Bug#695137: [Pkg-samba-maint] Bug#695137: samba4-common-bin: failed drs replication
Sorry, I copy/pasted one more result of my experiment (with error data). Test with correct query:

root@pdc:~# samba-tool drs replicate pdc.mydomain.net mydomain-pdc.mydomain.net DC=DomainDnsZones,DC=mydomain,DC=net --full-sync -U smbadmin -d9
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
Processing section [global]
Processing section [homes]
Processing section [printers]
Processing section [print$]
Processing section [sysvol]
Processing section [netlogon]
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:pdc.mydomain.net[,seal,print]
Mapped to DCERPC endpoint 135
added interface eth0 ip=fe80::5054:ff:fea2:bc46%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.1.2 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0 ip=fe80::5054:ff:fea2:bc46%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.1.2 bcast=192.168.1.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 1024
added interface eth0 ip=fe80::5054:ff:fea2:bc46%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.1.2 bcast=192.168.1.255 netmask=255.255.255.0
added interface eth0 ip=fe80::5054:ff:fea2:bc46%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.1.2 bcast=192.168.1.255 netmask=255.255.255.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [mydomain\smbadmin]:
Received smb_krb5 packet of length 143
Received smb_krb5 packet of length 1214
Received smb_krb5 packet of length 1194
Received smb_krb5 packet of length 1190
../librpc/rpc/dcerpc_util.c:140: auth_pad_length 0
gensec_gssapi: credentials were delegated
GSSAPI Connection will be cryptographically sealed
../librpc/rpc/dcerpc_util.c:140: auth_pad_length 0
drsuapi_DsBind: struct drsuapi_DsBind
  in: struct drsuapi_DsBind
    bind_guid: *
      bind_guid: e24d201a-4fd6-11d1-a3da-f875ae0d
    bind_info: *
      bind_info: struct drsuapi_DsBindInfoCtr
        length : 0x001c (28)
        info : union drsuapi_DsBindInfo(case 28)
        info28: struct drsuapi_DsBindInfo28
          supported_extensions : 0x0fefff7f (267386751)
            1: DRSUAPI_SUPPORTED_EXTENSION_BASE
            1: DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
            1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
            1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
            1: DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
            1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
            1: DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
            0: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY
            1: DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
            1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
            1: DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
            1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
            1: DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
            1: DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
            1: DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
            1: DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
            1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
            1: DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
            1: DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
            1: DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
            0: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5
            1: DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
            1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
            1:
Bug#688004: Was that the problem?
12.10.2012 16:51, Jelmer Vernooij wrote:

Hi,

On Fri, 2012-10-12 at 12:59 +0400, dronozavr wrote:

10.10.2012 16:17, Jelmer Vernooij wrote:

Have you verified that out of sync times was actually the problem in this case? If you run with a higher debug level (-d5) what is the output you get?

Jelmer

Hi, with debug level 5, I have these errors:

root@sdc:~# samba-tool domain join testdomain.net RODC -U administrator -d5

Thanks for posting this. This doesn't look like an issue with time synchronisation to me. Can you explain the rationale behind the bug report (suggesting time problems)?

CUT

We seem to have trouble finding the domain. Can you manually find the SID for the domain in LDAP?

Jelmer

Hi! My PDC works on Win2k3, and there aren't any troubles with resolving SIDs into object names. These errors disappear if I synchronize the time on this server with the clock on the PDC.
Bug#688004: Was that the problem?
10.10.2012 16:17, Jelmer Vernooij wrote:

Have you verified that out of sync times was actually the problem in this case? If you run with a higher debug level (-d5) what is the output you get?

Jelmer

Hi, with debug level 5, I have these errors:

root@sdc:~# samba-tool domain join testdomain.net RODC -U administrator -d5
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
Processing section [global]
Processing section [netlogon]
Processing section [sysvol]
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=fe80::5054:ff:fe71:ff6e%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.12.145 bcast=192.168.12.255 netmask=255.255.255.0
added interface eth0 ip=fe80::5054:ff:fe71:ff6e%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.12.145 bcast=192.168.12.255 netmask=255.255.255.0
added interface eth0 ip=fe80::5054:ff:fe71:ff6e%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.12.145 bcast=192.168.12.255 netmask=255.255.255.0
added interface eth0 ip=fe80::5054:ff:fe71:ff6e%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.12.145 bcast=192.168.12.255 netmask=255.255.255.0
Finding a writeable DC for domain 'testdomain.net'
added interface eth0 ip=fe80::5054:ff:fe71:ff6e%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.12.145 bcast=192.168.12.255 netmask=255.255.255.0
added interface eth0 ip=fe80::5054:ff:fe71:ff6e%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.12.145 bcast=192.168.12.255 netmask=255.255.255.0
finddcs: searching for a DC by DNS domain testdomain.net
finddcs: looking for SRV records for _ldap._tcp.testdomain.net
ads_dns_lookup_srv: 3 records returned in the answer section.
finddcs: DNS SRV response 0 at '192.168.12.1'
finddcs: DNS SRV response 1 at '192.168.12.150'
finddcs: DNS SRV response 2 at '192.168.12.150'
finddcs: performing CLDAP query on 192.168.12.1
finddcs: Found matching DC 192.168.12.1 with server_type=0x03fc
Found DC sdc01.testdomain.net
added interface eth0 ip=fe80::5054:ff:fe71:ff6e%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.12.145 bcast=192.168.12.255 netmask=255.255.255.0
added interface eth0 ip=fe80::5054:ff:fe71:ff6e%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.12.145 bcast=192.168.12.255 netmask=255.255.255.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [TESTDOMAIN\administrator]:
Received smb_krb5 packet of length 283
Received smb_krb5 packet of length 90
Received smb_krb5 packet of length 283
Failed to get kerberos credentials: kinit for administra...@testdomain.net failed (Looping detected inside krb5_get_in_tkt)
Aquiring initiator credentials failed: kinit for administra...@testdomain.net failed (Looping detected inside krb5_get_in_tkt)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_UNSUCCESSFUL
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
workgroup is TESTDOMAIN
realm is testdomain.net
checking sAMAccountName
Adding CN=SDC,OU=Domain Controllers,DC=testdomain,DC=net
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM
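
Added example, not part of the original messages and not Samba project code: a small triage script for samba-tool debug output like the log above, reporting which GENSEC submechanisms were tried, why Kerberos failed, and whether the session ended up on NTLMSSP before the LDAP error. The function name triage and the sample string (assembled from lines of the log in this thread) are constructed for illustration.

```python
import re

# Constructed excerpt: lines taken from the debug output quoted in this
# thread, flattened onto one line the way the list archive shows them.
SAMPLE_LOG = (
    "Starting GENSEC mechanism spnego "
    "Starting GENSEC submechanism gssapi_krb5 "
    "Received smb_krb5 packet of length 283 "
    "Failed to get kerberos credentials: kinit for "
    "administra...@testdomain.net failed "
    "(Looping detected inside krb5_get_in_tkt) "
    "SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: "
    "NT_STATUS_UNSUCCESSFUL "
    "Starting GENSEC submechanism ntlmssp "
    "Got NTLMSSP neg_flags=0x60088235 "
    "ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM"
)

SUBMECH = re.compile(r"Starting GENSEC submechanism (\w+)")
SPNEGO_FAIL = re.compile(
    r"SPNEGO\((\w+)\) creating NEG_TOKEN_INIT failed: (NT_STATUS_\w+)")
KINIT_FAIL = re.compile(
    r"Failed to get kerberos credentials: .*? failed \(([^)]*)\)")
LDAP_ERR = re.compile(r"LDAP error (\d+) (LDAP_\w+)")


def triage(log: str) -> dict:
    """Summarise the authentication path recorded in a samba-tool debug log."""
    tried = SUBMECH.findall(log)              # submechanisms in start order
    failed = dict(SPNEGO_FAIL.findall(log))   # mechanism -> NT status
    kinit = KINIT_FAIL.search(log)
    ldap = LDAP_ERR.search(log)
    # Mechanism in effect: the last one started that did not report failure.
    effective = next((m for m in reversed(tried) if m not in failed), None)
    return {
        "tried": tried,
        "failed": failed,
        "kerberos_reason": kinit.group(1) if kinit else None,
        "effective": effective,
        # True when the first choice failed and a later mechanism took over.
        "downgraded": effective is not None and effective != tried[0],
        "ldap_error": (int(ldap.group(1)), ldap.group(2)) if ldap else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
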