Problem
You might be facing an issue with Samba replication where hosts report failures on INBOUND connections. The status might look like this:
root@master:~# samba-tool drs showrepl
Default-First-Site-Name\MASTER
DSA Options: 0x00000001
DSA object GUID: 9088bd86-0353-426d-a7e6-8f1613443bc0
DSA invocationId: 6ac364e8-f2f4-473b-a220-e3c28a4a8007
==== INBOUND NEIGHBORS ====
CN=Configuration,DC=univention,DC=ucs
Default-First-Site-Name\SLAVE1 via RPC
DSA object GUID: 2856bcc1-a7ab-422c-82eb-78b417f7027e
Last attempt @ Thu Aug 30 10:18:48 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
556 consecutive failure(s).
Last success @ Thu Aug 30 10:18:48 2018 CEST
CN=Configuration,DC=univention,DC=ucs
Default-First-Site-Name\SLAVE2 via RPC
DSA object GUID: 47fe84c6-617f-4345-b26e-2a488da89a6f
Last attempt @ Thu Aug 30 10:18:48 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
556 consecutive failure(s).
Last success @ Thu Aug 30 10:18:48 2018 CEST
[...]
These error messages might appear in combination with WERR_DS_DRA_INTERNAL_ERROR error messages.
First check the connection to the machines using the nc command (-z only probes the port without sending data, -v prints the result, -w10 gives up after ten seconds):
nc -zvw10 <IP> <PORT>
If you get a message like
nc: connect to XXX port YYY (tcp) failed: Connection refused
then make sure that the ports are accessible and not blocked by a firewall. Note that "Connection refused" means the host answered but nothing is listening on that port, whereas a firewall that silently drops packets usually shows up as a timeout instead. You can see here which ports need to be accessible: Which TCP / UDP ports on the DC master must be accessible by other systems?
On the hosts with the issues mentioned above (i.e. SLAVE1) you might find the following in the Samba logs (you might need to increase the Samba log level to see these entries):
[2018/08/30 11:00:26.885473, 1, pid=27108] ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
../source4/dsdb/common/util.c:4807: Failed to find account dn (serverReference) for CN=MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=univention,DC=ucs, parent of DSA with objectGUID 66b10a44-eed9-49f6-b7ce-ea433bdf8c15, sid S-1-5-21-2042430931-3186930242-3709046569-7659
[2018/08/01 11:00:26.885558, 0, pid=27108] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-2042430931-3186930242-3709046569-7659 with GUID 66b10a44-eed9-49f6-b7ce-ea433bdf8c15
[2018/08/01 11:00:27.580273, 1, pid=27108] ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
../source4/dsdb/common/util.c:4807: Failed to find account dn (serverReference) for CN=MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=univention,DC=ucs, parent of DSA with objectGUID 66b10a44-eed9-49f6-b7ce-ea433bdf8c15, sid S-1-5-21-2042430931-3186930242-3709046569-7659
[2018/08/01 11:00:27.580362, 0, pid=27108] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-2042430931-3186930242-3709046569-7659 with GUID 66b10a44-eed9-49f6-b7ce-ea433bdf8c15
Solution
Apply the errata updates for your UCS version:
UCS 4.2
UCS 4.3
Then force synchronization with the following commands. samba-tool drs replicate takes the destination DC first, the source DC second and the naming context last; with --local the changes are pulled directly into the local database, so run it on the host that reports the failing inbound connection and take the source DC and naming context from the showrepl output (here slave2 and the Configuration partition):
samba-tool drs replicate --local $(hostname) slave2 CN=Configuration,$(ucr get samba4/ldap/base)
Followed by a database check across all naming contexts. Be aware that --yes applies every fix dbcheck proposes without asking; running it once without --fix first shows what it would change:
samba-tool dbcheck --cross-ncs --fix --yes
Restart services on both servers:
root@slave1:~# /etc/init.d/samba restart
root@slave2:~# /etc/init.d/samba restart
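The diagnosis and forced resynchronization above, as an added shell example that is not part of this article and not Univention's own tooling: it parses the output of samba-tool drs showrepl to find the inbound neighbours that are currently failing, probes the partner's ports with nc the way the Problem section describes, and then runs the replicate command from the Solution section once per failing naming context and source DC instead of hard-coding slave2 and CN=Configuration. The showrepl sample is constructed, the port list 135/389/445 is an assumption for the example (take the authoritative list from the ports article linked above), and nothing touches the network or the directory unless the script is started with --live.

```shell
#!/bin/sh
# Added example, not from the Univention article: list failing inbound DRS
# neighbours from `samba-tool drs showrepl`, probe the partner's ports with nc
# and force a pull of each failing naming context from its source DC.

# Constructed sample of showrepl output (names, GUIDs and times are made up).
# SLAVE1 fails on the Configuration partition, SLAVE2 is healthy, and the
# OUTBOUND failure must be ignored because only inbound neighbours matter here.
SAMPLE_SHOWREPL='Default-First-Site-Name\MASTER
DSA Options: 0x00000001
DSA object GUID: 9088bd86-0353-426d-a7e6-8f1613443bc0

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=univention,DC=ucs
    Default-First-Site-Name\SLAVE1 via RPC
        DSA object GUID: 2856bcc1-a7ab-422c-82eb-78b417f7027e
        Last attempt @ Thu Aug 30 10:18:48 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        556 consecutive failure(s).
        Last success @ Wed Aug 29 09:00:00 2018 CEST

DC=univention,DC=ucs
    Default-First-Site-Name\SLAVE2 via RPC
        DSA object GUID: 47fe84c6-617f-4345-b26e-2a488da89a6f
        Last attempt @ Thu Aug 30 10:18:48 2018 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Aug 30 10:18:48 2018 CEST

==== OUTBOUND NEIGHBORS ====

DC=univention,DC=ucs
    Default-First-Site-Name\SLAVE1 via RPC
        DSA object GUID: 2856bcc1-a7ab-422c-82eb-78b417f7027e
        Last attempt @ Thu Aug 30 10:18:48 2018 CEST failed, result 8442 (WERR_DS_DRA_INTERNAL_ERROR)
        3 consecutive failure(s).
        Last success @ Wed Aug 29 09:00:00 2018 CEST'

# Read showrepl output on stdin and print one line per failing INBOUND
# neighbour: "<naming context> <source DC> <result code> <result name>".
failing_inbound_neighbours() {
    awk '
        /^==== INBOUND NEIGHBORS ====/  { inbound = 1; next }
        /^==== OUTBOUND NEIGHBORS ====/ { inbound = 0 }
        !inbound                        { next }
        /^[A-Za-z]+=/                   { ctx = $1; next }      # naming context, column 1
        / via RPC$/                     { dc = $1; sub(/^.*\\/, "", dc); next }   # drop the site prefix
        /Last attempt @ .* failed, result / {
            code = $0; sub(/^.*failed, result /, "", code); sub(/ .*$/, "", code)
            name = $0; sub(/^.*\(/, "", name);               sub(/\).*$/, "", name)
            print ctx, dc, code, name
        }
    '
}

# Probe the ports a partner DC must expose. The default list passed below is an
# assumption for this example; the linked ports article is authoritative. The
# short DC name from showrepl only resolves if DNS or /etc/hosts knows it.
probe_dc_ports() {  # usage: probe_dc_ports <host> <port>...
    host=$1; shift
    rc=0
    for port in "$@"; do
        if nc -zw10 "$host" "$port" >/dev/null 2>&1; then
            echo "$host port $port: reachable"
        else
            echo "$host port $port: NOT reachable (firewall or service down?)"
            rc=1
        fi
    done
    return $rc
}

# Pull each failing naming context from its source DC into the local database,
# i.e. the article's replicate command with the source DC and NC taken from
# showrepl instead of being hard-coded. Reads failing_inbound_neighbours lines.
force_replication() {
    while read -r ctx dc code name; do
        echo "forcing replication of $ctx from $dc (last result $code $name)"
        samba-tool drs replicate --local "$(hostname)" "$dc" "$ctx" </dev/null
    done
}

if [ "${1:-}" = "--live" ]; then
    failing=$(samba-tool drs showrepl | failing_inbound_neighbours)
    if [ -z "$failing" ]; then
        echo "no failing inbound neighbours"
    else
        printf '%s\n' "$failing" | while read -r ctx dc code name; do
            probe_dc_ports "$dc" 135 389 445 || echo "fix connectivity to $dc before forcing replication"
        done
        printf '%s\n' "$failing" | force_replication
        # Next steps from the article: samba-tool dbcheck --cross-ncs --fix --yes, then restart samba.
        samba-tool drs showrepl
    fi
fi
```

Run it without arguments on a DC to have only the offline sample parsed; run it with --live on the DC that reports the failing inbound connections (as root, since --local writes to the local sam.ldb), after the errata updates from the Solution section are installed. Outbound failures are deliberately ignored: they are the other DC's inbound problem and must be handled there.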