Problem: Samba Replication: WERR_DS_DRA_ACCESS_DENIED

Problem

You might be facing an issue with Samba replication on hosts that report failures on INBOUND connections. The status might look like this:

root@master:~# samba-tool drs showrepl
Default-First-Site-Name\MASTER
DSA Options: 0x00000001
DSA object GUID: 9088bd86-0353-426d-a7e6-8f1613443bc0
DSA invocationId: 6ac364e8-f2f4-473b-a220-e3c28a4a8007

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=univention,DC=ucs
	Default-First-Site-Name\SLAVE1 via RPC
		DSA object GUID: 2856bcc1-a7ab-422c-82eb-78b417f7027e
		Last attempt @ Thu Aug 30 10:18:48 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
		556 consecutive failure(s).
		Last success @ Thu Aug 30 10:18:48 2018 CEST

CN=Configuration,DC=univention,DC=ucs
	Default-First-Site-Name\SLAVE2 via RPC
		DSA object GUID: 47fe84c6-617f-4345-b26e-2a488da89a6f
		Last attempt @ Thu Aug 30 10:18:48 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
		556 consecutive failure(s).
		Last success @ Thu Aug 30 10:18:48 2018 CEST
[...]
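To spot this condition before it reaches 556 consecutive failures, the showrepl output can be parsed and fed into monitoring. The following script is an added example written for this article (it is not Univention's or Samba's code); it assumes the plain-text layout that samba-tool prints, as shown above, and the sample text embedded in it is constructed from that output, with a second, healthy neighbor added for contrast.

```python
"""Parse `samba-tool drs showrepl` output and flag failing inbound neighbors.

Added example for this article, not samba-tool's own code. Assumes the layout
shown in the article: "==== X NEIGHBORS ====" section headers, an unindented
naming-context line, a tab-indented "Site\DC via TRANSPORT" line and
double-tab-indented detail lines.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample: trimmed from the article's output, plus one healthy neighbor.
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\MASTER
DSA Options: 0x00000001
DSA object GUID: 9088bd86-0353-426d-a7e6-8f1613443bc0
DSA invocationId: 6ac364e8-f2f4-473b-a220-e3c28a4a8007

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=univention,DC=ucs
\tDefault-First-Site-Name\\SLAVE1 via RPC
\t\tDSA object GUID: 2856bcc1-a7ab-422c-82eb-78b417f7027e
\t\tLast attempt @ Thu Aug 30 10:18:48 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
\t\t556 consecutive failure(s).
\t\tLast success @ Thu Aug 30 10:18:48 2018 CEST

DC=univention,DC=ucs
\tDefault-First-Site-Name\\SLAVE2 via RPC
\t\tDSA object GUID: 47fe84c6-617f-4345-b26e-2a488da89a6f
\t\tLast attempt @ Thu Aug 30 10:20:01 2018 CEST was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Thu Aug 30 10:20:01 2018 CEST

==== OUTBOUND NEIGHBORS ====
"""


@dataclass
class Neighbor:
    direction: str            # "INBOUND" or "OUTBOUND"
    partition: str            # naming context, e.g. CN=Configuration,DC=...
    source: str               # Site\DC of the replication partner
    transport: str            # e.g. RPC
    dsa_guid: str = ""
    result_code: int = 0      # WERR code of the last attempt, 0 on success
    result_name: str = ""
    consecutive_failures: int = 0


SECTION_RE = re.compile(r"^==== (\w+) NEIGHBORS ====$")
SOURCE_RE = re.compile(r"^\t(?P<source>\S+) via (?P<transport>\S+)$")
GUID_RE = re.compile(r"DSA object GUID: (?P<guid>[0-9a-f-]{36})")
FAILED_RE = re.compile(r"failed, result (?P<code>\d+) \((?P<name>\w+)\)")
FAILCOUNT_RE = re.compile(r"(?P<n>\d+) consecutive failure")


def parse_showrepl(text):
    """Return one Neighbor per partner/partition pair found in the output."""
    neighbors, section, partition, current = [], None, None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section, partition, current = m.group(1), None, None
            continue
        if section is None or not line.strip():
            continue                      # DSA header block or blank line
        if not line.startswith("\t"):
            partition = line.strip()      # naming context line
            continue
        m = SOURCE_RE.match(line)
        if m:
            current = Neighbor(section, partition, m["source"], m["transport"])
            neighbors.append(current)
            continue
        if current is None:
            continue
        if (m := GUID_RE.search(line)):
            current.dsa_guid = m["guid"]
        elif (m := FAILED_RE.search(line)):
            current.result_code, current.result_name = int(m["code"]), m["name"]
        elif (m := FAILCOUNT_RE.search(line)):
            current.consecutive_failures = int(m["n"])
    return neighbors


def failing_inbound(text, min_failures=1):
    """Inbound neighbors with at least `min_failures` consecutive failures."""
    return [n for n in parse_showrepl(text)
            if n.direction == "INBOUND" and n.consecutive_failures >= min_failures]


def check_replication(text):
    """Nagios-style one-line verdict for the given showrepl output."""
    bad = failing_inbound(text)
    if not bad:
        return "OK: all inbound neighbors replicating"
    details = "; ".join(
        f"{n.source} -> {n.partition}: {n.result_name or 'unknown'} "
        f"({n.result_code}), {n.consecutive_failures} consecutive failure(s)"
        for n in bad)
    return f"CRITICAL: {len(bad)} failing inbound neighbor(s): {details}"


if __name__ == "__main__":
    # Pipe real output in: samba-tool drs showrepl | python3 check_showrepl.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHOWREPL
    print(check_replication(data))
```

Only inbound neighbors are evaluated, since that is the direction the article's failures are reported on; the result name (WERR_DS_DRA_ACCESS_DENIED) is carried into the verdict so the alert already points at this article's scenario rather than a generic "replication failed".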

These error messages might appear in combination with

WERR_DS_DRA_INTERNAL_ERROR

error messages.

First check the connection to the machines using the nc command:

nc -zvw10 <IP> <PORT>

If you get a message like

nc: connect to XXX port YYY (tcp) failed: Connection refused

then make sure that the ports are accessible and not blocked by a firewall. You can see here which ports need to be accessible: Which TCP / UDP ports on the DC master must be accessible by other systems?

On the hosts with issues mentioned above (i.e. SLAVE1) you might find the following in the Samba logs (you might need to increase the Samba log level to see these entries):

[2018/08/30 11:00:26.885473,  1, pid=27108] ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
  ../source4/dsdb/common/util.c:4807: Failed to find account dn (serverReference) for CN=MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=univention,DC=ucs, parent of DSA with objectGUID 66b10a44-eed9-49f6-b7ce-ea433bdf8c15, sid S-1-5-21-2042430931-3186930242-3709046569-7659
[2018/08/01 11:00:26.885558,  0, pid=27108] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
  ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-2042430931-3186930242-3709046569-7659 with GUID 66b10a44-eed9-49f6-b7ce-ea433bdf8c15
[2018/08/01 11:00:27.580273,  1, pid=27108] ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
  ../source4/dsdb/common/util.c:4807: Failed to find account dn (serverReference) for CN=MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=univention,DC=ucs, parent of DSA with objectGUID 66b10a44-eed9-49f6-b7ce-ea433bdf8c15, sid S-1-5-21-2042430931-3186930242-3709046569-7659
[2018/08/01 11:00:27.580362,  0, pid=27108] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
  ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-2042430931-3186930242-3709046569-7659 with GUID 66b10a44-eed9-49f6-b7ce-ea433bdf8c15
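When the log is large, the useful facts in these entries are the DSA objectGUID and SID that Samba refuses, and the server object whose serverReference lookup failed. The script below is an added example for this article (not Samba's or Univention's code); it assumes the default Samba log layout seen above, a bracketed header line followed by an indented message line, and the embedded sample is constructed from the excerpt above.

```python
"""Triage Samba log entries for refused DsReplicaUpdateRefs calls.

Added example for this article, not Samba's own tooling. Assumes the log
layout shown above: "[timestamp, level, pid=N] file:line(function)" on one
line, followed by one or more indented message lines.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: two header/message pairs copied from the excerpt above.
SAMPLE_LOG = """\
[2018/08/30 11:00:26.885473,  1, pid=27108] ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
  ../source4/dsdb/common/util.c:4807: Failed to find account dn (serverReference) for CN=MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=univention,DC=ucs, parent of DSA with objectGUID 66b10a44-eed9-49f6-b7ce-ea433bdf8c15, sid S-1-5-21-2042430931-3186930242-3709046569-7659
[2018/08/30 11:00:26.885558,  0, pid=27108] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
  ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-2042430931-3186930242-3709046569-7659 with GUID 66b10a44-eed9-49f6-b7ce-ea433bdf8c15
[2018/08/30 11:00:27.580273,  1, pid=27108] ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
  ../source4/dsdb/common/util.c:4807: Failed to find account dn (serverReference) for CN=MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=univention,DC=ucs, parent of DSA with objectGUID 66b10a44-eed9-49f6-b7ce-ea433bdf8c15, sid S-1-5-21-2042430931-3186930242-3709046569-7659
[2018/08/30 11:00:27.580362,  0, pid=27108] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
  ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-2042430931-3186930242-3709046569-7659 with GUID 66b10a44-eed9-49f6-b7ce-ea433bdf8c15
"""

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+), "
    r"pid=(?P<pid>\d+)\] (?P<loc>\S+)\((?P<func>\w+)\)$")
MISSING_REF_RE = re.compile(
    r"Failed to find account dn \(serverReference\) for (?P<dn>.+?), "
    r"parent of DSA with objectGUID (?P<guid>[0-9a-f-]{36}), sid (?P<sid>S-[\d-]+)")
REFUSAL_RE = re.compile(
    r"Refusing DsReplicaUpdateRefs for sid (?P<sid>S-[\d-]+) with GUID (?P<guid>[0-9a-f-]{36})")


def parse_samba_log(text):
    """Return (header_fields, message) pairs; message joins the indented lines."""
    entries, header, msg = [], None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if header is not None:
                entries.append((header, " ".join(msg)))
            header, msg = m.groupdict(), []
        elif header is not None and line.startswith(" "):
            msg.append(line.strip())
    if header is not None:
        entries.append((header, " ".join(msg)))
    return entries


def summarize_refusals(text):
    """Map DSA objectGUID -> SID, the server DN missing its serverReference,
    and how often (and when) DsReplicaUpdateRefs was refused for it."""
    by_guid = defaultdict(lambda: {"sid": None, "server_dn": None,
                                   "refusals": 0, "first_seen": None, "last_seen": None})
    for header, msg in parse_samba_log(text):
        if (m := MISSING_REF_RE.search(msg)):
            rec = by_guid[m["guid"]]
            rec["sid"], rec["server_dn"] = m["sid"], m["dn"]
        elif (m := REFUSAL_RE.search(msg)):
            rec = by_guid[m["guid"]]
            rec["sid"] = rec["sid"] or m["sid"]
            rec["refusals"] += 1
            rec["first_seen"] = rec["first_seen"] or header["ts"]
            rec["last_seen"] = header["ts"]
    return dict(by_guid)


if __name__ == "__main__":
    # Usage on a real log: python3 samba_refusals.py < /var/log/samba/log.samba
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for guid, rec in summarize_refusals(data).items():
        print(f"DSA {guid} (sid {rec['sid']}): {rec['refusals']} refusal(s) "
              f"between {rec['first_seen']} and {rec['last_seen']}; "
              f"server object without serverReference: {rec['server_dn']}")
```

The summary collapses thousands of repeated entries into one line per DSA GUID, which is what you need to decide which server object (here CN=MASTER,...) to inspect after applying the fix below.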

Solution

Apply the errata updates for your UCS version:
UCS 4.2
UCS 4.3

Then force synchronization with the following command:

samba-tool drs replicate --local $(hostname) slave2 CN=Configuration,$(ucr get samba4/ldap/base)

Followed by

samba-tool dbcheck --cross-ncs --fix --yes

Restart services on both servers:

root@slave1:~#  /etc/init.d/samba restart
root@slave2:~#  /etc/init.d/samba restart