Bug 47814 - DRS replication blocked for newly joined UCS Samba AD DCs (4.2)
Status: CLOSED DUPLICATE of bug 47749
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Stefan Gohmann
QA Contact: Felix Botner
URL: https://help.univention.com/t/warning...
Depends on: 47441
Blocks: 47749
Reported: 2018-09-14 09:16 CEST by Christian Völker
Modified: 2018-10-04 13:24 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.343
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018081721000337
Bug group (optional):
Max CVSS v3 score:


Description Christian Völker univentionstaff 2018-09-14 09:16:24 CEST
+++ This bug was initially created as a clone of Bug #47441 +++

We have two reports of admins experiencing a block in DRS replication, showing symptoms of https://bugzilla.samba.org/show_bug.cgi?id=12972 . I checked the Samba 4.7.5 version we ship with UCS 4.3 and the proposed upstream patch applies. I think we should ship it as an erratum to avoid other people running into this for newly joined UCS Samba/AD DCs.

We released a fix for UCS 4.3, but the customer has 4.2 and is currently not able to upgrade.


We have a customer system with the same symptoms:
===================================================
root@slave1:~# samba-tool drs replicate slave1.sys.de slave2.sys.de dc=sys,dc=de
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
===================================================

log.samba at slave1:
===================================================
[2018/08/30 09:44:58.446387,  0, pid=1186] ../source4/dsdb/repl/drepl_out_helpers.c:1070(dreplsrv_update_refs_done)
  UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 30e92ae1-1df6-4c07-a826-8437a5f28c51._msdcs.sys.de CN=Schema,CN=Configuration,DC=sys,DC=de
[2018/08/30 09:46:09.812241,  1, pid=1176] ../source4/dsdb/common/util.c:4747(dsdb_validate_dsa_guid)
  ../source4/dsdb/common/util.c:4747: Failed to find account dn (serverReference) for CN=SLAVE1,CN=Servers,CN=Slave1,CN=Sites,CN=Configuration,DC=sys,DC=de, parent of DSA with objectGUID c211c67a-98d3-4824-921c-4fb6e504a66a, sid S-1-5-21-1015148340-2934120095-3012182469-8605
[2018/08/30 09:46:09.812359,  0, pid=1176] ../source4/rpc_server/drsuapi/updaterefs.c:276(dcesrv_drsuapi_DsReplicaUpdateRefs)
  ../source4/rpc_server/drsuapi/updaterefs.c:276: Refusing DsReplicaUpdateRefs for sid S-1-5-21-1015148340-2934120095-3012182469-8605 with GUID c211c67a-98d3-4824-921c-4fb6e504a66a
===================================================

samba-tool drs showrepl
===================================================
Slave1\SLAVE
DSA Options: 0x00000001
DSA object GUID: c211c67a-98d3-4824-921c-4fb6e504a66a
DSA invocationId: 0f3c7ab4-692f-43e6-be77-0eb9c8b6ec1c

==== INBOUND NEIGHBORS ====
CN=Configuration,DC=sys,DC=de
        Slave2\SLAVE2 via RPC
                DSA object GUID: 30e92ae1-1df6-4c07-a826-8437a5f28c51
                Last attempt @ Thu Aug 30 10:18:48 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                556 consecutive failure(s).
                Last success @ Thu Aug 30 10:18:48 2018 CEST
===================================================
Outbound connections are all fine.
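
A triage sketch for the symptoms quoted in the description above, added here as an example (it is not part of the bug report, nor Samba or Univention code): it parses `samba-tool drs showrepl` text output for inbound neighbours that keep failing and pulls the refused DSA GUIDs out of log.samba. The function names and sample strings are constructed for illustration, and the text layout is assumed to match the excerpts above.

```python
import re

# Constructed sample input, shaped like the showrepl and log.samba excerpts quoted above.
SHOWREPL = """\
==== INBOUND NEIGHBORS ====
CN=Configuration,DC=sys,DC=de
        Slave2\\SLAVE2 via RPC
                DSA object GUID: 30e92ae1-1df6-4c07-a826-8437a5f28c51
                Last attempt @ Thu Aug 30 10:18:48 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                556 consecutive failure(s).
==== OUTBOUND NEIGHBORS ====
CN=Configuration,DC=sys,DC=de
        Slave2\\SLAVE2 via RPC
                0 consecutive failure(s).
"""
LOG = """\
  Failed to find account dn (serverReference) for CN=SLAVE1,CN=Servers,CN=Slave1,CN=Sites,CN=Configuration,DC=sys,DC=de, parent of DSA with objectGUID c211c67a-98d3-4824-921c-4fb6e504a66a, sid S-1-5-21-1015148340-2934120095-3012182469-8605
  Refusing DsReplicaUpdateRefs for sid S-1-5-21-1015148340-2934120095-3012182469-8605 with GUID c211c67a-98d3-4824-921c-4fb6e504a66a
"""

def failing_inbound(showrepl, min_failures=3):
    """Return inbound neighbours whose last attempt failed min_failures or more times in a row."""
    found, section, nc, cur = [], None, None, None
    for line in showrepl.splitlines():
        text = line.strip()
        m = re.match(r"==== (\w+) NEIGHBORS ====", text)
        if m:
            section = m.group(1)                 # INBOUND, OUTBOUND, ...
        elif section != "INBOUND" or not text:
            continue                             # only inbound neighbours are of interest
        elif not line[0].isspace():
            nc = text                            # unindented line names the naming context
        elif text.endswith("via RPC"):
            cur = {"nc": nc, "neighbour": text[:-len(" via RPC")]}
        elif cur and text.startswith("DSA object GUID:"):
            cur["guid"] = text.split(":", 1)[1].strip()
        elif cur and (m := re.search(r"failed, result (\d+) \((\w+)\)", text)):
            cur["code"], cur["error"] = int(m.group(1)), m.group(2)
        elif cur and (m := re.match(r"(\d+) consecutive failure", text)):
            cur["failures"] = int(m.group(1))
            if "error" in cur and cur["failures"] >= min_failures:
                found.append(cur)
            cur = None                           # neighbour block is complete
    return found

def refused_dsas(log):
    """Map each DSA GUID refused in DsReplicaUpdateRefs to (sid, server DN lacking serverReference or None)."""
    dns = {g: dn for dn, g in re.findall(r"serverReference\) for (.+?), parent of DSA with objectGUID ([0-9a-f-]{36})", log)}
    return {g: (s, dns.get(g)) for s, g in re.findall(r"Refusing DsReplicaUpdateRefs for sid (\S+) with GUID ([0-9a-f-]{36})", log)}
```
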
Comment 1 Stefan Gohmann univentionstaff 2018-09-17 14:17:57 CEST
I guess it is a duplicate of Bug #47749.

*** This bug has been marked as a duplicate of bug 47749 ***
Comment 2 Stefan Gohmann univentionstaff 2018-10-04 13:24:27 CEST
Nothing to release