Problem:
DC-Replica cannot rejoin
[2021/10/02 22:22:00.124949, 0, pid=10875] ../../source4/librpc/rpc/dcerpc_sock.c:245(continue_ip_open_socket)
Failed to connect host 192.168.11.61 (c5f98bcf-f72e-4542-bc21-330fc6d92391._msdcs.lng.example.de) on port 135 - NT_STATUS_HOST_UNREACHABLE.
[2021/10/02 22:32:00.234925, 0, pid=10868] ../../source4/dsdb/schema/schema_syntax.c:1277(_dsdb_syntax_OID_attr_ldb_to_drsuapi)
Unable to find attribute msDFSR-DfsPath in the schema
[2021/10/02 22:32:00.235039, 0, pid=10868] ../../source4/rpc_server/drsuapi/getncchanges.c:712(get_nc_changes_build_object)
Unable to convert mayContain on CN=ms-DFSR-ContentSet,CN=Schema,CN=Configuration,DC=lng,DC=example,DC=de to DRS object - WERR_GEN_FAILURE
[2021/10/02 22:32:10.337084, 0, pid=10868] ../../source4/dsdb/schema/schema_syntax.c:1277(_dsdb_syntax_OID_attr_ldb_to_drsuapi)
Unable to find attribute msDFSR-DfsPath in the schema
[2021/10/02 22:32:10.337257, 0, pid=10868] ../../source4/rpc_server/drsuapi/getncchanges.c:712(get_nc_changes_build_object)
Unable to convert mayContain on CN=ms-DFSR-ContentSet,CN=Schema,CN=Configuration,DC=lng,DC=example,DC=de to DRS object - WERR_GEN_FAILURE
[2021/10/02 22:35:02.518321, 1, pid=10868] ../../source4/auth/gensec/gensec_gssapi.c:793(gensec_gssapi_update_internal)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DC01$@LNG.EXAMPLE.DE(kvno 63) in keytab FILE:/etc/krb5.keytab (arcfour-hmac-md5)
[2021/10/02 22:35:02.518506, 1, pid=10868] ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
gensec_spnego_server_negTokenInit_step: gssapi_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
Investigation:
This object should normally exist:
univention-s4search -b "CN=Schema,CN=Configuration,$(ucr get samba4/ldap/base)" ldapdisplayname=msDFSR-DfsPath
# record 1
dn: CN=ms-DFSR-DfsPath,CN=Schema,CN=Configuration,DC=example,DC=de
objectClass: top
objectClass: attributeSchema
cn: ms-DFSR-DfsPath
instanceType: 4
whenCreated: 20210329113546.0Z
whenChanged: 20210329113546.0Z
uSNCreated: 475
attributeID: 1.2.840.113556.1.6.13.3.21
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
rangeLower: 0
rangeUpper: 32767
uSNChanged: 475
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-DFSR-DfsPath
adminDescription: Full path of associated DFS link
oMSyntax: 64
searchFlags: 1
lDAPDisplayName: msDFSR-DfsPath
name: ms-DFSR-DfsPath
objectGUID: 1f3e5c20-ae5c-4b01-82ec-d7d5debc0faf
schemaIDGUID: 2cc903e2-398c-443b-ac86-ff6b01eac7ba
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=example,DC=de
distinguishedName: CN=ms-DFSR-DfsPath,CN=Schema,CN=Configuration,DC=example,DC=de
Solution:
The log reports "Unable to find attribute msDFSR-DfsPath in the schema".
So, the other way around: remove the dependency on msDFSR-DfsPath from the mayContain list of ms-DFSR-ContentSet.
:~/univention-support# cat DFSR-ContentSet.change
dn: CN=ms-DFSR-ContentSet,CN=Schema,CN=Configuration,DC=lng,DC=example,DC=de
changetype: modify
delete: mayContain
mayContain: msDFSR-DfsPath
Applying this change with ldbmodify did not work:
ldbmodify -H /var/lib/samba/private/sam.ldb DFSR-ContentSet.change --relax
So change it manually:
ldbedit -H /var/lib/samba/private/sam.ldb CN=ms-DFSR-ContentSet --cross-ncs --relax --controls=provision:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.3:0
Important additional note:
If the parameter --relax is necessary because the tool reports
Refusing to delete xxx This check is to prevent corruption of the replicated state
then the deletion has to be done on each DRS replication partner in the domain, otherwise the DRS replication gets stuck!
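
To check on each DC whether a schema class still references an attribute that is not defined there (the condition behind "Unable to find attribute msDFSR-DfsPath in the schema"), this added Python example, which is not part of the original article, scans an LDIF dump of the schema partition for dangling mayContain/mustContain references. The sample LDIF and the attribute exampleDefinedAttr are constructed; passing it a file saved from univention-s4search output is an assumption about usage.

```python
import re
import sys

# classSchema attributes that reference attributes by lDAPDisplayName.
REF_ATTRS = {"maycontain", "mustcontain", "systemmaycontain", "systemmustcontain"}

# Constructed sample; exampleDefinedAttr is a hypothetical attribute.
SAMPLE = """\
# record 1
dn: CN=ms-DFSR-ContentSet,CN=Schema,CN=Configuration,DC=lng,DC=example,DC=de
objectClass: classSchema
mayContain: msDFSR-DfsPath
mayContain: exampleDefinedAttr

# record 2
dn: CN=Example-Defined-Attr,CN=Schema,CN=Configuration,DC=lng,DC=example,DC=de
objectClass: attributeSchema
lDAPDisplayName: exampleDefinedAttr
"""

def parse_ldif(text):
    """Yield one dict (lower-cased attribute name -> list of values) per record."""
    text = re.sub(r"\r?\n ", "", text)          # unfold wrapped LDIF lines
    for block in re.split(r"\n\s*\n", text):    # records are separated by blank lines
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            # base64 values ("attr:: ...") are not decoded; the names checked are ASCII
            key, _, value = line.partition(":")
            entry.setdefault(key.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def dangling_references(text):
    """Return sorted (class DN, referencing attribute, missing name) tuples."""
    entries = list(parse_ldif(text))
    is_a = lambda e, oc: oc in (v.lower() for v in e.get("objectclass", []))
    known = {n.lower() for e in entries if is_a(e, "attributeschema")
             for n in e.get("ldapdisplayname", [])}
    return sorted((e["dn"][0], ref, name)
                  for e in entries if is_a(e, "classschema")
                  for ref in REF_ATTRS & e.keys()
                  for name in e[ref] if name.lower() not in known)

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for dn, ref, name in dangling_references(data):
        print(f"{dn}: {ref} references undefined attribute {name}")
```

An empty result on every replication partner means no class on that DC depends on an attribute missing from its schema.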