Univention Bugzilla – Bug 44115
RODC doesn't replicate via DRS after server-password-change
Last modified: 2020-07-03 20:51:42 CEST
UCS 4.2 product tests show that a Samba 4.6.1 RODC doesn't replicate Samba/AD data beyond what has been pulled during the initial join. See also Bug 44114 Comment 5.

The showrepl output doesn't show any inbound traffic (don't know if it should), even though the other Samba/AD DCs in that domain list outgoing connections to the RODC.

root@slave104rodc:~# samba-tool drs showrepl -UAdministrator%univention
Default-First-Site-Name\SLAVE104RODC
DSA Options: 0x00000025
DSA object GUID: 95168814-9a9b-4ec9-9d1f-f011ff55898d
DSA invocationId: 7743f88a-af67-4d97-bc03-aaa302f91d80

==== INBOUND NEIGHBORS ====

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 8c641d58-8fb2-4988-9ad1-6038d46f24f3
    Enabled        : TRUE
    Server DNS name : slave102.ar41pt1.qa
    Server DN name  : CN=NTDS Settings,CN=SLAVE102,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ar41pt1,DC=qa
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!

Connection --
    Connection name: c6de97a6-81b7-4223-8a1e-a9f56fff13ba
    Enabled        : TRUE
    Server DNS name : backup101.ar41pt1.qa
    Server DN name  : CN=NTDS Settings,CN=BACKUP101,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ar41pt1,DC=qa
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!

Connection --
    Connection name: RODC Connection (FRS)
    Enabled        : TRUE
    Server DNS name : master100.ar41pt1.qa
    Server DN name  : CN=NTDS Settings,CN=MASTER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ar41pt1,DC=qa
        TransportType: RPC
        options: 0x00000041
Created attachment 8672: RODC_server_password_change.patch

It's a problem of server password change on the RODC. The attached patch fixes this.

Debugging details:

I noticed that the RODC already had kvno 3 in /etc/krb5.keytab but the other DCs still had msds-keyversionnumber 2. Since its machine.secret worked against OpenLDAP I assume that the server-password-change didn't work properly. This is what the log showed:

=====================================================================
Starting server password change (Tue Mar 28 01:01:51 CEST 2017)
Proceeding with regular server password change scheduled for today
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 prechange
Object modified: cn=slave104rodc,cn=dc,cn=computers,dc=ar41pt1,dc=qa
Restarting univention-directory-listener (via systemctl): univention-directory-listener.service.
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server postchange
File: /etc/listfilter.secret
Multifile: /etc/postfix/ldap.distlist
Multifile: /etc/postfix/ldap.groups
Multifile: /etc/postfix/ldap.canonicalsender
Multifile: /etc/postfix/ldap.sharedfolderlocal
Multifile: /etc/postfix/ldap.virtualwithcanonical
Multifile: /etc/postfix/ldap.sharedfolderremote
Multifile: /etc/postfix/ldap.virtual
Multifile: /etc/postfix/ldap.canonicalrecipient
Multifile: /etc/postfix/ldap.transport
Multifile: /etc/postfix/ldap.saslusermapping
Multifile: /etc/postfix/ldap.virtualdomains
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind postchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap postchange
File: /etc/libnss-ldap.conf
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd postchange
Restarting nscd (via systemctl): nscd.service.
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange
Modified 1 records successfully
ERROR: Failed to set password for user 'slave104rodc$': (1, 'Invalid LDB reply type 1')
done (Tue Mar 28 01:02:09 CEST 2017)
=====================================================================

Replication started to work again after

root@slave104rodc:~# samba-tool user setpassword -UAdministrator%univention \
    -H ldap://master100.ar41pt1.qa "$(hostname)\$" \
    --newpassword=qSqlP2CYto35Uqcw3mYJ
Changed password OK
root@slave104rodc:~# /etc/init.d/samba restart
[ ok ] Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
[ ok ] Stopping smbd (via systemctl): smbd.service.
[ ok ] Stopping nmbd (via systemctl): nmbd.service.
[ ok ] Starting nmbd (via systemctl): nmbd.service.
[ ok ] Starting smbd (via systemctl): smbd.service.
[ ok ] Starting samba-ad-dc (via systemctl): samba-ad-dc.service

The drs showrepl output doesn't look any different though.
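The kvno discrepancy described in the comment above (keytab already at kvno 3, domain still at msDS-KeyVersionNumber 2) is something an operator can check mechanically on an RODC. The following is an added example, not code from the bug report or from the attached patch: it parses a constructed sample of klist -k output and a constructed sample of the LDIF that ldbsearch prints for the computer object on another DC, and flags a keytab that is ahead of the domain. The principal and DN values are made up for the example.

```python
import re

# Constructed sample of `klist -k /etc/krb5.keytab` output on the RODC (not from the bug).
KEYTAB_LISTING = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SLAVE104RODC$@AR41PT1.QA
   3 SLAVE104RODC$@AR41PT1.QA
   3 host/slave104rodc.ar41pt1.qa@AR41PT1.QA
"""

# Constructed sample of the LDIF that ldbsearch prints for the RODC's computer
# object when queried against another DC (not from the bug).
DC_LDIF = """# record 1
dn: CN=SLAVE104RODC,OU=Domain Controllers,DC=ar41pt1,DC=qa
sAMAccountName: SLAVE104RODC$
msDS-KeyVersionNumber: 2

# returned 1 records
"""


def keytab_max_kvno(listing, principal):
    """Highest key version the local keytab holds for the given principal."""
    kvnos = []
    for line in listing.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s*$", line)  # "<kvno> <principal>" rows only
        if m and m.group(2) == principal:
            kvnos.append(int(m.group(1)))
    if not kvnos:
        raise ValueError("principal %s not found in keytab" % principal)
    return max(kvnos)


def ad_kvno(ldif):
    """msDS-KeyVersionNumber from an LDIF record; attribute names compare case-insensitively."""
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "msds-keyversionnumber":
            return int(value.strip())
    raise ValueError("msDS-KeyVersionNumber not present in LDIF")


def check_kvno(listing, ldif, principal):
    """Return (keytab_kvno, domain_kvno, consistent).

    A keytab that is ahead of the domain means the local machine secret was
    rotated but the change never reached the DCs, which is the state that left
    the RODC unable to authenticate for DRS replication in this bug."""
    local = keytab_max_kvno(listing, principal)
    remote = ad_kvno(ldif)
    return local, remote, local == remote
```

On a live system the two inputs would come from klist -k and from ldbsearch run against a writable DC; the comparison logic is unchanged.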
*** Bug 33151 has been marked as a duplicate of this bug. ***
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.