Problem: samba-tool drs showrepl shows WERR_GEN_FAILURE

Problem:

samba-tool drs showrepl shows: WERR_GEN_FAILURE

CN=Schema,CN=Configuration,DC=schein,DC=ig
	Default-First-Site-Name\BACKUP via RPC
		DSA object GUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2
		Last attempt @ Thu Jul  6 00:17:12 2017 CEST failed, result 31 (WERR_GEN_FAILURE)
		6 consecutive failure(s).
		Last success @ NTTIME(0)

Master: log.samba

Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:2a00:1e80:71:1:250:56ff:fea6:6901[49153,seal,krb5,target_hostname=6ed13bb0-151c-426e-81c4-40f9e632ae79._msdcs.schein.ig,target_principal=GC/backup.schein.ig/schein.ig,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=2a00:1e80:71:1:250:56ff:fea6:592] NT_STATUS_UNSUCCESSFUL

Backup: log.samba

GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find SMB$@SCHEIN.IG(kvno 39) in keytab FILE:/etc/krb5.keytab (aes256-cts-hmac-sha1-96)

Investigation:

Please make sure, if you test this on your own servers, to adjust the hostnames to those of your servers.
In this case my backup server's hostname is "backup".

On the master:

ldbsearch -H /var/lib/samba/private/sam.ldb samaccountname='backup$' msds-keyversionnumber
# record 1
dn: CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 39

On the backup:

ldbsearch -H /var/lib/samba/private/sam.ldb samaccountname='backup$' msds-keyversionnumber
# record 1
dn: CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 41

Also on the Backup

ldbsearch -H /var/lib/samba/private/secrets.ldb 'samAccountName=backup$' msDS-KeyVersionNumber
# record 1
dn: flatname=SCHEIN,cn=Primary Domains
msDS-KeyVersionNumber: 41

So we can see that the msDS-KeyVersionNumber on the master (39) is stale and does not match the one on the backup server (41). This is exactly the kvno 39 that the backup's log complains it cannot find in its keytab.

ktutil list on the backup also shows the correct key version number (41):

FILE:/etc/krb5.keytab:

Vno Type Principal Aliases
41 des-cbc-crc HOST/backup@SCHEIN.IG
41 des-cbc-crc HOST/backup.schein.ig@SCHEIN.IG
41 des-cbc-crc BACKUP$@SCHEIN.IG
41 des-cbc-md5 HOST/backup@SCHEIN.IG
41 des-cbc-crc host/backup.schein.ig@SCHEIN.IG
41 des-cbc-md5 BACKUP$@SCHEIN.IG
41 arcfour-hmac-md5 HOST/backup@SCHEIN.IG
41 des-cbc-crc ldap/backup.schein.ig@SCHEIN.IG
41 arcfour-hmac-md5 BACKUP$@SCHEIN.IG
41 aes128-cts-hmac-sha1-96 HOST/backup@SCHEIN.IG
41 des-cbc-md5 HOST/backup.schein.ig@SCHEIN.IG
41 aes128-cts-hmac-sha1-96 BACKUP$@SCHEIN.IG
41 des-cbc-md5 host/backup.schein.ig@SCHEIN.IG
41 des-cbc-md5 ldap/backup.schein.ig@SCHEIN.IG
[…]
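
The check above can be scripted. The following POSIX shell script is an added example and not part of the original post: it pulls the msDS-KeyVersionNumber out of ldbsearch output and the Vno column out of "ktutil list" output, then reports whether all four views agree. The sample outputs embedded in it are constructed from the values shown in this post; the function and variable names are my own. On a real DC you would pipe in the live ldbsearch / ktutil output instead.

```shell
#!/bin/sh
# Added example, not from the original post: compare the kvno of the DC
# account as seen by the master's sam.ldb, the backup's sam.ldb, the
# backup's secrets.ldb and the backup's keytab, and flag the mismatch
# that produces WERR_GEN_FAILURE before touching replication.

# Print the msDS-KeyVersionNumber from ldbsearch output read on stdin
# (first match only; prints nothing if the attribute is absent).
kvno_from_ldb() {
    sed -n 's/^msDS-KeyVersionNumber:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Print the distinct Vno values one principal has in "ktutil list" output
# read on stdin. Matching is case-insensitive because the keytab in the
# post mixes HOST/ and host/ entries.
kvnos_from_keytab() {
    wanted=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v p="$wanted" '$1 ~ /^[0-9]+$/ && tolower($3) == p { print $1 }' \
        | sort -n | uniq
}

# Compare the four views of the kvno. Returns 0 when they all agree and
# 1 otherwise, printing a one-line verdict either way.
check_kvno_consistency() {
    master="$1" backup="$2" secrets="$3" keytab="$4"
    if [ -n "$master" ] && [ "$master" = "$backup" ] \
        && [ "$backup" = "$secrets" ] && [ "$secrets" = "$keytab" ]; then
        echo "OK: kvno $master is consistent on master, backup, secrets.ldb and keytab"
        return 0
    fi
    echo "MISMATCH: master sam.ldb=$master backup sam.ldb=$backup backup secrets.ldb=$secrets keytab=$keytab"
    return 1
}

# --- constructed sample data, taken from the values shown in the post ---
MASTER_SAM_OUT=$(cat <<'EOF'
# record 1
dn: CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 39
EOF
)
BACKUP_SAM_OUT=$(cat <<'EOF'
# record 1
dn: CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 41
EOF
)
BACKUP_SECRETS_OUT=$(cat <<'EOF'
# record 1
dn: flatname=SCHEIN,cn=Primary Domains
msDS-KeyVersionNumber: 41
EOF
)
KEYTAB_OUT=$(cat <<'EOF'
FILE:/etc/krb5.keytab:

Vno Type Principal Aliases
41 des-cbc-crc HOST/backup@SCHEIN.IG
41 des-cbc-crc BACKUP$@SCHEIN.IG
41 arcfour-hmac-md5 BACKUP$@SCHEIN.IG
41 aes128-cts-hmac-sha1-96 BACKUP$@SCHEIN.IG
EOF
)

MASTER_KVNO=$(printf '%s\n' "$MASTER_SAM_OUT" | kvno_from_ldb)
BACKUP_KVNO=$(printf '%s\n' "$BACKUP_SAM_OUT" | kvno_from_ldb)
SECRETS_KVNO=$(printf '%s\n' "$BACKUP_SECRETS_OUT" | kvno_from_ldb)
# The account has several keytab entries; join the distinct kvnos with spaces.
KEYTAB_KVNO=$(printf '%s\n' "$KEYTAB_OUT" | kvnos_from_keytab 'BACKUP$@SCHEIN.IG' \
    | tr '\n' ' ' | sed 's/ *$//')

# Wrapped in "if" so a mismatch is reported rather than aborting under set -e.
if check_kvno_consistency "$MASTER_KVNO" "$BACKUP_KVNO" "$SECRETS_KVNO" "$KEYTAB_KVNO"; then :; fi
```

With the post's values the script prints the MISMATCH line (master 39 against 41 everywhere else); after the replication fix below it would print OK. If the keytab ever listed more than one kvno for the account, KEYTAB_KVNO would contain several numbers and the comparison would fail, which is the right outcome since the keytab should be regenerated in that case.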

Solution:

Command explanation first:

samba-tool drs replicate --single-object \
    --local "$(hostname)" \
    "$System_B" \
    "$Single_Object_DN"

--local "$(hostname)" means that the data is replicated to the local system. The hostname itself is largely irrelevant; what matters is the host on which you run the command.
$System_B must be replaced by the FQDN of the remote system that is to be the source of the data.
$Single_Object_DN is the DN of the object to be synced.

Now for this specific case:

We can replicate the single object from the backup to the master.
On the master server:

samba-tool drs replicate --local master backup  --single-object 'CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig' -P
Exop on[CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig] objects[1] linked_values[0]
Full Replication of all 1 objects and 0 links from backup to tdb:///var/lib/samba/private/sam.ldb was successful.

-P authenticates with the machine account (using the machine secret). You can also use the server's IP address instead of its hostname in the command, which prevents Kerberos from being used:

samba-tool drs replicate --local master 10.200.43.181  --single-object 'CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig' -P

And if the machine account does not work anymore, you can try the Administrator account.
An indication of this could be the following message:

The attempted logon is invalid. This is either due to a bad username or authentication information.

samba-tool drs replicate --local master 10.200.43.181  --single-object 'CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig' -P -U Administrator

To ensure Kerberos is not used you can add -k no to the command (with an IP address Kerberos cannot be used anyway, but for completeness):

samba-tool drs replicate --local master 10.200.43.181  --single-object 'CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig' -P -U Administrator -k no

After that, check whether the key version number on the master now matches the backup:

ldbsearch -H /var/lib/samba/private/sam.ldb samaccountname='backup$' msds-keyversionnumber
# record 1
dn: CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 41

Last but not least, you have to restart the Samba service on both DCs, master and backup:

/etc/init.d/samba restart