Bug 10955 - samba-tool drs showrepl broken after Domain join as DC with given sitename
Summary: samba-tool drs showrepl broken after Domain join as DC with given sitename
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.1.13
Hardware: All All
Importance: P5 regression
Target Milestone: 4.3
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2014-11-23 17:42 UTC by Remsnet (dead mail address)
Modified: 2015-12-12 20:47 UTC

Description Remsnet (dead mail address) 2014-11-23 17:42:28 UTC
Joined the domain as a DC following the standard "Samba4 domain as DC" documentation:

root@ad1:samba# samba-tool domain join ADS.SAMPLE.DOM DC -Uadministrator --realm=ADS.SAMPLE.DOM --dns-backend=BIND9_DLZ --site=AD1
Finding a writeable DC for domain 'ADS.SAMPLE.DOM'
Found DC samba4-ad2.ads.sample.dom
Password for [WORKGROUP\administrator]:
workgroup is ADS
realm is ads.sample.dom
checking sAMAccountName
Deleted CN=AD1,OU=Domain Controllers,DC=ads,DC=sample,DC=dom
Deleted CN=dns-AD1,CN=Users,DC=ads,DC=sample,DC=dom
Deleted CN=NTDS Settings,CN=AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=sample,DC=dom
Deleted CN=AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=sample,DC=dom
Adding CN=AD1,OU=Domain Controllers,DC=ads,DC=sample,DC=dom
Adding CN=AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=sample,DC=dom
Adding CN=NTDS Settings,CN=AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=sample,DC=dom
Adding SPNs to CN=AD1,OU=Domain Controllers,DC=ads,DC=sample,DC=dom
Setting account password for AD1$
Enabling account
Adding DNS account CN=dns-AD1,CN=Users,DC=ads,DC=sample,DC=dom with dns/ SPN
Setting account password for dns-AD1
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=ads,DC=sample,DC=dom
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=ads,DC=sample,DC=dom] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=ads,DC=sample,DC=dom] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=ads,DC=sample,DC=dom] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=ads,DC=sample,DC=dom] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=ads,DC=sample,DC=dom] objects[402/1626] linked_values[0/0]
Partition[CN=Configuration,DC=ads,DC=sample,DC=dom] objects[804/1626] linked_values[0/0]
Partition[CN=Configuration,DC=ads,DC=sample,DC=dom] objects[1206/1626] linked_values[0/0]
Partition[CN=Configuration,DC=ads,DC=sample,DC=dom] objects[1608/1626] linked_values[0/0]
Partition[CN=Configuration,DC=ads,DC=sample,DC=dom] objects[1626/1626] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=ads,DC=sample,DC=dom] objects[98/98] linked_values[23/0]
Partition[DC=ads,DC=sample,DC=dom] objects[373/275] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=ads,DC=sample,DC=dom
Partition[DC=DomainDnsZones,DC=ads,DC=sample,DC=dom] objects[63/63] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=ads,DC=sample,DC=dom
Partition[DC=ForestDnsZones,DC=ads,DC=sample,DC=dom] objects[21/21] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=ads,DC=sample,DC=dom] objects[42/21] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain ADS (SID S-1-5-21-3664771823-1641098865-1791846405) as a DC


resulted in:


root@ad1:samba# samba-tool drs showrepl
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to ad1.ads.sample.dom failed - drsException: DRS connection to ad1.ads.sample.dom failed: (8, 'WERR_NOMEM')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib64/python2.6/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
root@ad1:samba# samba-tool dbcheck --cross-nc
Checking 3535 objects
Checked 3535 objects (0 errors)
root@ad1:samba# 


expected result:

Joined domain sample.dom as ad1 and sitename site1
Comment 1 Remsnet (dead mail address) 2014-11-23 18:03:20 UTC
second error exception:

- domain cleanup, including a full cleanup of /var/lib/samba/
- re-set up the master ADS using sernet-samba
- join the VPN-based ADS site as DC using sernet-samba

Causes error:

# samba-tool drs showrepl
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to ad1.ads.sample.dom failed - drsException: DRS connection to ad1.ads.sample.dom failed: (8, 'WERR_NOMEM')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib64/python2.6/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))

expected results:
- no samba4 restart required
- samba-tool drs showrepl with clean output


TEMP FIX: samba4 restart required
Comment 2 Remsnet (dead mail address) 2014-11-23 18:05:13 UTC
samba-tool drs bind
Bind to ad1.ads.sample.dom succeeded.
Extensions supported:
  DRSUAPI_SUPPORTED_EXTENSION_BASE                            : Yes (DRS_EXT_BASE)
  DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION               : Yes (DRS_EXT_ASYNCREPL)
  DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI                       : Yes (DRS_EXT_REMOVEAPI)
  DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2                      : Yes (DRS_EXT_MOVEREQ_V2)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS                 : No  (DRS_EXT_GETCHG_DEFLATE)
  DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1                       : Yes (DRS_EXT_DCINFO_V1)
  DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION        : Yes (DRS_EXT_RESTORE_USN_OPTIMIZATION)
  DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY                        : No  (DRS_EXT_ADDENTRY)
  DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE                     : Yes (DRS_EXT_KCC_EXECUTE)
  DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2                     : Yes (DRS_EXT_ADDENTRY_V2)
  DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION        : Yes (DRS_EXT_LINKED_VALUE_REPLICATION)
  DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2                       : Yes (DRS_EXT_DCINFO_V2)
  DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD    : Yes (DRS_EXT_INSTANCE_TYPE_NOT_REQ_ON_MOD)
  DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND                     : Yes (DRS_EXT_CRYPTO_BIND)
  DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO                   : Yes (DRS_EXT_GET_REPL_INFO)
  DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION               : Yes (DRS_EXT_STRONG_ENCRYPTION)
  DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01                      : Yes (DRS_EXT_DCINFO_VFFFFFFFF)
  DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP           : Yes (DRS_EXT_TRANSITIVE_MEMBERSHIP)
  DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY                 : Yes (DRS_EXT_ADD_SID_HISTORY)
  DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3                      : Yes (DRS_EXT_POST_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5                    : Yes (DRS_EXT_GETCHGREQ_V5)
  DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2                : Yes (DRS_EXT_GETMEMBERSHIPS2)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6                    : Yes (DRS_EXT_GETCHGREQ_V6)
  DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS                   : Yes (DRS_EXT_NONDOMAIN_NCS)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8                    : Yes (DRS_EXT_GETCHGREQ_V8)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5                  : Yes (DRS_EXT_GETCHGREPLY_V5)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6                  : Yes (DRS_EXT_GETCHGREPLY_V6)
  DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3                : Yes (DRS_EXT_WHISTLER_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7                  : Yes (DRS_EXT_WHISTLER_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT                   : Yes (DRS_EXT_WHISTLER_BETA3)
  DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS                 : No  (DRS_EXT_W2K3_DEFLATE)
  DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10                   : Yes (DRS_EXT_GETCHGREQ_V10)
  DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2                  : No  (DRS_EXT_RESERVED_FOR_WIN2K_OR_DOTNET_PART2)
  DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3                  : No  (DRS_EXT_RESERVED_FOR_WIN2K_OR_DOTNET_PART3)

Site GUID: ba489383-78f8-48d9-ad73-297b81061b13
Repl epoch: 0
root@ad1:samba#
Comment 3 Remsnet (dead mail address) 2014-11-23 18:07:01 UTC
root@ad1:samba# samba-tool drs showrepl
Default-First-Site-Name\AD1
DSA Options: 0x00000001
DSA object GUID: f6ec238f-f9d3-4791-909e-a7d3b1ebb671
DSA invocationId: 8b3e18a6-595c-4b93-a612-68cc9889fee8

==== INBOUND NEIGHBORS ====

DC=ads,DC=sample,DC=dom
        Default-First-Site-Name\SAMBA4-AD2 via RPC
                DSA object GUID: 7e08b677-3db9-4114-982e-cb070b5792bc
                Last attempt @ Sun Nov 23 18:52:10 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov 23 18:52:10 2014 CET

DC=DomainDnsZones,DC=ads,DC=sample,DC=dom
        Default-First-Site-Name\SAMBA4-AD2 via RPC
                DSA object GUID: 7e08b677-3db9-4114-982e-cb070b5792bc
                Last attempt @ Sun Nov 23 18:52:14 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov 23 18:52:14 2014 CET

CN=Configuration,DC=ads,DC=sample,DC=dom
        Default-First-Site-Name\SAMBA4-AD2 via RPC
                DSA object GUID: 7e08b677-3db9-4114-982e-cb070b5792bc
                Last attempt @ Sun Nov 23 18:51:44 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov 23 18:51:44 2014 CET

DC=ForestDnsZones,DC=ads,DC=sample,DC=dom
        Default-First-Site-Name\SAMBA4-AD2 via RPC
                DSA object GUID: 7e08b677-3db9-4114-982e-cb070b5792bc
                Last attempt @ Sun Nov 23 18:52:17 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov 23 18:52:17 2014 CET

CN=Schema,CN=Configuration,DC=ads,DC=sample,DC=dom
        Default-First-Site-Name\SAMBA4-AD2 via RPC
                DSA object GUID: 7e08b677-3db9-4114-982e-cb070b5792bc
                Last attempt @ Sun Nov 23 18:50:26 2014 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Nov 23 18:50:26 2014 CET

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====
Comment 4 Louis 2015-04-29 09:06:38 UTC
Tested on a samba 4.1.17, with sitenames, and this does work for me.
Comment 5 Louis 2015-04-30 10:14:56 UTC
Looking at your error again...


'WERR_NOMEM'

Add more RAM to your DC, or you found a memory leak.
So yes, restarting samba explains why it's working again.
Comment 6 Andrew Bartlett 2015-04-30 10:23:20 UTC
I wouldn't put too much weight on the WERR_NOMEM part of this.  We report this on many things that fail, not just out of memory.
Comment 7 Remsnet (dead mail address) 2015-04-30 10:56:33 UTC
(In reply to Louis from comment #5)


A VM with 4G RAM is sufficient for fewer than 100 user objects.
Adding more RAM is an insufficient path; as before, the same happened with 1G RAM.
Adding even more, i.e. 16G, is the wrong path for a DC without any load.
Comment 8 Remsnet (dead mail address) 2015-04-30 11:16:47 UTC
@Louis

Have a look at memory allocation in the bind_dlz / kcc / kdc.

This happened on my VMs, also on freshly installed DCs.
Comment 9 Achim Gottinger 2015-12-12 19:52:24 UTC
I'm also running into this error. One of my DCs suddenly showed

Last attempt @ Sat Dec 12 20:41:09 2015 CET failed, result 8 (WERR_NOMEM)

for all its NCs on all other DCs.

On the affected dc:

samba-tool drs showrepl
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to logon-server.domain.local failed - drsException: DRS connection to logon-server.domain.local failed: (-1073741801, 'Memory allocation error')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))

Also, I cannot connect to the server with ldap-utils and GSS authentication.

On working DCs:
kinit Administrator
ldapwhoami 
SASL/GSSAPI authentication started
SASL username: Administrator@DOMAIN.LOCAL
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
        additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported
Result: Protocol error (2)
Additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported

On the affected dc:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

So I assume some Kerberos SPN issue causes all this.

I had tried to connect a new DC, which also shows the above issues. I tried to clean up the AD database manually, removing all occurrences of the faulty server in DNS and LDAP (with ADSI); "samba-tool domain demote" did not work and also fails with a memory error.

The VM has 1GB; I raised it to 4GB but it made no difference. Also, in my case a restart does not fix the issue, even temporarily.

I use Debian wheezy with Sernet Samba 4.1.21 packages.
Comment 10 Achim Gottinger 2015-12-12 20:45:46 UTC
Figured it out. I have IPv6 disabled via the kernel parameter ipv6.disable=1.

This results in the following in samba.log:
  Failed to bind to ipv6::::389 - NT_STATUS_INVALID_PARAMETER_MIX
[2015/12/12 21:44:04.845672,  0] ../source4/kdc/kdc.c:672(kdc_add_socket)
  Failed to bind to :::88 TCP - NT_STATUS_INVALID_PARAMETER_MIX
[2015/12/12 21:44:04.872710,  0] ../source4/kdc/kdc.c:672(kdc_add_socket)
  Failed to bind to :::464 TCP - NT_STATUS_INVALID_PARAMETER_MIX
[2015/12/12 21:44:04.905467,  0] ../lib/util/become_daemon.c:136(daemon_ready)
[2015/12/12 21:44:04.943766,  0] ../source4/dns_server/dns_server.c:629(dns_add_socket)
  Failed to bind to :::53 TCP - NT_STATUS_INVALID_PARAMETER_MIX
[2015/12/12 21:44:05.642494,  0] ../source4/ldap_server/ldap_server.c:821(add_socket)
  ldapsrv failed to bind to :::389 - NT_STATUS_INVALID_PARAMETER_MIX

Once I add

interfaces = eth0 lo
bind interfaces only = yes

these errors go away and replication starts to work.
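A defender-side check for the failure mode in comment 10, written here as an added example (not Samba's own code): it scans samba.log for failed socket binds, flags the ones on the IPv6 any-address, and emits the two smb.conf lines from the comment only when that is the sole pattern, so an unrelated bind failure is not papered over. The log sample is re-typed from the comment as constructed input; the interface name eth0 is an assumption.

```python
import re

# Constructed sample: the samba.log excerpt quoted in comment 10, re-typed as input.
SAMPLE_LOG = """\
  Failed to bind to ipv6::::389 - NT_STATUS_INVALID_PARAMETER_MIX
[2015/12/12 21:44:04.845672,  0] ../source4/kdc/kdc.c:672(kdc_add_socket)
  Failed to bind to :::88 TCP - NT_STATUS_INVALID_PARAMETER_MIX
[2015/12/12 21:44:04.872710,  0] ../source4/kdc/kdc.c:672(kdc_add_socket)
  Failed to bind to :::464 TCP - NT_STATUS_INVALID_PARAMETER_MIX
[2015/12/12 21:44:04.905467,  0] ../lib/util/become_daemon.c:136(daemon_ready)
[2015/12/12 21:44:04.943766,  0] ../source4/dns_server/dns_server.c:629(dns_add_socket)
  Failed to bind to :::53 TCP - NT_STATUS_INVALID_PARAMETER_MIX
[2015/12/12 21:44:05.642494,  0] ../source4/ldap_server/ldap_server.c:821(add_socket)
  ldapsrv failed to bind to :::389 - NT_STATUS_INVALID_PARAMETER_MIX
"""

# Matches both the "Failed to bind to" and the "ldapsrv failed to bind to" forms.
BIND_FAIL = re.compile(
    r'[Ff]ailed to bind to (?P<addr>\S+)(?: (?P<proto>TCP|UDP))? - (?P<status>NT_STATUS_\w+)')
# The Samba log header line names the source function that logs the next message.
HEADER = re.compile(r'^\[[^\]]+\]\s+(?P<src>\S+\(\w+\))')


def find_bind_failures(log_text):
    """Return one dict per failed socket bind, flagging IPv6 any-address binds."""
    failures, last_src = [], None
    for line in log_text.splitlines():
        h = HEADER.match(line)
        if h:
            last_src = h.group('src')
            continue
        m = BIND_FAIL.search(line)
        if not m:
            continue
        host, port = m.group('addr').rsplit(':', 1)
        failures.append({
            # ldapsrv omits the protocol in its message; LDAP on 389 is TCP
            'port': int(port), 'proto': m.group('proto') or 'TCP',
            'status': m.group('status'), 'source': last_src,
            # "::" (also spelled "ipv6:::" by ldapsrv) is the IPv6 any-address
            'ipv6_wildcard': host.endswith('::'),
        })
    return failures


def suggest_smb_conf(failures, iface='eth0'):
    """Return the [global] lines from comment 10 when every failure is an IPv6 wildcard bind."""
    if failures and all(f['ipv6_wildcard'] for f in failures):
        return ['interfaces = %s lo' % iface, 'bind interfaces only = yes']
    return []
```

Run it against a real log with `find_bind_failures(open('/var/log/samba/log.samba').read())`; an empty suggestion with a non-empty failure list means the bind problem is not the IPv6-disabled case and needs a different fix.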