Univention Bugzilla – Bug 47441
DRS replication blocked for newly joined UCS Samba AD DCs (4.3)
Last modified: 2018-09-14 09:16:24 CEST
We have two reports of admins experiencing a block in DRS replication, showing symptoms of https://bugzilla.samba.org/show_bug.cgi?id=12972 . I checked the Samba 4.7.5 version we ship with UCS 4.3 and the proposed upstream patch applies. I think we should ship it as erratum to avoid other people running into this for newly joined UCS Samba/AD DCs.
Having a customer system with same symptoms:

===================================================
root@slave1:~# samba-tool drs replicate slave1.sys.de slave2.sys.de dc=sys,dc=de
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
===================================================

log.samba at slave1:
===================================================
[2018/08/30 09:44:58.446387, 0, pid=1186] ../source4/dsdb/repl/drepl_out_helpers.c:1070(dreplsrv_update_refs_done)
  UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 30e92ae1-1df6-4c07-a826-8437a5f28c51._msdcs.sys.de CN=Schema,CN=Configuration,DC=sys,DC=de
[2018/08/30 09:46:09.812241, 1, pid=1176] ../source4/dsdb/common/util.c:4747(dsdb_validate_dsa_guid)
  ../source4/dsdb/common/util.c:4747: Failed to find account dn (serverReference) for CN=SLAVE1,CN=Servers,CN=Slave1,CN=Sites,CN=Configuration,DC=sys,DC=de, parent of DSA with objectGUID c211c67a-98d3-4824-921c-4fb6e504a66a, sid S-1-5-21-1015148340-2934120095-3012182469-8605
[2018/08/30 09:46:09.812359, 0, pid=1176] ../source4/rpc_server/drsuapi/updaterefs.c:276(dcesrv_drsuapi_DsReplicaUpdateRefs)
  ../source4/rpc_server/drsuapi/updaterefs.c:276: Refusing DsReplicaUpdateRefs for sid S-1-5-21-1015148340-2934120095-3012182469-8605 with GUID c211c67a-98d3-4824-921c-4fb6e504a66a
===================================================

samba-tool drs showrepl
===================================================
Slave1\SLAVE
DSA Options: 0x00000001
DSA object GUID: c211c67a-98d3-4824-921c-4fb6e504a66a
DSA invocationId: 0f3c7ab4-692f-43e6-be77-0eb9c8b6ec1c

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=sys,DC=de
    Slave2\SLAVE2 via RPC
        DSA object GUID: 30e92ae1-1df6-4c07-a826-8437a5f28c51
        Last attempt @ Thu Aug 30 10:18:48 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        556 consecutive failure(s).
        Last success @ Thu Aug 30 10:18:48 2018 CEST
===================================================

Outbound connections are all fine. Any workaround for this until the errata is released?
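Added example, not part of the original report and not Samba or UCS code: a Python check that parses `samba-tool drs showrepl` output and lists the neighbours stuck in the failure state shown in the comment above. The function name `blocked_neighbors` and the outbound entry in the sample are constructed for illustration.

```python
import re

# Constructed sample: the inbound entry is the showrepl excerpt from the report;
# the outbound entry is made up to match "Outbound connections are all fine".
SAMPLE = r"""==== INBOUND NEIGHBORS ====

CN=Configuration,DC=sys,DC=de
    Slave2\SLAVE2 via RPC
        DSA object GUID: 30e92ae1-1df6-4c07-a826-8437a5f28c51
        Last attempt @ Thu Aug 30 10:18:48 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        556 consecutive failure(s).
        Last success @ Thu Aug 30 10:18:48 2018 CEST

==== OUTBOUND NEIGHBORS ====

CN=Configuration,DC=sys,DC=de
    Slave2\SLAVE2 via RPC
        Last attempt @ Thu Aug 30 10:18:50 2018 CEST was successful
        0 consecutive failure(s).
"""

SECTION = re.compile(r"^==== (INBOUND|OUTBOUND) NEIGHBORS ====$")
NEIGHBOR = re.compile(r"^(.+) via RPC$")
FAILED = re.compile(r"^Last attempt @ .* failed, result (\d+) \((\w+)\)$")
COUNT = re.compile(r"^(\d+) consecutive failure\(s\)\.$")

def blocked_neighbors(text, min_failures=1):
    """Return neighbours whose last attempt failed min_failures or more times in a row."""
    findings, section, nc, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION.match(line):
            section, nc, cur = SECTION.match(line).group(1), None, None
        elif not line or section is None:
            continue                      # blank line, or header before any section
        elif not raw[0].isspace():        # unindented line: naming context DN
            nc, cur = line, None
        elif NEIGHBOR.match(line):
            cur = {"direction": section, "nc": nc,
                   "dsa": NEIGHBOR.match(line).group(1), "error": None}
        elif cur is not None and FAILED.match(line):
            m = FAILED.match(line)
            cur["error"] = (int(m.group(1)), m.group(2))
        elif cur is not None and COUNT.match(line):
            cur["failures"] = int(COUNT.match(line).group(1))
            if cur["error"] and cur["failures"] >= min_failures:
                findings.append(cur)
    return findings
```
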
I posted workaround on help.univention.de, see URL field of this Bug.
(In reply to Arvid Requate from comment #2)
> I posted workaround on help.univention.de, see URL field of this Bug.

The mentioned workaround does not work on UCS 4.2-4 e497:

root@master42:~# samba-tool drs replicate --local --single-object [...]
Usage: samba-tool drs replicate <destinationDC> <sourceDC> <NC> [options]

samba-tool drs replicate: error: no such option: --single-object
Upstream patch applied cleanly:
svn r18269 | patches/samba/4.3-0-0-ucs/2:4.7.8-1-errata4.3-2/99_bug47441.quilt
git 5233c6a7d4 | Advisory
*** Bug 47077 has been marked as a duplicate of this bug. ***
OK - patch
OK - installation (master, slave, backup)
OK - drs replication on all systems
OK - ucs-test samba4/samba-common on all systems
OK - drs replication on all systems
OK - yaml
<http://errata.software-univention.de/ucs/4.3/234.html>