configuration,DC=test,DC=net changetype: modify add: serverReference serverReference: CN=SAMBA3,OU=Domain Controllers,DC=test,DC=net - now the question: Why the

on DC2 in the log i found: ./source4/dsdb/common/util.c:4807: Failed to find account dn (serverReference) for CN=SAMBA3,CN=Servers,CN=Default-First-Site- Name,CN=Sites,CN=Configuration,DC=test,DC=net, parent of DSA with objectGUID c01a335e-1794-4997-9c7e-553be77fba04, sid S-1-5-21- 1608159440-4144762864-1017073214-18962 ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs

Hi Heinz and Johannes, > I had exactly the same problem, and used ldbedit to apply the fix. > Thanks for digging into this! > > Now I'm interested in the root cause as well ... I just had a client calling with a replication issue due to the exact same error. The domain was initially build on 4.7.1, upgraded to 4.7.3, and it was also missing the serverReference attribute on one

Same error here... root at samba01:~# samba-tool ldapcmp ldap://samba01 ldap://samba02 -Uadministrator --filter=CN,DC,member CONFIGURATION Password for [LAURENZ\administrator]: * Comparing [CONFIGURATION] context... * Objects to be compared: 1631 Comparing: 'CN=SAMBA03,CN=Servers,CN=Harz,CN=Sites,CN=Configuration,DC=local,DC=laurenz,DC=ws' [ldap://samba01]

Hi, I had Samba 4.2.14 working as AD DC with shares. After upgrade to version 4.3.11 AD DC authentication, ADUC, etc, stopped working. Shares still work fine. OS. Oracle Linux 6.x with UEK, uptodate. Samba compiled from source. Upgrade procedure (nothing special): ./configure --enable-selftest make make install Testparm output: # Global parameters [global] workgroup = EXAMPLE realm =

Hi, I have a problem with samba / winbind PAM authentication. Domain controller is samba4, machines users log on to via PAM are samba 3.6 (all of them ubuntu 12.04 LTS). The whole user authentication was working already, but after a reboot it somehow broke. Additional reboots don't help. The funny thing is that all logs look quite OK to me (except for the single line saying

Hi all, when i try to authenticate against my AD (rdesktop authentication) i got a wrong password/logname message despite my logname and password being exact , in the log i have the following . Nothing wrong for me. the only strange thing being the : stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -

Hi, I'm trying to setup the following configuration but encounter a problem. I'm not sure if it's a normal behavior for samba 4. I have a smartcard provided with a user principal name looking like serial_number at domain. The serial number is in the form of 0000-0000-0000-0000. The domain, let's say "upn.example.com", doesn't match my Samba Realm, that would be

I migrated over a Samba 3/LDAP domain to Samba 4 in a test environment. After a few bumps due to not having all my machine accounts as posixAccounts and clashing user/group names, the migration went relatively smoothly. Great work, Samba team! I have a few standing issues that I haven't been able to shake out: 1. wbinfo returns various errors when run on the DC. wbinfo -D MYDOMAIN returns a

Hi, I'm not able to join a windows XP machine in samba AD DC. This XP machine is a VM. No problems when joining Windows 10 machines to this DC. On XP machine, after inserting the Administrator username\password to join the domain, the error message is - error while attempting to join the domain "VIDROESTE.IND": Internal error. I can see that the XP machine account was created in AD

Dear Group I have few errors while installing package rattle from CRAN i do the installing from the local zip files... I am using R 2.4.0 do i have to upgrade to R2.4.1 ? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ utils:::menuInstallLocal() package 'rattle' successfully unpacked and MD5 sums checked updating HTML package descriptions > help(rattle) No

Rowland, it was a typo. Sorry, I paste the smb.conf twice. I changed the smb.conf as you proposed, so: dns forwarder removed - yes it's in named.conf, and ntlm auth / lanman auth removed. I also checked the NTLMv2 configuration in windows XP. But the error is still there. I guess it's MIT as saw this in log: /usr/lib/mit/sbin/krb5kdc: kerberos: 10 But how can I confirm which kerberos

Hi, we are testing a new AD domain that will replace our old NT4 one, and we are setting up a new cifs vserver of our Netapp filer (running Clustered Dataontap 9.2). The new AD domain was a clean deployment created using "samba-tool domain provision --server-role=dc --use-rfc2307 ...". All seems to work well and the Netapp filer joins the domain without errors and seems to run fine.