Re: [Samba] Replication problems bdc to pdc

On Mon, 11 Dec 2017 14:33:48 +0100
Jiří Knotek via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello,
> 
> Replication from backup Active Directory Domain Controller to primary
> Active Directory Domain Controller does not work, reporting error
> 'WERR_BADFILE'. The reverse works.

You do not have a backup AD DC, or a primary AD DC, you just have two
AD DCs.

> 
>   * Linux: Raspbian, debian stretch lite
>   * Samba version 4.5.12-Debian
>   * DNS: BIND9_DLZ 9.10.x
>   * Installed packages: ntp ntpdate samba smbclient winbind libcups2
>     samba-common cups ldb-tools bind9 bind9utils dnsutils krb5-user
> 
> root@ry11citdc:~# samba-tool drs replicate ry11citsdc ry11citdc 
> dc=ry11cit,dc=local
> Replicate from ry11citdc to ry11citsdc was successful.
> 
> 
> root@ry11citdc:~# samba-tool drs replicate
> ry11citsdc ry11citdc dc=ry11cit,dc=local
> -bash: root@ry11citdc:~#: command not found
> root@ry11citdc:~# samba-tool drs replicate ry11citdc ry11citsdc 
> dc=ry11cit,dc=local
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed
> - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line
> 368, in run
>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
> source_dsa_guid, NC, req_options)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line
> 83, in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
> 

There is something strange here, you seem to be running the commands on
the same DC, the first time it works, then it cannot find the command,
then after you switched the order of the DCs to replicate to & from,
it throws an error.

> First Active Directory Domain Controller:
> 
> krb5.conf:
> 
> [libdefaults]
>      default_realm = RY11CIT.LOCAL
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
> 

You only need the above.

> named.conf:------------------------
> 
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
> 
> named.conf.options:-----------------------
> 
> options {
>      directory "/var/cache/bind";
> 
>      dnssec-validation auto;
> 
>      auth-nxdomain no;    # conform to RFC1035
>      listen-on-v6 { none; };
>      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };

You haven't set any forwarders.

> 
> smb.conf:------------------------------
> 
> # Global parameters
> [global]
>      netbios name = RY11CITDC
>      realm = RY11CIT.LOCAL
>      workgroup = RY11CIT
>      server role = active directory domain controller
> 

Why haven't you got a 'server services' line?
You should have one if you are using Bind9.

> 
> Another (Standby) Active Directory Domain Controller:

What do you mean by 'standby'?

> 
> krb5.conf:
> 
> [libdefaults]
>      default_realm = RY11CIT.LOCAL
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
> 

You only need the above.


> [realms]
> 
> named.conf.options:-----------------------
> 
> options {
>      directory "/var/cache/bind";
> 
>      dnssec-validation auto;
> 
>      auth-nxdomain no;    # conform to RFC1035
>      listen-on-v6 { none; };
>      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
> 

Still no forwarders.

> smb.conf:------------------------------
> 
> # Global parameters
> [global]
>      netbios name = RY11CITSDC
>      realm = RY11CIT.LOCAL
>      workgroup = RY11CIT
> 
>      server role = active directory domain controller
> 

Again there is no 'server services' line.

Finally, I see that you are not aware that using '.local' is a bad
idea.

Rowland
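As an added example that is not part of the thread, here is a small Python check that applies the three points Rowland raises (no 'server services' line for BIND9_DLZ, no forwarders, a '.local' realm) to a DC's smb.conf and named.conf.options. The sample inputs are reconstructed from the quoted configs; the `server services = -dns` form is the usual way to disable Samba's internal DNS when BIND9_DLZ is in use, and the mDNS reason given for '.local' is my addition, not Rowland's wording.

```python
import re

# Constructed sample input modelled on the thread: the poster's smb.conf [global]
# and named.conf.options as quoted (hostnames and the .local realm are from the post).
SMB_CONF = """\
[global]
     netbios name = RY11CITDC
     realm = RY11CIT.LOCAL
     workgroup = RY11CIT
     server role = active directory domain controller
"""
NAMED_CONF_OPTIONS = """\
options {
     directory "/var/cache/bind";
     dnssec-validation auto;
     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
"""

def parse_global(smb_conf):
    """Return the [global] section of an smb.conf as {lower-cased key: value}."""
    params, in_global = {}, False
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def check_dc_config(smb_conf, named_conf_options, bind9_dlz=True):
    """List the problems raised in the thread for this pair of config files."""
    problems, g = [], parse_global(smb_conf)
    # With BIND9_DLZ, Samba's internal DNS server must be switched off, either with
    # 'server services = -dns' or an explicit service list that omits 'dns'.
    tokens = g.get("server services", "").split()
    explicit = bool(tokens) and not any(t[0] in "+-" for t in tokens)
    internal_dns_off = "-dns" in tokens or (explicit and "dns" not in tokens)
    if bind9_dlz and not internal_dns_off:
        problems.append("smb.conf: no 'server services' line disabling the internal "
                        "DNS (expected e.g. 'server services = -dns' with BIND9_DLZ)")
    # Without forwarders the DC can only resolve names it is authoritative for.
    if not re.search(r"\bforwarders\s*\{", named_conf_options):
        problems.append("named.conf.options: no 'forwarders' block")
    # '.local' is reserved for mDNS, so it clashes with AD name resolution.
    if g.get("realm", "").lower().endswith(".local"):
        problems.append("smb.conf: realm ends in '.local', which is reserved for mDNS")
    return problems

if __name__ == "__main__":
    for p in check_dc_config(SMB_CONF, NAMED_CONF_OPTIONS):
        print("WARNING:", p)
```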