Quantcast

Problem samba db / pc - domain trust gone.

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Problem samba db / pc - domain trust gone.

Samba - General mailing list
Hai,
 
Environment, Debian Jessie.
 
 
I got reports about pc's unable to login into the samba ad dc domain.
The trust between this workstation and the primary domain failed.
This happend on a win7 and win10 pc.
Now, this is "normaly" easy fixed,by rejoining the pc to the domain with the domain wizzard in windows.
I noticed this didnt work anymore.
 
I was running without problem, so what lead to this problem.
 
installed the needed security updates last friday.  ( kernel, bind, no samba things. )
I was prepering to upgrade to 4.6.3 and did the following.
 
1) samba-tool dbcheck  and a samba-tool dbcheck --fix
 
--- DC 1  ----
 
That fixed 4 errors.
i got some others back.
Multple messages with : CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Policies,CN=System,DC=internal,DC=domain,DC=tld
this part "CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Policies,CN=System" can be anything, multiple messages.
users/computers.
 
rebooted the server, resulting in these log messages.
samba logs clean, no errors,
running : samba-tool dbcheck  and a samba-tool dbcheck --fix   again, fixed simalar like above. ( 8 errors )
 
 
running samba-tool ldapcmp:
samba-tool ldapcmp --filter='whenChanged,dc,cn' ldap://dc1.internal.domain.tld ldap://dc2.internal.domain.tld
Shows differenced in login timpstamps.  
Which can explain the message on the pc's : the trust between this workstation and the primary domain failed. 
 
   Difference in attribute values:
        lastLogonTimestamp =>
['131390598670332960']
['131380923051230950']
    FAILED

  Difference in attribute values:
        pwdLastSet =>
['131389578099979510']
['131363450502014640']
    FAILED

 
-------------------------
Now i checked my DC2.
 
samba-tool dbcheck:
Please use --fix to fix these errors
Checked 852 objects (626 errors)

pff, 626 errors?
 
mostly things like these below.
 
  STATUS=daemon 'samba' finished starting up and ready to serve connections
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
[2017/05/15 09:17:32.208909,  0] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: No objectClass found in replPropertyMetaData for CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndFound,DC=internal,DC=domain,DC=tld!
 
[2017/05/15 09:17:32.213955,  0] ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
[2017/05/15 09:22:32.210006,  0] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: No objectClass found in replPropertyMetaData for CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndFound,DC=internal,DC=domain,DC=tld!
 
[2017/05/15 09:22:32.211300,  0] ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
[2017/05/15 09:27:32.222921,  0] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: No objectClass found in replPropertyMetaData for CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndFound,DC=internal,DC=domain,DC=tld!
 
[2017/05/15 09:27:32.223286,  0] ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
 
 
Not fixing replPropertyMetaData on CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Policies,CN=System,DC=internal,DC=domain,DC=tld
 
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090364
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009030e
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000902ee
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090177
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009012e
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000900dd
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090092
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090001
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020119
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020002
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020001
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0000000d
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000003
CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000000
ERROR: unsorted attributeID values in replPropertyMetaData on CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld
 
Not fixing replPropertyMetaData on CN=Windows Authorization Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld
 
 
What is the best action here, do a full resync from DC1 to DC2?  
Or did i forget something?
 
 
Greetz,
 
Louis
 
 
 
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Problem samba db / pc - domain trust gone.

Samba - General mailing list
I forgot to mention it involves samba 4.5.8.

