Bug 47441 – DRS replication blocked for newly joined UCS Samba AD DCs (4.3)

Bug 47441 - DRS replication blocked for newly joined UCS Samba AD DCs (4.3)


Summary:	DRS replication blocked for newly joined UCS Samba AD DCs (4.3)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Samba4
Version:	UCS 4.3
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.3-2-errata
Assigned To:	Arvid Requate
QA Contact:	Felix Botner

URL:	https://help.univention.com/t/warning...
Keywords:

Duplicates:	47077 (view as bug list)
Depends on:
Blocks:	47749 47814
	Show dependency tree / graph

Reported:	2018-08-02 12:42 CEST by Arvid Requate
Modified:	2018-09-14 09:16 CEST (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	6: Setup Problem: Issue for the setup process
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	5: Blocking further progress on the daily work
User Pain:	0.343
Enterprise Customer affected?:	Yes
School Customer affected?:
ISV affected?:
Waiting Support:	Yes
Flags outvoted (downgraded) after PO Review:
Ticket number:	2018080121000554, 2018081721000337, 2018060421000114
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2018-08-02 12:42:34 CEST

We have two reports of admins experiencing a block in DRS replication, showing symptoms of https://bugzilla.samba.org/show_bug.cgi?id=12972 . I checked the Samba 4.7.5 version we ship with UCS 4.3 and the proposed upstream patch applies. I think we should ship it as erratum to avoid other people running into this for newly joined UCS Samba/AD DCs.

Comment 1 Christian Völker

2018-08-31 11:23:26 CEST

Having a customer system with same symptoms:
===================================================
root@slave1:~# samba-tool drs replicate slave1.sys.de slave2.sys.de dc=sys,dc=de
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
===================================================

log.samba at slave1:
===================================================
[2018/08/30 09:44:58.446387,  0, pid=1186] ../source4/dsdb/repl/drepl_out_helpers.c:1070(dreplsrv_update_refs_done)
  UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 30e92ae1-1df6-4c07-a826-8437a5f28c51._msdcs.sys.de CN=Schema,CN=Configuration,DC=sys,DC=de
[2018/08/30 09:46:09.812241,  1, pid=1176] ../source4/dsdb/common/util.c:4747(dsdb_validate_dsa_guid)
  ../source4/dsdb/common/util.c:4747: Failed to find account dn (serverReference) for CN=SLAVE1,CN=Servers,CN=Slave1,CN=Sites,CN=Configuration,DC=sys,DC=de, parent of DSA with objectGUID c211c67a-98d3-4824-921c-4fb6e504a66a, sid S-1-5-21-1015148340-2934120095-3012182469-8605
[2018/08/30 09:46:09.812359,  0, pid=1176] ../source4/rpc_server/drsuapi/updaterefs.c:276(dcesrv_drsuapi_DsReplicaUpdateRefs)
  ../source4/rpc_server/drsuapi/updaterefs.c:276: Refusing DsReplicaUpdateRefs for sid S-1-5-21-1015148340-2934120095-3012182469-8605 with GUID c211c67a-98d3-4824-921c-4fb6e504a66a
===================================================

samba-tool drs showrepl
===================================================
Slave1\SLAVE
DSA Options: 0x00000001
DSA object GUID: c211c67a-98d3-4824-921c-4fb6e504a66a
DSA invocationId: 0f3c7ab4-692f-43e6-be77-0eb9c8b6ec1c

==== INBOUND NEIGHBORS ====
CN=Configuration,DC=sys,DC=de
        Slave2\SLAVE2 via RPC
                DSA object GUID: 30e92ae1-1df6-4c07-a826-8437a5f28c51
                Last attempt @ Thu Aug 30 10:18:48 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                556 consecutive failure(s).
                Last success @ Thu Aug 30 10:18:48 2018 CEST
===================================================
Outbound connections are all fine.


Any workaround for this until the errata is released?

Comment 2 Arvid Requate

2018-09-03 19:34:48 CEST

I posted workaround on help.univention.de, see URL field of this Bug.

Comment 3 Christian Völker

2018-09-04 09:10:50 CEST

(In reply to Arvid Requate from comment #2)
> I posted workaround on help.univention.de, see URL field of this Bug.

The mentioned workaround does not work on UCS 4.2-4 e497:

root@master42:~# samba-tool drs replicate --local --single-object [...]

Usage: samba-tool drs replicate <destinationDC> <sourceDC> <NC> [options]

samba-tool drs replicate: error: no such option: --single-object

Comment 4 Arvid Requate

2018-09-04 17:45:22 CEST

Upstream patch applied cleanly:

svn r18269 | patches/samba/4.3-0-0-ucs/2:4.7.8-1-errata4.3-2/99_bug47441.quilt
git 5233c6a7d4 | Advisory

Comment 5 Arvid Requate

2018-09-04 22:13:35 CEST

*** Bug 47077 has been marked as a duplicate of this bug. ***

Comment 6 Felix Botner

2018-09-11 15:27:05 CEST

OK - patch
OK - installation (master, slave, backup)
OK - drs replication on all systems
OK - ucs-test samba4/samba-commonon all systems
OK - drs replication on all systems

OK - yaml

Comment 7 Philipp Hahn

2018-09-12 14:04:05 CEST

<http://errata.software-univention.de/ucs/4.3/234.html>