Created attachment 11870
Wireshark screenshot with Samba DsGetNCChanges wrong response.
During a replication process initiated on the Windows DC from the Samba DC, "Error 8418: The replication operation failed because of a schema mismatch between the servers involved" occurs.
This error is returned as the DsReplicaSync() DCERPC response with error code 0x20e2 = 8418 - WERR_DS_DRA_SCHEMA_MISMATCH.
The problem is reproduced on Samba after replication from a Windows-based domain controller extended with the Exchange 2003/2010 schema.
Command to reproduce the problem (dc01 - WinDC, dc02 - SambaDC):
# samba-tool drs replicate dc01 dc02 dc=company3,dc=dd
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8418, 'WERR_DS_DRA_SCHEMA_MISMATCH')
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 349, in run
drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
raise drsException("DsReplicaSync failed %s" % estr)
The full process, according to the Wireshark and gdb logs, looks like:
- DsReplicaSync request - to Windows DC (from remote host)
- DsGetNCChanges request - from Windows DC to Samba DC
- DsGetNCChanges response - wrong DCERPC response from Samba DC!
- DsReplicaSync response - return WERR_DS_DRA_SCHEMA_MISMATCH.
There are various cases of a wrong DCERPC response:
- the packet looks like an old packet from a previous session, with a smaller call_id than in the current request;
- nca_s_fault_context_mismatch response packet;
- unknown encrypted packet.
Discussion of this investigation on the mailing list:
Other errors which look similar:
Additional logs could be found here:
* test14: https://goo.gl/BSStsW (Problem with Samba DsGetNCChanges response on Windows request after DsReplicaSync)
* test13: https://goo.gl/2cr8xj (Original work between Windows DC's on same configuration)
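An added example (not part of the original report and not Samba code): a Python check that labels a DCERPC reply against the call_id of the outstanding request, covering the three wrong-response cases listed above. The function names and the sample PDUs are constructed for illustration; the offsets are those of the connection-oriented DCERPC common header and fault PDU.

```python
import struct

PTYPE_RESPONSE, PTYPE_FAULT = 2, 3
NCA_S_FAULT_CONTEXT_MISMATCH = 0x1C00001A

def parse_pdu(data):
    """Parse the 16-byte connection-oriented DCERPC common header."""
    if len(data) < 16 or data[0] != 5:
        raise ValueError("not a DCERPC v5 PDU")
    # drep[0] high nibble: 1 = little-endian integers, 0 = big-endian
    endian = "<" if data[4] & 0x10 else ">"
    _frag_len, auth_len, call_id = struct.unpack_from(endian + "HHI", data, 8)
    status = None
    if data[2] == PTYPE_FAULT:
        if len(data) < 28:
            raise ValueError("truncated fault PDU")
        # Fault body: alloc_hint(4) p_cont_id(2) cancel_count(1) reserved(1) status(4)
        (status,) = struct.unpack_from(endian + "I", data, 24)
    return {"ptype": data[2], "call_id": call_id, "auth_length": auth_len, "status": status}

def classify_reply(request_call_id, reply):
    """Label a reply against the call_id of the outstanding request."""
    try:
        pdu = parse_pdu(reply)
    except ValueError:
        return "unparseable"          # e.g. the "unknown encrypted packet" case
    if pdu["ptype"] == PTYPE_FAULT:
        known = pdu["status"] == NCA_S_FAULT_CONTEXT_MISMATCH
        return "fault_context_mismatch" if known else "fault"
    if pdu["ptype"] != PTYPE_RESPONSE:
        return "unexpected_ptype"
    if pdu["call_id"] < request_call_id:
        return "stale_call_id"        # looks like a reply to an earlier call
    if pdu["call_id"] != request_call_id:
        return "call_id_mismatch"
    return "ok"

def build(ptype, call_id, body=b""):
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                       16 + len(body), 0, call_id) + body

# Constructed samples (not taken from the captures linked on this page).
FAULT_BODY = struct.pack("<IHBBII", 0, 0, 0, 0, NCA_S_FAULT_CONTEXT_MISMATCH, 0)
SAMPLES = {
    "ok": build(PTYPE_RESPONSE, 7, b"\x00" * 8),
    "stale": build(PTYPE_RESPONSE, 5, b"\x00" * 8),
    "fault": build(PTYPE_FAULT, 7, FAULT_BODY),
    "garbage": bytes(range(0x80, 0xA0)),
}
```

Calling classify_reply(7, raw) on each sample shows which of the listed cases a reply falls into when the outstanding request used call_id 7.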
Recently I continued testing this problem:
And finally I found a solution for it:
This is not due to the DCERPC interconnection, as I thought. That is another, non-critical cause of this problem. The actual cause is a wrong attid in the DsGetNCChanges response from Samba, like here:
Fixed in commit 032fc2762ea47df069e02a55ad8d586ec75ff73c.
Author: Evgeny Sinelnikov <email@example.com>
Date: Tue Mar 29 18:37:40 2016 +0300
rpc_server/drsuapi: Set msDS_IntId as attid for linked attributes if exists
We got WERR_DS_DRA_SCHEMA_MISMATCH for linked attributes with 8418 error for
extended attributes when using same attid as attribute object.
Signed-off-by: Evgeny Sinelnikov <firstname.lastname@example.org>
Reviewed-by: Garming Sam <email@example.com>
Reviewed-by: Andrew Bartlett <firstname.lastname@example.org>
Marking as fixed per comment #2