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:[hidden email]] Namens
> L.P.H. van Belle via samba
> Verzonden: maandag 15 mei 2017 11:40
> Aan: [hidden email]
> Onderwerp: [Samba] Problem samba db / pc - domain trust gone.
>
> Hai,
>  
> Environment, Debian Jessie.
>  
>  
> I got reports about pc's unable to login into the samba ad dc domain.
> The trust between this workstation and the primary domain failed.
> This happend on a win7 and win10 pc.
> Now, this is "normaly" easy fixed,by rejoining the pc to the
> domain with the domain wizzard in windows.
> I noticed this didnt work anymore.
>  
> I was running without problem, so what lead to this problem.
>  
> installed the needed security updates last friday.  ( kernel,
> bind, no samba things. ) I was prepering to upgrade to 4.6.3
> and did the following.
>  
> 1) samba-tool dbcheck  and a samba-tool dbcheck --fix
>  
> --- DC 1  ----
>  
> That fixed 4 errors.
> i got some others back.
> Multple messages with :
> CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
> Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol
> icies,CN=System,DC=internal,DC=domain,DC=tld
> this part
> "CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
> Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol
> icies,CN=System" can be anything, multiple messages.
> users/computers.
>  
> rebooted the server, resulting in these log messages.
> samba logs clean, no errors,
> running : samba-tool dbcheck  and a samba-tool dbcheck --fix  
>  again, fixed simalar like above. ( 8 errors )
>  
>  
> running samba-tool ldapcmp:
> samba-tool ldapcmp --filter='whenChanged,dc,cn'
> ldap://dc1.internal.domain.tld ldap://dc2.internal.domain.tld
> Shows differenced in login timpstamps. Which can explain the
> message on the pc's : the trust between this workstation and
> the primary domain failed. 
>  
>    Difference in attribute values:
>         lastLogonTimestamp =>
> ['131390598670332960']
> ['131380923051230950']
>     FAILED
>
>   Difference in attribute values:
>         pwdLastSet =>
> ['131389578099979510']
> ['131363450502014640']
>     FAILED
>
>  
> -------------------------
> Now i checked my DC2.
>  
> samba-tool dbcheck:
> Please use --fix to fix these errors
> Checked 852 objects (626 errors)
>
> pff, 626 errors?
>  
> mostly things like these below.
>  
>   STATUS=daemon 'samba' finished starting up and ready to
> serve connections
> samba: setproctitle not initialized, please either call
> setproctitle_init() or link against libbsd-ctor.
> [2017/05/15 09:17:32.208909,  0]
> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
>   ldb: No objectClass found in replPropertyMetaData for
> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
> ound,DC=internal,DC=domain,DC=tld!
>  
> [2017/05/15 09:17:32.213955,  0]
> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> source_apply_changes_trigger)
>   Failed to commit objects:
> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> [2017/05/15 09:22:32.210006,  0]
> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
>   ldb: No objectClass found in replPropertyMetaData for
> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
> ound,DC=internal,DC=domain,DC=tld!
>  
> [2017/05/15 09:22:32.211300,  0]
> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> source_apply_changes_trigger)
>   Failed to commit objects:
> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> [2017/05/15 09:27:32.222921,  0]
> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
>   ldb: No objectClass found in replPropertyMetaData for
> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
> ound,DC=internal,DC=domain,DC=tld!
>  
> [2017/05/15 09:27:32.223286,  0]
> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> source_apply_changes_trigger)
>   Failed to commit objects:
> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
>  
>  
> Not fixing replPropertyMetaData on
> CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
> Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol
> icies,CN=System,DC=internal,DC=domain,DC=tld
>  
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090364
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009030e
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000902ee
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090177
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009012e
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000900dd
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090092
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090001
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020119
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020002
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020001
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0000000d
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000003
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000000
> ERROR: unsorted attributeID values in replPropertyMetaData on
> CN=Windows Authorization Access
> Group,CN=Builtin,DC=internal,DC=domain,DC=tld
>  
> Not fixing replPropertyMetaData on CN=Windows Authorization
> Access Group,CN=Builtin,DC=internal,DC=domain,DC=tld
>  
>  
> What is the best action here, do a full resync from DC1 to
> DC2? Or did i forget something?
>  
>  
> Greetz,
>  
> Louis
>  
>  
>  
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Problem samba db / pc - domain trust gone.

Samba - General mailing list
Nobody?


These are repeating every 5 min on my DC2.
No i dont care about the LostAndFound/deleted.

[2017/05/15 16:52:32.848035,  0] ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
[2017/05/15 16:57:32.857425,  0] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: No objectClass found in replPropertyMetaData for CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndFound,DC=internal,DC=domain,DC=tld!

Im wondering what this is.

[2017/05/15 16:57:32.857647,  0] ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE

So any tips?

Im out tomorrow, but any info helps thanks.

