DomainDnsZones inbound replication issue

DomainDnsZones inbound replication issue

Donaldson Jeff
Greetings,


I am having a problem with one of my DCs (DC3) replicating DomainDnsZones. On DC3 replication is successful on both Inbound and Outbound with both of my other DCs. On both of my other DCs (DC1 & DC2) I only get a failure with Inbound replication for DomainDnsZones from DC3 with a result 8442 (WERR_DS_DRA_INTERNAL_ERROR).


If I try to force replication to DC3 from DC1 using samba-tool drs replicate DC3 DC1 DC=DomainDnsZones,DC=our,DC=domain,DC=com --full-sync, I get the following:


ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:ncsauth3[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED -  <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
Failed to connect to 'ldap://ncsauth3' with backend 'ldap': (null)
ERROR(ldb): LDAP connection to ncsauth3 failed - None
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 48, in samdb_connect
    credentials=ctx.creds, lp=ctx.lp)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py", line 56, in __init__
    options=options)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/__init__.py", line 114, in __init__
    self.connect(url, flags, options)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py", line 71, in connect
    options=options)


I didn't have any replication issues prior to upgrading Samba to 4.4.4 and the server to Ubuntu 14.04.4. After upgrading I ran samba-tool dbcheck --cross-ncs --fix. Not sure how to proceed to resolve the issue. Would the best solution be to demote the affected DC, wipe out all of private, then join as a DC again? Any help or suggestions are greatly appreciated.

Regards,
Jeff

Jeff Donaldson
Technology Director
Newark Charter School
[hidden email]
(302) 369-2001 ext: 625
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
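The 8442 results above come from samba-tool drs showrepl, which prints every inbound and outbound neighbour for every partition, so on a three-DC domain it is easy to miss the one partition that is failing. As an added example (my own, not code from the thread or from the Samba project), here is a small POSIX shell helper that filters that output down to the inbound neighbours whose last attempt failed. The embedded sample is constructed: the site name, GUIDs and timestamps are invented and only imitate the showrepl layout; the partition name and the 8442 (WERR_DS_DRA_INTERNAL_ERROR) result are the ones from the post.

```shell
#!/bin/sh
# Added example, not part of the original thread. Scans "samba-tool drs showrepl"
# output for inbound neighbours whose last replication attempt failed.
# On a real DC run:   samba-tool drs showrepl | failed_inbound
# SAMPLE_SHOWREPL is a constructed sample: the site name, GUIDs and timestamps
# are made up and only imitate the layout showrepl prints.

SAMPLE_SHOWREPL='Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: 11111111-2222-3333-4444-555555555555
DSA invocationId: 66666666-7777-8888-9999-000000000000

==== INBOUND NEIGHBORS ====

DC=our,DC=domain,DC=com
    Default-First-Site-Name\DC3 via RPC
        DSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Last attempt @ Thu Jul 28 09:00:01 2016 EDT was successful
        0 consecutive failure(s).
        Last success @ Thu Jul 28 09:00:01 2016 EDT

DC=DomainDnsZones,DC=our,DC=domain,DC=com
    Default-First-Site-Name\DC3 via RPC
        DSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Last attempt @ Thu Jul 28 09:00:02 2016 EDT failed, result 8442 (WERR_DS_DRA_INTERNAL_ERROR)
        12 consecutive failure(s).
        Last success @ Wed Jul 27 18:10:44 2016 EDT

==== OUTBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=our,DC=domain,DC=com
    Default-First-Site-Name\DC3 via RPC
        DSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Last attempt @ Thu Jul 28 09:00:03 2016 EDT was successful
        0 consecutive failure(s).
        Last success @ Thu Jul 28 09:00:03 2016 EDT

==== KCC CONNECTION OBJECTS ===='

# failed_inbound: read showrepl text on stdin and print one line per failing
# inbound neighbour:
#   "<partition> <source DSA> <result code> <error name> <consecutive failures>"
failed_inbound() {
    awk '
        /^==== INBOUND NEIGHBORS ====/  { section = "inbound";  next }
        /^==== OUTBOUND NEIGHBORS ====/ { section = "outbound"; next }
        /^==== KCC/                     { section = "kcc";      next }
        section != "inbound"            { next }
        /^(DC|CN)=/                     { nc = $0; next }          # partition (naming context)
        / via RPC$/                     { sub(/^[ \t]+/, ""); src = $1; next }  # source DSA
        /Last attempt @ .* failed, result / {
            # e.g. "Last attempt @ ... failed, result 8442 (WERR_DS_DRA_INTERNAL_ERROR)"
            split($0, a, "failed, result ")
            split(a[2], b, " ")
            code = b[1]; name = b[2]
            gsub(/[()]/, "", name)
            pending = nc " " src " " code " " name
            next
        }
        pending != "" && /consecutive failure/ {
            print pending " " $1       # $1 is the failure count
            pending = ""
        }
    '
}

# Run against the constructed sample; on a DC pipe the live command in instead.
printf '%s\n' "$SAMPLE_SHOWREPL" | failed_inbound
```

Run it on each DC in turn: a partition that appears on DC1 and DC2 but not on DC3 matches exactly the asymmetry described in the post (DC3 reports success both ways, the other two fail inbound from DC3 for DomainDnsZones only).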
Re: DomainDnsZones inbound replication issue

lingpanda101@gmail.com
On 7/28/2016 9:24 AM, Donaldson Jeff wrote:

> Greetings,
>
>
> I am having a problem with one of my DCs (DC3) replicating DomainDnsZones. On DC3 replication is successful on both Inbound and Outbound with both of my other DCs. On both of my other DCs (DC1 & DC2) I only get a failure with Inbound replication for DomainDnsZones from DC3 with a result 8442 (WERR_DS_DRA_INTERNAL_ERROR).
>
>
> If I try to force replication to DC3 from DC1 using samba-tool drs replicate DC3 DC1 DC=DomainDnsZones,DC=our,DC=domain,DC=com --full-sync, I get the following:
>
>
> ldb_wrap open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:ncsauth3[,seal]
> resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
> Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED -  <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
> Failed to connect to 'ldap://ncsauth3' with backend 'ldap': (null)
> ERROR(ldb): LDAP connection to ncsauth3 failed - None

What is the value of

"ldap server require strong auth =" in your smb.conf? You may need to
run 'samba-tool testparm -v'

--
-James


Re: DomainDnsZones inbound replication issue

Donaldson Jeff
Here's my edited smb.conf and the output of the testparm. As you can see I'm not setting that in my smb.conf and it appears to be turned on by default in Samba 4.4.4. I was going to update Samba on DC1 to 4.4.4 as well, but haven't done that yet. It's currently on 4.2.3. Should I upgrade that as well before changing anything else? Thanks!


Jeff Donaldson
Technology Director
Newark Charter School
[hidden email]
(302) 369-2001 ext: 625


________________________________
From: samba <[hidden email]> on behalf of [hidden email] <[hidden email]>
Sent: Thursday, July 28, 2016 9:45 AM
To: [hidden email]
Subject: Re: [Samba] DomainDnsZones inbound replication issue

What is the value of

"ldap server require strong auth =" in your smb.conf? You may need to
run 'samba-tool testparm -v'

--
-James



Attachments: Testparm Output DC3.txt (15K), Testparm Output DC1.txt (14K)
Re: DomainDnsZones inbound replication issue

lingpanda101@gmail.com
On 7/28/2016 10:25 AM, Donaldson Jeff wrote:

>
> Here's my edited smb.conf and the output of the testparm. As you can
> see I'm not setting that in my smb.conf and it appears to be turned on
> by default in Samba 4.4.4. I was going to update Samba on DC1 to 4.4.4
> as well, but haven't done that yet. It's currently on 4.2.3. Should I
> upgrade that as well before changing anything else? Thanks!
>
>
>
> Jeff Donaldson
> Technology Director
> Newark Charter School
> [hidden email]
> (302) 369-2001 ext: 625
Yes, updating should fix the issue. However, I would strongly suggest
you read the release notes of each version you may be skipping. The
default behavior for LDAP_STRONG_AUTH_REQUIRED was no.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2112

Changing 'ldap server require strong auth = No' should fix the
replication issue. Just understand what this means. I assume your other
DCs were 4.2.3 before you upgraded to 4.4.4?


--
-James
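James's warning is the security-relevant point of the thread: setting 'ldap server require strong auth = No' makes a 4.4.4 DC accept unsigned, unsealed GSS-SPNEGO binds on port 389 again, which is the downgrade CVE-2016-2112 closed. As an added example (mine, not code from the thread or from Samba), here is a shell helper that a practitioner would run on every DC before and after touching that parameter. It parses samba-tool testparm -v output (or a raw smb.conf) and reports the effective value of 'ldap server require strong auth' together with the client-side counterpart 'client ldap sasl wrapping', then gives a one-word verdict. Both embedded configurations are constructed samples: the first is the weakened state James describes, the second is the state to aim for. The statement in the comments that the client-side default moved to 'sign' in the releases carrying the CVE-2016-2112 fix is my reading of the Samba release notes, not something this thread says, so treat it as an assumption to verify against the notes for your versions.

```shell
#!/bin/sh
# Added example, not from the thread. Reports the two smb.conf parameters that
# decide whether LDAP SASL binds between Samba DCs must be signed or sealed:
#   ldap server require strong auth  (server side; documented values no,
#                                     allow_sasl_over_tls, yes; default yes
#                                     since the CVE-2016-2112 fix)
#   client ldap sasl wrapping        (client side; plain, sign or seal; assumed
#                                     here to default to sign in fixed releases)
# Feed it testparm output:   samba-tool testparm -v 2>/dev/null | ldap_auth_params
# Both configurations below are constructed samples, not a real site's smb.conf.

# Weakened: silences LDAP_STRONG_AUTH_REQUIRED errors from old clients, but the
# DC again accepts unsigned, unsealed GSS-SPNEGO binds on port 389.
WEAK_CONF='[global]
    workgroup = OUR
    realm = OUR.DOMAIN.COM
    server role = active directory domain controller
    ldap server require strong auth = No
    client ldap sasl wrapping = plain'

# Hardened: keep the server default and make this host sign its own LDAP
# client binds, so upgraded DCs accept them instead of returning error 8.
HARDENED_CONF='[global]
    workgroup = OUR
    realm = OUR.DOMAIN.COM
    server role = active directory domain controller
    ldap server require strong auth = Yes
    client ldap sasl wrapping = sign'

# ldap_auth_params: stdin = smb.conf or "testparm -v" text,
# stdout = two key=value lines (value "unset" if the parameter is absent,
# which for a raw smb.conf means the build's default applies).
ldap_auth_params() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                 # comments and blanks
        /^[ \t]*\[/ { section = tolower($0); gsub(/[][ \t]/, "", section); next }
        section != "global" { next }                          # only [global] matters
        index($0, "=") {
            key = $0; sub(/=.*/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val); val = tolower(val)
            if (key == "ldap server require strong auth") strong = val
            if (key == "client ldap sasl wrapping")      wrap = val
        }
        END {
            if (strong == "") strong = "unset"
            if (wrap == "")   wrap = "unset"
            print "ldap_server_require_strong_auth=" strong
            print "client_ldap_sasl_wrapping=" wrap
        }
    '
}

# ldap_auth_verdict: "downgraded" if the server accepts unsigned SASL binds,
# otherwise "hardened" (yes, allow_sasl_over_tls, or unset on a fixed build).
ldap_auth_verdict() {
    ldap_auth_params | awk -F= '
        $1 == "ldap_server_require_strong_auth" { s = $2 }
        END {
            if (s == "no" || s == "false" || s == "0") print "downgraded"
            else print "hardened"
        }
    '
}

printf '%s\n' "$WEAK_CONF"     | ldap_auth_verdict
printf '%s\n' "$HARDENED_CONF" | ldap_auth_verdict
```

The point of reporting both parameters is that in a mixed 4.2.3/4.4.4 domain the failing side is usually the older client, not the newer server: fixing it by turning the server check off trades a replication error for an LDAP downgrade on every DC that reads the setting, whereas upgrading the old DC (or setting its client wrapping to sign) keeps the protection James links to.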

Re: DomainDnsZones inbound replication issue

Samba - General mailing list
James,

My apologies for not responding previously. I have an email rule setup for the various listservs I'm on and didn't realize that you had responded. If it's not too much trouble, could you reply to me as well as the list for any response? I fear I may have missed responses in the past. I apologize for that. I'm still having an issue with replication of one partition with the result 8442 (WERR_DS_DRA_INTERNAL_ERROR). When I checked, the ldap server require strong auth is set to yes on both servers. Should that be changed? Any help is appreciated. Thanks!

Regards,
Jeff

Jeff Donaldson
Technology Director
Newark Charter School
[hidden email]
(302) 369-2001 ext: 625

-----Original Message-----
From: samba [mailto:[hidden email]] On Behalf Of [hidden email]
Sent: Thursday, July 28, 2016 9:45 AM
To: [hidden email]
Subject: Re: [Samba] DomainDnsZones inbound replication issue


What is the value of

"ldap server require strong auth =" in your smb.conf? You may need to run 'samba-tool testparm -v'

--
-James

