second error exeption :

- domain cleanup include full cleanup /var/lib/samba/
- resetup master ads using sernet-samba
- join vpn based ads site as DC  using sernet-samba

Cause error :

 $ # samba-tool drs showrepl                                                                                  ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to ad1.ads.sample.dom failed - drsException: DRS connection to ad1.ads.sample.dom failed: (8, 'WERR_NOMEM')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib64/python2.6/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))

expected results : 
                  - no samba4 restart required
                  - samba-tool drs showrepl   with clean output


TEMP FIX : samba4 restart required

samba-tool drs bind
Bind to ad1.ads.sample.dom succeeded.
Extensions supported:
  DRSUAPI_SUPPORTED_EXTENSION_BASE                            : Yes (DRS_EXT_BASE)
  DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION               : Yes (DRS_EXT_ASYNCREPL)
  DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI                       : Yes (DRS_EXT_REMOVEAPI)
  DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2                      : Yes (DRS_EXT_MOVEREQ_V2)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS                 : No  (DRS_EXT_GETCHG_DEFLATE)
  DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1                       : Yes (DRS_EXT_DCINFO_V1)
  DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION        : Yes (DRS_EXT_RESTORE_USN_OPTIMIZATION)
  DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY                        : No  (DRS_EXT_ADDENTRY)
  DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE                     : Yes (DRS_EXT_KCC_EXECUTE)
  DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2                     : Yes (DRS_EXT_ADDENTRY_V2)
  DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION        : Yes (DRS_EXT_LINKED_VALUE_REPLICATION)
  DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2                       : Yes (DRS_EXT_DCINFO_V2)
  DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD    : Yes (DRS_EXT_INSTANCE_TYPE_NOT_REQ_ON_MOD)
  DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND                     : Yes (DRS_EXT_CRYPTO_BIND)
  DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO                   : Yes (DRS_EXT_GET_REPL_INFO)
  DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION               : Yes (DRS_EXT_STRONG_ENCRYPTION)
  DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01                      : Yes (DRS_EXT_DCINFO_VFFFFFFFF)
  DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP           : Yes (DRS_EXT_TRANSITIVE_MEMBERSHIP)
  DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY                 : Yes (DRS_EXT_ADD_SID_HISTORY)
  DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3                      : Yes (DRS_EXT_POST_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5                    : Yes (DRS_EXT_GETCHGREQ_V5)
  DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2                : Yes (DRS_EXT_GETMEMBERSHIPS2)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6                    : Yes (DRS_EXT_GETCHGREQ_V6)
  DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS                   : Yes (DRS_EXT_NONDOMAIN_NCS)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8                    : Yes (DRS_EXT_GETCHGREQ_V8)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5                  : Yes (DRS_EXT_GETCHGREPLY_V5)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6                  : Yes (DRS_EXT_GETCHGREPLY_V6)
  DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3                : Yes (DRS_EXT_WHISTLER_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7                  : Yes (DRS_EXT_WHISTLER_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT                   : Yes (DRS_EXT_WHISTLER_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS                 : No  (DRS_EXT_W2K3_DEFLATE)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10                   : Yes (DRS_EXT_GETCHGREQ_V10)
  DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2                  : No  (DRS_EXT_RESERVED_FOR_WIN2K_OR_DOTNET_PART2)
  DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3                  : No  (DRS_EXT_RESERVED_FOR_WIN2K_OR_DOTNET_PART3)

Site GUID: ba489383-78f8-48d9-ad73-297b81061b13
Repl epoch: 0
root@ad1:samba#

root@ad1:samba# samba-tool drs showrepl
Default-First-Site-Name\AD1
DSA Options: 0x00000001
DSA object GUID: f6ec238f-f9d3-4791-909e-a7d3b1ebb671
DSA invocationId: 8b3e18a6-595c-4b93-a612-68cc9889fee8

==== INBOUND NEIGHBORS ====

DC=ads,DC=sample,DC=dom
        Default-First-Site-Name\SAMBA4-AD2 via RPC
                DSA object GUID: 7e08b677-3db9-4114-982e-cb070b5792bc
                Last attempt @ Sun Nov 23 18:52:10 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov 23 18:52:10 2014 CET

