Bug 11258 - DRS error after join third DC
Summary: DRS error after join third DC
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.1.17
Hardware: x64 FreeBSD
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-06 08:00 UTC by Yuriy Tabolin
Modified: 2021-02-10 17:12 UTC
CC: 2 users

See Also:


Description Yuriy Tabolin 2015-05-06 08:00:37 UTC
I have two Samba 4.1.17 DCs and I want to join a third machine as a DC. The two DCs work well and sync fine:

root@dc1# samba-tool drs showrepl
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc1.ad-test.stc[,seal]
Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: 6112a730-af1e-4fab-af29-bdee05ff387a
DSA invocationId: 4b1629b4-f307-4d1c-81a2-47d5ccee9467

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=ad-test,DC=stc
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 8c0a09a2-ee83-44c8-909d-9f42a9d2c814
                Last attempt @ Tue May  5 12:58:10 2015 MSK was successful
                0 consecutive failure(s).
                Last success @ Tue May  5 12:58:10 2015 MSK

DC=ForestDnsZones,DC=ad-test,DC=stc
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 8c0a09a2-ee83-44c8-909d-9f42a9d2c814
                Last attempt @ Tue May  5 12:58:10 2015 MSK was successful
                0 consecutive failure(s).
                Last success @ Tue May  5 12:58:10 2015 MSK

DC=ad-test,DC=stc
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 8c0a09a2-ee83-44c8-909d-9f42a9d2c814
                Last attempt @ Tue May  5 12:58:11 2015 MSK was successful
                0 consecutive failure(s).
                Last success @ Tue May  5 12:58:11 2015 MSK

CN=Schema,CN=Configuration,DC=ad-test,DC=stc
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 8c0a09a2-ee83-44c8-909d-9f42a9d2c814
                Last attempt @ Tue May  5 12:58:10 2015 MSK was successful
                0 consecutive failure(s).
                Last success @ Tue May  5 12:58:10 2015 MSK

CN=Configuration,DC=ad-test,DC=stc
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 8c0a09a2-ee83-44c8-909d-9f42a9d2c814
                Last attempt @ Tue May  5 12:58:10 2015 MSK was successful
                0 consecutive failure(s).
                Last success @ Tue May  5 12:58:10 2015 MSK

==== OUTBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=ad-test,DC=stc
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 8c0a09a2-ee83-44c8-909d-9f42a9d2c814
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=ad-test,DC=stc
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 8c0a09a2-ee83-44c8-909d-9f42a9d2c814
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ad-test,DC=stc
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 8c0a09a2-ee83-44c8-909d-9f42a9d2c814
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=ad-test,DC=stc
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 8c0a09a2-ee83-44c8-909d-9f42a9d2c814
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=ad-test,DC=stc
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 8c0a09a2-ee83-44c8-909d-9f42a9d2c814
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: adcb6df6-a9f1-4207-acff-41723bca8e74
        Enabled        : TRUE
        Server DNS name : dc2.ad-test.stc
        Server DN name  : CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad-test,DC=stc
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!


root@dc2# samba-tool drs showrepl
Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: 8c0a09a2-ee83-44c8-909d-9f42a9d2c814
DSA invocationId: 44434afb-6476-4422-a235-2fc72df6bd6c

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=ad-test,DC=stc
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6112a730-af1e-4fab-af29-bdee05ff387a
                Last attempt @ Tue May  5 12:58:17 2015 MSK was successful
                0 consecutive failure(s).
                Last success @ Tue May  5 12:58:17 2015 MSK

CN=Configuration,DC=ad-test,DC=stc
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6112a730-af1e-4fab-af29-bdee05ff387a
                Last attempt @ Tue May  5 12:58:17 2015 MSK was successful
                0 consecutive failure(s).
                Last success @ Tue May  5 12:58:17 2015 MSK

DC=ad-test,DC=stc
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6112a730-af1e-4fab-af29-bdee05ff387a
                Last attempt @ Tue May  5 12:58:18 2015 MSK was successful
                0 consecutive failure(s).
                Last success @ Tue May  5 12:58:18 2015 MSK

DC=DomainDnsZones,DC=ad-test,DC=stc
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6112a730-af1e-4fab-af29-bdee05ff387a
                Last attempt @ Tue May  5 12:58:17 2015 MSK was successful
                0 consecutive failure(s).
                Last success @ Tue May  5 12:58:17 2015 MSK

DC=ForestDnsZones,DC=ad-test,DC=stc
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6112a730-af1e-4fab-af29-bdee05ff387a
                Last attempt @ Tue May  5 12:58:17 2015 MSK was successful
                0 consecutive failure(s).
                Last success @ Tue May  5 12:58:17 2015 MSK

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=ad-test,DC=stc
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6112a730-af1e-4fab-af29-bdee05ff387a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=ad-test,DC=stc
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6112a730-af1e-4fab-af29-bdee05ff387a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ad-test,DC=stc
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6112a730-af1e-4fab-af29-bdee05ff387a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=ad-test,DC=stc
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6112a730-af1e-4fab-af29-bdee05ff387a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=ad-test,DC=stc
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 6112a730-af1e-4fab-af29-bdee05ff387a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: f01a70da-45d2-46de-a0ba-b8e1495eb74a
        Enabled        : TRUE
        Server DNS name : dc1.ad-test.stc
        Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad-test,DC=stc
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!


Then I joined dc3 to the domain:

root@dc3# samba-tool domain join ad-test.stc DC --realm=ad-test.stc --dns-backend=SAMBA_INTERNAL -U administrator
Finding a writeable DC for domain 'ad-test.stc'
Found DC dc1.ad-test.stc
Password for [WORKGROUP\administrator]:
workgroup is AD-TEST
realm is ad-test.stc
checking sAMAccountName
Adding CN=DC3,OU=Domain Controllers,DC=ad-test,DC=stc
Adding CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad-test,DC=stc
Adding CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad-test,DC=stc
Adding SPNs to CN=DC3,OU=Domain Controllers,DC=ad-test,DC=stc
Setting account password for DC3$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=ad-test,DC=stc
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=ad-test,DC=stc] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=ad-test,DC=stc] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=ad-test,DC=stc] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=ad-test,DC=stc] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=ad-test,DC=stc] objects[402/1618] linked_values[0/0]
Partition[CN=Configuration,DC=ad-test,DC=stc] objects[804/1618] linked_values[0/0]
Partition[CN=Configuration,DC=ad-test,DC=stc] objects[1206/1618] linked_values[0/0]
Partition[CN=Configuration,DC=ad-test,DC=stc] objects[1608/1618] linked_values[0/0]
Partition[CN=Configuration,DC=ad-test,DC=stc] objects[1618/1618] linked_values[38/0]
Replicating critical objects from the base DN of the domain
Partition[DC=ad-test,DC=stc] objects[98/98] linked_values[36/0]
Partition[DC=ad-test,DC=stc] objects[500/2489] linked_values[0/0]
Partition[DC=ad-test,DC=stc] objects[902/2489] linked_values[0/0]
Partition[DC=ad-test,DC=stc] objects[1304/2489] linked_values[0/0]
Partition[DC=ad-test,DC=stc] objects[1706/2489] linked_values[0/0]
Partition[DC=ad-test,DC=stc] objects[2108/2489] linked_values[0/0]
Partition[DC=ad-test,DC=stc] objects[2510/2489] linked_values[0/0]
Partition[DC=ad-test,DC=stc] objects[2587/2489] linked_values[893/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=ad-test,DC=stc
Partition[DC=DomainDnsZones,DC=ad-test,DC=stc] objects[42/42] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=ad-test,DC=stc
Partition[DC=ForestDnsZones,DC=ad-test,DC=stc] objects[19/19] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=ad-test,DC=stc] objects[38/19] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain AD-TEST (SID S-1-5-21-2864478947-2530200069-463850822) as a DC


The join finished well. I added a user and saw it on all three DCs. There are no problems with DNS either.

root@dc3# ldbsearch -H /var/db/samba4/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad-test,DC=stc
objectGUID: 6112a730-af1e-4fab-af29-bdee05ff387a

# record 2
dn: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad-test,DC=stc
objectGUID: def47c8a-ce92-4a10-bf5d-f8884066d726

# record 3
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad-test,DC=stc
objectGUID: 8c0a09a2-ee83-44c8-909d-9f42a9d2c814

# returned 3 records
# 3 entries
# 0 referrals


root@dc3# host -t SRV _ldap._tcp.ad-test.stc.
_ldap._tcp.ad-test.stc has SRV record 0 100 389 dc3.ad-test.stc.
_ldap._tcp.ad-test.stc has SRV record 0 100 389 dc1.ad-test.stc.
_ldap._tcp.ad-test.stc has SRV record 0 100 389 dc2.ad-test.stc.

root@dc3# host -t SRV _kerberos._udp.ad-test.stc.
_kerberos._udp.ad-test.stc has SRV record 0 100 88 dc2.ad-test.stc.
_kerberos._udp.ad-test.stc has SRV record 0 100 88 dc3.ad-test.stc.
_kerberos._udp.ad-test.stc has SRV record 0 100 88 dc1.ad-test.stc.

root@dc3# host dc3.ad-test.stc
dc3.ad-test.stc has address 192.168.100.132

root@dc3# host dc2.ad-test.stc
dc2.ad-test.stc has address 192.168.100.131

root@dc3# host dc1.ad-test.stc
dc1.ad-test.stc has address 192.168.100.130

root@dc3# host -t CNAME def47c8a-ce92-4a10-bf5d-f8884066d726._msdcs.ad-test.stc.
def47c8a-ce92-4a10-bf5d-f8884066d726._msdcs.ad-test.stc is an alias for dc3.ad-test.stc.

root@dc3# host -t CNAME 8c0a09a2-ee83-44c8-909d-9f42a9d2c814._msdcs.ad-test.stc.
8c0a09a2-ee83-44c8-909d-9f42a9d2c814._msdcs.ad-test.stc is an alias for dc2.ad-test.stc.

root@dc3# host -t CNAME 6112a730-af1e-4fab-af29-bdee05ff387a._msdcs.ad-test.stc.
6112a730-af1e-4fab-af29-bdee05ff387a._msdcs.ad-test.stc is an alias for dc1.ad-test.stc.


But drs showrepl after joining DC3 showed an error on all three DCs:

root@dc1# samba-tool drs showrepl
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc1.ad-test.stc[,seal]
Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: 6112a730-af1e-4fab-af29-bdee05ff387a
DSA invocationId: 4b1629b4-f307-4d1c-81a2-47d5ccee9467

==== INBOUND NEIGHBORS ====

ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610723, 'NT_STATUS_RPC_PROTOCOL_ERROR')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/drs.py", line 116, in drsuapi_ReplicaInfo
    (info_type, info) = ctx.drsuapi.DsReplicaGetInfo(ctx.drsuapi_handle, 1, req1)


root@dc2# samba-tool drs showrepl
Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: 8c0a09a2-ee83-44c8-909d-9f42a9d2c814
DSA invocationId: 44434afb-6476-4422-a235-2fc72df6bd6c

==== INBOUND NEIGHBORS ====

ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610723, 'NT_STATUS_RPC_PROTOCOL_ERROR')


root@dc3# samba-tool drs showrepl
Default-First-Site-Name\DC3
DSA Options: 0x00000001
DSA object GUID: def47c8a-ce92-4a10-bf5d-f8884066d726
DSA invocationId: 3781d360-be03-4d37-983e-60476b0d4eab

==== INBOUND NEIGHBORS ====

ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610723, 'NT_STATUS_RPC_PROTOCOL_ERROR')

I don't understand whether there is a problem with DC syncing or only a drs showrepl bug.
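The report ends on the question of whether replication itself is failing or only the showrepl call. The following is an added example, not code from Samba or from the reporter: it parses the `samba-tool drs showrepl` text format quoted above and separates "an inbound link has consecutive failures" from "DsReplicaGetInfo itself failed, so the state is unknown and must be checked another way". The sample inputs are constructed from the quoted output, and the `via RPC` / `consecutive failure(s)` line layouts are assumed to be stable.

```python
import re

# Added example, not Samba's own code: parse the text printed by
# `samba-tool drs showrepl` so a monitoring script can tell "an inbound link
# is failing" apart from "DsReplicaGetInfo itself failed, status unknown".
NEIGHBOR_RE = re.compile(r"^\s+(\S+) via (\w+)\s*$")
FAILURES_RE = re.compile(r"^\s+(\d+) consecutive failure\(s\)\.")

def parse_showrepl(text):
    """Return {'inbound': [(partition, source_dc, failures)], 'errors': [str]}."""
    inbound, errors, section, partition, cur = [], [], None, None, None
    for line in text.splitlines():
        if line.startswith("===="):                 # section header
            section = line.strip("= ")
        elif line.startswith("ERROR("):             # showrepl itself failed
            errors.append(line)
        elif section != "INBOUND NEIGHBORS" or not line.strip():
            continue
        elif not line[0].isspace():                 # partition DN at column 0
            partition = line.strip()
        elif NEIGHBOR_RE.match(line):               # "<site>\<DC> via RPC"
            cur = [partition, NEIGHBOR_RE.match(line).group(1), 0]
            inbound.append(cur)
        elif FAILURES_RE.match(line) and cur is not None:
            cur[2] = int(FAILURES_RE.match(line).group(1))
    return {"inbound": [tuple(n) for n in inbound], "errors": errors}

def classify(text):
    """'rpc-error' = status unknown (verify via ldbsearch on each DC); 'degraded' = link failing."""
    report = parse_showrepl(text)
    if report["errors"]:
        return "rpc-error"
    if any(f > 0 for _, _, f in report["inbound"]):
        return "degraded"
    return "ok"

# Constructed samples, trimmed from the output quoted in the report.
HEALTHY = """Default-First-Site-Name\\DC1
==== INBOUND NEIGHBORS ====
DC=ad-test,DC=stc
        Default-First-Site-Name\\DC2 via RPC
                Last attempt @ Tue May  5 12:58:11 2015 MSK was successful
                0 consecutive failure(s).
==== OUTBOUND NEIGHBORS ====
"""
BROKEN = """Default-First-Site-Name\\DC1
==== INBOUND NEIGHBORS ====
ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610723, 'NT_STATUS_RPC_PROTOCOL_ERROR')
"""
```

A "rpc-error" result only says the status query failed; the ldbsearch of NTDS Settings objectGUIDs across all DCs, as the reporter did, is the independent check that the directory itself is still converging.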
Comment 1 Björn Jacke 2021-02-10 17:12:36 UTC
This is working for me with recent Samba versions. If this is still a similar issue for you with 4.13, please file a new bug report for that.