Problem: samba-tool drs showrepl shows WERR_GEN_FAILURE

Problem:

samba-tool drs showrepl shows: WERR_GEN_FAILURE

CN=Schema,CN=Configuration,DC=schein,DC=ig
	Default-First-Site-Name\BACKUP via RPC
		DSA object GUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2
		Last attempt @ Thu Jul  6 00:17:12 2017 CEST failed, result 31 (WERR_GEN_FAILURE)
		6 consecutive failure(s).
		Last success @ NTTIME(0)

Master: log.samba

Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:2a00:1e80:71:1:250:56ff:fea6:6901[49153,seal,krb5,target_hostname=6ed13bb0-151c-426e-81c4-40f9e632ae79._msdcs.schein.ig,target_principal=GC/backup.schein.ig/schein.ig,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=2a00:1e80:71:1:250:56ff:fea6:592] NT_STATUS_UNSUCCESSFUL

Backup: log.samba

GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find SMB$@SCHEIN.IG(kvno 39) in keytab FILE:/etc/krb5.keytab (aes256-cts-hmac-sha1-96)

Investigation:

On the master:

ldbsearch -H /var/lib/samba/private/sam.ldb samaccountname='backup$' msds-keyversionnumber
# record 1
dn: CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 39

On the backup:

ldbsearch -H /var/lib/samba/private/sam.ldb samaccountname='backup$' msds-keyversionnumber
# record 1
dn: CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 41

Also on the backup, in secrets.ldb:

ldbsearch -H /var/lib/samba/private/secrets.ldb 'samAccountName=backup$' msDS-KeyVersionNumber
# record 1
dn: flatname=SCHEIN,cn=Primary Domains
msDS-KeyVersionNumber: 41

So we can see that the msDS-KeyVersionNumber on the master (39) is stale and does not match the one on the backup server (41). This fits the backup's log line: the ticket presented to the backup was issued for kvno 39, which the backup's keytab no longer contains.

Solution:

We can replicate that single object from the backup to the master.
On the master server, run:

samba-tool drs replicate --local master backup  --single-object 'CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig' -P
Exop on[CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig] objects[1] linked_values[0]
Full Replication of all 1 objects and 0 links from backup to tdb:///var/lib/samba/private/sam.ldb was successful.

You can also use the servers' IP addresses instead of their names here.

After that, check that the msDS-KeyVersionNumber is now the same on the master:

ldbsearch -H /var/lib/samba/private/sam.ldb samaccountname='backup$' msds-keyversionnumber
# record 1
dn: CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 41
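The two ldbsearch comparisons above (before and after the single-object replication) can be scripted so the mismatch is caught without reading the records by eye. The script below is an added example, not part of the original post: it parses ldbsearch output for msDS-KeyVersionNumber and reports whether the two DCs agree. The outputs are constructed sample text that mirrors the post's numbers; in real use you would pipe the live ldbsearch output from each DC into the same function (the hostnames in the commented line are assumed).

```shell
#!/bin/sh
# Added example (not from the original post): compare the msDS-KeyVersionNumber
# that two DCs hold for one DC account, taken from ldbsearch output.

# Read ldbsearch output on stdin and print the msDS-KeyVersionNumber value.
# The attribute name is matched case-insensitively because ldbsearch echoes
# it in the casing stored in the directory, not the casing you typed.
kvno_from_ldb() {
    awk 'tolower($1) == "msds-keyversionnumber:" { print $2; exit }'
}

# Constructed sample output, as the master's sam.ldb answered in the post.
MASTER_OUT='# record 1
dn: CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 39
'

# Constructed sample output from the backup's sam.ldb.
BACKUP_OUT='# record 1
dn: CN=BACKUP,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 41
'

# Compare two kvno values. Returns 0 when they match, 1 on a mismatch,
# 2 when one of the outputs did not contain the attribute at all.
compare_kvno() {
    m_kvno=$1
    b_kvno=$2
    if [ -z "$m_kvno" ] || [ -z "$b_kvno" ]; then
        echo "could not read msDS-KeyVersionNumber from one of the outputs" >&2
        return 2
    fi
    if [ "$m_kvno" = "$b_kvno" ]; then
        echo "kvno in sync: $m_kvno"
        return 0
    fi
    echo "kvno MISMATCH: master=$m_kvno backup=$b_kvno (replicate the DC object to the stale side)"
    return 1
}

# Demonstration on the constructed samples: reports the mismatch from the post.
master_kvno=$(printf '%s' "$MASTER_OUT" | kvno_from_ldb)
backup_kvno=$(printf '%s' "$BACKUP_OUT" | kvno_from_ldb)
compare_kvno "$master_kvno" "$backup_kvno" || :

# Live use (assumed hostnames "master" and "backup"; run the same query on each DC):
# ssh master "ldbsearch -H /var/lib/samba/private/sam.ldb 'samaccountname=backup\$' msds-keyversionnumber" | kvno_from_ldb
# ssh backup "ldbsearch -H /var/lib/samba/private/sam.ldb 'samaccountname=backup\$' msds-keyversionnumber" | kvno_from_ldb
```

Run it once before the `samba-tool drs replicate` step to confirm the mismatch, and again afterwards: the second run should print the "in sync" line with the backup's value.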