Greetz,

Louis
 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:[hidden email]] Namens
> L.P.H. van Belle via samba
> Verzonden: maandag 15 mei 2017 12:13
> Aan: [hidden email]
> Onderwerp: Re: [Samba] Problem samba db / pc - domain trust gone.
>
> I forgot to mention it involves samba 4.5.8.
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:[hidden email]] Namens L.P.H. van
> > Belle via samba
> > Verzonden: maandag 15 mei 2017 11:40
> > Aan: [hidden email]
> > Onderwerp: [Samba] Problem samba db / pc - domain trust gone.
> >
> > Hai,
> >  
> > Environment, Debian Jessie.
> >  
> >  
> > I got reports about pc's unable to login into the samba ad
> dc domain.
> > The trust between this workstation and the primary domain failed.
> > This happend on a win7 and win10 pc.
> > Now, this is "normaly" easy fixed,by rejoining the pc to the domain
> > with the domain wizzard in windows.
> > I noticed this didnt work anymore.
> >  
> > I was running without problem, so what lead to this problem.
> >  
> > installed the needed security updates last friday.  (
> kernel, bind, no
> > samba things. ) I was prepering to upgrade to 4.6.3 and did the
> > following.
> >  
> > 1) samba-tool dbcheck  and a samba-tool dbcheck --fix
> >  
> > --- DC 1  ----
> >  
> > That fixed 4 errors.
> > i got some others back.
> > Multple messages with :
> > CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
> > Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol
> > icies,CN=System,DC=internal,DC=domain,DC=tld
> > this part
> > "CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
> > Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol
> > icies,CN=System" can be anything, multiple messages.
> > users/computers.
> >  
> > rebooted the server, resulting in these log messages.
> > samba logs clean, no errors,
> > running : samba-tool dbcheck  and a samba-tool dbcheck
> --fix  again,
> > fixed simalar like above. ( 8 errors )
> >  
> >  
> > running samba-tool ldapcmp:
> > samba-tool ldapcmp --filter='whenChanged,dc,cn'
> > ldap://dc1.internal.domain.tld ldap://dc2.internal.domain.tld Shows
> > differenced in login timpstamps. Which can explain the
> message on the
> > pc's : the trust between this workstation and the primary domain
> > failed.
> >  
> >    Difference in attribute values:
> >         lastLogonTimestamp =>
> > ['131390598670332960']
> > ['131380923051230950']
> >     FAILED
> >
> >   Difference in attribute values:
> >         pwdLastSet =>
> > ['131389578099979510']
> > ['131363450502014640']
> >     FAILED
> >
> >  
> > -------------------------
> > Now i checked my DC2.
> >  
> > samba-tool dbcheck:
> > Please use --fix to fix these errors
> > Checked 852 objects (626 errors)
> >
> > pff, 626 errors?
> >  
> > mostly things like these below.
> >  
> >   STATUS=daemon 'samba' finished starting up and ready to serve
> > connections
> > samba: setproctitle not initialized, please either call
> > setproctitle_init() or link against libbsd-ctor.
> > [2017/05/15 09:17:32.208909,  0]
> > ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> >   ldb: No objectClass found in replPropertyMetaData for
> > CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
> > ound,DC=internal,DC=domain,DC=tld!
> >  
> > [2017/05/15 09:17:32.213955,  0]
> > ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> > source_apply_changes_trigger)
> >   Failed to commit objects:
> > WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> > [2017/05/15 09:22:32.210006,  0]
> > ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> >   ldb: No objectClass found in replPropertyMetaData for
> > CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
> > ound,DC=internal,DC=domain,DC=tld!
> >  
> > [2017/05/15 09:22:32.211300,  0]
> > ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> > source_apply_changes_trigger)
> >   Failed to commit objects:
> > WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> > [2017/05/15 09:27:32.222921,  0]
> > ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> >   ldb: No objectClass found in replPropertyMetaData for
> > CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
> > ound,DC=internal,DC=domain,DC=tld!
> >  
> > [2017/05/15 09:27:32.223286,  0]
> > ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> > source_apply_changes_trigger)
> >   Failed to commit objects:
> > WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> >  
> >  
> > Not fixing replPropertyMetaData on
> > CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
> > Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol
> > icies,CN=System,DC=internal,DC=domain,DC=tld
> >  
> > CN=Windows Authorization Access
> > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090364
> CN=Windows
> > Authorization Access
> > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009030e
> CN=Windows
> > Authorization Access
> > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000902ee
> CN=Windows
> > Authorization Access
> > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090177
> CN=Windows
> > Authorization Access
> > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009012e
> CN=Windows
> > Authorization Access
> > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000900dd
> CN=Windows
> > Authorization Access
> > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090092
> CN=Windows
> > Authorization Access
> > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090001
> CN=Windows
> > Authorization Access
> > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020119
> CN=Windows
> > Authorization Access
> > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020002
> CN=Windows
> > Authorization Access
> > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020001
> CN=Windows
> > Authorization Access
> > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0000000d
> CN=Windows
> > Authorization Access
> > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000003
> CN=Windows
> > Authorization Access
> > Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000000
> > ERROR: unsorted attributeID values in replPropertyMetaData on
> > CN=Windows Authorization Access
> > Group,CN=Builtin,DC=internal,DC=domain,DC=tld
> >  
> > Not fixing replPropertyMetaData on CN=Windows Authorization Access
> > Group,CN=Builtin,DC=internal,DC=domain,DC=tld
> >  
> >  
> > What is the best action here, do a full resync from DC1 to
> DC2? Or did
> > i forget something?
> >  
> >  
> > Greetz,
> >  
> > Louis
> >  
> >  
> >  
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Problem samba db / pc - domain trust gone.

