Re: [Samba] WERR_BAD_NET_RESP on replication (--full-sync)




What does WERR_BAD_NET_RESP mean? I'm currently upgrading our DCs to 4.8.3 and I've noticed that the off-site DC has a sync problem with the CN=Configuration NC.

The FSMO DC is still on 4.5.5, but all other DCs, including the off-site one, are already on 4.8.3. Trying to sync the off-site DC with one of the updated DCs does not work either.

The WERR_BAD_NET_RESP message already happened under the older version, but I've not seen an impact yet.

Regards,
Vinicius;

On 22/06/2018 10:12, Chris Lewis via samba wrote:
Thanks Garming.

We currently use a standalone bind DNS server. Will the later version of samba work without the integrated DNS backend?

Cheers

Chris



On 21/06/18 23:41, Garming Sam wrote:
Hi,

Many of these syncing problems were solved in Samba 4.7 (and probably a
few more in 4.8). There were a number of unresolved locking issues that
we uncovered as well as some inconsistencies with Windows replication. I
would try to join a DC with one of the latest Samba versions and see if
your problems persist.


Cheers,

Garming


On 21/06/18 21:35, Chris Lewis via samba wrote:
Hello,

We have a Windows 2008 DC (inview-dc1) and a Samba 4.4.16 (inview-dc2)
server as a backup DC.

The system for the most part works OK, but occasionally the Samba DC
goes wildly out of sync (with respect to group membership), normally
after a change to a large group.

I have noted previously that before the out-of-sync event occurs, this
command always fails thus:



root@inview-dc2:~# samba-tool drs replicate inview-dc2 inview-dc1 dc=inview,dc=local --sync-all --full-sync
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')
   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 350, in run
     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
   File "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)



However, immediately after the out-of-sync event occurred the above
command completed with no errors. It did not solve my issue, the
groups remained out of sync. So I then put the groups back together
manually. At some point during this process of adding members back to
groups, the above command started failing again.


Without the --full-sync the command completes OK (always):


root@inview-dc2:~# samba-tool drs replicate inview-dc2 inview-dc1 dc=inview,dc=local --sync-all
Replicate from inview-dc1 to inview-dc2 was successful.



This bug looks to be a similar issue:
https://bugzilla.samba.org/show_bug.cgi?id=11987


Any ideas what might be going on here?


Thanks in advance


Chris Lewis




PS Here is the full debug of the failing command:

root@inview-dc2:~# samba-tool drs replicate inview-dc2.inview.local inview-dc1.inview.local dc=inview,dc=local --sync-all --full-sync  -d 8
INFO: Current debug levels:
   all: 8
   tdb: 8
   printdrivers: 8
   lanman: 8
   smb: 8
   rpc_parse: 8
   rpc_srv: 8
   rpc_cli: 8
   passdb: 8
   sam: 8
   auth: 8
   winbind: 8
   vfs: 8
   idmap: 8
   quota: 8
   acls: 8
   locking: 8
   msdfs: 8
   dmapi: 8
   registry: 8
   scavenger: 8
   dns: 8
   ldb: 8
   tevent: 8
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
Module 'tombstone_reanimate' is disabled. Skip registration.ldb_wrap
open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:inview-dc2.inview.local[,seal,print]
Mapped to DCERPC endpoint 135
added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
netmask=255.255.255.0
added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name
inview-dc2.inview.local<0x20>
startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts.
Error was No such file or directory
Mapped to DCERPC endpoint 1024
added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
netmask=255.255.255.0
added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name
inview-dc2.inview.local<0x20>
startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts.
Error was No such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 207
Received smb_krb5 packet of length 1365
Received smb_krb5 packet of length 1290
Received smb_krb5 packet of length 1312
../librpc/rpc/dcerpc_util.c:234: auth_pad_length 0
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
../librpc/rpc/dcerpc_util.c:234: auth_pad_length 0
      drsuapi_DsBind: struct drsuapi_DsBind
         in: struct drsuapi_DsBind
             bind_guid                : *
                 bind_guid                :
e24d201a-4fd6-11d1-a3da-0000f875ae0d
             bind_info                : *
                 bind_info: struct drsuapi_DsBindInfoCtr
                     length                   : 0x0000001c (28)
                     __ndr_length             : 0x0000001c (28)
                     info                     : union
drsuapi_DsBindInfo(case 28)
                     info28: struct drsuapi_DsBindInfo28
                         supported_extensions     : 0x0fefff7f (267386751)
                                1: DRSUAPI_SUPPORTED_EXTENSION_BASE
                                1:
DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
                                1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
                                1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
                                1:
DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
                                1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
                                1:
DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
                                0: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY
                                1: DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
                                1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
                                1:
DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
                                1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
                                1:
DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
                                1: DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
                                1:
DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
                                1:
DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
                                1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
                                1:
DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
                                1:
DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
                                1: DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
                                0:
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5
                                1:
DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
                                1:
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
                                1:
DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
                                1:
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
                                1:
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
                                1:
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
                                1:
DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
                                1:
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
                                1:
DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
                                0:
DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
                                0:
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10
                                0:
DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2
                                0:
DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3
                         site_guid                :
00000000-0000-0000-0000-000000000000
                         pid                      : 0x00000000 (0)
                         repl_epoch               : 0x00000000 (0)
../librpc/rpc/dcerpc_util.c:234: auth_pad_length 0
      drsuapi_DsBind: struct drsuapi_DsBind
         out: struct drsuapi_DsBind
             bind_info                : *
                 bind_info: struct drsuapi_DsBindInfoCtr
                     length                   : 0x0000001c (28)
                     __ndr_length             : 0x0000001c (28)
                     info                     : union
drsuapi_DsBindInfo(case 28)
                     info28: struct drsuapi_DsBindInfo28
                         supported_extensions     : 0x2fffff6f (805306223)
                                1: DRSUAPI_SUPPORTED_EXTENSION_BASE
                                1:
DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
                                1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
                                1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
                                0:
DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
                                1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
                                1:
DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
                                0: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY
                                1: DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
                                1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
                                1:
DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
                                1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
                                1:
DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
                                1: DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
                                1:
DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
                                1:
DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
                                1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
                                1:
DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
                                1:
DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
                                1: DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
                                1:
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5
                                1:
DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
                                1:
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
                                1:
DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
                                1:
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
                                1:
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
                                1:
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
                                1:
DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
                                1:
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
                                1:
DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
                                0:
DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
                                1:
DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10
                                0:
DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2
                                0:
DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3
                         site_guid                :
229f5470-27e6-4f0f-994b-4073a5fc4dc5
                         pid                      : 0x00000000 (0)
                         repl_epoch               : 0x00000000 (0)
             bind_handle              : *
                 bind_handle: struct policy_handle
                     handle_type              : 0x00000000 (0)
                     uuid                     :
aba489c0-92cd-4a95-ba59-04b765e37884
             result                   : WERR_OK
lpcfg_servicenumber: couldn't find ldb
added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
netmask=255.255.255.0
added interface eth0 ip=10.1.100.30 bcast=10.1.100.255
netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name
inview-dc2.inview.local<0x20>
startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts.
Error was No such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for INVIEW-DC2$@INVIEW.LOCAL will expire in 36000 secs
Received smb_krb5 packet of length 1290
Received smb_krb5 packet of length 1312
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
      drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
         in: struct drsuapi_DsReplicaSync
             bind_handle              : *
                 bind_handle: struct policy_handle
                     handle_type              : 0x00000000 (0)
                     uuid                     :
aba489c0-92cd-4a95-ba59-04b765e37884
             level                    : 0x00000001 (1)
             req                      : *
                 req                      : union
drsuapi_DsReplicaSyncRequest(case 1)
                 req1: struct drsuapi_DsReplicaSyncRequest1
                     naming_context           : *
                         naming_context: struct
drsuapi_DsReplicaObjectIdentifier
                             __ndr_size               : 0x0000005e (94)
                             __ndr_size_sid           : 0x00000000 (0)
                             guid                     :
00000000-0000-0000-0000-000000000000
                             sid                      : S-0-0
                             __ndr_size_dn            : 0x00000012 (18)
                             dn                       :
'dc=inview,dc=local'
                     source_dsa_guid          :
8be331d4-be37-43d6-9593-2ea1d095d504
                     source_dsa_dns           : NULL
                     options                  : 0x00008018 (32792)

                            0: DRSUAPI_DRS_ASYNC_OP
                            0: DRSUAPI_DRS_GETCHG_CHECK
                            0: DRSUAPI_DRS_UPDATE_NOTIFICATION
                            0: DRSUAPI_DRS_ADD_REF
                            1: DRSUAPI_DRS_SYNC_ALL
                            1: DRSUAPI_DRS_DEL_REF
                            1: DRSUAPI_DRS_WRIT_REP
                            0: DRSUAPI_DRS_INIT_SYNC
                            0: DRSUAPI_DRS_PER_SYNC
                            0: DRSUAPI_DRS_MAIL_REP
                            0: DRSUAPI_DRS_ASYNC_REP
                            0: DRSUAPI_DRS_IGNORE_ERROR
                            0: DRSUAPI_DRS_TWOWAY_SYNC
                            0: DRSUAPI_DRS_CRITICAL_ONLY
                            0: DRSUAPI_DRS_GET_ANC
                            0: DRSUAPI_DRS_GET_NC_SIZE
                            0: DRSUAPI_DRS_LOCAL_ONLY
                            0: DRSUAPI_DRS_NONGC_RO_REP
                            0: DRSUAPI_DRS_SYNC_BYNAME
                            0: DRSUAPI_DRS_REF_OK
                            1: DRSUAPI_DRS_FULL_SYNC_NOW
                            1: DRSUAPI_DRS_NO_SOURCE
                            0: DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS
                            0: DRSUAPI_DRS_FULL_SYNC_PACKET
                            0: DRSUAPI_DRS_SYNC_REQUEUE
                            0: DRSUAPI_DRS_SYNC_URGENT
                            0: DRSUAPI_DRS_REF_GCSPN
                            0: DRSUAPI_DRS_NO_DISCARD
                            0: DRSUAPI_DRS_NEVER_SYNCED
                            0: DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING
                            0: DRSUAPI_DRS_INIT_SYNC_NOW
                            0: DRSUAPI_DRS_PREEMPTED
                            0: DRSUAPI_DRS_SYNC_FORCED
                            0: DRSUAPI_DRS_DISABLE_AUTO_SYNC
                            0: DRSUAPI_DRS_DISABLE_PERIODIC_SYNC
                            0: DRSUAPI_DRS_USE_COMPRESSION
                            0: DRSUAPI_DRS_NEVER_NOTIFY
                            0: DRSUAPI_DRS_SYNC_PAS
                            0: DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP
../librpc/rpc/dcerpc_util.c:234: auth_pad_length 12
      drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
         out: struct drsuapi_DsReplicaSync
             result                   : WERR_BAD_NET_RESP
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')
   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 350, in run
     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
   File "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)










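An added example, not part of the thread and not Samba's own code: a small Python parser for the level-8 samba-tool dump format quoted above, which pairs each reply whose result is not WERR_OK with the flag bitmaps of the request that produced it. The sample input is a constructed excerpt of that dump, and the function names unwrap and failed_calls are hypothetical.

```python
import re

# Constructed excerpt, abridged from the level-8 dump quoted in this thread;
# the mail client's line break after "1:" is kept on purpose.
SAMPLE = """\
     drsuapi_DsBind: struct drsuapi_DsBind
        out: struct drsuapi_DsBind
             result                   : WERR_OK
     drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
        in: struct drsuapi_DsReplicaSync
                     options                  : 0x00008018 (32792)
                            0: DRSUAPI_DRS_ASYNC_OP
                            1: DRSUAPI_DRS_SYNC_ALL
                            1: DRSUAPI_DRS_WRIT_REP
                            1:
DRSUAPI_DRS_FULL_SYNC_NOW
     drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
        out: struct drsuapi_DsReplicaSync
             result                   : WERR_BAD_NET_RESP
"""

DIR_RE = re.compile(r"^\s*(in|out): struct (\w+)\s*$")
FLAG_RE = re.compile(r"^\s*([01]): (\w+)\s*$")
FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(\S+)")

def unwrap(text):
    """Rejoin lines that the mail client broke after a trailing ':'."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = f"{pending} {raw.strip()}" if pending else raw.rstrip()
        pending = line if line.endswith(":") else ""
        if not pending:
            lines.append(line)
    return lines + ([pending] if pending else [])

def failed_calls(text):
    """Return every RPC whose reply is not WERR_OK, with its request bitmaps."""
    seen, failures, bitmap = {}, [], None
    cur = {"call": None, "dir": None, "bitmaps": {}}  # placeholder before first call
    for line in unwrap(text):
        m = DIR_RE.match(line)
        if m:  # start of the "in" or "out" half of an RPC
            cur, bitmap = {"call": m.group(2), "dir": m.group(1), "bitmaps": {}}, None
            seen[(cur["call"], cur["dir"])] = cur
            continue
        m = FLAG_RE.match(line)
        if m and bitmap:  # "1: NAME" / "0: NAME" under the last hex field
            entry = cur["bitmaps"].setdefault(bitmap[0], {"value": bitmap[1], "set": []})
            if m.group(1) == "1":
                entry["set"].append(m.group(2))
            continue
        m = FIELD_RE.match(line)
        name, value = m.groups() if m else ("", "")
        if value.startswith("0x"):
            bitmap = (name, int(value, 16))
        elif name == "result" and cur["dir"] == "out" and value != "WERR_OK":
            request = seen.get((cur["call"], "in"), {"bitmaps": {}})
            failures.append({"call": cur["call"], "result": value, "request": request["bitmaps"]})
    return failures
```

Run over a dump saved to a file, failed_calls(open(path).read()) gives the failing call and the request flags that were set, which makes it easy to compare a --full-sync run against one without it.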