AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging

AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging

Samba - General mailing list
We have 3 ADCs based on Samba-4.7.4 (compiled from source, internal DNS)/
CentOS7: dcdo1, dcnh1 and dcge1. dcge1 holds all FSMO roles. The 3 ADCs
are at different locations connected via an IPSec-based VPN. No traffic is
filtered out.

All 3 ADCs replicate fine except dcdo1 -->dcnh1. Symptom:

[root@dcdo1 ~]# samba-tool drs replicate dcnh1.ad.kdu.com
dcdo1.ad.kdu.com dc=ad,dc=kdu,dc=com
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line
386, in run
     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
source_dsa_guid, NC, req_options)
   File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line
85, in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)

Log on dcdo1:
==============
[2017/12/27 08:20:56.335895,  0]
../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
   ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing
DsReplicaUpdateRefs for sid S-1-5-21-454945863-777199239-1595221609-1112
with GUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76

Log on target DC dcnh1:
==============
[2017/12/27 08:20:55.278559,  5]
../auth/auth_log.c:860(log_successful_authz_event_human_readable)
   Successful AuthZ: [DCE/RPC,ncacn_ip_tcp] user [NT
AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Wed, 27 Dec 2017
08:20:55.278538 CET] Remote host [ipv4:192.168.172.14:36196] local host
[ipv4:192.168.152.15:135]
[2017/12/27 08:20:55.278641,  5] ../auth/auth_log.c:220(log_json)
   JSON Authorization: {"timestamp": "2017-12-27T08:20:55.278587+0100",
"type": "Authorization", "Authorization": {"version": {"major": 1,
"minor": 0}, "localAddress": "ipv4:192.168.152.15:135", "remoteAddress":
"ipv4:192.168.172.14:36196", "serviceDescription": "DCE/RPC",
"authType": "ncacn_ip_tcp", "domain": "NT AUTHORITY", "account":
"ANONYMOUS LOGON", "sid": "S-1-5-7", "logonServer": "DCNH1",
"transportProtection": "NONE", "accountFlags": "0x00000010"}}
[2017/12/27 08:20:55.278660,  3]
../auth/auth_log.c:139(get_auth_event_server)
   get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2017/12/27 08:20:55.337740,  3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2017/12/27 08:20:55.337873,  3]
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2017/12/27 08:20:55.506117,  3]
../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
   ldb_wrap open of secrets.ldb
[2017/12/27 08:20:55.506420,  5]
../auth/gensec/gensec_start.c:739(gensec_start_mech)
   Starting GENSEC mechanism spnego
[2017/12/27 08:20:55.506501,  5]
../auth/gensec/gensec_start.c:739(gensec_start_mech)
   Starting GENSEC submechanism gssapi_krb5
[2017/12/27 08:20:55.536259,  5]
../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update_internal)
   gensec_gssapi: credentials were delegated
[2017/12/27 08:20:55.536320,  5]
../source4/auth/gensec/gensec_gssapi.c:685(gensec_gssapi_update_internal)
   GSSAPI Connection will be cryptographically sealed
[2017/12/27 08:20:55.538591,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL
objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_T\04\00\00
-> 0
[2017/12/27 08:20:55.538644,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL
objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_\04\02\00\00
-> 0
[2017/12/27 08:20:55.538712,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL
objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_<\02\00\00
-> 0
[2017/12/27 08:20:55.538762,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0
[2017/12/27 08:20:55.538819,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0
[2017/12/27 08:20:55.538864,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0
[2017/12/27 08:20:55.538909,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0
[2017/12/27 08:20:55.538967,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL
objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0
[2017/12/27 08:20:55.539029,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL
objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1
[2017/12/27 08:20:55.539087,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL
objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0
[2017/12/27 08:20:55.539289,  4]
../auth/auth_log.c:860(log_successful_authz_event_human_readable)
   Successful AuthZ: [DCE/RPC,krb5] user [AD]\[DCDO1$]
[S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec 2017
08:20:55.539277 CET] Remote host [ipv4:192.168.172.14:57364] local host
[ipv4:192.168.152.15:49152]
[2017/12/27 08:20:55.539359,  4] ../auth/auth_log.c:220(log_json)
   JSON Authorization: {"timestamp": "2017-12-27T08:20:55.539334+0100",
"type": "Authorization", "Authorization": {"version": {"major": 1,
"minor": 0}, "localAddress": "ipv4:192.168.152.15:49152",
"remoteAddress": "ipv4:192.168.172.14:57364", "serviceDescription":
"DCE/RPC", "authType": "krb5", "domain": "AD", "account": "DCDO1$",
"sid": "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer":
"DCDO1", "transportProtection": "SEAL", "accountFlags": "0x00002100"}}
[2017/12/27 08:20:55.539398,  3]
../auth/auth_log.c:139(get_auth_event_server)
   get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2017/12/27 08:20:55.568937,  3]
../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89(dcesrv_drsuapi_DsBind)
   ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89: doing DsBind with
system_session
[2017/12/27 08:20:55.641297,  3]
../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
   ldb_wrap open of secrets.ldb
[2017/12/27 08:20:55.644257,  5]
../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
   ldb_request BASE dn= filter=(|(objectClass=*)(distinguishedName=*))
[2017/12/27 08:20:55.706421,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
[2017/12/27 08:20:55.706573,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
[2017/12/27 08:20:55.706777,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from ipv4:192.168.172.14:48486
for ldap/[hidden email] [canonicalize]
[2017/12/27 08:20:55.708186,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
[2017/12/27 08:20:55.708670,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
[2017/12/27 08:20:55.708795,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
[2017/12/27 08:20:55.709594,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
[2017/12/27 08:20:55.710027,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime:
2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till: unset
[2017/12/27 08:20:55.740222,  3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
   Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2017/12/27 08:20:55.740440,  3]
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2017/12/27 08:20:55.770764,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
[2017/12/27 08:20:55.771034,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
[2017/12/27 08:20:55.771283,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from ipv4:192.168.172.14:48488
for krbtgt/[hidden email] [forwarded, forwardable]
[2017/12/27 08:20:55.771576,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
[2017/12/27 08:20:55.771786,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
[2017/12/27 08:20:55.772103,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
[2017/12/27 08:20:55.772257,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
[2017/12/27 08:20:55.773194,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
[2017/12/27 08:20:55.773691,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime:
2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till: unset
[2017/12/27 08:20:55.804565,  3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
   Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2017/12/27 08:20:55.804774,  3]
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2017/12/27 08:20:55.806137,  5]
../auth/gensec/gensec_start.c:739(gensec_start_mech)
   Starting GENSEC mechanism spnego
[2017/12/27 08:20:55.806296,  5]
../auth/gensec/gensec_start.c:739(gensec_start_mech)
   Starting GENSEC submechanism gssapi_krb5
[2017/12/27 08:20:55.807170,  5]
../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update_internal)
   gensec_gssapi: credentials were delegated
[2017/12/27 08:20:55.807242,  5]
../source4/auth/gensec/gensec_gssapi.c:687(gensec_gssapi_update_internal)
   GSSAPI Connection will be cryptographically signed
[2017/12/27 08:20:55.810168,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL
objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_T\04\00\00
-> 0
[2017/12/27 08:20:55.810265,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL
objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_\04\02\00\00
-> 0
[2017/12/27 08:20:55.810353,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL
objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_<\02\00\00
-> 0
[2017/12/27 08:20:55.810428,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0
[2017/12/27 08:20:55.810507,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0
[2017/12/27 08:20:55.810582,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0
[2017/12/27 08:20:55.810674,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0
[2017/12/27 08:20:55.810745,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL
objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0
[2017/12/27 08:20:55.810826,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL
objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1
[2017/12/27 08:20:55.810901,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
   gendb_search_v: NULL
objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0
[2017/12/27 08:20:55.811125,  4]
../auth/auth_log.c:860(log_successful_authz_event_human_readable)
   Successful AuthZ: [LDAP,krb5] user [AD]\[DCDO1$]
[S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec 2017
08:20:55.811108 CET] Remote host [ipv4:192.168.172.14:56798] local host
[ipv4:192.168.152.15:389]
[2017/12/27 08:20:55.811301,  4] ../auth/auth_log.c:220(log_json)
   JSON Authorization: {"timestamp": "2017-12-27T08:20:55.811228+0100",
"type": "Authorization", "Authorization": {"version": {"major": 1,
"minor": 0}, "localAddress": "ipv4:192.168.152.15:389", "remoteAddress":
"ipv4:192.168.172.14:56798", "serviceDescription": "LDAP", "authType":
"krb5", "domain": "AD", "account": "DCDO1$", "sid":
"S-1-5-21-454945863-777199239-1595221609-1108", "logonServer": "DCDO1",
"transportProtection": "SIGN", "accountFlags": "0x00002100"}}
[2017/12/27 08:20:55.811385,  3]
../auth/auth_log.c:139(get_auth_event_server)
   get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2017/12/27 08:20:55.841539,  5]
../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
   ldb_request BASE dn= filter=(objectClass=*)
[2017/12/27 08:20:55.871177,  5]
../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
   ldb_request SUB dn=CN=Configuration,DC=ad,DC=kdu,DC=com
filter=(&(objectCategory=server)(|(name=dcdo1.ad.kdu.com)(dNSHostName=dcdo1.ad.kdu.com)))
[2017/12/27 08:20:55.902579,  5]
../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
   ldb_request ONE
dn=CN=DCDO1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com
filter=(|(objectCategory=nTDSDSA)(objectCategory=nTDSDSARO))
[2017/12/27 08:20:55.932550,  5]
default/librpc/gen_ndr/ndr_drsuapi_s.c:93(drsuapi__op_dispatch)
   function drsuapi_DsReplicaSync will reply async
[2017/12/27 08:20:55.932676,  3]
../source4/dsdb/repl/drepl_service.c:206(_drepl_schedule_replication)
   _drepl_schedule_replication: forcing sync of partition
(141bbe37-5eda-42b8-b904-0b75e26b1e2d, dc=ad,dc=kdu,dc=com,
1d535613-81fa-435f-ba17-631d5742c775._msdcs.ad.kdu.com)
[2017/12/27 08:20:55.932697,  4]
../source4/dsdb/repl/drepl_periodic.c:187(dreplsrv_pendingops_schedule)
   dreplsrv_pending_schedule(1) scheduled for: Wed Dec 27 08:20:57 2017 CET
[2017/12/27 08:20:56.971645,  4]
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6725(replmd_extended_replicated_objects)
   linked_attributes_count=0
[2017/12/27 08:20:56.971966,  4]
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6561(replmd_replicated_uptodate_modify)
   DRS replication uptodate modify message:
   dn: DC=ad,DC=kdu,DC=com
   changetype: modify
   replace: replUpToDateVector
   -
   replace: repsFrom
   -


[2017/12/27 08:20:56.974912,  2]
../source4/dsdb/repl/replicated_objects.c:1020(dsdb_replicated_objects_commit)
   Replicated 0 objects (0 linked attributes) for DC=ad,DC=kdu,DC=com
[2017/12/27 08:20:57.004974,  0]
../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
   UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105
for 0acce4bc-1193-4609-8e4d-a0771bb6fb76._msdcs.ad.kdu.com
DC=ad,DC=kdu,DC=com
[2017/12/27 08:20:57.005468,  4]
../source4/dsdb/repl/drepl_out_pull.c:181(dreplsrv_pending_op_callback)
   dreplsrv_op_pull_source(WERR_DS_DRA_ACCESS_DENIED) for
DC=ad,DC=kdu,DC=com
[2017/12/27 08:20:57.009507,  5]
default/librpc/gen_ndr/ndr_drsuapi_s.c:389(drsuapi__op_reply)
   function drsuapi_DsReplicaSync replied async
[2017/12/27 08:20:57.053246,  3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2017/12/27 08:20:57.053478,  3]
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2017/12/27 08:20:57.053528,  3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
   Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2017/12/27 08:20:57.053760,  2]
../source4/smbd/process_standard.c:473(standard_terminate)
   standard_terminate: reason[ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2017/12/27 08:20:57.057842,  2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
   Child 900 () exited with status 0

Any hints/ideas very much appreciated ...

Thanks,

Uli


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
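
The refusal logged on dcdo1 and the UpdateRefs failure logged on dcnh1 carry the same DSA GUID, so the two logs can be joined on it. The following is an added example (not part of the original post and not Samba code): a small Python parser for mail-wrapped Samba debug output that correlates both sides. The function names are assumptions of this example, and the sample lines are copied from the logs quoted in this thread.

```python
import re
from collections import defaultdict

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# Samba debug header: "[YYYY/MM/DD HH:MM:SS.usec,  level] file:line(function)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s*(.*)$")
REFUSED = re.compile(r"Refusing DsReplicaUpdateRefs for sid (S-[\d-]+) with GUID (" + GUID + r")")
FAILED = re.compile(r"UpdateRefs failed with (WERR_\w+)/NT code (0x[0-9a-fA-F]+) for ("
                    + GUID + r")\._msdcs\.\S+ (\S+)")
NO_SERVERREF = re.compile(r"Failed to find account dn \(serverReference\) for (\S+?), "
                          r"parent of DSA with objectGUID (" + GUID + r"), sid (S-[\d-]+)")

# Sample input: lines copied from the thread, wrapped as the mail client wrapped them.
SOURCE_LOG_DCDO1 = """\
[2017/12/27 08:20:56.335895,  0]
../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
   ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing
DsReplicaUpdateRefs for sid S-1-5-21-454945863-777199239-1595221609-1112
with GUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76
[2017/12/27 12:31:29.733157,  1]
../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
   ../source4/dsdb/common/util.c:4807: Failed to find account dn
(serverReference) for
CN=DCNH1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com,
parent of DSA with objectGUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76, sid
S-1-5-21-454945863-777199239-1595221609-1112
[2017/12/27 12:31:29.733198,  0]
../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
   ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing
DsReplicaUpdateRefs for sid S-1-5-21-454945863-777199239-1595221609-1112
with GUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76
"""

DEST_LOG_DCNH1 = """\
[2017/12/27 08:20:56.974912,  2]
../source4/dsdb/repl/replicated_objects.c:1020(dsdb_replicated_objects_commit)
   Replicated 0 objects (0 linked attributes) for DC=ad,DC=kdu,DC=com
[2017/12/27 08:20:57.004974,  0]
../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
   UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105
for 0acce4bc-1193-4609-8e4d-a0771bb6fb76._msdcs.ad.kdu.com
DC=ad,DC=kdu,DC=com
"""


def parse_records(text):
    """Split Samba debug output into records, re-joining mail-wrapped lines."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:  # a timestamp header starts a new record
            current = {"time": m.group(1), "level": int(m.group(2)), "text": m.group(3)}
            records.append(current)
        elif current is not None:  # continuation of the current record
            current["text"] = (current["text"] + " " + line).strip()
    return records


def correlate(source_log, dest_log):
    """Join refusals on the source DC with UpdateRefs failures on the pulling DC by DSA GUID."""
    findings = defaultdict(lambda: {"sid": None, "refused": [], "failed": [],
                                    "missing_server_reference": None})
    for rec in parse_records(source_log):
        m = NO_SERVERREF.search(rec["text"])
        if m:
            entry = findings[m.group(2).lower()]
            entry["missing_server_reference"] = m.group(1)
            entry["sid"] = m.group(3)
        m = REFUSED.search(rec["text"])
        if m:
            entry = findings[m.group(2).lower()]
            entry["sid"] = m.group(1)
            entry["refused"].append(rec["time"])
    for rec in parse_records(dest_log):
        m = FAILED.search(rec["text"])
        if m:  # (time, WERR name, NT code, naming context)
            findings[m.group(3).lower()]["failed"].append(
                (rec["time"], m.group(1), m.group(2), m.group(4)))
    return dict(findings)


def diagnose(findings):
    """One summary line per requesting DSA."""
    lines = []
    for guid, f in sorted(findings.items()):
        parts = [f"DSA {guid} (sid {f['sid']}): {len(f['refused'])} refusal(s) on source, "
                 f"{len(f['failed'])} UpdateRefs failure(s) on destination"]
        if f["missing_server_reference"]:
            parts.append("source could not resolve serverReference on "
                         + f["missing_server_reference"])
        lines.append("; ".join(parts))
    return lines


if __name__ == "__main__":
    for line in diagnose(correlate(SOURCE_LOG_DCDO1, DEST_LOG_DCNH1)):
        print(line)
```
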
Re: AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging

Samba - General mailing list
There is additional info in the logs of the source DC (dcdo1, log level
2, manually triggered another replication):
====================
[2017/12/27 12:31:29.695121,  2]
../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)
   ../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on
DC=ad,DC=kdu,DC=com using filter (uSNChanged>=5415)
[2017/12/27 12:31:29.698828,  2]
../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_DsGetNCChanges)
   DsGetNCChanges with uSNChanged >= 5415 flags 0x80000064 on
<GUID=141bbe37-5eda-42b8-b904-0b75e26b1e2d>;<SID=S-1-5-21-454945863-777199239-1595221609>;DC=ad,DC=kdu,DC=com
gave 0 objects (done 0/0) 0 links (done 0/0 (as
S-1-5-21-454945863-777199239-1595221609-1112))
[2017/12/27 12:31:29.733157,  1]
../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
   ../source4/dsdb/common/util.c:4807: Failed to find account dn
(serverReference) for
CN=DCNH1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com,
parent of DSA with objectGUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76, sid
S-1-5-21-454945863-777199239-1595221609-1112
[2017/12/27 12:31:29.733198,  0]
../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
   ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing
DsReplicaUpdateRefs for sid S-1-5-21-454945863-777199239-1595221609-1112
with GUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76

According to what I see in the "Sites and Services" RSAT console the DN
for
CN=DCNH1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com
seems to exist.

Any ideas?

Thanks,

     Uli



On 12/27/2017 09:59 AM, Dr. Johannes-Ulrich Menzebach via samba wrote:

> We have 3 ADCs based on Samba-4.7.4 (compiled from source,internal
> DNS)/ CentOS7: dcdo1,dcnh1 and dcge1. dcge1 holds all FSMO roles. The
> 3 ADCs are on different locations connected via IPSec based VPN. No
> traffic is filtered out.
>
> All 3 ADCs replicate fine except dcdo1 -->dcnh1. Symptom:
>
> [root@dcdo1 ~]# samba-tool drs replicate dcnh1.ad.kdu.com
> dcdo1.ad.kdu.com dc=ad,dc=kdu,dc=com
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line
> 386, in run
>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
> source_dsa_guid, NC, req_options)
>   File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line
> 85, in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
>
> Log on dcdo1:
> ==============
> [2017/12/27 08:20:56.335895,  0]
> ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
>   ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing
> DsReplicaUpdateRefs for sid
> S-1-5-21-454945863-777199239-1595221609-1112 with GUID
> 0acce4bc-1193-4609-8e4d-a0771bb6fb76
>
> Log on target DC dcnh1:
> ==============
> [2017/12/27 08:20:55.278559,  5]
> ../auth/auth_log.c:860(log_successful_authz_event_human_readable)
>   Successful AuthZ: [DCE/RPC,ncacn_ip_tcp] user [NT
> AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Wed, 27 Dec 2017
> 08:20:55.278538 CET] Remote host [ipv4:192.168.172.14:36196] local
> host [ipv4:192.168.152.15:135]
> [2017/12/27 08:20:55.278641,  5] ../auth/auth_log.c:220(log_json)
>   JSON Authorization: {"timestamp": "2017-12-27T08:20:55.278587+0100",
> "type": "Authorization", "Authorization": {"version": {"major": 1,
> "minor": 0}, "localAddress": "ipv4:192.168.152.15:135",
> "remoteAddress": "ipv4:192.168.172.14:36196", "serviceDescription":
> "DCE/RPC", "authType": "ncacn_ip_tcp", "domain": "NT AUTHORITY",
> "account": "ANONYMOUS LOGON", "sid": "S-1-5-7", "logonServer":
> "DCNH1", "transportProtection": "NONE", "accountFlags": "0x00000010"}}
> [2017/12/27 08:20:55.278660,  3]
> ../auth/auth_log.c:139(get_auth_event_server)
>   get_auth_event_server: Failed to find 'auth_event' registered on the
> message bus to send JSON authentication events to:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2017/12/27 08:20:55.337740,  3]
> ../source4/smbd/service_stream.c:65(stream_terminate_connection)
>   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> [2017/12/27 08:20:55.337873,  3]
> ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
> [2017/12/27 08:20:55.506117,  3]
> ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2017/12/27 08:20:55.506420,  5]
> ../auth/gensec/gensec_start.c:739(gensec_start_mech)
>   Starting GENSEC mechanism spnego
> [2017/12/27 08:20:55.506501,  5]
> ../auth/gensec/gensec_start.c:739(gensec_start_mech)
>   Starting GENSEC submechanism gssapi_krb5
> [2017/12/27 08:20:55.536259,  5]
> ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update_internal)
>   gensec_gssapi: credentials were delegated
> [2017/12/27 08:20:55.536320,  5]
> ../source4/auth/gensec/gensec_gssapi.c:685(gensec_gssapi_update_internal)
>   GSSAPI Connection will be cryptographically sealed
> [2017/12/27 08:20:55.538591,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL
> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_T\04\00\00
> -> 0
> [2017/12/27 08:20:55.538644,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL
> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_\04\02\00\00
> -> 0
> [2017/12/27 08:20:55.538712,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL
> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_<\02\00\00
> -> 0
> [2017/12/27 08:20:55.538762,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\09\00\00\00
> -> 0
> [2017/12/27 08:20:55.538819,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\01\00\00\00\00
> -> 0
> [2017/12/27 08:20:55.538864,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\02\00\00\00
> -> 0
> [2017/12/27 08:20:55.538909,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00
> -> 0
> [2017/12/27 08:20:55.538967,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL
> objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0
> [2017/12/27 08:20:55.539029,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL
> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1
> [2017/12/27 08:20:55.539087,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL
> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0
> [2017/12/27 08:20:55.539289,  4]
> ../auth/auth_log.c:860(log_successful_authz_event_human_readable)
>   Successful AuthZ: [DCE/RPC,krb5] user [AD]\[DCDO1$]
> [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec 2017
> 08:20:55.539277 CET] Remote host [ipv4:192.168.172.14:57364] local
> host [ipv4:192.168.152.15:49152]
> [2017/12/27 08:20:55.539359,  4] ../auth/auth_log.c:220(log_json)
>   JSON Authorization: {"timestamp": "2017-12-27T08:20:55.539334+0100",
> "type": "Authorization", "Authorization": {"version": {"major": 1,
> "minor": 0}, "localAddress": "ipv4:192.168.152.15:49152",
> "remoteAddress": "ipv4:192.168.172.14:57364", "serviceDescription":
> "DCE/RPC", "authType": "krb5", "domain": "AD", "account": "DCDO1$",
> "sid": "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer":
> "DCDO1", "transportProtection": "SEAL", "accountFlags": "0x00002100"}}
> [2017/12/27 08:20:55.539398,  3]
> ../auth/auth_log.c:139(get_auth_event_server)
>   get_auth_event_server: Failed to find 'auth_event' registered on the
> message bus to send JSON authentication events to:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2017/12/27 08:20:55.568937,  3]
> ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89(dcesrv_drsuapi_DsBind)
>   ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89: doing DsBind with
> system_session
> [2017/12/27 08:20:55.641297,  3]
> ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2017/12/27 08:20:55.644257,  5]
> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
>   ldb_request BASE dn= filter=(|(objectClass=*)(distinguishedName=*))
> [2017/12/27 08:20:55.706421,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> [2017/12/27 08:20:55.706573,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> [2017/12/27 08:20:55.706777,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from ipv4:192.168.172.14:48486
> for ldap/[hidden email] [canonicalize]
> [2017/12/27 08:20:55.708186,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> [2017/12/27 08:20:55.708670,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> [2017/12/27 08:20:55.708795,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> [2017/12/27 08:20:55.709594,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> [2017/12/27 08:20:55.710027,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime:
> 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till: unset
> [2017/12/27 08:20:55.740222,  3]
> ../source4/smbd/service_stream.c:65(stream_terminate_connection)
>   Terminating connection - 'kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2017/12/27 08:20:55.740440,  3]
> ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> [2017/12/27 08:20:55.770764,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> [2017/12/27 08:20:55.771034,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> [2017/12/27 08:20:55.771283,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from ipv4:192.168.172.14:48488
> for krbtgt/[hidden email] [forwarded, forwardable]
> [2017/12/27 08:20:55.771576,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> [2017/12/27 08:20:55.771786,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> [2017/12/27 08:20:55.772103,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> [2017/12/27 08:20:55.772257,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> [2017/12/27 08:20:55.773194,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> [2017/12/27 08:20:55.773691,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime:
> 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till: unset
> [2017/12/27 08:20:55.804565,  3]
> ../source4/smbd/service_stream.c:65(stream_terminate_connection)
>   Terminating connection - 'kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2017/12/27 08:20:55.804774,  3]
> ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> [2017/12/27 08:20:55.806137,  5]
> ../auth/gensec/gensec_start.c:739(gensec_start_mech)
>   Starting GENSEC mechanism spnego
> [2017/12/27 08:20:55.806296,  5]
> ../auth/gensec/gensec_start.c:739(gensec_start_mech)
>   Starting GENSEC submechanism gssapi_krb5
> [2017/12/27 08:20:55.807170,  5]
> ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update_internal)
>   gensec_gssapi: credentials were delegated
> [2017/12/27 08:20:55.807242,  5]
> ../source4/auth/gensec/gensec_gssapi.c:687(gensec_gssapi_update_internal)
>   GSSAPI Connection will be cryptographically signed
> [2017/12/27 08:20:55.810168,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL
> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_T\04\00\00
> -> 0
> [2017/12/27 08:20:55.810265,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL
> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_\04\02\00\00
> -> 0
> [2017/12/27 08:20:55.810353,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL
> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_<\02\00\00
> -> 0
> [2017/12/27 08:20:55.810428,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\09\00\00\00
> -> 0
> [2017/12/27 08:20:55.810507,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\01\00\00\00\00
> -> 0
> [2017/12/27 08:20:55.810582,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\02\00\00\00
> -> 0
> [2017/12/27 08:20:55.810674,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00
> -> 0
> [2017/12/27 08:20:55.810745,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL
> objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0
> [2017/12/27 08:20:55.810826,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL
> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1
> [2017/12/27 08:20:55.810901,  6]
> ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: NULL
> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0
> [2017/12/27 08:20:55.811125,  4]
> ../auth/auth_log.c:860(log_successful_authz_event_human_readable)
>   Successful AuthZ: [LDAP,krb5] user [AD]\[DCDO1$]
> [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec 2017
> 08:20:55.811108 CET] Remote host [ipv4:192.168.172.14:56798] local
> host [ipv4:192.168.152.15:389]
> [2017/12/27 08:20:55.811301,  4] ../auth/auth_log.c:220(log_json)
>   JSON Authorization: {"timestamp": "2017-12-27T08:20:55.811228+0100",
> "type": "Authorization", "Authorization": {"version": {"major": 1,
> "minor": 0}, "localAddress": "ipv4:192.168.152.15:389",
> "remoteAddress": "ipv4:192.168.172.14:56798", "serviceDescription":
> "LDAP", "authType": "krb5", "domain": "AD", "account": "DCDO1$",
> "sid": "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer":
> "DCDO1", "transportProtection": "SIGN", "accountFlags": "0x00002100"}}
> [2017/12/27 08:20:55.811385,  3]
> ../auth/auth_log.c:139(get_auth_event_server)
>   get_auth_event_server: Failed to find 'auth_event' registered on the
> message bus to send JSON authentication events to:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2017/12/27 08:20:55.841539,  5]
> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
>   ldb_request BASE dn= filter=(objectClass=*)
> [2017/12/27 08:20:55.871177,  5]
> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
>   ldb_request SUB dn=CN=Configuration,DC=ad,DC=kdu,DC=com
> filter=(&(objectCategory=server)(|(name=dcdo1.ad.kdu.com)(dNSHostName=dcdo1.ad.kdu.com)))
> [2017/12/27 08:20:55.902579,  5]
> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
>   ldb_request ONE
> dn=CN=DCDO1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com
> filter=(|(objectCategory=nTDSDSA)(objectCategory=nTDSDSARO))
> [2017/12/27 08:20:55.932550,  5]
> default/librpc/gen_ndr/ndr_drsuapi_s.c:93(drsuapi__op_dispatch)
>   function drsuapi_DsReplicaSync will reply async
> [2017/12/27 08:20:55.932676,  3]
> ../source4/dsdb/repl/drepl_service.c:206(_drepl_schedule_replication)
>   _drepl_schedule_replication: forcing sync of partition
> (141bbe37-5eda-42b8-b904-0b75e26b1e2d, dc=ad,dc=kdu,dc=com,
> 1d535613-81fa-435f-ba17-631d5742c775._msdcs.ad.kdu.com)
> [2017/12/27 08:20:55.932697,  4]
> ../source4/dsdb/repl/drepl_periodic.c:187(dreplsrv_pendingops_schedule)
>   dreplsrv_pending_schedule(1) scheduled for: Wed Dec 27 08:20:57 2017
> CET
> [2017/12/27 08:20:56.971645,  4]
> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6725(replmd_extended_replicated_objects)
>   linked_attributes_count=0
> [2017/12/27 08:20:56.971966,  4]
> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6561(replmd_replicated_uptodate_modify)
>   DRS replication uptodate modify message:
>   dn: DC=ad,DC=kdu,DC=com
>   changetype: modify
>   replace: replUpToDateVector
>   replUpToDateVector::
>   -
>   replace: repsFrom
>   repsFrom::
>   repsFrom::
>   -
>
>
> [2017/12/27 08:20:56.974912,  2]
> ../source4/dsdb/repl/replicated_objects.c:1020(dsdb_replicated_objects_commit)
>   Replicated 0 objects (0 linked attributes) for DC=ad,DC=kdu,DC=com
> [2017/12/27 08:20:57.004974,  0]
> ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
>   UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105
> for 0acce4bc-1193-4609-8e4d-a0771bb6fb76._msdcs.ad.kdu.com
> DC=ad,DC=kdu,DC=com
> [2017/12/27 08:20:57.005468,  4]
> ../source4/dsdb/repl/drepl_out_pull.c:181(dreplsrv_pending_op_callback)
>   dreplsrv_op_pull_source(WERR_DS_DRA_ACCESS_DENIED) for
> DC=ad,DC=kdu,DC=com
> [2017/12/27 08:20:57.009507,  5]
> default/librpc/gen_ndr/ndr_drsuapi_s.c:389(drsuapi__op_reply)
>   function drsuapi_DsReplicaSync replied async
> [2017/12/27 08:20:57.053246,  3]
> ../source4/smbd/service_stream.c:65(stream_terminate_connection)
>   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> [2017/12/27 08:20:57.053478,  3]
> ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
> [2017/12/27 08:20:57.053528,  3]
> ../source4/smbd/service_stream.c:65(stream_terminate_connection)
>   Terminating connection - 'ldapsrv_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2017/12/27 08:20:57.053760,  2]
> ../source4/smbd/process_standard.c:473(standard_terminate)
>   standard_terminate: reason[ldapsrv_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> [2017/12/27 08:20:57.057842,  2]
> ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
>   Child 900 () exited with status 0
>
> Any hints/ideas very much appreciated ...
>
> Thanks,
>
> Uli
>
>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging

Samba - General mailing list
On Wed, 27 Dec 2017 13:00:05 +0100
"Dr. Johannes-Ulrich Menzebach via samba" <[hidden email]> wrote:

> There is additional info in the logs of the source DC (dcdo1, log
> level 2, manually triggered another replication):
> ====================
> [2017/12/27 12:31:29.695121,  2]
> ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)
>    ../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on
> DC=ad,DC=kdu,DC=com using filter (uSNChanged>=5415)
> [2017/12/27 12:31:29.698828,  2]
> ../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_DsGetNCChanges)
>    DsGetNCChanges with uSNChanged >= 5415 flags 0x80000064 on
> <GUID=141bbe37-5eda-42b8-b904-0b75e26b1e2d>;<SID=S-1-5-21-454945863-777199239-1595221609>;DC=ad,DC=kdu,DC=com
> gave 0 objects (done 0/0) 0 links (done 0/0 (as
> S-1-5-21-454945863-777199239-1595221609-1112))
> [2017/12/27 12:31:29.733157,  1]
> ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
>    ../source4/dsdb/common/util.c:4807: Failed to find account dn
> (serverReference) for
> CN=DCNH1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com,
> parent of DSA with objectGUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76,
> sid S-1-5-21-454945863-777199239-1595221609-1112
> [2017/12/27 12:31:29.733198,  0]
> ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
>    ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing
> DsReplicaUpdateRefs for sid
> S-1-5-21-454945863-777199239-1595221609-1112 with GUID
> 0acce4bc-1193-4609-8e4d-a0771bb6fb76
>
> According to what I see in the "Sites and Services" RSAT console the
> DN for
> CN=DCNH1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com
> seems to exist.
>
> Any ideas?
>
> Thanks,
>
>      Uli
>
>
>
> On 12/27/2017 09:59 AM, Dr. Johannes-Ulrich Menzebach via samba wrote:
> > We have 3 ADCs based on Samba-4.7.4 (compiled from source,internal
> > DNS)/ CentOS7: dcdo1,dcnh1 and dcge1. dcge1 holds all FSMO roles.
> > The 3 ADCs are on different locations connected via IPSec based
> > VPN. No traffic is filtered out.
> >
> > All 3 ADCs replicate fine except dcdo1 -->dcnh1. Symptom:
> >
> > [root@dcdo1 ~]# samba-tool drs replicate dcnh1.ad.kdu.com
> > dcdo1.ad.kdu.com dc=ad,dc=kdu,dc=com
> > ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed
> > - drsException: DsReplicaSync failed (8453,
> > 'WERR_DS_DRA_ACCESS_DENIED') File
> > "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 386,
> > in run drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
> > source_dsa_guid, NC, req_options)
> >   File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py",
> > line 85, in sendDsReplicaSync
> >     raise drsException("DsReplicaSync failed %s" % estr)
> >
> > Log on dcdo1:
> > ==============
> > [2017/12/27 08:20:56.335895,  0]
> > ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
> >   ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing
> > DsReplicaUpdateRefs for sid
> > S-1-5-21-454945863-777199239-1595221609-1112 with GUID
> > 0acce4bc-1193-4609-8e4d-a0771bb6fb76
> >
> > Log on target DC dcnh1:
> > ==============
> > [2017/12/27 08:20:55.278559,  5]
> > ../auth/auth_log.c:860(log_successful_authz_event_human_readable)
> >   Successful AuthZ: [DCE/RPC,ncacn_ip_tcp] user [NT
> > AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Wed, 27 Dec 2017
> > 08:20:55.278538 CET] Remote host [ipv4:192.168.172.14:36196] local
> > host [ipv4:192.168.152.15:135]
> > [2017/12/27 08:20:55.278641,  5] ../auth/auth_log.c:220(log_json)
> >   JSON Authorization: {"timestamp":
> > "2017-12-27T08:20:55.278587+0100", "type": "Authorization",
> > "Authorization": {"version": {"major": 1, "minor": 0},
> > "localAddress": "ipv4:192.168.152.15:135", "remoteAddress":
> > "ipv4:192.168.172.14:36196", "serviceDescription": "DCE/RPC",
> > "authType": "ncacn_ip_tcp", "domain": "NT AUTHORITY", "account":
> > "ANONYMOUS LOGON", "sid": "S-1-5-7", "logonServer": "DCNH1",
> > "transportProtection": "NONE", "accountFlags": "0x00000010"}}
> > [2017/12/27 08:20:55.278660,
> > 3] ../auth/auth_log.c:139(get_auth_event_server)
> > get_auth_event_server: Failed to find 'auth_event' registered on
> > the message bus to send JSON authentication events to:
> > NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 08:20:55.337740,  3]
> > ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> >   Terminating connection - 'dcesrv:
> > NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27 08:20:55.337873,  3]
> > ../source4/smbd/process_single.c:114(single_terminate)
> >   single_terminate: reason[dcesrv:
> > NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27 08:20:55.506117,  3]
> > ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
> >   ldb_wrap open of secrets.ldb
> > [2017/12/27 08:20:55.506420,  5]
> > ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> >   Starting GENSEC mechanism spnego
> > [2017/12/27 08:20:55.506501,  5]
> > ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> >   Starting GENSEC submechanism gssapi_krb5
> > [2017/12/27 08:20:55.536259,  5]
> > ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update_internal)
> >   gensec_gssapi: credentials were delegated
> > [2017/12/27 08:20:55.536320,  5]
> > ../source4/auth/gensec/gensec_gssapi.c:685(gensec_gssapi_update_internal)
> >   GSSAPI Connection will be cryptographically sealed
> > [2017/12/27 08:20:55.538591,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_T\04\00\00
> > -> 0
> > [2017/12/27 08:20:55.538644,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_\04\02\00\00
> > -> 0
> > [2017/12/27 08:20:55.538712,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_<\02\00\00
> > -> 0
> > [2017/12/27 08:20:55.538762,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0
> > [2017/12/27 08:20:55.538819,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0
> > [2017/12/27 08:20:55.538864,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0
> > [2017/12/27 08:20:55.538909,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0
> > [2017/12/27 08:20:55.538967,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0
> > [2017/12/27 08:20:55.539029,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1
> > [2017/12/27 08:20:55.539087,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0
> > [2017/12/27 08:20:55.539289,  4]
> > ../auth/auth_log.c:860(log_successful_authz_event_human_readable)
> >   Successful AuthZ: [DCE/RPC,krb5] user [AD]\[DCDO1$]
> > [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec 2017
> > 08:20:55.539277 CET] Remote host [ipv4:192.168.172.14:57364] local
> > host [ipv4:192.168.152.15:49152]
> > [2017/12/27 08:20:55.539359,  4] ../auth/auth_log.c:220(log_json)
> >   JSON Authorization: {"timestamp":
> > "2017-12-27T08:20:55.539334+0100", "type": "Authorization",
> > "Authorization": {"version": {"major": 1, "minor": 0},
> > "localAddress": "ipv4:192.168.152.15:49152", "remoteAddress":
> > "ipv4:192.168.172.14:57364", "serviceDescription": "DCE/RPC",
> > "authType": "krb5", "domain": "AD", "account": "DCDO1$", "sid":
> > "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer":
> > "DCDO1", "transportProtection": "SEAL", "accountFlags":
> > "0x00002100"}} [2017/12/27 08:20:55.539398,
> > 3] ../auth/auth_log.c:139(get_auth_event_server)
> > get_auth_event_server: Failed to find 'auth_event' registered on
> > the message bus to send JSON authentication events to:
> > NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 08:20:55.568937,  3]
> > ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89(dcesrv_drsuapi_DsBind)
> >   ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89: doing DsBind
> > with system_session
> > [2017/12/27 08:20:55.641297,  3]
> > ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
> >   ldb_wrap open of secrets.ldb
> > [2017/12/27 08:20:55.644257,  5]
> > ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
> >   ldb_request BASE dn=
> > filter=(|(objectClass=*)(distinguishedName=*)) [2017/12/27
> > 08:20:55.706421,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > [2017/12/27 08:20:55.706573,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > [2017/12/27 08:20:55.706777,  3]
> > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >   Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from
> > ipv4:192.168.172.14:48486 for ldap/[hidden email]
> > [canonicalize] [2017/12/27 08:20:55.708186,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > [2017/12/27 08:20:55.708670,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > [2017/12/27 08:20:55.708795,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > [2017/12/27 08:20:55.709594,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > [2017/12/27 08:20:55.710027,  3]
> > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >   Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime:
> > 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till: unset
> > [2017/12/27 08:20:55.740222,  3]
> > ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> >   Terminating connection - 'kdc_tcp_call_loop:
> > tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> > [2017/12/27 08:20:55.740440,  3]
> > ../source4/smbd/process_single.c:114(single_terminate)
> >   single_terminate: reason[kdc_tcp_call_loop:
> > tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> > [2017/12/27 08:20:55.770764,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > [2017/12/27 08:20:55.771034,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > [2017/12/27 08:20:55.771283,  3]
> > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >   Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from
> > ipv4:192.168.172.14:48488 for krbtgt/[hidden email]
> > [forwarded, forwardable] [2017/12/27 08:20:55.771576,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > [2017/12/27 08:20:55.771786,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > [2017/12/27 08:20:55.772103,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > [2017/12/27 08:20:55.772257,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > [2017/12/27 08:20:55.773194,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
> > [2017/12/27 08:20:55.773691,  3]
> > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >   Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime:
> > 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till: unset
> > [2017/12/27 08:20:55.804565,  3]
> > ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> >   Terminating connection - 'kdc_tcp_call_loop:
> > tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> > [2017/12/27 08:20:55.804774,  3]
> > ../source4/smbd/process_single.c:114(single_terminate)
> >   single_terminate: reason[kdc_tcp_call_loop:
> > tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> > [2017/12/27 08:20:55.806137,  5]
> > ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> >   Starting GENSEC mechanism spnego
> > [2017/12/27 08:20:55.806296,  5]
> > ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> >   Starting GENSEC submechanism gssapi_krb5
> > [2017/12/27 08:20:55.807170,  5]
> > ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update_internal)
> >   gensec_gssapi: credentials were delegated
> > [2017/12/27 08:20:55.807242,  5]
> > ../source4/auth/gensec/gensec_gssapi.c:687(gensec_gssapi_update_internal)
> >   GSSAPI Connection will be cryptographically signed
> > [2017/12/27 08:20:55.810168,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_T\04\00\00
> > -> 0
> > [2017/12/27 08:20:55.810265,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_\04\02\00\00
> > -> 0
> > [2017/12/27 08:20:55.810353,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_<\02\00\00
> > -> 0
> > [2017/12/27 08:20:55.810428,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0
> > [2017/12/27 08:20:55.810507,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0
> > [2017/12/27 08:20:55.810582,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0
> > [2017/12/27 08:20:55.810674,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0
> > [2017/12/27 08:20:55.810745,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0
> > [2017/12/27 08:20:55.810826,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1
> > [2017/12/27 08:20:55.810901,  6]
> > ../lib/util/util_ldb.c:60(gendb_search_v)
> >   gendb_search_v: NULL
> > objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0
> > [2017/12/27 08:20:55.811125,  4]
> > ../auth/auth_log.c:860(log_successful_authz_event_human_readable)
> >   Successful AuthZ: [LDAP,krb5] user [AD]\[DCDO1$]
> > [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec 2017
> > 08:20:55.811108 CET] Remote host [ipv4:192.168.172.14:56798] local
> > host [ipv4:192.168.152.15:389]
> > [2017/12/27 08:20:55.811301,  4] ../auth/auth_log.c:220(log_json)
> >   JSON Authorization: {"timestamp":
> > "2017-12-27T08:20:55.811228+0100", "type": "Authorization",
> > "Authorization": {"version": {"major": 1, "minor": 0},
> > "localAddress": "ipv4:192.168.152.15:389", "remoteAddress":
> > "ipv4:192.168.172.14:56798", "serviceDescription": "LDAP",
> > "authType": "krb5", "domain": "AD", "account": "DCDO1$", "sid":
> > "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer":
> > "DCDO1", "transportProtection": "SIGN", "accountFlags":
> > "0x00002100"}} [2017/12/27 08:20:55.811385,
> > 3] ../auth/auth_log.c:139(get_auth_event_server)
> > get_auth_event_server: Failed to find 'auth_event' registered on
> > the message bus to send JSON authentication events to:
> > NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 08:20:55.841539,  5]
> > ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
> >   ldb_request BASE dn= filter=(objectClass=*)
> > [2017/12/27 08:20:55.871177,  5]
> > ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
> >   ldb_request SUB dn=CN=Configuration,DC=ad,DC=kdu,DC=com
> > filter=(&(objectCategory=server)(|(name=dcdo1.ad.kdu.com)(dNSHostName=dcdo1.ad.kdu.com)))
> > [2017/12/27 08:20:55.902579,  5]
> > ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
> >   ldb_request ONE
> > dn=CN=DCDO1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com
> > filter=(|(objectCategory=nTDSDSA)(objectCategory=nTDSDSARO))
> > [2017/12/27 08:20:55.932550,  5]
> > default/librpc/gen_ndr/ndr_drsuapi_s.c:93(drsuapi__op_dispatch)
> >   function drsuapi_DsReplicaSync will reply async
> > [2017/12/27 08:20:55.932676,  3]
> > ../source4/dsdb/repl/drepl_service.c:206(_drepl_schedule_replication)
> >   _drepl_schedule_replication: forcing sync of partition
> > (141bbe37-5eda-42b8-b904-0b75e26b1e2d, dc=ad,dc=kdu,dc=com,
> > 1d535613-81fa-435f-ba17-631d5742c775._msdcs.ad.kdu.com)
> > [2017/12/27 08:20:55.932697,  4]
> > ../source4/dsdb/repl/drepl_periodic.c:187(dreplsrv_pendingops_schedule)
> >   dreplsrv_pending_schedule(1) scheduled for: Wed Dec 27 08:20:57
> > 2017 CET
> > [2017/12/27 08:20:56.971645,  4]
> > ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6725(replmd_extended_replicated_objects)
> >   linked_attributes_count=0
> > [2017/12/27 08:20:56.971966,  4]
> > ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6561(replmd_replicated_uptodate_modify)
> >   DRS replication uptodate modify message:
> >   dn: DC=ad,DC=kdu,DC=com
> >   changetype: modify
> >   replace: replUpToDateVector
> >   replUpToDateVector::
> >   -
> >   replace: repsFrom
> >   repsFrom::
> >   repsFrom::
> >   -
> >
> >
> > [2017/12/27 08:20:56.974912,  2]
> > ../source4/dsdb/repl/replicated_objects.c:1020(dsdb_replicated_objects_commit)
> >   Replicated 0 objects (0 linked attributes) for DC=ad,DC=kdu,DC=com
> > [2017/12/27 08:20:57.004974,  0]
> > ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
> >   UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code
> > 0xc0002105 for
> > 0acce4bc-1193-4609-8e4d-a0771bb6fb76._msdcs.ad.kdu.com
> > DC=ad,DC=kdu,DC=com [2017/12/27 08:20:57.005468,  4]
> > ../source4/dsdb/repl/drepl_out_pull.c:181(dreplsrv_pending_op_callback)
> >   dreplsrv_op_pull_source(WERR_DS_DRA_ACCESS_DENIED) for
> > DC=ad,DC=kdu,DC=com
> > [2017/12/27 08:20:57.009507,  5]
> > default/librpc/gen_ndr/ndr_drsuapi_s.c:389(drsuapi__op_reply)
> >   function drsuapi_DsReplicaSync replied async
> > [2017/12/27 08:20:57.053246,  3]
> > ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> >   Terminating connection - 'dcesrv:
> > NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27 08:20:57.053478,  3]
> > ../source4/smbd/process_single.c:114(single_terminate)
> >   single_terminate: reason[dcesrv:
> > NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27 08:20:57.053528,  3]
> > ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> >   Terminating connection - 'ldapsrv_call_loop:
> > tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> > [2017/12/27 08:20:57.053760,  2]
> > ../source4/smbd/process_standard.c:473(standard_terminate)
> >   standard_terminate: reason[ldapsrv_call_loop:
> > tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> > [2017/12/27 08:20:57.057842,  2]
> > ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
> >   Child 900 () exited with status 0
> >
> > Any hints/ideas very much appreciated ...
> >
> > Thanks,
> >
> > Uli
> >
> >
>
>

Couple of thoughts, try reading this:

https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

and this:

https://wiki.samba.org/index.php/Manually_Replicating_Directory_Partitions

Does the missing 'CN' exist on the other two DCs?

Rowland
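
An added example, not part of the thread and not Samba code: a small parser that reassembles the mail-wrapped, ">"-quoted log records from the source DC and pairs each "Refusing DsReplicaUpdateRefs" with the serverReference lookup failure logged for the same GUID and SID, so the server object to inspect is named directly. The function names `records` and `explain_refusals` are hypothetical; the sample input is copied from the log quoted above.

```python
import re

# Sample input: three records from the dcdo1 log quoted in this thread, kept
# mail-wrapped and ">"-quoted exactly as they appear in the message.
SAMPLE_LOG = r"""
> [2017/12/27 12:31:29.695121,  2]
> ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)
>    ../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on
> DC=ad,DC=kdu,DC=com using filter (uSNChanged>=5415)
> [2017/12/27 12:31:29.733157,  1]
> ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
>    ../source4/dsdb/common/util.c:4807: Failed to find account dn
> (serverReference) for
> CN=DCNH1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com,
> parent of DSA with objectGUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76,
> sid S-1-5-21-454945863-777199239-1595221609-1112
> [2017/12/27 12:31:29.733198,  0]
> ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
>    ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing
> DsReplicaUpdateRefs for sid
> S-1-5-21-454945863-777199239-1595221609-1112 with GUID
> 0acce4bc-1193-4609-8e4d-a0771bb6fb76
"""

# A record starts with "[YYYY/MM/DD hh:mm:ss.uuuuuu,  LEVEL]"; everything up
# to the next such header belongs to the same record.
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s*(.*)$")
# Leading mail quote markers ("> ", "> > ", ">>> ").
QUOTE = re.compile(r"^(?:>\s?)+")

NO_SERVER_REF = re.compile(
    r"Failed to find account dn \(serverReference\) for (?P<server_dn>.+?), "
    r"parent of DSA with objectGUID (?P<guid>[0-9a-fA-F-]{36}), "
    r"sid (?P<sid>S-[\d-]+)")
REFUSED = re.compile(
    r"Refusing DsReplicaUpdateRefs for sid (?P<sid>S-[\d-]+) "
    r"with GUID (?P<guid>[0-9a-fA-F-]{36})")


def records(text):
    """Yield (timestamp, level, message) with wrapped lines joined by spaces."""
    current = None
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            rest = m.group(3)
            current = (m.group(1), int(m.group(2)), [rest] if rest else [])
        elif current:
            current[2].append(line)
    if current:
        yield current[0], current[1], " ".join(current[2])


def explain_refusals(text):
    """Return one finding per refused DsReplicaUpdateRefs.

    server_dn is the server object whose serverReference lookup failed for
    the same (GUID, SID), or None when that record is absent, for example
    because the log level was too low to include it.
    """
    missing = {}   # (dsa guid, caller sid) -> server object DN
    findings = []
    for ts, _level, msg in records(text):
        m = NO_SERVER_REF.search(msg)
        if m:
            missing[(m["guid"].lower(), m["sid"])] = m["server_dn"]
            continue
        m = REFUSED.search(msg)
        if m:
            key = (m["guid"].lower(), m["sid"])
            findings.append({
                "time": ts,
                "caller_sid": key[1],
                "dsa_guid": key[0],
                "server_dn": missing.get(key),
            })
    return findings


if __name__ == "__main__":
    for f in explain_refusals(SAMPLE_LOG):
        print(f)
```

A finding with `server_dn` set names the server object whose `serverReference` attribute should be compared across the DCs; a finding with `server_dn` of `None` means only the refusal itself was logged.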


Re: AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging

Samba - General mailing list
Rowland,

- the DN "CN=DCNH1,..." exists on all 3 DCs (pointing the Sites and
Services console to each of them).
- I also checked that "samba-tool dbcheck" completes w/o showing errors.
- the objectGUID DNS aliases of all DCs are resolvable against all 3
DCs' builtin DNS
- I forced a full sync from the FSMO holder (dcge1) to the 2 other DCs
which finished w/o errors.
- after that, sync and also full sync dcdo1-->dcnh1 failed exactly as
earlier.

I'm wondering whether this is related to
https://bugzilla.samba.org/show_bug.cgi?id=12972 , however I'm running
4.7.4 and the domain had been created under 4.7.3 (based on the Samba
Wiki). Apart from the sync issue I'm VERY happy with Samba4/AD.

Many thanks,

Uli



On 12/27/2017 01:29 PM, Rowland Penny via samba wrote:

> On Wed, 27 Dec 2017 13:00:05 +0100
> "Dr. Johannes-Ulrich Menzebach via samba" <[hidden email]> wrote:
>
>> There is additional info in the logs of the source DC (dcdo1, log
>> level 2, manually triggered another replication):
>> ====================
>> [2017/12/27 12:31:29.695121,  2]
>> ../source4/rpc_server/drsuapi/getncchanges.c:1731(getncchanges_collect_objects)
>>     ../source4/rpc_server/drsuapi/getncchanges.c:1731: getncchanges on
>> DC=ad,DC=kdu,DC=com using filter (uSNChanged>=5415)
>> [2017/12/27 12:31:29.698828,  2]
>> ../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_DsGetNCChanges)
>>     DsGetNCChanges with uSNChanged >= 5415 flags 0x80000064 on
>> <GUID=141bbe37-5eda-42b8-b904-0b75e26b1e2d>;<SID=S-1-5-21-454945863-777199239-1595221609>;DC=ad,DC=kdu,DC=com
>> gave 0 objects (done 0/0) 0 links (done 0/0 (as
>> S-1-5-21-454945863-777199239-1595221609-1112))
>> [2017/12/27 12:31:29.733157,  1]
>> ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
>>     ../source4/dsdb/common/util.c:4807: Failed to find account dn
>> (serverReference) for
>> CN=DCNH1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com,
>> parent of DSA with objectGUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76,
>> sid S-1-5-21-454945863-777199239-1595221609-1112
>> [2017/12/27 12:31:29.733198,  0]
>> ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
>>     ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing
>> DsReplicaUpdateRefs for sid
>> S-1-5-21-454945863-777199239-1595221609-1112 with GUID
>> 0acce4bc-1193-4609-8e4d-a0771bb6fb76
>>
>> According to what I see in the "Sites and Services" RSAT console the
>> DN for
>> CN=DCNH1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com
>> seems to exist.
>>
>> Any ideas?
>>
>> Thanks,
>>
>>       Uli
>>
>>
>>
>> On 12/27/2017 09:59 AM, Dr. Johannes-Ulrich Menzebach via samba wrote:
>>> We have 3 ADCs based on Samba-4.7.4 (compiled from source,internal
>>> DNS)/ CentOS7: dcdo1,dcnh1 and dcge1. dcge1 holds all FSMO roles.
>>> The 3 ADCs are on different locations connected via IPSec based
>>> VPN. No traffic is filtered out.
>>>
>>> All 3 ADCs replicate fine except dcdo1 -->dcnh1. Symptom:
>>>
>>> [root@dcdo1 ~]# samba-tool drs replicate dcnh1.ad.kdu.com
>>> dcdo1.ad.kdu.com dc=ad,dc=kdu,dc=com
>>> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed
>>> - drsException: DsReplicaSync failed (8453,
>>> 'WERR_DS_DRA_ACCESS_DENIED') File
>>> "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 386,
>>> in run drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
>>> source_dsa_guid, NC, req_options)
>>>    File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py",
>>> line 85, in sendDsReplicaSync
>>>      raise drsException("DsReplicaSync failed %s" % estr)
>>>
>>> Log on dcdo1:
>>> ==============
>>> [2017/12/27 08:20:56.335895,  0]
>>> ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
>>>    ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing
>>> DsReplicaUpdateRefs for sid
>>> S-1-5-21-454945863-777199239-1595221609-1112 with GUID
>>> 0acce4bc-1193-4609-8e4d-a0771bb6fb76
>>>
>>> Log on target DC dcnh1:
>>> ==============
>>> [2017/12/27 08:20:55.278559,  5]
>>> ../auth/auth_log.c:860(log_successful_authz_event_human_readable)
>>>    Successful AuthZ: [DCE/RPC,ncacn_ip_tcp] user [NT
>>> AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Wed, 27 Dec 2017
>>> 08:20:55.278538 CET] Remote host [ipv4:192.168.172.14:36196] local
>>> host [ipv4:192.168.152.15:135]
>>> [2017/12/27 08:20:55.278641,  5] ../auth/auth_log.c:220(log_json)
>>>    JSON Authorization: {"timestamp":
>>> "2017-12-27T08:20:55.278587+0100", "type": "Authorization",
>>> "Authorization": {"version": {"major": 1, "minor": 0},
>>> "localAddress": "ipv4:192.168.152.15:135", "remoteAddress":
>>> "ipv4:192.168.172.14:36196", "serviceDescription": "DCE/RPC",
>>> "authType": "ncacn_ip_tcp", "domain": "NT AUTHORITY", "account":
>>> "ANONYMOUS LOGON", "sid": "S-1-5-7", "logonServer": "DCNH1",
>>> "transportProtection": "NONE", "accountFlags": "0x00000010"}}
>>> [2017/12/27 08:20:55.278660,
>>> 3] ../auth/auth_log.c:139(get_auth_event_server)
>>> get_auth_event_server: Failed to find 'auth_event' registered on
>>> the message bus to send JSON authentication events to:
>>> NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 08:20:55.337740,  3]
>>> ../source4/smbd/service_stream.c:65(stream_terminate_connection)
>>>    Terminating connection - 'dcesrv:
>>> NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27 08:20:55.337873,  3]
>>> ../source4/smbd/process_single.c:114(single_terminate)
>>>    single_terminate: reason[dcesrv:
>>> NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27 08:20:55.506117,  3]
>>> ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
>>>    ldb_wrap open of secrets.ldb
>>> [2017/12/27 08:20:55.506420,  5]
>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech)
>>>    Starting GENSEC mechanism spnego
>>> [2017/12/27 08:20:55.506501,  5]
>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech)
>>>    Starting GENSEC submechanism gssapi_krb5
>>> [2017/12/27 08:20:55.536259,  5]
>>> ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update_internal)
>>>    gensec_gssapi: credentials were delegated
>>> [2017/12/27 08:20:55.536320,  5]
>>> ../source4/auth/gensec/gensec_gssapi.c:685(gensec_gssapi_update_internal)
>>>    GSSAPI Connection will be cryptographically sealed
>>> [2017/12/27 08:20:55.538591,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_T\04\00\00
>>> -> 0
>>> [2017/12/27 08:20:55.538644,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_\04\02\00\00
>>> -> 0
>>> [2017/12/27 08:20:55.538712,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_<\02\00\00
>>> -> 0
>>> [2017/12/27 08:20:55.538762,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0
>>> [2017/12/27 08:20:55.538819,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0
>>> [2017/12/27 08:20:55.538864,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0
>>> [2017/12/27 08:20:55.538909,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0
>>> [2017/12/27 08:20:55.538967,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0
>>> [2017/12/27 08:20:55.539029,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1
>>> [2017/12/27 08:20:55.539087,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0
>>> [2017/12/27 08:20:55.539289,  4]
>>> ../auth/auth_log.c:860(log_successful_authz_event_human_readable)
>>>    Successful AuthZ: [DCE/RPC,krb5] user [AD]\[DCDO1$]
>>> [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec 2017
>>> 08:20:55.539277 CET] Remote host [ipv4:192.168.172.14:57364] local
>>> host [ipv4:192.168.152.15:49152]
>>> [2017/12/27 08:20:55.539359,  4] ../auth/auth_log.c:220(log_json)
>>>    JSON Authorization: {"timestamp":
>>> "2017-12-27T08:20:55.539334+0100", "type": "Authorization",
>>> "Authorization": {"version": {"major": 1, "minor": 0},
>>> "localAddress": "ipv4:192.168.152.15:49152", "remoteAddress":
>>> "ipv4:192.168.172.14:57364", "serviceDescription": "DCE/RPC",
>>> "authType": "krb5", "domain": "AD", "account": "DCDO1$", "sid":
>>> "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer":
>>> "DCDO1", "transportProtection": "SEAL", "accountFlags":
>>> "0x00002100"}} [2017/12/27 08:20:55.539398,
>>> 3] ../auth/auth_log.c:139(get_auth_event_server)
>>> get_auth_event_server: Failed to find 'auth_event' registered on
>>> the message bus to send JSON authentication events to:
>>> NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 08:20:55.568937,  3]
>>> ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89(dcesrv_drsuapi_DsBind)
>>>    ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89: doing DsBind
>>> with system_session
>>> [2017/12/27 08:20:55.641297,  3]
>>> ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
>>>    ldb_wrap open of secrets.ldb
>>> [2017/12/27 08:20:55.644257,  5]
>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
>>>    ldb_request BASE dn=
>>> filter=(|(objectClass=*)(distinguishedName=*)) [2017/12/27
>>> 08:20:55.706421,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>> [2017/12/27 08:20:55.706573,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>> [2017/12/27 08:20:55.706777,  3]
>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>>    Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from
>>> ipv4:192.168.172.14:48486 for ldap/[hidden email]
>>> [canonicalize] [2017/12/27 08:20:55.708186,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>> [2017/12/27 08:20:55.708670,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>> [2017/12/27 08:20:55.708795,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>> [2017/12/27 08:20:55.709594,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>> [2017/12/27 08:20:55.710027,  3]
>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>>    Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime:
>>> 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till: unset
>>> [2017/12/27 08:20:55.740222,  3]
>>> ../source4/smbd/service_stream.c:65(stream_terminate_connection)
>>>    Terminating connection - 'kdc_tcp_call_loop:
>>> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>>> [2017/12/27 08:20:55.740440,  3]
>>> ../source4/smbd/process_single.c:114(single_terminate)
>>>    single_terminate: reason[kdc_tcp_call_loop:
>>> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>>> [2017/12/27 08:20:55.770764,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>> [2017/12/27 08:20:55.771034,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>> [2017/12/27 08:20:55.771283,  3]
>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>>    Kerberos: TGS-REQ DCDO1$@AD.kdu.COM from
>>> ipv4:192.168.172.14:48488 for krbtgt/[hidden email]
>>> [forwarded, forwardable] [2017/12/27 08:20:55.771576,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>> [2017/12/27 08:20:55.771786,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>> [2017/12/27 08:20:55.772103,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>> [2017/12/27 08:20:55.772257,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>> [2017/12/27 08:20:55.773194,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: DC=ad,DC=kdu,DC=com NULL -> 1
>>> [2017/12/27 08:20:55.773691,  3]
>>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>>    Kerberos: TGS-REQ authtime: 2017-12-27T08:20:54 starttime:
>>> 2017-12-27T08:20:55 endtime: 2017-12-27T18:20:54 renew till: unset
>>> [2017/12/27 08:20:55.804565,  3]
>>> ../source4/smbd/service_stream.c:65(stream_terminate_connection)
>>>    Terminating connection - 'kdc_tcp_call_loop:
>>> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>>> [2017/12/27 08:20:55.804774,  3]
>>> ../source4/smbd/process_single.c:114(single_terminate)
>>>    single_terminate: reason[kdc_tcp_call_loop:
>>> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>>> [2017/12/27 08:20:55.806137,  5]
>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech)
>>>    Starting GENSEC mechanism spnego
>>> [2017/12/27 08:20:55.806296,  5]
>>> ../auth/gensec/gensec_start.c:739(gensec_start_mech)
>>>    Starting GENSEC submechanism gssapi_krb5
>>> [2017/12/27 08:20:55.807170,  5]
>>> ../source4/auth/gensec/gensec_gssapi.c:668(gensec_gssapi_update_internal)
>>>    gensec_gssapi: credentials were delegated
>>> [2017/12/27 08:20:55.807242,  5]
>>> ../source4/auth/gensec/gensec_gssapi.c:687(gensec_gssapi_update_internal)
>>>    GSSAPI Connection will be cryptographically signed
>>> [2017/12/27 08:20:55.810168,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_T\04\00\00
>>> -> 0
>>> [2017/12/27 08:20:55.810265,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_\04\02\00\00
>>> -> 0
>>> [2017/12/27 08:20:55.810353,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\05\00\00\00\00\00\05\15\00\00\00G\EC\1D\1B\87\1ES.i\26\15_<\02\00\00
>>> -> 0
>>> [2017/12/27 08:20:55.810428,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\01\00\00\00\00\00\05\09\00\00\00 -> 0
>>> [2017/12/27 08:20:55.810507,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\01\00\00\00\00\00\01\00\00\00\00 -> 0
>>> [2017/12/27 08:20:55.810582,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\01\00\00\00\00\00\05\02\00\00\00 -> 0
>>> [2017/12/27 08:20:55.810674,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00 -> 0
>>> [2017/12/27 08:20:55.810745,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\000\02\00\00 -> 0
>>> [2017/12/27 08:20:55.810826,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\2A\02\00\00 -> 1
>>> [2017/12/27 08:20:55.810901,  6]
>>> ../lib/util/util_ldb.c:60(gendb_search_v)
>>>    gendb_search_v: NULL
>>> objectSid=\01\02\00\00\00\00\00\05\20\00\00\00\21\02\00\00 -> 0
>>> [2017/12/27 08:20:55.811125,  4]
>>> ../auth/auth_log.c:860(log_successful_authz_event_human_readable)
>>>    Successful AuthZ: [LDAP,krb5] user [AD]\[DCDO1$]
>>> [S-1-5-21-454945863-777199239-1595221609-1108] at [Wed, 27 Dec 2017
>>> 08:20:55.811108 CET] Remote host [ipv4:192.168.172.14:56798] local
>>> host [ipv4:192.168.152.15:389]
>>> [2017/12/27 08:20:55.811301,  4] ../auth/auth_log.c:220(log_json)
>>>    JSON Authorization: {"timestamp":
>>> "2017-12-27T08:20:55.811228+0100", "type": "Authorization",
>>> "Authorization": {"version": {"major": 1, "minor": 0},
>>> "localAddress": "ipv4:192.168.152.15:389", "remoteAddress":
>>> "ipv4:192.168.172.14:56798", "serviceDescription": "LDAP",
>>> "authType": "krb5", "domain": "AD", "account": "DCDO1$", "sid":
>>> "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer":
>>> "DCDO1", "transportProtection": "SIGN", "accountFlags":
>>> "0x00002100"}} [2017/12/27 08:20:55.811385,
>>> 3] ../auth/auth_log.c:139(get_auth_event_server)
>>> get_auth_event_server: Failed to find 'auth_event' registered on
>>> the message bus to send JSON authentication events to:
>>> NT_STATUS_OBJECT_NAME_NOT_FOUND [2017/12/27 08:20:55.841539,  5]
>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
>>>    ldb_request BASE dn= filter=(objectClass=*)
>>> [2017/12/27 08:20:55.871177,  5]
>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
>>>    ldb_request SUB dn=CN=Configuration,DC=ad,DC=kdu,DC=com
>>> filter=(&(objectCategory=server)(|(name=dcdo1.ad.kdu.com)(dNSHostName=dcdo1.ad.kdu.com)))
>>> [2017/12/27 08:20:55.902579,  5]
>>> ../source4/ldap_server/ldap_backend.c:578(ldapsrv_SearchRequest)
>>>    ldb_request ONE
>>> dn=CN=DCDO1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=kdu,DC=com
>>> filter=(|(objectCategory=nTDSDSA)(objectCategory=nTDSDSARO))
>>> [2017/12/27 08:20:55.932550,  5]
>>> default/librpc/gen_ndr/ndr_drsuapi_s.c:93(drsuapi__op_dispatch)
>>>    function drsuapi_DsReplicaSync will reply async
>>> [2017/12/27 08:20:55.932676,  3]
>>> ../source4/dsdb/repl/drepl_service.c:206(_drepl_schedule_replication)
>>>    _drepl_schedule_replication: forcing sync of partition
>>> (141bbe37-5eda-42b8-b904-0b75e26b1e2d, dc=ad,dc=kdu,dc=com,
>>> 1d535613-81fa-435f-ba17-631d5742c775._msdcs.ad.kdu.com)
>>> [2017/12/27 08:20:55.932697,  4]
>>> ../source4/dsdb/repl/drepl_periodic.c:187(dreplsrv_pendingops_schedule)
>>>    dreplsrv_pending_schedule(1) scheduled for: Wed Dec 27 08:20:57
>>> 2017 CET
>>> [2017/12/27 08:20:56.971645,  4]
>>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6725(replmd_extended_replicated_objects)
>>>    linked_attributes_count=0
>>> [2017/12/27 08:20:56.971966,  4]
>>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6561(replmd_replicated_uptodate_modify)
>>>    DRS replication uptodate modify message:
>>>    dn: DC=ad,DC=kdu,DC=com
>>>    changetype: modify
>>>    replace: replUpToDateVector
>>>    replUpToDateVector::
>>>    -
>>>    replace: repsFrom
>>>    repsFrom::
>>>    repsFrom::
>>>    -
>>>
>>>
>>> [2017/12/27 08:20:56.974912,  2]
>>> ../source4/dsdb/repl/replicated_objects.c:1020(dsdb_replicated_objects_commit)
>>>    Replicated 0 objects (0 linked attributes) for DC=ad,DC=kdu,DC=com
>>> [2017/12/27 08:20:57.004974,  0]
>>> ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
>>>    UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code
>>> 0xc0002105 for
>>> 0acce4bc-1193-4609-8e4d-a0771bb6fb76._msdcs.ad.kdu.com
>>> DC=ad,DC=kdu,DC=com [2017/12/27 08:20:57.005468,  4]
>>> ../source4/dsdb/repl/drepl_out_pull.c:181(dreplsrv_pending_op_callback)
>>>    dreplsrv_op_pull_source(WERR_DS_DRA_ACCESS_DENIED) for
>>> DC=ad,DC=kdu,DC=com
>>> [2017/12/27 08:20:57.009507,  5]
>>> default/librpc/gen_ndr/ndr_drsuapi_s.c:389(drsuapi__op_reply)
>>>    function drsuapi_DsReplicaSync replied async
>>> [2017/12/27 08:20:57.053246,  3]
>>> ../source4/smbd/service_stream.c:65(stream_terminate_connection)
>>>    Terminating connection - 'dcesrv:
>>> NT_STATUS_CONNECTION_DISCONNECTED' [2017/12/27 08:20:57.053478,  3]
>>> ../source4/smbd/process_single.c:114(single_terminate)
>>>    single_terminate: reason[dcesrv:
>>> NT_STATUS_CONNECTION_DISCONNECTED] [2017/12/27 08:20:57.053528,  3]
>>> ../source4/smbd/service_stream.c:65(stream_terminate_connection)
>>>    Terminating connection - 'ldapsrv_call_loop:
>>> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>>> [2017/12/27 08:20:57.053760,  2]
>>> ../source4/smbd/process_standard.c:473(standard_terminate)
>>>    standard_terminate: reason[ldapsrv_call_loop:
>>> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>>> [2017/12/27 08:20:57.057842,  2]
>>> ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
>>>    Child 900 () exited with status 0
>>>
>>> Any hints/ideas very much appreciated ...
>>>
>>> Thanks,
>>>
>>> Uli
>>>
>>>
>>
> Couple of thoughts, try reading this:
>
> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
>
> and this:
>
> https://wiki.samba.org/index.php/Manually_Replicating_Directory_Partitions
>
> Does the missing 'CN' exist on the other two DCs?
>
> Rowland
>
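One way to line up the two DC logs quoted in this thread, as an added example that is not part of the original posts or of Samba. It joins the "Refusing DsReplicaUpdateRefs" entry on dcdo1 with the "UpdateRefs failed" entry on dcnh1 by GUID and checks the refused SID against the accounts in dcnh1's JSON Authorization events; the function names are hypothetical helpers.

```python
import json
import re

# Copied from the logs quoted in this thread, mail line-wrapping undone.
DCDO1_LOG = """\
[2017/12/27 08:20:56.335895,  0] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
  ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-454945863-777199239-1595221609-1112 with GUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76
"""
DCNH1_LOG = """\
[2017/12/27 08:20:55.539359,  4] ../auth/auth_log.c:220(log_json)
  JSON Authorization: {"timestamp": "2017-12-27T08:20:55.539334+0100", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 0}, "localAddress": "ipv4:192.168.152.15:49152", "remoteAddress": "ipv4:192.168.172.14:57364", "serviceDescription": "DCE/RPC", "authType": "krb5", "domain": "AD", "account": "DCDO1$", "sid": "S-1-5-21-454945863-777199239-1595221609-1108", "logonServer": "DCDO1", "transportProtection": "SEAL", "accountFlags": "0x00002100"}}
[2017/12/27 08:20:57.004974,  0] ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
  UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 0acce4bc-1193-4609-8e4d-a0771bb6fb76._msdcs.ad.kdu.com DC=ad,DC=kdu,DC=com
"""

# "[date time,  level] source.c:line(function)" starts every entry.
HEADER = re.compile(r"^\[([\d/]+ [\d:.]+),\s+(\d+)\]\s+\S+\((\w+)\)\s*$")
REFUSED = re.compile(
    r"Refusing DsReplicaUpdateRefs for sid (S-[\d-]+) with GUID ([0-9a-f-]{36})")
FAILED = re.compile(
    r"UpdateRefs failed with (\w+)/NT code (0x[0-9a-f]+) "
    r"for ([0-9a-f-]{36})\._msdcs\.\S+ (\S+)")

def parse_entries(text):
    """Split a Samba log into (timestamp, level, function, message) tuples."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = [m.group(1), int(m.group(2)), m.group(3), ""]
            entries.append(cur)
        elif cur is not None:  # continuation line of the current entry
            cur[3] = (cur[3] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def authz_accounts(entries):
    """Map SID -> DOMAIN\\account from 'JSON Authorization' events."""
    seen = {}
    for _, _, func, msg in entries:
        if func == "log_json" and msg.startswith("JSON Authorization:"):
            ev = json.loads(msg.split(":", 1)[1])["Authorization"]
            seen[ev["sid"]] = ev["domain"] + "\\" + ev["account"]
    return seen

def correlate(refusing_dc_log, calling_dc_log):
    """Join refusals on one DC with UpdateRefs failures on the other, by GUID."""
    calls = parse_entries(calling_dc_log)
    accounts = authz_accounts(calls)
    failures = {}
    for ts, _, _, msg in calls:
        m = FAILED.search(msg)
        if m:
            failures[m.group(3)] = {"error": m.group(1), "nc": m.group(4), "seen_at": ts}
    findings = []
    for ts, _, _, msg in parse_entries(refusing_dc_log):
        m = REFUSED.search(msg)
        if m:
            sid, guid = m.groups()
            findings.append({
                "guid": guid, "refused_sid": sid, "refused_at": ts,
                "sid_seen_as": accounts.get(sid),        # None: SID absent from the other DC's auth events
                "matching_failure": failures.get(guid),  # None: no failure logged for this GUID
            })
    return findings

if __name__ == "__main__":
    for finding in correlate(DCDO1_LOG, DCNH1_LOG):
        print(finding)
```

On these entries the join yields one record: the GUID refused on dcdo1 is the one named in dcnh1's failed UpdateRefs, and the refused SID ends in -1112 rather than the -1108 logged for DCDO1$.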