DC=DomainDnsZones,DC=ads,DC=sample,DC=dom
        Default-First-Site-Name\SAMBA4-AD2 via RPC
                DSA object GUID: 7e08b677-3db9-4114-982e-cb070b5792bc
                Last attempt @ Sun Nov 23 18:52:14 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov 23 18:52:14 2014 CET

CN=Configuration,DC=ads,DC=sample,DC=dom
        Default-First-Site-Name\SAMBA4-AD2 via RPC
                DSA object GUID: 7e08b677-3db9-4114-982e-cb070b5792bc
                Last attempt @ Sun Nov 23 18:51:44 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov 23 18:51:44 2014 CET

DC=ForestDnsZones,DC=ads,DC=sample,DC=dom
        Default-First-Site-Name\SAMBA4-AD2 via RPC
                DSA object GUID: 7e08b677-3db9-4114-982e-cb070b5792bc
                Last attempt @ Sun Nov 23 18:52:17 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov 23 18:52:17 2014 CET

CN=Schema,CN=Configuration,DC=ads,DC=sample,DC=dom
        Default-First-Site-Name\SAMBA4-AD2 via RPC
                DSA object GUID: 7e08b677-3db9-4114-982e-cb070b5792bc
                Last attempt @ Sun Nov 23 18:50:26 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov 23 18:50:26 2014 CET

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Tested on a samba 4.1.17, with sitenames, and this does work for me.

Looking at your error again.. 


'WERR_NOMEM' 

add more ram to your DC, or you found a memory leak. 
so yes, restarting samba explains why its working again.

I wouldn't put too much weight on the WERR_NOMEM part of this.  We report this on many things that fail, not just out of memory.

(In reply to Louis from comment #5)


 VM with 4G ram are sufficent enoth  for less then 100 user objects 
 adding more ram are insufficent paath as befor happend same with 1G ram .
 adding even more i.e 16G are wrong path  for an DC without any load.

@Louis

have an look about  mem allocatiom at the bind_dlz  / kcc / Kdc

this happend at my Vms either on Freshly installed  DCś

I'm also running into this error. One of my dc's suddenly showed 

Last attempt @ Sat Dec 12 20:41:09 2015 CET failed, result 8 (WERR_NOMEM)

for all it's nc's on all other dc's.

On the affected dc:

samba-tool drs showrepl
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to logon-server.domain.local failed - drsException: DRS connection to logon-server.domain.local failed: (-1073741801, 'Memory allocation error')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))

Also I can not connect to the server with ldap-utils and gss authentication.

On working dc's.
kinit Administrator
ldapwhoami 
SASL/GSSAPI authentication started
SASL username: Administrator@DOMAIN.LOCAL
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
        additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported
Result: Protocol error (2)
Additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported

On the affected dc:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

So I assume some kerberos spn issue causes all this.

I had tried to connect an new dc which also shows above issues. Tried to cleanup the ad database manually removing all occurences of the faulty server in dns and ldap (with adsi), "samba-tool domain demote" did not work and also failes with an memory error.

VM has 1GB raised it to 4GB but it made no difference, also in my case an restart does not fix the issue temporary.

I use debian wheezy with sernet samba 4.1.21 packages.

Figured it out. I have ipv6 disabled via the kernel parameter ipv6.disable=1.

This results in: samba.log
  Failed to bind to ipv6::::389 - NT_STATUS_INVALID_PARAMETER_MIX
[2015/12/12 21:44:04.845672,  0] ../source4/kdc/kdc.c:672(kdc_add_socket)
  Failed to bind to :::88 TCP - NT_STATUS_INVALID_PARAMETER_MIX
[2015/12/12 21:44:04.872710,  0] ../source4/kdc/kdc.c:672(kdc_add_socket)
  Failed to bind to :::464 TCP - NT_STATUS_INVALID_PARAMETER_MIX
[2015/12/12 21:44:04.905467,  0] ../lib/util/become_daemon.c:136(daemon_ready)
[2015/12/12 21:44:04.943766,  0] ../source4/dns_server/dns_server.c:629(dns_add_socket)
  Failed to bind to :::53 TCP - NT_STATUS_INVALID_PARAMETER_MIX
[2015/12/12 21:44:05.642494,  0] ../source4/ldap_server/ldap_server.c:821(add_socket)
  ldapsrv failed to bind to :::389 - NT_STATUS_INVALID_PARAMETER_MIX

Once i add 

interfaces = eth0 lo
bind interfaces only = yes

these errors go away and replication starts to work.