Samba - General mailing list
Hello Louis,

Looks like an unsynced deleted object.

Did you try "samba-tool domain tombstones expunge"

achim~


Am 15.05.2017 um 17:02 schrieb L.P.H. van Belle via samba:

> Nobody?
>
>
> These are repeating every 5 min on my DC2.
> No i dont care about the LostAndFound/deleted.
>
> [2017/05/15 16:52:32.848035,  0] ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger)
>    Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> [2017/05/15 16:57:32.857425,  0] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
>    ldb: No objectClass found in replPropertyMetaData for CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndFound,DC=internal,DC=domain,DC=tld!
>
> Im wondering what this is.
>
> [2017/05/15 16:57:32.857647,  0] ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger)
>    Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
>
> So any tips?
>
> Im out tomorrow, but any info helps thanks.
>
> Greetz,
>
> Louis
>  
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:[hidden email]] Namens
>> L.P.H. van Belle via samba
>> Verzonden: maandag 15 mei 2017 12:13
>> Aan: [hidden email]
>> Onderwerp: Re: [Samba] Problem samba db / pc - domain trust gone.
>>
>> I forgot to mention it involves samba 4.5.8.
>>
>>> -----Oorspronkelijk bericht-----
>>> Van: samba [mailto:[hidden email]] Namens L.P.H. van
>>> Belle via samba
>>> Verzonden: maandag 15 mei 2017 11:40
>>> Aan: [hidden email]
>>> Onderwerp: [Samba] Problem samba db / pc - domain trust gone.
>>>
>>> Hai,
>>>  
>>> Environment, Debian Jessie.
>>>  
>>>  
>>> I got reports about pc's unable to login into the samba ad
>> dc domain.
>>> The trust between this workstation and the primary domain failed.
>>> This happend on a win7 and win10 pc.
>>> Now, this is "normaly" easy fixed,by rejoining the pc to the domain
>>> with the domain wizzard in windows.
>>> I noticed this didnt work anymore.
>>>  
>>> I was running without problem, so what lead to this problem.
>>>  
>>> installed the needed security updates last friday.  (
>> kernel, bind, no
>>> samba things. ) I was prepering to upgrade to 4.6.3 and did the
>>> following.
>>>  
>>> 1) samba-tool dbcheck  and a samba-tool dbcheck --fix
>>>  
>>> --- DC 1  ----
>>>  
>>> That fixed 4 errors.
>>> i got some others back.
>>> Multple messages with :
>>> CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
>>> Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol
>>> icies,CN=System,DC=internal,DC=domain,DC=tld
>>> this part
>>> "CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
>>> Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol
>>> icies,CN=System" can be anything, multiple messages.
>>> users/computers.
>>>  
>>> rebooted the server, resulting in these log messages.
>>> samba logs clean, no errors,
>>> running : samba-tool dbcheck  and a samba-tool dbcheck
>> --fix  again,
>>> fixed simalar like above. ( 8 errors )
>>>  
>>>  
>>> running samba-tool ldapcmp:
>>> samba-tool ldapcmp --filter='whenChanged,dc,cn'
>>> ldap://dc1.internal.domain.tld ldap://dc2.internal.domain.tld Shows
>>> differenced in login timpstamps. Which can explain the
>> message on the
>>> pc's : the trust between this workstation and the primary domain
>>> failed.
>>>  
>>>     Difference in attribute values:
>>>          lastLogonTimestamp =>
>>> ['131390598670332960']
>>> ['131380923051230950']
>>>      FAILED
>>>
>>>    Difference in attribute values:
>>>          pwdLastSet =>
>>> ['131389578099979510']
>>> ['131363450502014640']
>>>      FAILED
>>>
>>>  
>>> -------------------------
>>> Now i checked my DC2.
>>>  
>>> samba-tool dbcheck:
>>> Please use --fix to fix these errors
>>> Checked 852 objects (626 errors)
>>>
>>> pff, 626 errors?
>>>  
>>> mostly things like these below.
>>>  
>>>    STATUS=daemon 'samba' finished starting up and ready to serve
>>> connections
