Problem:
samba-tool drs showrepl
shows: WERR_GEN_FAILURE
CN=Schema,CN=Configuration,DC=schein,DC=ig
Default-First-Site-Name\BACKUP via RPC
DSA object GUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2
Last attempt @ Thu Jul 6 00:17:12 2017 CEST failed, result 31 (WERR_GEN_FAILURE)
6 consecutive failure(s).
Last success @ NTTIME(0)
Master: log.samba
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:2a00:1e80:71:1:250:56ff:fea6:6901[49153,seal,krb5,target_hostname=6ed13bb0-151c-426e-81c4-40f9e632ae79._msdcs.schein.ig,target_principal=GC/backup.schein.ig/schein.ig,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=2a00:1e80:71:1:250:56ff:fea6:592] NT_STATUS_UNSUCCESSFUL
Backup: log.samba
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find SMB$@SCHEIN.IG(kvno 39) in keytab FILE:/etc/krb5.keytab (aes256-cts-hmac-sha1-96)
Investigation:
On the master:
ldbsearch -H /var/lib/samba/private/sam.ldb samaccountname='backup$' msds-keyversionnumber
# record 1
dn: CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 39
On the backup:
ldbsearch -H /var/lib/samba/private/sam.ldb samaccountname='backup$' msds-keyversionnumber
# record 1
dn: CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 41
Also on the backup, in secrets.ldb:
ldbsearch -H /var/lib/samba/private/secrets.ldb 'samAccountName=backup$' msDS-KeyVersionNumber
# record 1
dn: flatname=SCHEIN,cn=Primary Domains
msDS-KeyVersionNumber: 41
So we can see that the msDS-KeyVersionNumber for the backup DC's machine account is wrong on the master (39) and does not match the value on the backup server (41). This is exactly what the backup's log reports: the master's KDC issues tickets for kvno 39, which the backup's keytab no longer holds.
Solution:
We can replicate just that one object from the backup to the master.
On the master server:
samba-tool drs replicate --local master backup --single-object 'CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig' -P
Exop on[CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig] objects[1] linked_values[0]
Full Replication of all 1 objects and 0 links from backup to tdb:///var/lib/samba/private/sam.ldb was successful.
You can also use the servers' IP addresses here instead of their names.
Afterwards, check that the msDS-KeyVersionNumber on the master now matches the backup:
ldbsearch -H /var/lib/samba/private/sam.ldb samaccountname='backup$' msds-keyversionnumber
# record 1
dn: CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 41
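The kvno comparison done by hand in the investigation and in the final check, as an added script that is not part of the original notes. The DC hostnames, ssh-as-root access and the machine account name 'backup$' are assumptions; the sample LDIF records are constructed so the script runs without a Samba installation when no hosts are given.

```shell
#!/bin/sh
# Added example, not from the original notes: automate the kvno comparison
# done by hand above. DC hostnames, ssh-as-root access and the machine
# account name 'backup$' are assumptions; the sample LDIF is constructed.
SAM_LDB=/var/lib/samba/private/sam.ldb

# Pull msDS-KeyVersionNumber out of ldbsearch LDIF on stdin (case-insensitive,
# first record only). Prints nothing if the attribute is absent.
kvno_from_ldif() {
    awk -F': ' 'tolower($1) == "msds-keyversionnumber" { print $2; exit }'
}

# Ask one DC ("local" or an ssh-reachable hostname) for an account's kvno.
query_kvno() {
    host=$1 account=$2
    if [ "$host" = local ]; then
        ldbsearch -H "$SAM_LDB" "(samAccountName=$account)" msDS-KeyVersionNumber
    else
        ssh "root@$host" ldbsearch -H "$SAM_LDB" \
            "'(samAccountName=$account)'" msDS-KeyVersionNumber
    fi | kvno_from_ldif
}

# Classify a pair of kvno values. Only prints a verdict, so it is safe under
# set -e; a mismatch means the DC's own password changes never reached the
# other DC and its object must be replicated from the DC that owns it.
kvno_verdict() {
    master=$1 backup=$2
    if [ -z "$master" ] || [ -z "$backup" ]; then
        echo "unknown: attribute missing (master='$master' backup='$backup')"
    elif [ "$master" = "$backup" ]; then
        echo "in-sync: kvno $master"
    else
        echo "mismatch: master=$master backup=$backup -> replicate the DC object"
    fi
}
# Constructed sample output, shaped like the ldbsearch records in the notes.
SAMPLE_MASTER='# record 1
dn: CN=BACKUP,OU=Domain Controllers,DC=example,DC=test
msDS-KeyVersionNumber: 39'
SAMPLE_BACKUP='# record 1
dn: CN=BACKUP,OU=Domain Controllers,DC=example,DC=test
msDS-KeyVersionNumber: 41'
if [ "$#" -eq 2 ]; then     # usage: kvno-check.sh <master-host> <backup-host>
    kvno_verdict "$(query_kvno "$1" 'backup$')" "$(query_kvno "$2" 'backup$')"
else                        # no hosts given: run against the constructed sample
    kvno_verdict "$(printf '%s\n' "$SAMPLE_MASTER" | kvno_from_ldif)" \
                 "$(printf '%s\n' "$SAMPLE_BACKUP" | kvno_from_ldif)"
fi
```

Run it with two hostnames to compare live DCs; the verdict line is the same one the manual ldbsearch comparison leads to.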