Web lists-archives.com

[Samba] WERR_BAD_NET_RESP on replication (--full-sync)




Hello,

We have a Windows 2008 DC (inview-dc1 and a samba 4.4.16 (inview-dc2) server as a backup DC.

The system for the most-part works OK, but occasionally the Samba DC goes wildly out of sync (with respect to group membership), normally after a change to a large group.

I have noted previously before the out-of-sync event occurs, this command always fails thus :



root@inview-dc2:~# samba-tool drs replicate inview-dc2 inview-dc1 dc=inview,dc=local --sync-all --full-sync ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 350, in run     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)   File "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)



However immediately after the out-of-sync event occurred the above command completed with no errors. It did not solve my issue, the groups remained out of sync. So I then put the groups back together manually. At some point during this process of adding members back to groups, the  abovec ommand start failing again.


Without the --full sync the command completes OK (always):


root@inview-dc2:~# samba-tool drs replicate inview-dc2 inview-dc1 dc=inview,dc=local --sync-all
Replicate from inview-dc1 to inview-dc2 was successful.



This bug looks to be a similar issue:
https://bugzilla.samba.org/show_bug.cgi?id=11987


Any ideas what might be going on here?


Thanks in advance


Chris Lewis




PS Here is the full debug of the failing command:

root@inview-dc2:~# samba-tool drs replicate inview-dc2.inview.local inview-dc1.inview.local dc=inview,dc=local --sync-all --full-sync  -d 8
INFO: Current debug levels:
  all: 8
  tdb: 8
  printdrivers: 8
  lanman: 8
  smb: 8
  rpc_parse: 8
  rpc_srv: 8
  rpc_cli: 8
  passdb: 8
  sam: 8
  auth: 8
  winbind: 8
  vfs: 8
  idmap: 8
  quota: 8
  acls: 8
  locking: 8
  msdfs: 8
  dmapi: 8
  registry: 8
  scavenger: 8
  dns: 8
  ldb: 8
  tevent: 8
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
Module 'tombstone_reanimate' is disabled. Skip registration.ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:inview-dc2.inview.local[,seal,print]
Mapped to DCERPC endpoint 135
added interface eth0 ip=10.1.100.30 bcast=10.1.100.255 netmask=255.255.255.0
added interface eth0 ip=10.1.100.30 bcast=10.1.100.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name inview-dc2.inview.local<0x20> startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts. Error was No such file or directory
Mapped to DCERPC endpoint 1024
added interface eth0 ip=10.1.100.30 bcast=10.1.100.255 netmask=255.255.255.0
added interface eth0 ip=10.1.100.30 bcast=10.1.100.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name inview-dc2.inview.local<0x20> startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts. Error was No such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 207
Received smb_krb5 packet of length 1365
Received smb_krb5 packet of length 1290
Received smb_krb5 packet of length 1312
../librpc/rpc/dcerpc_util.c:234: auth_pad_length 0
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
../librpc/rpc/dcerpc_util.c:234: auth_pad_length 0
     drsuapi_DsBind: struct drsuapi_DsBind
        in: struct drsuapi_DsBind
            bind_guid                : *
                bind_guid                : e24d201a-4fd6-11d1-a3da-0000f875ae0d
            bind_info                : *
                bind_info: struct drsuapi_DsBindInfoCtr
                    length                   : 0x0000001c (28)
                    __ndr_length             : 0x0000001c (28)
                    info                     : union drsuapi_DsBindInfo(case 28)
                    info28: struct drsuapi_DsBindInfo28
                        supported_extensions     : 0x0fefff7f (267386751)
                               1: DRSUAPI_SUPPORTED_EXTENSION_BASE
                               1: DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
                               1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
                               1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
                               1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
                               1: DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
                               0: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY
                               1: DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
                               1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
                               1: DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
                               1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
                               1: DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
                               1: DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
                               1: DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
                               1: DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
                               1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
                               1: DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP                                1: DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
                               1: DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
                               0: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5
                               1: DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
                               1: DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5                                1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6                                1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3                                1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
                               1: DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
                               0: DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
                               0: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10
                               0: DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2                                0: DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3                         site_guid                : 00000000-0000-0000-0000-000000000000
                        pid                      : 0x00000000 (0)
                        repl_epoch               : 0x00000000 (0)
../librpc/rpc/dcerpc_util.c:234: auth_pad_length 0
     drsuapi_DsBind: struct drsuapi_DsBind
        out: struct drsuapi_DsBind
            bind_info                : *
                bind_info: struct drsuapi_DsBindInfoCtr
                    length                   : 0x0000001c (28)
                    __ndr_length             : 0x0000001c (28)
                    info                     : union drsuapi_DsBindInfo(case 28)
                    info28: struct drsuapi_DsBindInfo28
                        supported_extensions     : 0x2fffff6f (805306223)
                               1: DRSUAPI_SUPPORTED_EXTENSION_BASE
                               1: DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