>>> samba: setproctitle not initialized, please either call
>>> setproctitle_init() or link against libbsd-ctor.
>>> [2017/05/15 09:17:32.208909,  0]
>>> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
>>>    ldb: No objectClass found in replPropertyMetaData for
>>> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
>>> ound,DC=internal,DC=domain,DC=tld!
>>>  
>>> [2017/05/15 09:17:32.213955,  0]
>>> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
>>> source_apply_changes_trigger)
>>>    Failed to commit objects:
>>> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
>>> [2017/05/15 09:22:32.210006,  0]
>>> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
>>>    ldb: No objectClass found in replPropertyMetaData for
>>> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
>>> ound,DC=internal,DC=domain,DC=tld!
>>>  
>>> [2017/05/15 09:22:32.211300,  0]
>>> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
>>> source_apply_changes_trigger)
>>>    Failed to commit objects:
>>> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
>>> [2017/05/15 09:27:32.222921,  0]
>>> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
>>>    ldb: No objectClass found in replPropertyMetaData for
>>> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
>>> ound,DC=internal,DC=domain,DC=tld!
>>>  
>>> [2017/05/15 09:27:32.223286,  0]
>>> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
>>> source_apply_changes_trigger)
>>>    Failed to commit objects:
>>> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
>>>  
>>>  
>>> Not fixing replPropertyMetaData on
>>> CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
>>> Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol
>>> icies,CN=System,DC=internal,DC=domain,DC=tld
>>>  
>>> CN=Windows Authorization Access
>>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090364
>> CN=Windows
>>> Authorization Access
>>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009030e
>> CN=Windows
>>> Authorization Access
>>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000902ee
>> CN=Windows
>>> Authorization Access
>>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090177
>> CN=Windows
>>> Authorization Access
>>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009012e
>> CN=Windows
>>> Authorization Access
>>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000900dd
>> CN=Windows
>>> Authorization Access
>>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090092
>> CN=Windows
>>> Authorization Access
>>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090001
>> CN=Windows
>>> Authorization Access
>>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020119
>> CN=Windows
>>> Authorization Access
>>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020002
>> CN=Windows
>>> Authorization Access
>>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020001
>> CN=Windows
>>> Authorization Access
>>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0000000d
>> CN=Windows
>>> Authorization Access
>>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000003
>> CN=Windows
>>> Authorization Access
>>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000000
>>> ERROR: unsorted attributeID values in replPropertyMetaData on
>>> CN=Windows Authorization Access
>>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld
>>>  
>>> Not fixing replPropertyMetaData on CN=Windows Authorization Access
>>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld
>>>  
>>>  
>>> What is the best action here, do a full resync from DC1 to
>> DC2? Or did
>>> i forget something?
>>>  
>>>  
>>> Greetz,
>>>  
>>> Louis
>>>  
>>>  
>>>  
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Problem samba db / pc - domain trust gone. (solved)

Samba - General mailing list
Hai,
Thanks, (sorry for the late reply).

Tried that on both server, 0 tumbstones..

