The DC1 on Samba 4.4.4 fails to replicate full DC=foo,DC=bar,DC=com from PDC1 Windows 2003 Server. [root@dc1 etc]# samba-tool drs replicate dc1 pdc1 DC=foo,DC=bar,DC=com --full-sync -d 9 ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12 drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync out: struct drsuapi_DsReplicaSync result : WERR_BAD_NET_RESP ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP') File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 350, in run drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options) File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync raise drsException("DsReplicaSync failed %s" % estr) Meanwhile, "samba-tool drs replicate dc1 pdc1 DC=foo,DC=bar,DC=com" completes successfully. ----- CentOS 7 Linux dc1.foo.bar.com 3.10.0-327.18.2.el7.x86_64 #1 SMP Thu May 12 11:03:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Both forest and domain are at Windows 2003 level.
Created attachment 12200 [details] level 99 debug log for the error in question
I'm pretty sure this is a duplicate, due to DRS replication sizes being clamped at 4MB in the 4.4 code. *** This bug has been marked as a duplicate of bug 11948 ***
Nope, I applied the patch from 11948, rebuilt samba, kicked the joined DC out, rejoined the domain as a DC. Same error.
Updated to v4-4-test (e93603f). Stopped samba, rebuilt, installed, restarted. DCE is gone. Can't see any errors except for spoolss, port 135, naturally, doesn't respond. No configuration changes. Anything I should have changed? Jul 9 00:03:23 dc1 systemd: Started LSB: start and stop samba4. Jul 9 00:03:24 dc1 samba[1600]: [2016/07/09 00:03:24.649898, 0] ../source4/smbd/server.c:481(binary_smbd_main) Jul 9 00:03:24 dc1 samba[1600]: samba: using 'standard' process model Jul 9 00:03:24 dc1 samba[1603]: [2016/07/09 00:03:24.664361, 0] ../source4/rpc_server/dcerpc_server.c:1672(dcesrv_init_context) Jul 9 00:03:24 dc1 samba[1603]: dcesrv_init_context: failed to find endpoint server = 'spoolss' Jul 9 00:03:24 dc1 samba[1603]: [2016/07/09 00:03:24.664936, 0] ../source4/smbd/service_task.c:35(task_server_terminate) Jul 9 00:03:24 dc1 samba[1603]: task_server_terminate: [Failed to startup dcerpc server task] Jul 9 00:03:24 dc1 samba[1603]: [2016/07/09 00:03:24.672630, 0] ../source4/smbd/server.c:211(samba_terminate) Jul 9 00:03:24 dc1 samba[1603]: samba_terminate: Failed to startup dcerpc server task Jul 9 00:03:24 dc1 samba[1600]: [2016/07/09 00:03:24.712117, 0] ../lib/util/become_daemon.c:124(daemon_ready) Jul 9 00:03:24 dc1 samba[1600]: STATUS=daemon 'samba' finished starting up and ready to serve connections Jul 9 00:03:24 dc1 winbindd[1615]: [2016/07/09 00:03:24.803268, 0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache) Jul 9 00:03:24 dc1 winbindd[1615]: initialize_winbindd_cache: clearing cache and re-creating with version number 2 Jul 9 00:03:25 dc1 winbindd[1615]: [2016/07/09 00:03:25.327058, 0] ../lib/util/become_daemon.c:124(daemon_ready) Jul 9 00:03:25 dc1 winbindd[1615]: STATUS=daemon 'winbindd' finished starting up and ready to serve connections Jul 9 00:03:25 dc1 winbindd[1618]: [2016/07/09 00:03:25.351529, 0] ../source3/winbindd/winbindd_cm.c:1840(wb_open_internal_pipe) Jul 9 00:03:25 dc1 winbindd[1618]: open_internal_pipe: Could not connect to dssetup pipe: NT_STATUS_UNSUCCESSFUL Jul 9 00:03:25 dc1 winbindd[1618]: [2016/07/09 00:03:25.352272, 0] ../source3/winbindd/winbindd_cm.c:1840(wb_open_internal_pipe) Jul 9 00:03:25 dc1 winbindd[1618]: open_internal_pipe: Could not connect to lsarpc pipe: NT_STATUS_UNSUCCESSFUL Jul 9 00:03:25 dc1 winbindd[1618]: [2016/07/09 00:03:25.353536, 0] ../source3/winbindd/winbindd_cm.c:1840(wb_open_internal_pipe) Jul 9 00:03:25 dc1 winbindd[1618]: open_internal_pipe: Could not connect to dssetup pipe: NT_STATUS_UNSUCCESSFUL Jul 9 00:03:25 dc1 winbindd[1618]: [2016/07/09 00:03:25.354265, 0] ../source3/winbindd/winbindd_cm.c:1840(wb_open_internal_pipe) Jul 9 00:03:25 dc1 winbindd[1618]: open_internal_pipe: Could not connect to lsarpc pipe: NT_STATUS_UNSUCCESSFUL Jul 9 00:03:25 dc1 winbindd[1618]: [2016/07/09 00:03:25.354948, 0] ../source3/winbindd/winbindd_cm.c:1840(wb_open_internal_pipe) Jul 9 00:03:25 dc1 winbindd[1618]: open_internal_pipe: Could not connect to lsarpc pipe: NT_STATUS_UNSUCCESSFUL Jul 9 00:03:25 dc1 smbd[1604]: [2016/07/09 00:03:25.423988, 0] ../lib/util/become_daemon.c:124(daemon_ready) Jul 9 00:03:25 dc1 smbd[1604]: STATUS=daemon 'smbd' finished starting up and ready to serve connections
(In reply to Arcadiy Ivanov from comment #5) This last log relates to an unrelated issue, a regression in bug 11991
Just got v4-4-stable (fb3e629). The regression you mentioned is not present. The error described in this bug appears to be gone now. I will continue testing and will let you know.
Spoke too soon (tested full replication with the wrong NS). Full-sync replication of the domain NS still results in the below error: GSSAPI Connection will be cryptographically signed drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync in: struct drsuapi_DsReplicaSync bind_handle : * bind_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 70bbf606-0778-4d33-88b5-4aea5b8fa60d level : 0x00000001 (1) req : * req : union drsuapi_DsReplicaSyncRequest(case 1) req1: struct drsuapi_DsReplicaSyncRequest1 naming_context : * naming_context: struct drsuapi_DsReplicaObjectIdentifier __ndr_size : 0x0000006c (108) __ndr_size_sid : 0x00000000 (0) guid : 00000000-0000-0000-0000-000000000000 sid : S-0-0 __ndr_size_dn : 0x00000019 (25) dn : 'dc=foo,dc=bar,dc=com' source_dsa_guid : 0f255ec4-0072-4121-b424-e0718bdc7ec6 source_dsa_dns : NULL options : 0x00008010 (32784) 0: DRSUAPI_DRS_ASYNC_OP 0: DRSUAPI_DRS_GETCHG_CHECK 0: DRSUAPI_DRS_UPDATE_NOTIFICATION 0: DRSUAPI_DRS_ADD_REF 0: DRSUAPI_DRS_SYNC_ALL 0: DRSUAPI_DRS_DEL_REF 1: DRSUAPI_DRS_WRIT_REP 0: DRSUAPI_DRS_INIT_SYNC 0: DRSUAPI_DRS_PER_SYNC 0: DRSUAPI_DRS_MAIL_REP 0: DRSUAPI_DRS_ASYNC_REP 0: DRSUAPI_DRS_IGNORE_ERROR 0: DRSUAPI_DRS_TWOWAY_SYNC 0: DRSUAPI_DRS_CRITICAL_ONLY 0: DRSUAPI_DRS_GET_ANC 0: DRSUAPI_DRS_GET_NC_SIZE 0: DRSUAPI_DRS_LOCAL_ONLY 0: DRSUAPI_DRS_NONGC_RO_REP 0: DRSUAPI_DRS_SYNC_BYNAME 0: DRSUAPI_DRS_REF_OK 1: DRSUAPI_DRS_FULL_SYNC_NOW 1: DRSUAPI_DRS_NO_SOURCE 0: DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS 0: DRSUAPI_DRS_FULL_SYNC_PACKET 0: DRSUAPI_DRS_SYNC_REQUEUE 0: DRSUAPI_DRS_SYNC_URGENT 0: DRSUAPI_DRS_REF_GCSPN 0: DRSUAPI_DRS_NO_DISCARD 0: DRSUAPI_DRS_NEVER_SYNCED 0: DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING 0: DRSUAPI_DRS_INIT_SYNC_NOW 0: DRSUAPI_DRS_PREEMPTED 0: DRSUAPI_DRS_SYNC_FORCED 0: DRSUAPI_DRS_DISABLE_AUTO_SYNC 0: DRSUAPI_DRS_DISABLE_PERIODIC_SYNC 0: DRSUAPI_DRS_USE_COMPRESSION 0: DRSUAPI_DRS_NEVER_NOTIFY 0: DRSUAPI_DRS_SYNC_PAS 0: DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP rpc request data: [0000] 00 00 00 00 06 F6 BB 70 78 07 33 4D 88 B5 4A EA .......p x.3M..J. [0010] 5B 8F A6 0D 01 00 00 00 01 00 00 00 F1 AE F1 AE [....... ........ [0020] C4 5E 25 0F 72 00 21 41 B4 24 E0 71 8B DC 7E C6 .^%.r.!A .$.q..~. [0030] 00 00 00 00 10 80 00 00 1A 00 00 00 6C 00 00 00 ........ ....l... [0040] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0050] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0060] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0070] 19 00 00 00 64 00 63 00 3D 00 68 00 6F 00 6D 00 ....d.c. =.h.o.m. [0080] 65 00 2C 00 64 00 63 00 3D 00 69 00 76 00 61 00 e.,.d.c. =.i.v.a. [0090] 6E 00 6F 00 76 00 79 00 2C 00 64 00 63 00 3D 00 n.o.v.y. ,.d.c.=. [00A0] 6E 00 65 00 74 00 00 00 n.e.t... s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x21133d0 s4_tevent: Added timed event "dcerpc_timeout_handler": 0x215b1c0 s4_tevent: Run immediate event "dcerpc_io_trigger": 0x21133d0 s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x21133d0 Sealed 176 bytes, and got 76 bytes header/signature. s4_tevent: Schedule immediate event "tevent_req_trigger": 0x2160bc0 s4_tevent: Run immediate event "dcerpc_io_trigger": 0x21133d0 s4_tevent: Run immediate event "tevent_req_trigger": 0x2160bc0 s4_tevent: Schedule immediate event "tevent_req_trigger": 0x2160890 s4_tevent: Run immediate event "tevent_req_trigger": 0x2160890 ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12 Unsealed 16 bytes, with 76 bytes header/signature. s4_tevent: Destroying timer event 0x215b1c0 "dcerpc_timeout_handler" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x215d4f0 s4_tevent: Run immediate event "tevent_req_trigger": 0x215d4f0 drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync out: struct drsuapi_DsReplicaSync result : WERR_BAD_NET_RESP rpc reply data: [0000] 3A 00 00 00 :... ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP') File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 350, in run drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options) File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync raise drsException("DsReplicaSync failed %s" % estr)
Using `samba-tool ldapcmp ldap://pdc1 ldap://dc1 domain --filter=whenChanged` the userParameters blob for user accounts fail to replicate correctly: Difference in attribute values: userParameters => [' P\x04\x1a\x08\x01CtxCfgPresent\xe3\x94\xb5\xe6\x94\xb1\xe6\x88\xb0\xe3\x81\xa2\x18\x08\x01CtxCfgFlags1\xe3\x80\xb0\xe3\x81\xa6\xe3\x84\xb2\xe3\x80\xb9\x12\x08\x01CtxShadow\xe3\x80\xb0\xe3\x80\xb0\xe3\x80\xb0\xe3\x80\xb0*\x02\x01CtxMinEncryptionLevel\xe3\x84\xb0'] [' \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00P\x00\x04\x00\x1a\x00\x08\x00\x01\x00C\x00t\x00x\x00C\x00f\x00g\x00P\x00r\x00e\x00s\x00e\x00n\x00t\x00551e0bb0\x18\x00\x08\x00\x01\x00C\x00t\x00x\x00C\x00f\x00g\x00F\x00l\x00a\x00g\x00s\x001\x0000f02190\x12\x00\x08\x00\x01\x00C\x00t\x00x\x00S\x00h\x00a\x00d\x00o\x00w\x0000000000*\x00\x02\x00\x01\x00C\x00t\x00x\x00M\x00i\x00n\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00i\x00o\x00n\x00L\x00e\x00v\x00e\x00l\x0001']
Any progress on this one? Any additional info I need to supply that may be helpful?
This looks like our long-running userParameters saga. *** This bug has been marked as a duplicate of bug 8077 ***