Univention Bugzilla – Bug 47814
DRS replication blocked for newly joined UCS Samba AD DCs (4.2)
Last modified: 2018-10-04 13:24:27 CEST
+++ This bug was initially created as a clone of Bug #47441 +++

We have two reports of admins experiencing a block in DRS replication, showing symptoms of https://bugzilla.samba.org/show_bug.cgi?id=12972 . I checked the Samba 4.7.5 version we ship with UCS 4.3 and the proposed upstream patch applies. I think we should ship it as an erratum to avoid other people running into this for newly joined UCS Samba/AD DCs.

We released a fix for UCS 4.3, but the customer has 4.2 and is currently not able to upgrade.

We have a customer system with the same symptoms:

===================================================
root@slave1:~# samba-tool drs replicate slave1.sys.de slave2.sys.de dc=sys,dc=de
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 368, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
===================================================

log.samba at slave1:

===================================================
[2018/08/30 09:44:58.446387, 0, pid=1186] ../source4/dsdb/repl/drepl_out_helpers.c:1070(dreplsrv_update_refs_done)
  UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 30e92ae1-1df6-4c07-a826-8437a5f28c51._msdcs.sys.de CN=Schema,CN=Configuration,DC=sys,DC=de
[2018/08/30 09:46:09.812241, 1, pid=1176] ../source4/dsdb/common/util.c:4747(dsdb_validate_dsa_guid)
  ../source4/dsdb/common/util.c:4747: Failed to find account dn (serverReference) for CN=SLAVE1,CN=Servers,CN=Slave1,CN=Sites,CN=Configuration,DC=sys,DC=de, parent of DSA with objectGUID c211c67a-98d3-4824-921c-4fb6e504a66a, sid S-1-5-21-1015148340-2934120095-3012182469-8605
[2018/08/30 09:46:09.812359, 0, pid=1176] ../source4/rpc_server/drsuapi/updaterefs.c:276(dcesrv_drsuapi_DsReplicaUpdateRefs)
  ../source4/rpc_server/drsuapi/updaterefs.c:276: Refusing DsReplicaUpdateRefs for sid S-1-5-21-1015148340-2934120095-3012182469-8605 with GUID c211c67a-98d3-4824-921c-4fb6e504a66a
===================================================

samba-tool drs showrepl

===================================================
Slave1\SLAVE
DSA Options: 0x00000001
DSA object GUID: c211c67a-98d3-4824-921c-4fb6e504a66a
DSA invocationId: 0f3c7ab4-692f-43e6-be77-0eb9c8b6ec1c

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=sys,DC=de
    Slave2\SLAVE2 via RPC
        DSA object GUID: 30e92ae1-1df6-4c07-a826-8437a5f28c51
        Last attempt @ Thu Aug 30 10:18:48 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        556 consecutive failure(s).
        Last success @ Thu Aug 30 10:18:48 2018 CEST
===================================================

Outbound connections are all fine.
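A check for the state reported above, as an added example that is not part of the original bug report and not Samba or UCS code: it parses text laid out like the `samba-tool drs showrepl` output quoted in the report and returns the replication links whose last attempt failed. The sample text, its host names and the `failing_links` helper are constructed for illustration.

```python
import re

# Constructed sample in the layout of `samba-tool drs showrepl`
# (names and GUIDs are placeholders, not from a real system).
SAMPLE = r"""==== INBOUND NEIGHBORS ====

CN=Configuration,DC=example,DC=test
    Site1\DC2 via RPC
        DSA object GUID: 22222222-2222-2222-2222-222222222222
        Last attempt @ Thu Aug 30 10:18:48 2018 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        556 consecutive failure(s).

DC=example,DC=test
    Site1\DC2 via RPC
        Last attempt @ Thu Aug 30 10:18:50 2018 CEST was successful
        0 consecutive failure(s).

==== OUTBOUND NEIGHBORS ====

DC=example,DC=test
    Site1\DC2 via RPC
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
"""

SECTION = re.compile(r"^==== (\w+) NEIGHBORS ====$")
NEIGHBOUR = re.compile(r"^(\S.*) via RPC$")
FAILED = re.compile(r"^Last attempt @ .* failed, result (\d+) \((\w+)\)$")
COUNT = re.compile(r"^(\d+) consecutive failure\(s\)\.$")

def failing_links(text, min_failures=1):
    """Return one dict per neighbour whose last replication attempt failed."""
    section = nc = peer = current = None
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            section = m.group(1)
        elif re.match(r"(CN|DC)=", raw):       # unindented naming context
            nc = line
        elif m := NEIGHBOUR.match(line):       # new neighbour: reset state
            peer, current = m.group(1), None
        elif m := FAILED.match(line):
            current = {"direction": section, "nc": nc, "peer": peer,
                       "code": int(m.group(1)), "name": m.group(2),
                       "failures": 1}          # at least the attempt seen
            found.append(current)
        elif (m := COUNT.match(line)) and current is not None:
            current["failures"] = int(m.group(1))
    return [f for f in found if f["failures"] >= min_failures]
```

Raising `min_failures` separates a persistent block like the 556 consecutive failures in the report from a single transient error.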
I guess it is a duplicate of Bug #47749.

*** This bug has been marked as a duplicate of bug 47749 ***
Nothing to release