
[Samba] self compiled 4.10.3 replication failure.




Hi,

I have a new CentOS 7.6 VM on which I self-compiled 4.10.3 and joined it to an
existing Samba AD domain that has 2 existing DCs. One of the existing DCs is
running 4.8.7 and the other is running 4.7.7. Everything looks OK except
that when I run samba-tool drs showrepl on the new DC (VDC4) I get the
following output:

(vdc4 pts4) # samba-tool drs showrepl
Default-First-Site-Name\VDC4
DSA Options: 0x00000001
DSA object GUID: a57c74ed-3343-4497-965d-e7e50a1f84ae
DSA invocationId: 1f0384bb-1f0b-4d8f-a498-d7b02ae53930

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC1 via RPC
                DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                Last attempt @ Wed May 15 16:05:17 2019 EDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                168 consecutive failure(s).
                Last success @ Wed May 15 16:05:17 2019 EDT

CN=Configuration,DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC2 via RPC
                DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                Last attempt @ Wed May 15 16:05:17 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Wed May 15 16:05:17 2019 EDT

CN=Schema,CN=Configuration,DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC1 via RPC
                DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                Last attempt @ Wed May 15 16:05:17 2019 EDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                167 consecutive failure(s).
                Last success @ Wed May 15 16:05:17 2019 EDT

CN=Schema,CN=Configuration,DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC2 via RPC
                DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                Last attempt @ Wed May 15 16:05:17 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Wed May 15 16:05:17 2019 EDT

DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC1 via RPC
                DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                Last attempt @ Wed May 15 16:05:17 2019 EDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                351 consecutive failure(s).
                Last success @ Wed May 15 16:05:17 2019 EDT

DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC2 via RPC
                DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                Last attempt @ Wed May 15 16:05:17 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Wed May 15 16:05:17 2019 EDT

DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC1 via RPC
                DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                Last attempt @ Wed May 15 16:09:25 2019 EDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                4603 consecutive failure(s).
                Last success @ Wed May 15 16:09:25 2019 EDT

DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC2 via RPC
                DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                Last attempt @ Wed May 15 16:09:25 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Wed May 15 16:09:25 2019 EDT

DC=ForestDnsZones,DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC1 via RPC
                DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                Last attempt @ Wed May 15 16:05:17 2019 EDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                168 consecutive failure(s).
                Last success @ Wed May 15 16:05:17 2019 EDT

DC=ForestDnsZones,DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC2 via RPC
                DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                Last attempt @ Wed May 15 16:05:17 2019 EDT was successful
                0 consecutive failure(s).
                Last success @ Wed May 15 16:05:17 2019 EDT

==== OUTBOUND NEIGHBORS ====

CN=Configuration,DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC1 via RPC
                DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC2 via RPC
                DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC1 via RPC
                DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC2 via RPC
                DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC1 via RPC
                DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC2 via RPC
                DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC1 via RPC
                DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC2 via RPC
                DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC1 via RPC
                DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\VDC2 via RPC
                DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 4b94d656-40a2-49b2-b904-23a5d7074997
        Enabled        : TRUE
        Server DNS name : vdc2.kmg.mydomain.com
        Server DN name  : CN=NTDS Settings,CN=VDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=kmg,DC=mydomain,DC=com
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
        Connection name: 1cde66a3-415d-42ff-84c6-5b90c06ac44d
        Enabled        : TRUE
        Server DNS name : vdc1.kmg.mydomain.com
        Server DN name  : CN=NTDS Settings,CN=VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=kmg,DC=mydomain,DC=com
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
(vdc4 pts4) #

I see errors similar to the ones below in the logs:
[2019/05/15 16:19:58.683401,  2] ../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
  ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29465)
[2019/05/15 16:19:58.695818,  2] ../../source4/rpc_server/drsuapi/getncchanges.c:3619(dcesrv_drsuapi_DsGetNCChanges)
  DsGetNCChanges with uSNChanged >= 29465 flags 0x80000064 on <GUID=e9fe6598-6cfe-40dd-b882-33c6bc031517>;DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com gave 2 objects (done 2/2) 0 links (done 0/0 (as S-1-5-21-3052942767-4183929206-737583365-1279))
[2019/05/15 16:20:01.245656,  2] ../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
  Replicated 0 objects (0 linked attributes) for DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
[2019/05/15 16:20:06.260687,  2] ../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
  Replicated 2 objects (0 linked attributes) for DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
[2019/05/15 16:20:06.271512,  0] ../../source4/dsdb/repl/drepl_out_helpers.c:1158(dreplsrv_update_refs_done)
  UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for a57c74ed-3343-4497-965d-e7e50a1f84ae._msdcs.kmg.mydomain.com DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
[2019/05/15 16:20:08.692911,  2] ../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
  ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29467)

Given the above errors, this looks like a permissions problem, but so far I have not
been able to find it.

Does anyone have any ideas how to troubleshoot this and fix it?

Regards,

--
Tom			me@xxxxxxxxxx
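
As an added example (not part of the original post): a small Python parser for the text output of samba-tool drs showrepl quoted above. It groups failing inbound neighbors by source DC, so a per-partner pattern such as every WERR_DS_DRA_ACCESS_DENIED coming from VDC1 stands out. The function name failing_neighbors and the embedded sample, trimmed from the quoted output, are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: two inbound entries trimmed from the output quoted in the post.
SAMPLE = """\
==== INBOUND NEIGHBORS ====

DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\\VDC1 via RPC
                DSA object GUID: 305ee1a5-0200-4906-812a-ccda899452cc
                Last attempt @ Wed May 15 16:05:17 2019 EDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                351 consecutive failure(s).

DC=kmg,DC=mydomain,DC=com
        Default-First-Site-Name\\VDC2 via RPC
                DSA object GUID: 202b4328-91d7-44e7-84c8-a252b116e420
                Last attempt @ Wed May 15 16:05:17 2019 EDT was successful
                0 consecutive failure(s).

==== OUTBOUND NEIGHBORS ====
"""

SECTION = re.compile(r"^==== (.+) ====$")
PARTNER = re.compile(r"^\s+(.+)\\(\S+) via (\S+)$")      # Site\DC via transport
FAILED = re.compile(r"Last attempt @ .* failed, result (\d+) \((\w+)\)")
COUNT = re.compile(r"^\s+(\d+) consecutive failure\(s\)\.")

def failing_neighbors(text, section="INBOUND NEIGHBORS"):
    """Return {partner DC: [(naming context, WERR name, failure count), ...]}."""
    out = defaultdict(list)
    current = nc = partner = err = None
    for line in text.splitlines():
        if m := SECTION.match(line):
            current = m.group(1)
        elif current != section or not line.strip():
            continue                          # other sections and blank lines
        elif not line[0].isspace():           # unindented line = naming context DN
            nc, partner, err = line.strip(), None, None
        elif m := PARTNER.match(line):
            partner = m.group(2)
        elif m := FAILED.search(line):
            err = m.group(2)
        elif (m := COUNT.match(line)) and err and int(m.group(1)) > 0:
            out[partner].append((nc, err, int(m.group(1))))
    return dict(out)

if __name__ == "__main__":
    for dc, rows in failing_neighbors(SAMPLE).items():
        print(dc, rows)
```

To run it against a live DC, pass the captured output of samba-tool drs showrepl as the text argument in place of SAMPLE.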