Now running : on DC1.
samba-tool dbcheck
Please use --fix to fix these errors
Checked 863 objects (4 errors)

samba-tool drs showrepl
0 errors


Now running : on DC2
samba-tool dbcheck
Please use --fix to fix these errors
Checked 835 objects (608 errors)

samba-tool drs showrepl
Only this one shows errors. But a lot.

        Default-First-Site-Name\RTD-DC1 via RPC
                DSA object GUID: 1abcder-f4ck-46af-9dcf-561234556789
                Last attempt @ Thu May 18 16:52:39 2017 CEST failed, result 58 (WERR_BAD_NET_RESP)
                2574 consecutive failure(s).
                Last success @ Wed May 10 10:48:14 2017 CEST

I fixed it by on DC1 :
runnning: samba-tool dbcheck --fix
do a full re-sync from dc1 to dc2.
samba-tool drs replicate dc2 dc1 DC=internal,DC=domain,DC=tld --full-sync

Resulting in 0 errors, and no more pc's that are dropping out of my network.
Just to bad i didnt find where this was comming from.


Greetz,

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:[hidden email]] Namens
> Achim Gottinger via samba
> Verzonden: maandag 15 mei 2017 17:55
> Aan: [hidden email]
> Onderwerp: Re: [Samba] Problem samba db / pc - domain trust gone.
>
> Hello Louis,
>
> Looks like an unsynced deleted object.
>
> Did you try "samba-tool domain tombstones expunge"
>
> achim~
>
>
> Am 15.05.2017 um 17:02 schrieb L.P.H. van Belle via samba:
> > Nobody?
> >
> >
> > These are repeating every 5 min on my DC2.
> > No i dont care about the LostAndFound/deleted.
> >
> > [2017/05/15 16:52:32.848035,  0]
> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> source_apply_changes_trigger)
> >    Failed to commit objects:
> > WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> > [2017/05/15 16:57:32.857425,  0]
> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> >    ldb: No objectClass found in replPropertyMetaData for
> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
> ound,DC=internal,DC=domain,DC=tld!
> >
> > Im wondering what this is.
> >
> > [2017/05/15 16:57:32.857647,  0]
> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> source_apply_changes_trigger)
> >    Failed to commit objects:
> > WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> >
> > So any tips?
> >
> > Im out tomorrow, but any info helps thanks.
> >
> > Greetz,
> >
> > Louis
> >  
> >
> >> -----Oorspronkelijk bericht-----
> >> Van: samba [mailto:[hidden email]] Namens
> L.P.H. van
> >> Belle via samba
> >> Verzonden: maandag 15 mei 2017 12:13
> >> Aan: [hidden email]
> >> Onderwerp: Re: [Samba] Problem samba db / pc - domain trust gone.
> >>
> >> I forgot to mention it involves samba 4.5.8.
> >>
> >>> -----Oorspronkelijk bericht-----
> >>> Van: samba [mailto:[hidden email]] Namens
> L.P.H. van
> >>> Belle via samba
> >>> Verzonden: maandag 15 mei 2017 11:40
> >>> Aan: [hidden email]
> >>> Onderwerp: [Samba] Problem samba db / pc - domain trust gone.
> >>>
> >>> Hai,
> >>>  
> >>> Environment, Debian Jessie.
> >>>  
> >>>  
> >>> I got reports about pc's unable to login into the samba ad
> >> dc domain.
> >>> The trust between this workstation and the primary domain failed.
> >>> This happend on a win7 and win10 pc.
> >>> Now, this is "normaly" easy fixed,by rejoining the pc to
> the domain
> >>> with the domain wizzard in windows.
> >>> I noticed this didnt work anymore.
> >>>  
> >>> I was running without problem, so what lead to this problem.
> >>>  
> >>> installed the needed security updates last friday.  (
> >> kernel, bind, no
> >>> samba things. ) I was prepering to upgrade to 4.6.3 and did the
> >>> following.
> >>>  
> >>> 1) samba-tool dbcheck  and a samba-tool dbcheck --fix
> >>>  
> >>> --- DC 1  ----
> >>>  
> >>> That fixed 4 errors.
> >>> i got some others back.
> >>> Multple messages with :
> >>> CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
> >>> Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol
> >>> icies,CN=System,DC=internal,DC=domain,DC=tld
> >>> this part
> >>> "CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
> >>> Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol
> >>> icies,CN=System" can be anything, multiple messages.
> >>> users/computers.
> >>>  
> >>> rebooted the server, resulting in these log messages.
> >>> samba logs clean, no errors,
> >>> running : samba-tool dbcheck  and a samba-tool dbcheck
> >> --fix  again,
> >>> fixed simalar like above. ( 8 errors )
> >>>  
> >>>  
