Problem:

samba-tool drs showrepl shows: WERR_GEN_FAILURE

CN=Schema,CN=Configuration,DC=schein,DC=ig
	Default-First-Site-Name\BACKUP via RPC
		DSA object GUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2
		Last attempt @ Thu Jul  6 00:17:12 2017 CEST failed, result 31 (WERR_GEN_FAILURE)
		6 consecutive failure(s).
		Last success @ NTTIME(0)

Master: log.samba

Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:2a00:1e80:71:1:250:56ff:fea6:6901[49153,seal,krb5,target_hostname=6ed13bb0-151c-426e-81c4-40f9e632ae79._msdcs.schein.ig,target_principal=GC/backup.schein.ig/schein.ig,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=2a00:1e80:71:1:250:56ff:fea6:592] NT_STATUS_UNSUCCESSFUL

Backup: log.samba

GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find SMB$@SCHEIN.IG(kvno 39) in keytab FILE:/etc/krb5.keytab (aes256-cts-hmac-sha1-96)

Investigation:

On the master:

ldbsearch -H /var/lib/samba/private/sam.ldb samaccountname='backup$' msds-keyversionnumber
# record 1
dn: CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 39

On the backup:

ldbsearch -H /var/lib/samba/private/sam.ldb samaccountname='backup$' msds-keyversionnumber
# record 1
dn: CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 41

Also on the Backup

ldbsearch -H /var/lib/samba/private/secrets.ldb 'samAccountName=backup$' msDS-KeyVersionNumber
# record 1
dn: flatname=SCHEIN,cn=Primary Domains
msDS-KeyVersionNumber: 41

So we can see, that the KeyVersionNumber on the Master is wrong and does not match to one on the backup server.

ktutil list on the backup also shows the right keyversionNumber

FILE:/etc/krb5.keytab:

Vno Type Principal Aliases
41 des-cbc-crc HOST/backup@SCHEIN.IG
41 des-cbc-crc HOST/backup.schein.ig@SCHEIN.IG
41 des-cbc-crc BACKUP$@SCHEIN.IG
41 des-cbc-md5 HOST/backup@SCHEIN.IG
41 des-cbc-crc host/backup.schein.ig@SCHEIN.IG
41 des-cbc-md5 BACKUP$@SCHEIN.IG
41 arcfour-hmac-md5 HOST/backup@SCHEIN.IG
41 des-cbc-crc ldap/backup.schein.ig@SCHEIN.IG
41 arcfour-hmac-md5 BACKUP$@SCHEIN.IG
41 aes128-cts-hmac-sha1-96 HOST/backup@SCHEIN.IG
41 des-cbc-md5 HOST/backup.schein.ig@SCHEIN.IG
41 aes128-cts-hmac-sha1-96 BACKUP$@SCHEIN.IG
41 des-cbc-md5 host/backup.schein.ig@SCHEIN.IG
41 des-cbc-md5 ldap/backup.schein.ig@SCHEIN.IG
[…]

Solution:

We can replicate the one object from the backup to the master.
On the master server

samba-tool drs replicate --local master backup  --single-object 'CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig' -P
Exop on[CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig] objects[1] linked_values[0]
Full Replication of all 1 objects and 0 links from backup to tdb:///var/lib/samba/private/sam.ldb was successful.

You can also use the IP from the servers (to prevent usage of kerberos) here:

samba-tool drs replicate --local master 10.200.43.181  --single-object 'CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig' -P

And if the machine accound does not work anymore you can try the administrator account.
Indication could be this message:

The attempted logon is invalid. This is either due to a bad username or authentication information."

samba-tool drs replicate --local master 10.200.43.181  --single-object 'CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig' -P -U Administrator

To ensure kerberos is not used you can add -k no to the command (with IP no kerberos can be used, but for completeness)

samba-tool drs replicate --local master 10.200.43.181  --single-object 'CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig' -P -U Administrator -k no

After that check if the keyversionNumber is now the same on the master:

ldbsearch -H /var/lib/samba/private/sam.ldb samaccountname='backup$' msds-keyversionnumber
# record 1
dn: CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 41

Last but not least you have to restart the samba service on the DCs. Master and Backup!

/etc/init.d/samba restart