Warning: SAMBA replication status


#1

Is this serious? What kind of problem is that and how can I solve it?
I have three VMs.

  1. Domain-Master
  2. Domain-Slave with KOPANO (here is that warning)
  3. Domain-Slave with SMB
`samba-tool drs showrepl` gibt ein Problem mit der Replikation zurück.
In eingehend 'DC=ForestDnsZones,DC=company,DC=de': Fehler während der DRS Replikation von Default-First-Site-Name/SMB (WERR_DS_DRA_ACCESS_DENIED).
In eingehend 'CN=Schema,CN=Configuration,DC=company,DC=de': Fehler während der DRS Replikation von Default-First-Site-Name/SMB (WERR_DS_DRA_ACCESS_DENIED).
In eingehend 'CN=Configuration,DC=company,DC=de': Fehler während der DRS Replikation von Default-First-Site-Name/SMB (WERR_DS_DRA_ACCESS_DENIED).
In eingehend 'DC=DomainDnsZones,DC=company,DC=de': Fehler während der DRS Replikation von Default-First-Site-Name/SMB (WERR_DS_DRA_ACCESS_DENIED).
In eingehend 'DC=company,DC=de': Fehler während der DRS Replikation von Default-First-Site-Name/SMB (WERR_DS_DRA_ACCESS_DENIED).

#2

Given that you mean that the only system where you see the error is the Kopano-Slave I would first ask why you have Samba installed here.
In case there is a use case I’d start to check the real output of samba-tool drs showrepl on this system.


#3

On the system I have a share for importing PST files. So I need Samba there too.

Default-First-Site-Name\MANNHEIM
DSA Options: 0x00000001
DSA object GUID: af9ef618-03d5-4653-958b-961a3de7454a
DSA invocationId: 973ec1f0-e253-4ea7-9bbd-46a6ed74939b

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=company,DC=de
        Default-First-Site-Name\CORE via RPC
                DSA object GUID: c48d9182-ff6f-478a-953b-7051008e398a
                Last attempt @ Wed Jul 18 14:00:13 2018 CEST was successful
                0 consecutive failure(s).
                Last success @ Wed Jul 18 14:00:13 2018 CEST

DC=ForestDnsZones,DC=company,DC=de
        Default-First-Site-Name\SMB via RPC
                DSA object GUID: a4527054-2b0c-4325-9984-262333d9decd
                Last attempt @ Wed Jul 18 14:00:13 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                16080 consecutive failure(s).
                Last success @ Wed Jul 18 14:00:13 2018 CEST

CN=Schema,CN=Configuration,DC=company,DC=de
        Default-First-Site-Name\CORE via RPC
                DSA object GUID: c48d9182-ff6f-478a-953b-7051008e398a
                Last attempt @ Wed Jul 18 14:00:13 2018 CEST was successful
                0 consecutive failure(s).
                Last success @ Wed Jul 18 14:00:13 2018 CEST

CN=Schema,CN=Configuration,DC=company,DC=de
        Default-First-Site-Name\SMB via RPC
                DSA object GUID: a4527054-2b0c-4325-9984-262333d9decd
                Last attempt @ Wed Jul 18 14:00:13 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                15956 consecutive failure(s).
                Last success @ Wed Jul 18 14:00:13 2018 CEST

CN=Configuration,DC=company,DC=de
        Default-First-Site-Name\CORE via RPC
                DSA object GUID: c48d9182-ff6f-478a-953b-7051008e398a
                Last attempt @ Wed Jul 18 14:00:13 2018 CEST was successful
                0 consecutive failure(s).
                Last success @ Wed Jul 18 14:00:13 2018 CEST

CN=Configuration,DC=company,DC=de
        Default-First-Site-Name\SMB via RPC
                DSA object GUID: a4527054-2b0c-4325-9984-262333d9decd
                Last attempt @ Wed Jul 18 14:00:13 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                15957 consecutive failure(s).
                Last success @ Wed Jul 18 14:00:13 2018 CEST

DC=DomainDnsZones,DC=company,DC=de
        Default-First-Site-Name\CORE via RPC
                DSA object GUID: c48d9182-ff6f-478a-953b-7051008e398a
                Last attempt @ Wed Jul 18 14:00:13 2018 CEST was successful
                0 consecutive failure(s).
                Last success @ Wed Jul 18 14:00:13 2018 CEST

DC=DomainDnsZones,DC=company,DC=de
        Default-First-Site-Name\SMB via RPC
                DSA object GUID: a4527054-2b0c-4325-9984-262333d9decd
                Last attempt @ Wed Jul 18 14:00:13 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                16778 consecutive failure(s).
                Last success @ Wed Jul 18 14:00:13 2018 CEST

DC=company,DC=de
        Default-First-Site-Name\CORE via RPC
                DSA object GUID: c48d9182-ff6f-478a-953b-7051008e398a
                Last attempt @ Wed Jul 18 14:00:13 2018 CEST was successful
                0 consecutive failure(s).
                Last success @ Wed Jul 18 14:00:13 2018 CEST

DC=company,DC=de
        Default-First-Site-Name\SMB via RPC
                DSA object GUID: a4527054-2b0c-4325-9984-262333d9decd
                Last attempt @ Wed Jul 18 14:00:13 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                16096 consecutive failure(s).
                Last success @ Wed Jul 18 14:00:13 2018 CEST

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=company,DC=de
        Default-First-Site-Name\CORE via RPC
                DSA object GUID: c48d9182-ff6f-478a-953b-7051008e398a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=company,DC=de
        Default-First-Site-Name\SMB via RPC
                DSA object GUID: a4527054-2b0c-4325-9984-262333d9decd
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=company,DC=de
        Default-First-Site-Name\CORE via RPC
                DSA object GUID: c48d9182-ff6f-478a-953b-7051008e398a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=company,DC=de
        Default-First-Site-Name\SMB via RPC
                DSA object GUID: a4527054-2b0c-4325-9984-262333d9decd
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=company,DC=de
        Default-First-Site-Name\CORE via RPC
                DSA object GUID: c48d9182-ff6f-478a-953b-7051008e398a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=company,DC=de
        Default-First-Site-Name\SMB via RPC
                DSA object GUID: a4527054-2b0c-4325-9984-262333d9decd
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=company,DC=de
        Default-First-Site-Name\CORE via RPC
                DSA object GUID: c48d9182-ff6f-478a-953b-7051008e398a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=company,DC=de
        Default-First-Site-Name\SMB via RPC
                DSA object GUID: a4527054-2b0c-4325-9984-262333d9decd
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=company,DC=de
        Default-First-Site-Name\CORE via RPC
                DSA object GUID: c48d9182-ff6f-478a-953b-7051008e398a
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=company,DC=de
        Default-First-Site-Name\SMB via RPC
                DSA object GUID: a4527054-2b0c-4325-9984-262333d9decd
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 6d8c7158-e017-44c8-a316-013076357a4a
        Enabled        : TRUE
        Server DNS name : smb.company.de
        Server DN name  : CN=NTDS Settings,CN=SMB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company,DC=de
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
        Connection name: 882ef3d0-5aac-476f-9e38-629db884ee37
        Enabled        : TRUE
        Server DNS name : core.company.de
        Server DN name  : CN=NTDS Settings,CN=CORE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company,DC=de
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!



#4

Ok, now that I have learned how to read the translated output in the system diagnostics from samba-tool drs showrepl we can go further.

There appears to be a permission problem between the “SMB”-host and the Kopano slave.
Samba 4 Troubleshooting has some explanations and hints what to check.


#5

I rejoined the server to the domain. Now it’s fine! But it takes almost 5 minutes to join “bind” … It was impossible using the web interface because of a timeout. I had to do this using the shell.


#6

Sorry to say that, but now the problem is there again…

`samba-tool drs showrepl` gibt ein Problem mit der Replikation zurück.
In eingehend 'DC=ForestDnsZones,DC=company,DC=de': Fehler während der DRS Replikation von Default-First-Site-Name/SMB (WERR_DS_DRA_ACCESS_DENIED).
In eingehend 'CN=Schema,CN=Configuration,DC=company,DC=de': Fehler während der DRS Replikation von Default-First-Site-Name/SMB (WERR_DS_DRA_ACCESS_DENIED).
In eingehend 'CN=Configuration,DC=company,DC=de': Fehler während der DRS Replikation von Default-First-Site-Name/SMB (WERR_DS_DRA_ACCESS_DENIED).
In eingehend 'DC=DomainDnsZones,DC=company,DC=de': Fehler während der DRS Replikation von Default-First-Site-Name/SMB (WERR_DS_DRA_ACCESS_DENIED).
In eingehend 'DC=company,DC=de': Fehler während der DRS Replikation von Default-First-Site-Name/SMB (WERR_DS_DRA_ACCESS_DENIED).
In ausgehend 'DC=DomainDnsZones,DC=company,DC=de': Fehler während der DRS Replikation nach Default-First-Site-Name/CORE (WERR_BAD_NETPATH).


#7

I guess that the steps mentioned in the Troubleshooting Guide, starting with the KCC and testing the connection between SMB and the Kopano-Host could shed some light on the problem.


#8

Now I also rejoined the second slave (SMB) and see the following now at the first slave:

`samba-tool drs showrepl` gibt ein Problem mit der Replikation zurück. 
In ausgehend 'CN=Configuration,DC=company,DC=de': Fehler während der DRS Replikation nach Default-First-Site-Name/CORE (WERR_BAD_NETPATH).
In ausgehend 'DC=DomainDnsZones,DC=company,DC=de': Fehler während der DRS Replikation nach Default-First-Site-Name/CORE (WERR_BAD_NETPATH).

where “CORE” is the Master.

This is what I can see at the CORE

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/__init__.py", line 270, in execute
    result = execute(umc_module, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/41_samba_tool_showrepl.py", line 149, in run
    problems = list(drs.replication_problems())
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/41_samba_tool_showrepl.py", line 98, in replication_problems
    for replica_info, neighbour in self.neighbours():
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/41_samba_tool_showrepl.py", line 93, in neighbours
    (info_type, info) = self._replica_info(replica_info_direction)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/41_samba_tool_showrepl.py", line 87, in _replica_info
    (info_type, info) = self.drsuapi.DsReplicaGetInfo(self.handle, 1, req1)
NTSTATUSError: (-1073610699, 'The operation cannot be performed.')

And this at the freshly rejoined “SMB”

`samba-tool drs showrepl` gibt ein Problem mit der Replikation zurück.
In eingehend 'DC=ForestDnsZones,DC=company,DC=de': Fehler während der DRS Replikation von Default-First-Site-Name/MANNHEIM (WERR_DS_DRA_ACCESS_DENIED).
In eingehend 'CN=Schema,CN=Configuration,DC=company,DC=de': Fehler während der DRS Replikation von Default-First-Site-Name/MANNHEIM (WERR_DS_DRA_ACCESS_DENIED). 
In eingehend 'CN=Configuration,DC=company,DC=de': Fehler während der DRS Replikation von Default-First-Site-Name/MANNHEIM (WERR_DS_DRA_ACCESS_DENIED). 
In eingehend 'DC=DomainDnsZones,DC=company,DC=de': Fehler während der DRS Replikation von Default-First-Site-Name/MANNHEIM (WERR_DS_DRA_ACCESS_DENIED).
In eingehend 'DC=company,DC=de': Fehler während der DRS Replikation von Default-First-Site-Name/MANNHEIM (WERR_DS_DRA_ACCESS_DENIED). 
In ausgehend 'DC=ForestDnsZones,DC=company,DC=de': Fehler während der DRS Replikation nach Default-First-Site-Name/CORE (WERR_BAD_NETPATH). 
In ausgehend 'CN=Schema,CN=Configuration,DC=company,DC=de': Fehler während der DRS Replikation nach Default-First-Site-Name/CORE (WERR_BAD_NETPATH). 
In ausgehend 'CN=Configuration,DC=company,DC=de': Fehler während der DRS Replikation nach Default-First-Site-Name/CORE (WERR_BAD_NETPATH). 
In ausgehend 'DC=DomainDnsZones,DC=company,DC=de': Fehler während der DRS Replikation nach Default-First-Site-Name/CORE (WERR_BAD_NETPATH). 
In ausgehend 'DC=company,DC=de': Fehler während der DRS Replikation nach Default-First-Site-Name/CORE (WERR_BAD_NETPATH).

And I simply don’t understand that. I have basic skills on Debian, but I don’t get into the depths of a samba domain or anything like that.

I installed UCS and then only apps from the App Center. I had hoped that I would be spared such deep interventions and problems.

To solve the problem I need a little more help than a reference to complex solutions.


#9

I don’t know anyone who starts to jubilate when it comes to S4-troubleshooting. But it appears that this is the only way to go.
From my knowledge the steps mentioned in the guide are very useful for this task. If you don’t want to hire someone to fix this you can do it yourself. If you don’t understand the output or the stuff that gets logged you are welcome to ask here.

Looking only at the things you posted I would say that for any reason the host object “SMB” is running against a permission problem on CORE. But there are no hints pointing to the reason.


#10

I added two slave servers to my infrastructure and I get the same WERR_DS_DRA_ACCESS_DENIED errors on the new servers.


#11

https://forge.univention.org/bugzilla/show_bug.cgi?id=47077 mentions the WERR_DS_DRA_ACCESS_DENIED.
Unfortunately there is no solution or workaround mentioned.


#12

Ok, let’s start to narrow this down by interpreting the output of samba-tool drs showrepl. The “INBOUND NEIGHBORS” section in the output of samba-tool drs showrepl reports information about directory data replicated from other Samba/AD domain controllers to the local Samba/AD DC where the command is run. The “OUTBOUND NEIGHBORS” on the other hand reports information about data replicated by other Samba/AD DCs. WERR_DS_DRA_ACCESS_DENIED errors in the “INBOUND” section mean that the local host was unable to authenticate against the other Samba/AD DC when trying to replicate data from a specific partition. As a result, /var/log/samba/log.samba on the local host could show a log message that reports the authentication failure, e.g. something like this:

Failed to bind to uuid a4527054-2b0c-4325-9984-262333d9decd for ncacn_ip_tcp:10.20.30.40[49152,seal,krb5,target_hostname=a4527054-2b0c-4325-9984-262333d9decd._msdcs.company.de,target_principal=GC/smb.company.de/company.de,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.20.30.41] NT_STATUS_UNSUCCESSFUL

On the other hand, the /var/log/samba/log.samba on the remote DC, which seems to go by the name “SMB” in your case, could contain a log message that reports the reason of the error. I’ll give an example here: Assuming you have a Master and two Slaves, all three with Samba/AD. If you re-join Slave2 for some reason, the replication to Slave1 may be temporarily broken, because Slave1 still holds a Kerberos Service Ticket for Slave2 that is not valid any longer. As a result samba-tool drs showrepl on Slave1 should show an error in the INBOUND section. Depending on the exact details, this situation can be observed in log.samba on Samba/AD DC Slave2, where a message like this may appear:

GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find SLAVE1$@COMAPY.DE(kvno 1) in keytab FILE:/etc/krb5.keytab (arcfour-hmac-md5)

Please note that the error message may vary, depending on the exact details and Samba versions.

Now, in this example situation (known as https://forge.univention.org/bugzilla/show_bug.cgi?id=35560 ) it’s easy to get the replication going again by restarting the samba processes on Server1 (/etc/init.d/samba restart).

Then there is the Bug that Dirk Ahrnke mentioned above. My gut feeling is that that’s not what we have here, but you may check this by running the following commands:

ldif=$(univention-s4search objectGUID=a4527054-2b0c-4325-9984-262333d9decd)
dsa_dn=$(echo "$ldif"  | sed -n 's/^dn: //p')
server_dn=$(echo "$dsa_dn" | sed -n 's/^[^,]*,//p')
univention-s4search -b "$server_dn" -s base serverReference

The output of the last command should contain a line starting with "serverReference: ". If not, then either my commands above had a problem (there should at least be a line starting with "dn: "), or you really might face the situation described in that Samba Bug report. From reading the Samba Bug report I’m not 100% sure if the attribute would be missing on the local server or on the remote “SMB” server. So, you probably should check on both.
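To make the INBOUND/OUTBOUND reading described in the post above concrete, here is an added example (not part of the original posts and not Univention's diagnostic code) that extracts the failing INBOUND neighbours from `samba-tool drs showrepl` output and groups them by source DSA. The sample input is constructed and abridged in the format posted earlier in the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise failing INBOUND neighbours of `samba-tool drs showrepl`.

# Constructed sample, abridged to two partitions, in the format shown in the thread.
sample_showrepl() {
cat <<'EOF'
Default-First-Site-Name\MANNHEIM
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=company,DC=de
        Default-First-Site-Name\CORE via RPC
                DSA object GUID: c48d9182-ff6f-478a-953b-7051008e398a
                Last attempt @ Wed Jul 18 14:00:13 2018 CEST was successful
                0 consecutive failure(s).
                Last success @ Wed Jul 18 14:00:13 2018 CEST

DC=ForestDnsZones,DC=company,DC=de
        Default-First-Site-Name\SMB via RPC
                DSA object GUID: a4527054-2b0c-4325-9984-262333d9decd
                Last attempt @ Wed Jul 18 14:00:13 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                16080 consecutive failure(s).
                Last success @ Wed Jul 18 14:00:13 2018 CEST

DC=company,DC=de
        Default-First-Site-Name\SMB via RPC
                DSA object GUID: a4527054-2b0c-4325-9984-262333d9decd
                Last attempt @ Wed Jul 18 14:00:13 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                16096 consecutive failure(s).
                Last success @ Wed Jul 18 14:00:13 2018 CEST

==== OUTBOUND NEIGHBORS ====

DC=company,DC=de
        Default-First-Site-Name\SMB via RPC
                DSA object GUID: a4527054-2b0c-4325-9984-262333d9decd
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)
EOF
}

# Reads showrepl output on stdin. Prints one tab-separated line per failing
# INBOUND neighbour: partition, source DSA, DSA GUID, result code, name, failures.
showrepl_inbound_failures() {
    awk '
        /^==== /                 { section = $2; next }   # INBOUND, OUTBOUND, KCC
        section != "INBOUND"     { next }
        /^[^ \t]/                { nc = $0; next }        # unindented: partition DN
        / via RPC[ \t]*$/        { src = $1; next }
        /DSA object GUID:/       { guid = $NF; next }
        /Last attempt @ .* was successful/ { failed = 0; next }
        /Last attempt @ .* failed, result/ {
            for (i = 1; i < NF; i++)
                if ($i == "result") { code = $(i + 1); name = $(i + 2) }
            gsub(/[()]/, "", name)
            failed = 1
            next
        }
        /consecutive failure/ {
            if (failed)
                printf "%s\t%s\t%s\t%s\t%s\t%s\n", nc, src, guid, code, name, $1
            failed = 0
        }
    '
}

# Groups the failures by source DSA: source, GUID, error name, number of
# affected partitions. One source failing on every partition points at that
# peer (authentication, serverReference) rather than at a single partition.
showrepl_failing_sources() {
    showrepl_inbound_failures | awk -F '\t' '
        { key = $2 FS $3 FS $5; n[key]++ }
        END { for (key in n) print key FS n[key] }
    ' | sort
}

sample_showrepl | showrepl_inbound_failures
sample_showrepl | showrepl_failing_sources
```

On a DC the same functions can be fed directly with `samba-tool drs showrepl | showrepl_failing_sources`.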


#13

Hello @requate

What I get from log.samba is something like this:

[2018/08/01 11:00:26.885473,  1, pid=27108] ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
  ../source4/dsdb/common/util.c:4807: Failed to find account dn (serverReference) for CN=MIIDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccm,DC=local, parent of DSA with objectGUID 66b10a44-eed9-49f6-b7ce-ea433bdf8c15, sid S-1-5-21-2042430931-3186930242-3709046569-7659
[2018/08/01 11:00:26.885558,  0, pid=27108] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
  ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-2042430931-3186930242-3709046569-7659 with GUID 66b10a44-eed9-49f6-b7ce-ea433bdf8c15
[2018/08/01 11:00:27.580273,  1, pid=27108] ../source4/dsdb/common/util.c:4807(dsdb_validate_dsa_guid)
  ../source4/dsdb/common/util.c:4807: Failed to find account dn (serverReference) for CN=MIIDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccm,DC=local, parent of DSA with objectGUID 66b10a44-eed9-49f6-b7ce-ea433bdf8c15, sid S-1-5-21-2042430931-3186930242-3709046569-7659
[2018/08/01 11:00:27.580362,  0, pid=27108] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
  ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-2042430931-3186930242-3709046569-7659 with GUID 66b10a44-eed9-49f6-b7ce-ea433bdf8c15

This is the output from feldc01, the showrepl from miidc01 reports WERR_DS_DRA_ACCESS_DENIED for the inbound feldc01


#14

Ok, thanks for the logs, I guess I owe a beer or two to @ahrnke. I’ve created Bug #47441 to pick up the patch proposed by upstream samba. Now, you need a solution for your issue. Since I currently don’t have a server showing the symptoms that you report, we’ll have to approach this a bit iteratively. First I’d like to ask you to run the following command as root on feldc01:

 samba-tool ldapcmp "ldap://miidc01" "ldap://feldc01" configuration --sort-aces \
                    > ldapcmp-miidc01-feldc01-config.log 2>&1

You may upload the output to https://upload.univention.de/ in case it contains sensitive information or just attach it here. If you choose to use the upload please provide the upload ID you get, so I can identify it. That’s just diagnostic information for me, so I get an idea about the situation. Then I’d propose to trigger a synchronization of the problematic object by running the following command on feldc01:

samba-tool drs replicate --local --single-object feldc01 miidc01 \
   CN=MIIDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccm,DC=local

After that please check the output of the following command run on feldc01:

univention-s4search -b "CN=MIIDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccm,DC=local" -s base serverReference

There should be a “serverReference” attribute in the output. If that was successful, you should continue by running the following command, also on feldc01:

samba-tool dbcheck --cross-ncs --yes --fix > dbcheck-fix-feldc01.log 2>&1

You may want to send that file as well, maybe just zip the files. That’s all I have for now, please let us know how things go.


#15

Hello @requate, here are the outputs

ERROR: Compare failed: -1

* Comparing [CONFIGURATION] context...

* Objects to be compared: 1650

Comparing:
'CN=MIIDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccm,DC=local' [ldap://miidc01]
'CN=MIIDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccm,DC=local' [ldap://feldc01]
    Attributes found only in ldap://miidc01:
        serverReference
    FAILED

* Result for [CONFIGURATION]: FAILURE

SUMMARY
---------

Attributes found only in ldap://miidc01:

    serverReference

Then i run the next commands, here are the outputs:

root@FELDC01:~# samba-tool drs replicate --local --single-object feldc01 miidc01 CN=MIIDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccm,DC=local
Exop on[CN=MIIDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccm,DC=local] objects[1] linked_values[1]
Full Replication of all 1 objects and 1 links from miidc01 to tdb:///var/lib/samba/private/sam.ldb was successful.
root@FELDC01:~# univention-s4search -b "CN=MIIDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccm,DC=local" -s base serverReference
# record 1
dn: CN=MIIDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccm,DC=local
serverReference: CN=MIIDC01,OU=Domain Controllers,DC=ccm,DC=local

# returned 1 records
# 1 entries
# 0 referrals
root@FELDC01:~# samba-tool dbcheck --cross-ncs --yes --fix > dbcheck-fix-feldc01.log 2>&1

Afterwards I checked with system diagnostics on both servers and the problems went away.

I will try to replicate the commands for the other servers.

Thank you.


#16

After adapting the commands for the other servers, all the warnings went away.

Thanks again @requate


#17

@requate,

Sorry for boring you again… but I have more issues.
Right now I have added more servers and the replication problems happen again.

I have servers without errors and servers with errors. I can’t solve them; I repeated the steps from the previous posts but can never clean up all the issues on all the servers.

Context:
MainDC --> CCMDC01
BACKUPDC -> CCMDBCK
SLAVES DC -> FELDC01, MIIDC01, ADMDC01

Diagnostics
CCMDC01

`samba-tool drs showrepl` returned a problem with the replication.
Inbound 'DC=DomainDnsZones,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Inbound 'DC=ForestDnsZones,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Inbound 'CN=Schema,CN=Configuration,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Inbound 'CN=Configuration,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Inbound 'DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'DC=DomainDnsZones,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'DC=ForestDnsZones,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'CN=Schema,CN=Configuration,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'CN=Configuration,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)

CCMDCBCK


`samba-tool drs showrepl` returned a problem with the replication.
Inbound 'CN=Schema,CN=Configuration,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Inbound 'CN=Configuration,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Inbound 'DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Inbound 'DC=ForestDnsZones,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Inbound 'DC=DomainDnsZones,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'CN=Schema,CN=Configuration,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'CN=Configuration,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'DC=ForestDnsZones,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'DC=DomainDnsZones,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)

FELDC01

`samba-tool drs showrepl` returned a problem with the replication.
Inbound 'CN=Schema,CN=Configuration,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/ADMDC01 (WERR_GEN_FAILURE)
Inbound 'CN=Schema,CN=Configuration,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Inbound 'CN=Configuration,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/ADMDC01 (WERR_GEN_FAILURE)
Inbound 'CN=Configuration,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Inbound 'DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/ADMDC01 (WERR_GEN_FAILURE)
Inbound 'DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Inbound 'DC=ForestDnsZones,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/ADMDC01 (WERR_GEN_FAILURE)
Inbound 'DC=ForestDnsZones,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Inbound 'DC=DomainDnsZones,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/ADMDC01 (WERR_GEN_FAILURE)
Inbound 'DC=DomainDnsZones,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'CN=Schema,CN=Configuration,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'CN=Schema,CN=Configuration,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/ADMDC01 (WERR_GEN_FAILURE)
Outbound 'CN=Configuration,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'CN=Configuration,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/ADMDC01 (WERR_GEN_FAILURE)
Outbound 'DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/ADMDC01 (WERR_GEN_FAILURE)
Outbound 'DC=ForestDnsZones,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'DC=ForestDnsZones,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/ADMDC01 (WERR_GEN_FAILURE)
Outbound 'DC=DomainDnsZones,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'DC=DomainDnsZones,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/ADMDC01 (WERR_GEN_FAILURE)

MIIDC01

No problems

ADMDC01

`samba-tool drs showrepl` returned a problem with the replication.
Inbound 'CN=Schema,CN=Configuration,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Inbound 'CN=Configuration,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Inbound 'DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Inbound 'DC=ForestDnsZones,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Inbound 'DC=DomainDnsZones,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'CN=Schema,CN=Configuration,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'CN=Configuration,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'DC=ForestDnsZones,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)
Outbound 'DC=DomainDnsZones,DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/MIIDC01 (WERR_GEN_FAILURE)

I never got that error WERR_GEN_FAILURE before… Searching, I found this https://forge.univention.org/bugzilla/show_bug.cgi?id=35560 and that is what happened… I removed one of the slaves and then added it again with another IP address (change of geolocation, subnetwork)

All the servers are on errata 237, so they should have the bug you refer to patched …


#18

Yesterday I upgraded all the servers to errata 255.
Today all the errors went away…


#19

Well the problem is back… a little different…

  • DC Master: no issues
  • backup DC
`samba-tool drs showrepl` returned a problem with the replication.
Inbound 'CN=Configuration,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/CCMDC01 (WERR_BAD_NET_RESP)
Inbound 'DC=ForestDnsZones,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/FELDC01 (WERR_SEM_TIMEOUT)
Inbound 'DC=ForestDnsZones,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/MIIDC01 (WERR_SEM_TIMEOUT)
  • Slaves DC
`samba-tool drs showrepl` returned a problem with the replication.
Inbound 'CN=Configuration,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/CCMDC01 (WERR_BAD_NET_RESP)

Any suggestions on how to get rid of these errors?


#20

Are they temporary? Can you ensure that serverReference is present for all objectclass=server objects in the CN=Configuration branch of the Samba/AD LDAP? Check `univention-s4search objectclass=server --cross-ncs serverReference` on each Samba/AD DC. Next check that all DCs have the corresponding backlink attribute serverReferenceBL by running `univention-s4search serverReferenceBL=* serverReferenceBL` on each Samba/AD DC. All servers must be listed in both searches. In case a serverReferenceBL is missing you may fix that by running `samba-tool dbcheck --fix`.

Please understand that I cannot diagnose this without knowledge of log.samba files on the pair of DCs that have a replication issue. Please consider our support options to handle these logs in a confidential way.

WERR_SEM_TIMEOUT and WERR_BAD_NET_RESP may be due to network or server resource issues. Please note that Inbound means inbound data. These connections are made by the local system to the remote system (e.g. Slave to CCMDC01). Something breaks during this connection or during the initial connection attempt. log.samba in CCMDC01 may show some interesting messages but I can’t say which log level would be required. Also, you would only see samba related issues there (like authentication) but network issues probably not directly.
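The two searches named in the post above can be cross-checked mechanically. The following is an added example (not part of the original posts): it reads the saved LDIF output of both `univention-s4search` calls, reports server objects without serverReference, and reports serverReference targets that carry no serverReferenceBL. The function names and the sample LDIF are constructed for illustration; records with base64-encoded DNs (`dn::`) are assumed not to occur.

```shell
#!/bin/sh
# Added example: cross-check serverReference / serverReferenceBL in saved LDIF.

# Constructed sample for: univention-s4search objectclass=server --cross-ncs serverReference
# MIIDC01 lacks serverReference; the first DN is folded over two lines.
sample_servers_ldif() {
cat <<'EOF'
# record 1
dn: CN=FELDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration
 ,DC=ccm,DC=local
serverReference: CN=FELDC01,OU=Domain Controllers,DC=ccm,DC=local

# record 2
dn: CN=MIIDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccm,DC=local

# record 3
dn: CN=CCMDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccm,DC=local
serverReference: CN=CCMDC01,OU=Domain Controllers,DC=ccm,DC=local

# returned 3 records
EOF
}

# Constructed sample for: univention-s4search serverReferenceBL=* serverReferenceBL
# Only FELDC01 carries the backlink.
sample_bl_ldif() {
cat <<'EOF'
# record 1
dn: CN=FELDC01,OU=Domain Controllers,DC=ccm,DC=local
serverReferenceBL: CN=FELDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ccm,DC=local

# returned 1 records
EOF
}

# Join folded LDIF lines: a line starting with one space continues the previous one.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END { if (NR > 0) print buf }
    '
}

# stdin: LDIF of the objectclass=server search.
# stdout: DN of every record that has no serverReference attribute.
servers_missing_ref() {
    ldif_unfold | awk '
        function emit() { if (dn != "" && !has) print dn; dn = ""; has = 0 }
        /^dn: /              { emit(); dn = substr($0, 5); next }
        /^serverReference: / { has = 1; next }
        /^$/                 { emit() }
        END                  { emit() }
    '
}

# $1: LDIF file of the objectclass=server search
# $2: LDIF file of the serverReferenceBL=* search
# stdout: serverReference targets whose object carries no serverReferenceBL.
refs_missing_backlink() {
    servers_file=$1
    bl_file=$2
    {
        ldif_unfold < "$bl_file" | sed 's/^/B /'        # tag backlink records
        ldif_unfold < "$servers_file" | sed 's/^/S /'   # tag server records
    } | awk '
        /^B dn: /                { bdn = tolower(substr($0, 7)); next }
        /^B serverReferenceBL: / { have[bdn] = 1; next }
        /^S serverReference: /   {
            ref = substr($0, 20)
            if (!(tolower(ref) in have)) print ref
        }
    '
}

tmp=$(mktemp -d)
sample_servers_ldif > "$tmp/servers.ldif"
sample_bl_ldif > "$tmp/bl.ldif"
echo "server objects without serverReference:"
servers_missing_ref < "$tmp/servers.ldif"
echo "serverReference targets without serverReferenceBL:"
refs_missing_backlink "$tmp/servers.ldif" "$tmp/bl.ldif"
rm -rf "$tmp"
```

Run it with the real search output saved on each DC; any DN printed by the first function is a candidate for the single-object replication shown earlier in the thread.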