Web lists-archives.com

Re: [Samba] self compiled 4.10.3 replication failure.




On Sat, 18 May 2019, Nico Kadel-Garcia wrote:

On Wed, May 15, 2019 at 4:32 PM Tom Diehl via samba
<samba@xxxxxxxxxxxxxxx> wrote:

Hi,

I have a new Centos 7.6 VM that I self compiled 4.10.3 and joined it to an
existing samba AD domain that has 2 existing DCs. One of the existing DCs is
running 4.8.7 and the other is running 4.7.7. Everything looks OK except
that when I run samba-tool drs showrepl on the new DC (VDC4) I get the
following output:

"self-compiled" can include a lot of sins, especially if trying to
place it alongside *or* in place of the provided libraries for tevent,
ldb, tdb, and talloc. Let me point you to my git repo,

Well OK maybe I should have said self compiled using the instructions @ https://wiki.samba.org/index.php/Build_Samba_from_Source#configure and
the package list from https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba#Red_Hat_Enterprise_Linux_7_.2F_CentOS_7_.2F_Scientific_Linux_7
substituting python36-devel for python-devel and adding python32-dns
to get the samba-tool dns module to work. None of the distro samba packages are installed.

TBH, I am guessng about the package list given the change from python2 to python3
as it does not look like the wiki has been updated for 4.10.x.

https:/github.com/nkadel/samba4repo/, with submodules for samba
itself, talloc, tevent, etc., etc. It's built to use the official
upstream tarballs from www.samba.org, not tarballs from *me*, and that
also will give you a good git repo you can use to manage any
compilation options in the ".spec" file.

Is there a way to only build the Centos bits using your git repo? I have no
Fedora machines and so far I have not been successful in getting the above
to build on a Centos 7 VM using the version of Mock supplied by the Centos
project.


I see errors similar to below in the logs:
[2019/05/15 16:19:58.683401,  2] ../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
   ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29465)
[2019/05/15 16:19:58.695818,  2] ../../source4/rpc_server/drsuapi/getncchanges.c:3619(dcesrv_drsuapi_DsGetNCChanges)
   DsGetNCChanges with uSNChanged >= 29465 flags 0x80000064 on <GUID=e9fe6598-6cfe-40dd-b882-33c6bc031517>;DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com gave 2 objects (done 2/2) 0 links (done 0/0 (as S-1-5-21-3052942767-4183929206-737583365-1279))
[2019/05/15 16:20:01.245656,  2] ../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
   Replicated 0 objects (0 linked attributes) for DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
[2019/05/15 16:20:06.260687,  2] ../../source4/dsdb/repl/replicated_objects.c:1061(dsdb_replicated_objects_commit)
   Replicated 2 objects (0 linked attributes) for DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
[2019/05/15 16:20:06.271512,  0] ../../source4/dsdb/repl/drepl_out_helpers.c:1158(dreplsrv_update_refs_done)
   UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for a57c74ed-3343-4497-965d-e7e50a1f84ae._msdcs.kmg.mydomain.com DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com
[2019/05/15 16:20:08.692911,  2] ../../source4/rpc_server/drsuapi/getncchanges.c:1765(getncchanges_collect_objects)
   ../../source4/rpc_server/drsuapi/getncchanges.c:1765: getncchanges on DC=DomainDnsZones,DC=kmg,DC=mydomain,DC=com using filter (uSNChanged>=29467)

Given the above errors this looks like a permissions problem but so far I have not
been able to find it.

Hmm. some classic questions include "is SELinux on", and "which
Kerberos did you use, the supported internal Heimdal Kerberos or the
experimental support for MIT kerberos?

SELinux is in permissive and my configure line is simply ./configure so no MIT
here. IMO no one in their right mind would try to use MIT in production.

Regards,

--
Tom			me@xxxxxxxxxx

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba