Domain joined after standard samba4 domain as DC docu used:

root@ad1:samba# samba-tool domain join ADS.SAMPLE.DOM DC -Uadministrator --realm=ADS.SAMPLE.DOM --dns-backend=BIND9_DLZ --site=AD1
Finding a writeable DC for domain 'ADS.SAMPLE.DOM'
Found DC samba4-ad2.ads.sample.dom
Password for [WORKGROUP\administrator]:
workgroup is ADS
realm is ads.sample.dom
checking sAMAccountName
Deleted CN=AD1,OU=Domain Controllers,DC=ads,DC=sample,DC=dom
Deleted CN=dns-AD1,CN=Users,DC=ads,DC=sample,DC=dom
Deleted CN=NTDS Settings,CN=AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=sample,DC=dom
Deleted CN=AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=sample,DC=dom
Adding CN=AD1,OU=Domain Controllers,DC=ads,DC=sample,DC=dom
Adding CN=AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=sample,DC=dom
Adding CN=NTDS Settings,CN=AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=sample,DC=dom
Adding SPNs to CN=AD1,OU=Domain Controllers,DC=ads,DC=sample,DC=dom
Setting account password for AD1$
Enabling account
Adding DNS account CN=dns-AD1,CN=Users,DC=ads,DC=sample,DC=dom with dns/ SPN
Setting account password for dns-AD1
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=ads,DC=sample,DC=dom
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=ads,DC=sample,DC=dom] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=ads,DC=sample,DC=dom] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=ads,DC=sample,DC=dom] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=ads,DC=sample,DC=dom] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=ads,DC=sample,DC=dom] objects[402/1626] linked_values[0/0]
Partition[CN=Configuration,DC=ads,DC=sample,DC=dom] objects[804/1626] linked_values[0/0]
Partition[CN=Configuration,DC=ads,DC=sample,DC=dom] objects[1206/1626] linked_values[0/0]
Partition[CN=Configuration,DC=ads,DC=sample,DC=dom] objects[1608/1626] linked_values[0/0]
Partition[CN=Configuration,DC=ads,DC=sample,DC=dom] objects[1626/1626] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=ads,DC=sample,DC=dom] objects[98/98] linked_values[23/0]
Partition[DC=ads,DC=sample,DC=dom] objects[373/275] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=ads,DC=sample,DC=dom
Partition[DC=DomainDnsZones,DC=ads,DC=sample,DC=dom] objects[63/63] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=ads,DC=sample,DC=dom
Partition[DC=ForestDnsZones,DC=ads,DC=sample,DC=dom] objects[21/21] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=ads,DC=sample,DC=dom] objects[42/21] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain ADS (SID S-1-5-21-3664771823-1641098865-1791846405) as a DC

resulted in:

root@ad1:samba# samba-tool drs showrepl
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to ad1.ads.sample.dom failed - drsException: DRS connection to ad1.ads.sample.dom failed: (8, 'WERR_NOMEM')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib64/python2.6/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
root@ad1:samba# samba-tool dbcheck --cross-nc
Checking 3535 objects
Checked 3535 objects (0 errors)
root@ad1:samba#

expected result: Joined domain sample.dom as ad1 and sitename site1
second error exception:
- domain cleanup, including full cleanup of /var/lib/samba/
- resetup master ads using sernet-samba
- join vpn based ads site as DC using sernet-samba

Cause error:

$ # samba-tool drs showrepl
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to ad1.ads.sample.dom failed - drsException: DRS connection to ad1.ads.sample.dom failed: (8, 'WERR_NOMEM')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib64/python2.6/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))

expected results:
- no samba4 restart required
- samba-tool drs showrepl with clean output

TEMP FIX: samba4 restart required
samba-tool drs bind
Bind to ad1.ads.sample.dom succeeded.
Extensions supported:
  DRSUAPI_SUPPORTED_EXTENSION_BASE : Yes (DRS_EXT_BASE)
  DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION : Yes (DRS_EXT_ASYNCREPL)
  DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI : Yes (DRS_EXT_REMOVEAPI)
  DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2 : Yes (DRS_EXT_MOVEREQ_V2)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS : No (DRS_EXT_GETCHG_DEFLATE)
  DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1 : Yes (DRS_EXT_DCINFO_V1)
  DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION : Yes (DRS_EXT_RESTORE_USN_OPTIMIZATION)
  DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY : No (DRS_EXT_ADDENTRY)
  DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE : Yes (DRS_EXT_KCC_EXECUTE)
  DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2 : Yes (DRS_EXT_ADDENTRY_V2)
  DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION : Yes (DRS_EXT_LINKED_VALUE_REPLICATION)
  DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2 : Yes (DRS_EXT_DCINFO_V2)
  DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD : Yes (DRS_EXT_INSTANCE_TYPE_NOT_REQ_ON_MOD)
  DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND : Yes (DRS_EXT_CRYPTO_BIND)
  DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO : Yes (DRS_EXT_GET_REPL_INFO)
  DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION : Yes (DRS_EXT_STRONG_ENCRYPTION)
  DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01 : Yes (DRS_EXT_DCINFO_VFFFFFFFF)
  DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP : Yes (DRS_EXT_TRANSITIVE_MEMBERSHIP)
  DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY : Yes (DRS_EXT_ADD_SID_HISTORY)
  DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3 : Yes (DRS_EXT_POST_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5 : Yes (DRS_EXT_GETCHGREQ_V5)
  DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2 : Yes (DRS_EXT_GETMEMBERSHIPS2)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6 : Yes (DRS_EXT_GETCHGREQ_V6)
  DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS : Yes (DRS_EXT_NONDOMAIN_NCS)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8 : Yes (DRS_EXT_GETCHGREQ_V8)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5 : Yes (DRS_EXT_GETCHGREPLY_V5)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6 : Yes (DRS_EXT_GETCHGREPLY_V6)
  DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3 : Yes (DRS_EXT_WHISTLER_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7 : Yes (DRS_EXT_WHISTLER_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT : Yes (DRS_EXT_WHISTLER_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS : No (DRS_EXT_W2K3_DEFLATE)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10 : Yes (DRS_EXT_GETCHGREQ_V10)
  DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2 : No (DRS_EXT_RESERVED_FOR_WIN2K_OR_DOTNET_PART2)
  DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3 : No (DRS_EXT_RESERVED_FOR_WIN2K_OR_DOTNET_PART3)
Site GUID: ba489383-78f8-48d9-ad73-297b81061b13
Repl epoch: 0
root@ad1:samba#
root@ad1:samba# samba-tool drs showrepl
Default-First-Site-Name\AD1
DSA Options: 0x00000001
DSA object GUID: f6ec238f-f9d3-4791-909e-a7d3b1ebb671
DSA invocationId: 8b3e18a6-595c-4b93-a612-68cc9889fee8

==== INBOUND NEIGHBORS ====

DC=ads,DC=sample,DC=dom
        Default-First-Site-Name\SAMBA4-AD2 via RPC
                DSA object GUID: 7e08b677-3db9-4114-982e-cb070b5792bc
                Last attempt @ Sun Nov 23 18:52:10 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov 23 18:52:10 2014 CET

DC=DomainDnsZones,DC=ads,DC=sample,DC=dom
        Default-First-Site-Name\SAMBA4-AD2 via RPC
                DSA object GUID: 7e08b677-3db9-4114-982e-cb070b5792bc
                Last attempt @ Sun Nov 23 18:52:14 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov 23 18:52:14 2014 CET

CN=Configuration,DC=ads,DC=sample,DC=dom
        Default-First-Site-Name\SAMBA4-AD2 via RPC
                DSA object GUID: 7e08b677-3db9-4114-982e-cb070b5792bc
                Last attempt @ Sun Nov 23 18:51:44 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov 23 18:51:44 2014 CET

DC=ForestDnsZones,DC=ads,DC=sample,DC=dom
        Default-First-Site-Name\SAMBA4-AD2 via RPC
                DSA object GUID: 7e08b677-3db9-4114-982e-cb070b5792bc
                Last attempt @ Sun Nov 23 18:52:17 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov 23 18:52:17 2014 CET

CN=Schema,CN=Configuration,DC=ads,DC=sample,DC=dom
        Default-First-Site-Name\SAMBA4-AD2 via RPC
                DSA object GUID: 7e08b677-3db9-4114-982e-cb070b5792bc
                Last attempt @ Sun Nov 23 18:50:26 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov 23 18:50:26 2014 CET

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====
Tested on a samba 4.1.17, with sitenames, and this does work for me.
Looking at your error again: 'WERR_NOMEM'. Add more RAM to your DC, or you found a memory leak. So yes, restarting samba explains why it's working again.
I wouldn't put too much weight on the WERR_NOMEM part of this. We report this on many things that fail, not just out of memory.
(In reply to Louis from comment #5) A VM with 4G RAM is sufficient enough for less than 100 user objects. Adding more RAM is an insufficient path, as before the same happened with 1G RAM. Adding even more, i.e. 16G, is the wrong path for a DC without any load.
@Louis have a look at the memory allocation in bind_dlz / kcc / kdc; this happened on my VMs too, on a freshly installed DC.
I'm also running into this error. One of my DCs suddenly showed

Last attempt @ Sat Dec 12 20:41:09 2015 CET failed, result 8 (WERR_NOMEM)

for all its NCs on all other DCs.

On the affected DC:

samba-tool drs showrepl
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to logon-server.domain.local failed - drsException: DRS connection to logon-server.domain.local failed: (-1073741801, 'Memory allocation error')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))

Also, I cannot connect to the server with ldap-utils and GSS authentication.

On working DCs:

kinit Administrator
ldapwhoami
SASL/GSSAPI authentication started
SASL username: Administrator@DOMAIN.LOCAL
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
        additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported
Result: Protocol error (2)
Additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported

On the affected DC:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

So I assume some Kerberos SPN issue causes all this. I had tried to connect a new DC, which also shows the above issues. I tried to clean up the AD database manually, removing all occurrences of the faulty server in DNS and LDAP (with adsi); "samba-tool domain demote" did not work and also fails with a memory error. The VM has 1GB; I raised it to 4GB but it made no difference. Also, in my case a restart does not fix the issue temporarily.
I use debian wheezy with sernet samba 4.1.21 packages.
Figured it out. I have ipv6 disabled via the kernel parameter ipv6.disable=1. This results in:

samba.log
Failed to bind to ipv6::::389 - NT_STATUS_INVALID_PARAMETER_MIX
[2015/12/12 21:44:04.845672, 0] ../source4/kdc/kdc.c:672(kdc_add_socket)
  Failed to bind to :::88 TCP - NT_STATUS_INVALID_PARAMETER_MIX
[2015/12/12 21:44:04.872710, 0] ../source4/kdc/kdc.c:672(kdc_add_socket)
  Failed to bind to :::464 TCP - NT_STATUS_INVALID_PARAMETER_MIX
[2015/12/12 21:44:04.905467, 0] ../lib/util/become_daemon.c:136(daemon_ready)
[2015/12/12 21:44:04.943766, 0] ../source4/dns_server/dns_server.c:629(dns_add_socket)
  Failed to bind to :::53 TCP - NT_STATUS_INVALID_PARAMETER_MIX
[2015/12/12 21:44:05.642494, 0] ../source4/ldap_server/ldap_server.c:821(add_socket)
  ldapsrv failed to bind to :::389 - NT_STATUS_INVALID_PARAMETER_MIX

Once I add

interfaces = eth0 lo
bind interfaces only = yes

these errors go away and replication starts to work.
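
Added example, not part of the original comments and not Samba project code: a Python check for the condition identified in the last comment, which pairs wildcard IPv6 ("::") listener bind failures in samba.log with the "interfaces" / "bind interfaces only" settings in smb.conf. The log lines and smb.conf fragments are constructed after the shapes quoted above, and the names bind_failures, global_params and diagnose are hypothetical.

```python
import re
# Constructed sample input, shaped like the samba.log lines quoted in the comment above.
SAMPLE_LOG = """\
[2015/12/12 21:44:04.845672,  0] ../source4/kdc/kdc.c:672(kdc_add_socket)
  Failed to bind to :::88 TCP - NT_STATUS_INVALID_PARAMETER_MIX
[2015/12/12 21:44:04.943766,  0] ../source4/dns_server/dns_server.c:629(dns_add_socket)
  Failed to bind to :::53 TCP - NT_STATUS_INVALID_PARAMETER_MIX
[2015/12/12 21:44:05.642494,  0] ../source4/ldap_server/ldap_server.c:821(add_socket)
  ldapsrv failed to bind to :::389 - NT_STATUS_INVALID_PARAMETER_MIX
"""
# Constructed smb.conf fragments: before and after the change described in the comment.
CONF_BEFORE = "[global]\n\trealm = DOMAIN.LOCAL\n"
CONF_AFTER = CONF_BEFORE + "\tinterfaces = eth0 lo\n\tbind interfaces only = yes\n"
HEADER = re.compile(r"^\[[^\]]+\]\s+\S+\((\w+)\)")  # "[timestamp, level] file.c:line(function)"
BIND_FAIL = re.compile(r"failed to bind to (\S*):(\d+)\b.*?-\s*(NT_STATUS_\w+)", re.I)

def bind_failures(log_text):
    """Return (function, address, port, status) for each failed listener bind."""
    found, func = [], None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            func = header.group(1)  # the message body follows on the next line
            continue
        hit = BIND_FAIL.search(line)
        if hit:
            found.append((func, hit.group(1), int(hit.group(2)), hit.group(3)))
    return found

def global_params(conf_text):
    """Parse [global] of an smb.conf into a dict; names lower-cased, spacing normalised."""
    params, section = {}, None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def diagnose(log_text, conf_text):
    """Report wildcard-IPv6 bind failures and whether smb.conf pins the listeners."""
    wildcard = [f for f in bind_failures(log_text) if f[1] == "::"]
    conf = global_params(conf_text)
    pinned = conf.get("bind interfaces only", "no").lower() in ("yes", "true", "1") and bool(conf.get("interfaces"))
    return {"failed_ports": sorted({f[2] for f in wildcard}),
            "interfaces_pinned": pinned, "needs_fix": bool(wildcard) and not pinned}
```

Here needs_fix means the log shows "::" bind failures while smb.conf does not yet restrict the listeners; after the change, check a log written since the restart to confirm the failures are gone.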