Problem Samba Replication Status

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/diagnostic/__init__.py", line 280, in execute
    result = execute(umc_module, **kwargs)
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/diagnostic/plugins/41_samba_tool_showrepl.py", line 145, in run
    drs = DRSUAPI()
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/diagnostic/plugins/41_samba_tool_showrepl.py", line 62, in __init__
    drs_tuple = drs_utils.drsuapi_connect(self.server, self.load_param, self.credentials)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 63, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
drsException: drsException: DRS connection to srv-ad-master.dominio.intranet failed: (3221226047, 'No service is operating at the destination port of the transport on the remote system.')

Hi,

could you elaborate a little bit further about what you did when this happened? Do you have multiple servers? On which one did you see this error?

It looks like you have multiple servers and this one cannot reach srv-ad-master.dominio.intranet, as some ports appear to be blocked. Is there a firewall in between?

Could you please post the output of samba-tool drs showrepl on both servers?

Have you checked this article for firewall ports?

/CV

I happen to have the same issue.

“samba-tool drs showrepl” shows the same issue. I have only one server.

ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to ucs-8802.dom.yyyy.net failed - drsException: DRS connection to ucs-8802.dom.yyyy.net failed: (3221226047, 'No service is operating at the destination port of the transport on the remote system.')

univention-run-diagnostic-checks does not show any issues, besides the one above.

I appreciate any advice. I checked the article regarding the firewall ports.

Thanks in advance.

Hi,

have you tried to restart the samba service like this:
/etc/init.d/samba restart

You should have some services running like this (but could be more or less):

 samba-tool processes
 Service:                          PID
--------------------------------------
cldap_server                    1092899
dnsupdate                       1092913
kccsrv                          1092911
kdc_server                      1092901
kdc_server(worker 3)            1092928
kdc_server(worker 0)            1092914
kdc_server(worker 1)            1092920
kdc_server(worker 2)            1092925
ldap_server                     1092895
ldap_server(worker 1)           1092939
ldap_server(worker 2)           1092941
ldap_server(worker 0)           1092937
ldap_server(worker 3)           1092943
notify-daemon                   1092933
rpc_server                      1092890
rpc_server(worker 2)            1092918
rpc_server(worker 0)            1092897
rpc_server(worker 1)            1092907
rpc_server(worker 3)            1092924
samba                           1092883
winbind_server                  1092916
wrepl_server                    1092893

Maybe you can show your samba-tool processes output!

Thank you for your answer! I really appreciate it :slight_smile:

I restarted the samba service. Unfortunately it did not solve the problem.

Here is the output of “samba-tool processes”:

Service:                          PID
--------------------------------------
cldap_server                    3293080
dnsupdate                       3293104
dreplsrv                        3293084
kccsrv                          3293101
kdc_server                      3293082
kdc_server(worker 3)            3293108
kdc_server(worker 0)            3293087
kdc_server(worker 1)            3293091
kdc_server(worker 2)            3293105
ldap_server                     3293078
ldap_server(worker 1)           3293135
ldap_server(worker 2)           3293139
ldap_server(worker 0)           3293133
ldap_server(worker 3)           3293141
notify-daemon                   3293142
rpc_server                      3293073
rpc_server(worker 2)            3293107
rpc_server(worker 0)            3293096
rpc_server(worker 1)            3293100
rpc_server(worker 3)            3293111
samba                           3293067
winbind_server                  3293098

Hm, strange, I see the wrepl_server service is missing. Could be a hint. If I kill this service on my testenv, it gets started again with the samba-tool drs showrepl call.
Can you check /var/log/samba/log.samba for some hints regarding wrepl, please?

Can we nevertheless check if Samba thinks there is a server it wants to replicate from:

univention-s4search --cross-ncs repsFrom=* repsFrom --show-binary
and
univention-s4search --cross-ncs repsTo=* repsTo --show-binary

I grepped for “wrepl” through /var/log/samba and haven’t found anything. I also checked for a wrepl_server Service without any luck.

Here is the output for both “univention-s4search” commands:

repsfrom.log (38.1 KB)
repsto.log (35.2 KB)

Okay, there seems to be another server Samba wants to replicate to. Are you really sure about:

I have only one server.

Can you please check via UMC→ Module DNS → Your dom.yyyy.net zone, and filter for Alias Record, search for “*” to get all entries and check here for

96ce7458-2b67-4b79-bb61-d4556b557e7f
and
ffff78fd-9079-49e5-80ad-c42f6232c82d

You posted in another thread that you did an AD takeover; maybe one of the entries belongs to the Windows server you took over from.
Please do not remove the entries. We should check things first.

You are right. I forgot to mention the AD takeover.

Sorry, I thought the old Windows AD servers were not relevant anymore after the AD takeover.

Here are the anonymized canonical names for the Aliases:

abc-DC01.dom.yyyy.net.
cde-DC02.dom.yyyy.net.

okay, DC01 is the primary? And DC02 is the old Windows AD?

Both are the old Windows AD servers that offered services like Active Directory, DNS and DHCP. They were replicated with each other.

I am thinking :thinking: of deleting these references, because I do not have them on my single DC.
But first I want to make sure I am not missing something. So let's check DNS with the output of

/usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh

first.

After many attempts to get this issue fixed and reverting to a snapshot after the AD takeover, I now have mainly two problems that I am still not able to solve.

samba-tool drs showrepl

ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to ucs-8802.contoso.net failed - drsException: DRS connection to ucs-8802.dom.contoso.net failed: (3221226047, 'No service is operating at the destination port of the transport on the remote system.')

40_samba_tool_dbcheck

"samba.NTSTATUSError: (3221226047, 'No service is operating at the destination port of the transport on the remote system.')"

/var/log/samba/log.samba

Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.1.34[49668,seal,krb5,target_hostname=96ce7458-2b67-4b79-bb61-d4556b557e7f._msdcs.dom.contoso.net,target_principal=GC/abc-DC02.dom.contoso.net/dom.contoso.net,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.1.103] NT_STATUS_LOGON_FAILURE

samba-tool drs uptodateness
GSS client Update(krb5)(2) Update failed: Miscellaneous failure (see text): Message stream modified
gensec_spnego_client_negTokenTarg_step: SPNEGO(gssapi_krb5) login failed: NT_STATUS_LOGON_FAILURE
Failed to bind - LDAP client internal error: NT_STATUS_LOGON_FAILURE
Failed to connect to 'ldap://abc-DC01.dom.contoso.net' with backend 'ldap': LDAP client internal error: NT_STATUS_LOGON_FAILURE
Could not contact ldap://abc-DC01.dom.contoso.net ((49, 'LDAP client internal error: NT_STATUS_LOGON_FAILURE'))
GSS client Update(krb5)(2) Update failed: Miscellaneous failure (see text): Message stream modified
gensec_spnego_client_negTokenTarg_step: SPNEGO(gssapi_krb5) login failed: NT_STATUS_LOGON_FAILURE
Failed to bind - LDAP client internal error: NT_STATUS_LOGON_FAILURE
Failed to connect to 'ldap://abc-DC02.dom.contoso.net' with backend 'ldap': LDAP client internal error: NT_STATUS_LOGON_FAILURE
Could not contact ldap://abc-DC02.dom.contoso.net ((49, 'LDAP client internal error: NT_STATUS_LOGON_FAILURE'))
missing dn CN=abc-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dom,DC=contoso,DC=net from UTD vector list
missing dn CN=abc-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dom,DC=contoso,DC=net from UTD vector list
missing dn CN=abc-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dom,DC=contoso,DC=net from UTD vector list
missing dn CN=abc-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dom,DC=contoso,DC=net from UTD vector list
missing dn CN=abc-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dom,DC=contoso,DC=net from UTD vector list
missing dn CN=abc-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dom,DC=contoso,DC=net from UTD vector list
DOMAIN maximum: -43438760 median: -44661796.5 failure: 4
CONFIGURATION maximum: -43438759 median: -44661795.5 failure: 4
SCHEMA maximum: -43438761 median: -44661797.5 failure: 4
DNSDOMAIN maximum: -43438757 median: -44661793.5 failure: 4
DNSFOREST maximum: -43438758 median: -44661794.5 failure: 4

univention-directory-listener-ctrl-status does not show any errors. All are marked “green”.

active
Listener status:
 running

Current Notifier ID on "ucs-8802.dom.contoso.net"
 2942

Last Notifier ID processed by local Listener:
 2942

Last transaction processed:
 2942 uid=admin-johndoe,cn=users,dc=dom,dc=contoso,dc=net m

Modules:
3	ad-connector	/usr/lib/univention-directory-listener/system/ad-connector.py
3	app_attributes	/usr/lib/univention-directory-listener/system/app_attributes.py
3	bind	/usr/lib/univention-directory-listener/system/bind.py
3	dhcp	/usr/lib/univention-directory-listener/system/dhcp.py
3	directory_logger	/usr/lib/univention-directory-listener/system/directory_logger.py
3	faillog	/usr/lib/univention-directory-listener/system/faillog.py
3	gencertificate	/usr/lib/univention-directory-listener/system/gencertificate.py
3	hosteddomains	/usr/lib/univention-directory-listener/system/hosteddomains.py
3	keytab-member	/usr/lib/univention-directory-listener/system/keytab-member.py
3	keytab	/usr/lib/univention-directory-listener/system/keytab.py
3	ldap-cache-baa04df67e7af6bb0769f5cb7e72dba9	/usr/lib/univention-directory-listener/system/ldap-cache-baa04df67e7af6bb0769f5cb7e72dba9.py
3	ldap_extension	/usr/lib/univention-directory-listener/system/ldap_extension.py
3	ldap_server	/usr/lib/univention-directory-listener/system/ldap_server.py
3	license_uuid	/usr/lib/univention-directory-listener/system/license_uuid.py
3	monitoring-client	/usr/lib/univention-directory-listener/system/monitoring-client.py
3	nagios-client	/usr/lib/univention-directory-listener/system/nagios-client.py
3	nfs-homes	/usr/lib/univention-directory-listener/system/nfs-homes.py
3	nfs-shares	/usr/lib/univention-directory-listener/system/nfs-shares.py
3	nscd_update	/usr/lib/univention-directory-listener/system/nscd.py
3	nss	/usr/lib/univention-directory-listener/system/nss.py
3	pkgdb-watch	/usr/lib/univention-directory-listener/system/pkgdb-watch.py
3	portal_groups	/usr/lib/univention-directory-listener/system/portal_groups.py
3	portal_server	/usr/lib/univention-directory-listener/system/portal_server.py
3	quota	/usr/lib/univention-directory-listener/system/quota.py
3	recyclebin	/usr/lib/univention-directory-listener/system/recyclebin.py
3	s4-connector	/usr/lib/univention-directory-listener/system/s4-connector.py
3	samba4-idmap	/usr/lib/univention-directory-listener/system/samba4-idmap.py
3	samba-shares	/usr/lib/univention-directory-listener/system/samba-shares.py
3	udm_extension	/usr/lib/univention-directory-listener/system/udm_extension.py
3	udm_rest_reload	/usr/lib/univention-directory-listener/system/udm_rest_reload.py
3	umc-service-providers	/usr/lib/univention-directory-listener/system/umc-service-providers.py
3	univention-admin-diary-backend	/usr/lib/univention-directory-listener/system/univention-admin-diary-backend.py
3	well-known-sid-name-mapping	/usr/lib/univention-directory-listener/system/well-known-sid-name-mapping.py

If anybody has an idea, how to get these resolved, I am eternally grateful.
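
A triage helper for output like the logs quoted in this thread, as an added example that is not part of the original posts: it groups the failures by replication partner and marks every partner that is not in the list of domain controllers you know to be live, which are the names to compare against the repsFrom/repsTo values and the `_msdcs` alias records. The function names, host names, addresses and the GUID in the sample are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the log.samba and "drs uptodateness" lines above.
SAMPLE = """\
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.0.2.34[49668,seal,krb5,target_hostname=11111111-2222-3333-4444-555555555555._msdcs.dom.example.net,target_principal=GC/old-dc02.dom.example.net/dom.example.net,localaddress=192.0.2.103] NT_STATUS_LOGON_FAILURE
GSS client Update(krb5)(2) Update failed: Miscellaneous failure (see text): Message stream modified
Failed to connect to 'ldap://old-dc01.dom.example.net' with backend 'ldap': LDAP client internal error: NT_STATUS_LOGON_FAILURE
Could not contact ldap://old-dc01.dom.example.net ((49, 'LDAP client internal error: NT_STATUS_LOGON_FAILURE'))
Failed to connect to 'ldap://old-dc02.dom.example.net' with backend 'ldap': LDAP client internal error: NT_STATUS_LOGON_FAILURE
missing dn CN=OLD-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dom,DC=example,DC=net from UTD vector list
missing dn CN=OLD-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dom,DC=example,DC=net from UTD vector list
Failed to connect to 'ldap://old-dc01.dom.example.net' with backend 'ldap': LDAP client internal error: NT_STATUS_LOGON_FAILURE
"""

LDAP_FAIL = re.compile(r"Failed to connect to 'ldap://([^']+)'.*?(NT_STATUS_\w+)")
RPC_FAIL = re.compile(
    r"Failed to bind to uuid \S+ for ncacn_ip_tcp:([^\[]+)\["
    r".*?target_hostname=([0-9a-f-]{36})\._msdcs\."   # GUID-based DC alias
    r".*?target_principal=[^/]+/([^/,\]]+)"           # host part of the SPN
    r".*?\]\s*(NT_STATUS_\w+)"
)
UTD_MISSING = re.compile(r"missing dn CN=([^,]+),CN=Servers,")

def short(host):
    """Compare hosts by lower-cased short name (FQDN and CN forms both occur)."""
    return host.split(".")[0].lower()

def summarize(log_text, live_dcs):
    """Group failures per partner; flag partners absent from live_dcs."""
    live = {short(h) for h in live_dcs}
    partners = defaultdict(
        lambda: {"errors": Counter(), "alias_guids": set(), "addrs": set()})
    for line in log_text.splitlines():
        m = RPC_FAIL.search(line)
        if m:
            addr, guid, host, status = m.groups()
            p = partners[short(host)]
            p["errors"][status] += 1
            p["alias_guids"].add(guid)
            p["addrs"].add(addr)
            continue
        m = LDAP_FAIL.search(line)
        if m:
            partners[short(m.group(1))]["errors"][m.group(2)] += 1
            continue
        m = UTD_MISSING.search(line)
        if m:
            partners[short(m.group(1))]["errors"]["UTD_VECTOR_MISSING"] += 1
    for name, p in partners.items():
        p["stale_candidate"] = name not in live
    return dict(partners)

def stale_partners(log_text, live_dcs):
    """Sorted short names of failing partners that are not known live DCs."""
    return sorted(n for n, p in summarize(log_text, live_dcs).items()
                  if p["stale_candidate"])

if __name__ == "__main__":
    for name, info in summarize(SAMPLE, ["ucs-01.dom.example.net"]).items():
        print(name, dict(info["errors"]), info["alias_guids"], info["stale_candidate"])
```

A partner flagged here is only a candidate for review; the flag says the name is missing from the list you supplied, not that its directory references can be deleted.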