Created attachment 11870
Wireshark screenshot with Samba DsGetNCChanges wrong response.

During the replication process initiated on the Windows DC from the Samba DC, "Error 8418: The replication operation failed because of a schema mismatch between the servers involved" occurs.

This error is returned as the DsReplicaSync() DCERPC response with error code 0x20e2 = 8418 - WERR_DS_DRA_SCHEMA_MISMATCH.

The problem is reproduced on Samba after replication from a Windows-based domain controller extended with the Exchange 2003/2010 schema.

Command to reproduce the problem (dc01 - WinDC, dc02 - SambaDC):

# samba-tool drs replicate dc01 dc02 dc=company3,dc=dd
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8418, 'WERR_DS_DRA_SCHEMA_MISMATCH')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 349, in run
    drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

The full process, as seen in the Wireshark and gdb logs, looks like:
- DsReplicaSync request - to Windows DC (from remote host)
- DsGetNCChanges request - from Windows DC to Samba DC
- DsGetNCChanges response - wrong DCERPC response from Samba DC!
- DsReplicaSync response - return WERR_DS_DRA_SCHEMA_MISMATCH.

There are various cases of wrong DCERPC response:
- packet looks like an old packet from a previous session, with a smaller call_id than in the current request;
- nca_s_fault_context_mismatch response packet;
- unknown encrypted packet.
Discussion of this investigation on the mailing list:
https://lists.samba.org/archive/samba-technical/2016-February/112361.html

Other errors which look similar:
https://bugzilla.samba.org/show_bug.cgi?id=10470
https://bugzilla.samba.org/show_bug.cgi?id=11172
https://bugzilla.samba.org/show_bug.cgi?id=11388
https://bugzilla.samba.org/show_bug.cgi?id=11415

Additional logs can be found here:
* test14: https://goo.gl/BSStsW (Problem with Samba DsGetNCChanges response on Windows request after DsReplicaSync)
* test13: https://goo.gl/2cr8xj (Original work between Windows DCs on the same configuration)
Recently I continued testing this problem:
https://goo.gl/7CW3Gh

And finally I found a solution for it:
https://lists.samba.org/archive/samba-technical/2016-April/113304.html

This is not due to the DCERPC interconnection, as I thought. That is another, non-critical cause of this problem.

The actual cause is a wrong attid in the DsGetNCChanges response from Samba, like here:
https://bugzilla.samba.org/show_bug.cgi?id=11443
Fixed in commit 032fc2762ea47df069e02a55ad8d586ec75ff73c.

https://lists.samba.org/archive/samba-technical/2016-April/113363.html

commit 032fc2762ea47df069e02a55ad8d586ec75ff73c
Author: Evgeny Sinelnikov <sin@altlinux.ru>
Date:   Tue Mar 29 18:37:40 2016 +0300

    rpc_server/drsuapi: Set msDS_IntId as attid for linked attributes if exists

    We got WERR_DS_DRA_SCHEMA_MISMATCH for linked attributes with 8418 error for extended attributes when using same attid as attribute object.

    Signed-off-by: Evgeny Sinelnikov <sin@altlinux.ru>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Marking as fixed per comment #2