Bug 11987 - DsReplicaSync failed - drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')
Summary: DsReplicaSync failed - drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_...
Status: RESOLVED DUPLICATE of bug 8077
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.4.4
Hardware: x64 Linux
: P5 major (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-22 18:08 UTC by Arcadiy Ivanov
Modified: 2016-07-28 23:53 UTC (History)
1 user (show)

See Also:

Attachments
level 99 debug log for the error in question (28.69 KB, text/plain)
2016-06-22 18:24 UTC, Arcadiy Ivanov 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Arcadiy Ivanov 2016-06-22 18:08:56 UTC 
The DC1 on Samba 4.4.4 fails to replicate full DC=foo,DC=bar,DC=com from PDC1 Windows 2003 Server.

[root@dc1 etc]# samba-tool drs replicate dc1 pdc1 DC=foo,DC=bar,DC=com --full-sync -d 9

../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12
     drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
        out: struct drsuapi_DsReplicaSync
            result                   : WERR_BAD_NET_RESP
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 350, in run
    drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)


Meanwhile,

"samba-tool drs replicate dc1 pdc1 DC=foo,DC=bar,DC=com" completes successfully.

-----
CentOS 7
Linux dc1.foo.bar.com 3.10.0-327.18.2.el7.x86_64 #1 SMP Thu May 12 11:03:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Comment 1 Arcadiy Ivanov 2016-06-22 18:09:50 UTC 
Both forest and domain are at Windows 2003 level.
Comment 2 Arcadiy Ivanov 2016-06-22 18:24:33 UTC 
Created attachment 12200 [details]
level 99 debug log for the error in question
Comment 3 Andrew Bartlett 2016-06-22 22:38:36 UTC 
I'm pretty sure this is a duplicate, due to DRS replication sizes being clamped at 4MB in the 4.4 code.

*** This bug has been marked as a duplicate of bug 11948 ***
Comment 4 Arcadiy Ivanov 2016-06-23 08:23:24 UTC 
Nope, I applied the patch from 11948, rebuilt samba, kicked the joined DC out, rejoined the domain as a DC. 

Same error.
Comment 5 Arcadiy Ivanov 2016-07-09 07:22:37 UTC 
Updated to v4-4-test (e93603f). Stopped samba, rebuilt, installed, restarted. DCE is gone. Can't see any errors except for spoolss, port 135, naturally, doesn't respond.

No configuration changes. Anything I should have changed?

Jul  9 00:03:23 dc1 systemd: Started LSB: start and stop samba4.
Jul  9 00:03:24 dc1 samba[1600]: [2016/07/09 00:03:24.649898,  0] ../source4/smbd/server.c:481(binary_smbd_main)
Jul  9 00:03:24 dc1 samba[1600]:  samba: using 'standard' process model
Jul  9 00:03:24 dc1 samba[1603]: [2016/07/09 00:03:24.664361,  0] ../source4/rpc_server/dcerpc_server.c:1672(dcesrv_init_context)
Jul  9 00:03:24 dc1 samba[1603]:  dcesrv_init_context: failed to find endpoint server = 'spoolss'
Jul  9 00:03:24 dc1 samba[1603]: [2016/07/09 00:03:24.664936,  0] ../source4/smbd/service_task.c:35(task_server_terminate)
Jul  9 00:03:24 dc1 samba[1603]:  task_server_terminate: [Failed to startup dcerpc server task]
Jul  9 00:03:24 dc1 samba[1603]: [2016/07/09 00:03:24.672630,  0] ../source4/smbd/server.c:211(samba_terminate)
Jul  9 00:03:24 dc1 samba[1603]:  samba_terminate: Failed to startup dcerpc server task
Jul  9 00:03:24 dc1 samba[1600]: [2016/07/09 00:03:24.712117,  0] ../lib/util/become_daemon.c:124(daemon_ready)
Jul  9 00:03:24 dc1 samba[1600]:  STATUS=daemon 'samba' finished starting up and ready to serve connections
Jul  9 00:03:24 dc1 winbindd[1615]: [2016/07/09 00:03:24.803268,  0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
Jul  9 00:03:24 dc1 winbindd[1615]:  initialize_winbindd_cache: clearing cache and re-creating with version number 2
Jul  9 00:03:25 dc1 winbindd[1615]: [2016/07/09 00:03:25.327058,  0] ../lib/util/become_daemon.c:124(daemon_ready)
Jul  9 00:03:25 dc1 winbindd[1615]:  STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Jul  9 00:03:25 dc1 winbindd[1618]: [2016/07/09 00:03:25.351529,  0] ../source3/winbindd/winbindd_cm.c:1840(wb_open_internal_pipe)
Jul  9 00:03:25 dc1 winbindd[1618]:  open_internal_pipe: Could not connect to dssetup pipe: NT_STATUS_UNSUCCESSFUL
Jul  9 00:03:25 dc1 winbindd[1618]: [2016/07/09 00:03:25.352272,  0] ../source3/winbindd/winbindd_cm.c:1840(wb_open_internal_pipe)
Jul  9 00:03:25 dc1 winbindd[1618]:  open_internal_pipe: Could not connect to lsarpc pipe: NT_STATUS_UNSUCCESSFUL
Jul  9 00:03:25 dc1 winbindd[1618]: [2016/07/09 00:03:25.353536,  0] ../source3/winbindd/winbindd_cm.c:1840(wb_open_internal_pipe)
Jul  9 00:03:25 dc1 winbindd[1618]:  open_internal_pipe: Could not connect to dssetup pipe: NT_STATUS_UNSUCCESSFUL
Jul  9 00:03:25 dc1 winbindd[1618]: [2016/07/09 00:03:25.354265,  0] ../source3/winbindd/winbindd_cm.c:1840(wb_open_internal_pipe)
Jul  9 00:03:25 dc1 winbindd[1618]:  open_internal_pipe: Could not connect to lsarpc pipe: NT_STATUS_UNSUCCESSFUL
Jul  9 00:03:25 dc1 winbindd[1618]: [2016/07/09 00:03:25.354948,  0] ../source3/winbindd/winbindd_cm.c:1840(wb_open_internal_pipe)
Jul  9 00:03:25 dc1 winbindd[1618]:  open_internal_pipe: Could not connect to lsarpc pipe: NT_STATUS_UNSUCCESSFUL
Jul  9 00:03:25 dc1 smbd[1604]: [2016/07/09 00:03:25.423988,  0] ../lib/util/become_daemon.c:124(daemon_ready)
Jul  9 00:03:25 dc1 smbd[1604]:  STATUS=daemon 'smbd' finished starting up and ready to serve connections
Comment 6 Andrew Bartlett 2016-07-09 08:09:07 UTC 
(In reply to Arcadiy Ivanov from comment #5)
This last log relates to an unrelated issue, a regression in bug 11991
Comment 7 Arcadiy Ivanov 2016-07-10 01:32:36 UTC 
Just got v4-4-stable (fb3e629). The regression you mentioned is not present. The error described in this bug appears to be gone now. I will continue testing and will let you know.
Comment 8 Arcadiy Ivanov 2016-07-10 01:52:47 UTC 
Spoke too soon (tested full replication with the wrong NS). Full-sync replication of the domain NS still results in the below error:

GSSAPI Connection will be cryptographically signed
     drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
        in: struct drsuapi_DsReplicaSync
            bind_handle              : *
                bind_handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : 70bbf606-0778-4d33-88b5-4aea5b8fa60d
            level                    : 0x00000001 (1)
            req                      : *
                req                      : union drsuapi_DsReplicaSyncRequest(case 1)
                req1: struct drsuapi_DsReplicaSyncRequest1
                    naming_context           : *
                        naming_context: struct drsuapi_DsReplicaObjectIdentifier
                            __ndr_size               : 0x0000006c (108)
                            __ndr_size_sid           : 0x00000000 (0)
                            guid                     : 00000000-0000-0000-0000-000000000000
                            sid                      : S-0-0
                            __ndr_size_dn            : 0x00000019 (25)
                            dn                       : 'dc=foo,dc=bar,dc=com'
                    source_dsa_guid          : 0f255ec4-0072-4121-b424-e0718bdc7ec6
                    source_dsa_dns           : NULL
                    options                  : 0x00008010 (32784)
                           0: DRSUAPI_DRS_ASYNC_OP     
                           0: DRSUAPI_DRS_GETCHG_CHECK 
                           0: DRSUAPI_DRS_UPDATE_NOTIFICATION
                           0: DRSUAPI_DRS_ADD_REF      
                           0: DRSUAPI_DRS_SYNC_ALL     
                           0: DRSUAPI_DRS_DEL_REF      
                           1: DRSUAPI_DRS_WRIT_REP     
                           0: DRSUAPI_DRS_INIT_SYNC    
                           0: DRSUAPI_DRS_PER_SYNC     
                           0: DRSUAPI_DRS_MAIL_REP     
                           0: DRSUAPI_DRS_ASYNC_REP    
                           0: DRSUAPI_DRS_IGNORE_ERROR 
                           0: DRSUAPI_DRS_TWOWAY_SYNC  
                           0: DRSUAPI_DRS_CRITICAL_ONLY
                           0: DRSUAPI_DRS_GET_ANC      
                           0: DRSUAPI_DRS_GET_NC_SIZE  
                           0: DRSUAPI_DRS_LOCAL_ONLY   
                           0: DRSUAPI_DRS_NONGC_RO_REP 
                           0: DRSUAPI_DRS_SYNC_BYNAME  
                           0: DRSUAPI_DRS_REF_OK       
                           1: DRSUAPI_DRS_FULL_SYNC_NOW
                           1: DRSUAPI_DRS_NO_SOURCE    
                           0: DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS
                           0: DRSUAPI_DRS_FULL_SYNC_PACKET
                           0: DRSUAPI_DRS_SYNC_REQUEUE 
                           0: DRSUAPI_DRS_SYNC_URGENT  
                           0: DRSUAPI_DRS_REF_GCSPN    
                           0: DRSUAPI_DRS_NO_DISCARD   
                           0: DRSUAPI_DRS_NEVER_SYNCED 
                           0: DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING
                           0: DRSUAPI_DRS_INIT_SYNC_NOW
                           0: DRSUAPI_DRS_PREEMPTED    
                           0: DRSUAPI_DRS_SYNC_FORCED  
                           0: DRSUAPI_DRS_DISABLE_AUTO_SYNC
                           0: DRSUAPI_DRS_DISABLE_PERIODIC_SYNC
                           0: DRSUAPI_DRS_USE_COMPRESSION
                           0: DRSUAPI_DRS_NEVER_NOTIFY 
                           0: DRSUAPI_DRS_SYNC_PAS     
                           0: DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP
rpc request data:
[0000] 00 00 00 00 06 F6 BB 70   78 07 33 4D 88 B5 4A EA   .......p x.3M..J.
[0010] 5B 8F A6 0D 01 00 00 00   01 00 00 00 F1 AE F1 AE   [....... ........
[0020] C4 5E 25 0F 72 00 21 41   B4 24 E0 71 8B DC 7E C6   .^%.r.!A .$.q..~.
[0030] 00 00 00 00 10 80 00 00   1A 00 00 00 6C 00 00 00   ........ ....l...
[0040] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0050] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0060] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0070] 19 00 00 00 64 00 63 00   3D 00 68 00 6F 00 6D 00   ....d.c. =.h.o.m.
[0080] 65 00 2C 00 64 00 63 00   3D 00 69 00 76 00 61 00   e.,.d.c. =.i.v.a.
[0090] 6E 00 6F 00 76 00 79 00   2C 00 64 00 63 00 3D 00   n.o.v.y. ,.d.c.=.
[00A0] 6E 00 65 00 74 00 00 00                             n.e.t... 
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x21133d0
s4_tevent: Added timed event "dcerpc_timeout_handler": 0x215b1c0
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x21133d0
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x21133d0
Sealed 176 bytes, and got 76 bytes header/signature.
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x2160bc0
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x21133d0
s4_tevent: Run immediate event "tevent_req_trigger": 0x2160bc0
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x2160890
s4_tevent: Run immediate event "tevent_req_trigger": 0x2160890
../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12
Unsealed 16 bytes, with 76 bytes header/signature.
s4_tevent: Destroying timer event 0x215b1c0 "dcerpc_timeout_handler"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x215d4f0
s4_tevent: Run immediate event "tevent_req_trigger": 0x215d4f0
     drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
        out: struct drsuapi_DsReplicaSync
            result                   : WERR_BAD_NET_RESP
rpc reply data:
[0000] 3A 00 00 00                                        :... 
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 350, in run
    drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
Comment 9 Arcadiy Ivanov 2016-07-10 02:08:31 UTC 
Using `samba-tool ldapcmp ldap://pdc1 ldap://dc1 domain --filter=whenChanged` the userParameters blob for user accounts fail to replicate correctly:

Difference in attribute values:
        userParameters => 
['                                                P\x04\x1a\x08\x01CtxCfgPresent\xe3\x94\xb5\xe6\x94\xb1\xe6\x88\xb0\xe3\x81\xa2\x18\x08\x01CtxCfgFlags1\xe3\x80\xb0\xe3\x81\xa6\xe3\x84\xb2\xe3\x80\xb9\x12\x08\x01CtxShadow\xe3\x80\xb0\xe3\x80\xb0\xe3\x80\xb0\xe3\x80\xb0*\x02\x01CtxMinEncryptionLevel\xe3\x84\xb0']
[' \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00P\x00\x04\x00\x1a\x00\x08\x00\x01\x00C\x00t\x00x\x00C\x00f\x00g\x00P\x00r\x00e\x00s\x00e\x00n\x00t\x00551e0bb0\x18\x00\x08\x00\x01\x00C\x00t\x00x\x00C\x00f\x00g\x00F\x00l\x00a\x00g\x00s\x001\x0000f02190\x12\x00\x08\x00\x01\x00C\x00t\x00x\x00S\x00h\x00a\x00d\x00o\x00w\x0000000000*\x00\x02\x00\x01\x00C\x00t\x00x\x00M\x00i\x00n\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00i\x00o\x00n\x00L\x00e\x00v\x00e\x00l\x0001']
Comment 10 Arcadiy Ivanov 2016-07-21 20:56:49 UTC 
Any progress on this one? Any additional info I need to supply that may be helpful?
Comment 11 Andrew Bartlett 2016-07-28 23:53:58 UTC 
This looks like our long-running userParameters saga.

*** This bug has been marked as a duplicate of bug 8077 ***