> >>> running samba-tool ldapcmp:
> >>> samba-tool ldapcmp --filter='whenChanged,dc,cn'
> >>> ldap://dc1.internal.domain.tld
> ldap://dc2.internal.domain.tld Shows
> >>> differenced in login timpstamps. Which can explain the
> >> message on the
> >>> pc's : the trust between this workstation and the primary domain
> >>> failed.
> >>>  
> >>>     Difference in attribute values:
> >>>          lastLogonTimestamp =>
> >>> ['131390598670332960']
> >>> ['131380923051230950']
> >>>      FAILED
> >>>
> >>>    Difference in attribute values:
> >>>          pwdLastSet =>
> >>> ['131389578099979510']
> >>> ['131363450502014640']
> >>>      FAILED
> >>>
> >>>  
> >>> -------------------------
> >>> Now i checked my DC2.
> >>>  
> >>> samba-tool dbcheck:
> >>> Please use --fix to fix these errors Checked 852 objects (626
> >>> errors)
> >>>
> >>> pff, 626 errors?
> >>>  
> >>> mostly things like these below.
> >>>  
> >>>    STATUS=daemon 'samba' finished starting up and ready to serve
> >>> connections
> >>> samba: setproctitle not initialized, please either call
> >>> setproctitle_init() or link against libbsd-ctor.
> >>> [2017/05/15 09:17:32.208909,  0]
> >>> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> >>>    ldb: No objectClass found in replPropertyMetaData for
> >>> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
> >>> ound,DC=internal,DC=domain,DC=tld!
> >>>  
> >>> [2017/05/15 09:17:32.213955,  0]
> >>> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> >>> source_apply_changes_trigger)
> >>>    Failed to commit objects:
> >>> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> >>> [2017/05/15 09:22:32.210006,  0]
> >>> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> >>>    ldb: No objectClass found in replPropertyMetaData for
> >>> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
> >>> ound,DC=internal,DC=domain,DC=tld!
> >>>  
> >>> [2017/05/15 09:22:32.211300,  0]
> >>> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> >>> source_apply_changes_trigger)
> >>>    Failed to commit objects:
> >>> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> >>> [2017/05/15 09:27:32.222921,  0]
> >>> ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> >>>    ldb: No objectClass found in replPropertyMetaData for
> >>> CN=User\0ADEL:668703c1-846c-45f1-aabd-2af7ddaee441,CN=LostAndF
> >>> ound,DC=internal,DC=domain,DC=tld!
> >>>  
> >>> [2017/05/15 09:27:32.223286,  0]
> >>> ../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_
> >>> source_apply_changes_trigger)
> >>>    Failed to commit objects:
> >>> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> >>>  
> >>>  
> >>> Not fixing replPropertyMetaData on
> >>> CN=182696b8-95cc-4ec7-8ee8-34f528538944,CN=Packages,CN=Class
> >>> Store,CN=User,CN={94436DC5-0FA6-4533-9C4F-7BEE2F2D25E2},CN=Pol
> >>> icies,CN=System,DC=internal,DC=domain,DC=tld
> >>>  
> >>> CN=Windows Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090364
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009030e
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000902ee
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090177
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0009012e
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x000900dd
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090092
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00090001
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020119
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020002
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00020001
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x0000000d
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000003
> >> CN=Windows
> >>> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld: 0x00000000
> >>> ERROR: unsorted attributeID values in replPropertyMetaData on
> >>> CN=Windows Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld
> >>>  
> >>> Not fixing replPropertyMetaData on CN=Windows
> Authorization Access
> >>> Group,CN=Builtin,DC=internal,DC=domain,DC=tld
> >>>  
> >>>  
> >>> What is the best action here, do a full resync from DC1 to
> >> DC2? Or did
> >>> i forget something?
> >>>  
> >>>  
> >>> Greetz,
> >>>  
> >>> Louis
> >>>  
> >>>  
> >>>  
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>
> >>>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >>
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Loading...