                               1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
                               1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
                               0: DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
                               1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
                               1: DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
                               0: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY
                               1: DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
                               1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
                               1: DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
                               1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
                               1: DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
                               1: DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
                               1: DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
                               1: DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
                               1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
                               1: DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP                                1: DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
                               1: DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5
                               1: DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
                               1: DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5                                1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6                                1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3                                1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
                               1: DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
                               0: DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10
                               0: DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2                                0: DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3                         site_guid                : 229f5470-27e6-4f0f-994b-4073a5fc4dc5
                        pid                      : 0x00000000 (0)
                        repl_epoch               : 0x00000000 (0)
            bind_handle              : *
                bind_handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : aba489c0-92cd-4a95-ba59-04b765e37884
            result                   : WERR_OK
lpcfg_servicenumber: couldn't find ldb
added interface eth0 ip=10.1.100.30 bcast=10.1.100.255 netmask=255.255.255.0
added interface eth0 ip=10.1.100.30 bcast=10.1.100.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name inview-dc2.inview.local<0x20> startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts. Error was No such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for INVIEW-DC2$@INVIEW.LOCAL will expire in 36000 secs
Received smb_krb5 packet of length 1290
Received smb_krb5 packet of length 1312
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
     drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
        in: struct drsuapi_DsReplicaSync
            bind_handle              : *
                bind_handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : aba489c0-92cd-4a95-ba59-04b765e37884
            level                    : 0x00000001 (1)
            req                      : *
                req                      : union drsuapi_DsReplicaSyncRequest(case 1)
                req1: struct drsuapi_DsReplicaSyncRequest1
                    naming_context           : *
                        naming_context: struct drsuapi_DsReplicaObjectIdentifier
                            __ndr_size               : 0x0000005e (94)
                            __ndr_size_sid           : 0x00000000 (0)
                            guid                     : 00000000-0000-0000-0000-000000000000
                            sid                      : S-0-0
                            __ndr_size_dn            : 0x00000012 (18)
                            dn                       : 'dc=inview,dc=local'
                    source_dsa_guid          : 8be331d4-be37-43d6-9593-2ea1d095d504
                    source_dsa_dns           : NULL
                    options                  : 0x00008018 (32792)
                           0: DRSUAPI_DRS_ASYNC_OP
                           0: DRSUAPI_DRS_GETCHG_CHECK
                           0: DRSUAPI_DRS_UPDATE_NOTIFICATION
                           0: DRSUAPI_DRS_ADD_REF
                           1: DRSUAPI_DRS_SYNC_ALL
                           1: DRSUAPI_DRS_DEL_REF
                           1: DRSUAPI_DRS_WRIT_REP
                           0: DRSUAPI_DRS_INIT_SYNC
                           0: DRSUAPI_DRS_PER_SYNC
                           0: DRSUAPI_DRS_MAIL_REP
                           0: DRSUAPI_DRS_ASYNC_REP
                           0: DRSUAPI_DRS_IGNORE_ERROR
                           0: DRSUAPI_DRS_TWOWAY_SYNC
                           0: DRSUAPI_DRS_CRITICAL_ONLY
                           0: DRSUAPI_DRS_GET_ANC
                           0: DRSUAPI_DRS_GET_NC_SIZE
                           0: DRSUAPI_DRS_LOCAL_ONLY
                           0: DRSUAPI_DRS_NONGC_RO_REP
                           0: DRSUAPI_DRS_SYNC_BYNAME
                           0: DRSUAPI_DRS_REF_OK
                           1: DRSUAPI_DRS_FULL_SYNC_NOW
                           1: DRSUAPI_DRS_NO_SOURCE
                           0: DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS
                           0: DRSUAPI_DRS_FULL_SYNC_PACKET
                           0: DRSUAPI_DRS_SYNC_REQUEUE
                           0: DRSUAPI_DRS_SYNC_URGENT
                           0: DRSUAPI_DRS_REF_GCSPN
                           0: DRSUAPI_DRS_NO_DISCARD
                           0: DRSUAPI_DRS_NEVER_SYNCED
                           0: DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING
                           0: DRSUAPI_DRS_INIT_SYNC_NOW
                           0: DRSUAPI_DRS_PREEMPTED
                           0: DRSUAPI_DRS_SYNC_FORCED
                           0: DRSUAPI_DRS_DISABLE_AUTO_SYNC
                           0: DRSUAPI_DRS_DISABLE_PERIODIC_SYNC
                           0: DRSUAPI_DRS_USE_COMPRESSION
                           0: DRSUAPI_DRS_NEVER_NOTIFY
                           0: DRSUAPI_DRS_SYNC_PAS
                           0: DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP
../librpc/rpc/dcerpc_util.c:234: auth_pad_length 12
     drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
        out: struct drsuapi_DsReplicaSync
            result                   : WERR_BAD_NET_RESP
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 350, in run     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)   File "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)








--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba