Univention Bugzilla – Bug 53592
WERR_DS_DRA_BAD_DN - after setting connector/ad/mapping/user/password/kinit
Last modified: 2021-07-23 12:50:51 CEST
Hi,

We have a UCS Domain Master (latest 4.4) that recently took over a Server 2012 R2. A UCS member server with Kopano (latest 4.4) is a member server. Sync is working. As user passwords are, as it seems, not synced from the Master to the domain member (Kopano), I used:

  ucr set connector/ad/ldap/binddn=sync-benutzer-im-ad
  ucr set connector/ad/ldap/bindpw=/etc/univention/connector/password
  touch /etc/univention/connector/password
  chmod 600 /etc/univention/connector/password
  echo -n "vergebenes kennwort fuer sync-benutzer" > /etc/univention/connector/password
  ucr set connector/ad/mapping/user/password/kinit=false

This works, in general, fine with a Windows DC. But UCS complains:

  18.07.2021 16:24:24.025 LDAP (ERROR ): Unknown Exception during sync_to_ucs
  18.07.2021 16:24:24.026 LDAP (ERROR ): Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1374, in sync_to_ucs
      f(self, property_type, object)
    File "/usr/lib/python2.7/dist-packages/univention/connector/ad/password.py", line 503, in password_sync
      nt_hash, krb5Key = get_password_from_ad(connector, univention.connector.ad.compatible_modstring(object['dn']), reconnect=True)
    File "/usr/lib/python2.7/dist-packages/univention/connector/ad/password.py", line 283, in get_password_from_ad
      (level, ctr) = connector.drs.DsGetNCChanges(connector.drsuapi_handle, 8, req8)
  WERRORError: (8439, 'WERR_DS_DRA_BAD_DN')

What am I doing wrong?
Can someone please clarify if the password sync process only works with a Microsoft Domain Controller, or also with a UCS DC that _took over_ a Microsoft DC? The latter is our setup, and we fail to sync passwords.
Yes, seems so. I also get

  23.07.2021 11:14:25.140 LDAP (PROCESS): sync from ucs: [ user] [ add] cn=join-backup,cn=users,DC=five,DC=local
  23.07.2021 11:14:25.151 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/ad/1627030267.897414
  23.07.2021 11:14:25.151 LDAP (WARNING): Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/univention/connector/__init__.py", line 817, in __sync_file_from_ucs
      if not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, object_old):
    File "/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py", line 2327, in sync_from_ucs
      post_con_modify_function(self, property_type, object)
    File "/usr/lib/python3/dist-packages/univention/connector/ad/password.py", line 381, in password_sync_ucs
      nt_hash, krb5Key = get_password_from_ad(connector, object['dn'])
    File "/usr/lib/python3/dist-packages/univention/connector/ad/password.py", line 281, in get_password_from_ad
      (level, ctr) = connector.drs.DsGetNCChanges(connector.drsuapi_handle, 8, req8)
  samba.WERRORError: (8439, 'WERR_DS_DRA_BAD_DN')

on my UCS master Samba DC with the AD connector. log.samba:

  [2021/07/23 07:40:56.027382, 3, pid=7901, effective(0, 0), real(0, 0), class=drs_repl] ../../source4/rpc_server/drsuapi/getncchanges.c:1205(getncchanges_repl_secret)
    ../../source4/rpc_server/drsuapi/getncchanges.c:1205: DRSUAPI_EXOP_REPL_SECRET extended op on CN=dns-master,CN=Users,DC=four,DC=five
  ...
  [2021/07/23 07:40:56.033669, 10, pid=7901, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
    ldb: ldb_trace_request: SEARCH
      dn: OU=Domain Controllers,DC=four,DC=five
      scope: base
      expr: (|(objectClass=*)(distinguishedName=*))
      attr: serverReference
      control: 1.2.840.113556.1.4.529 crit:1 data:yes
  [2021/07/23 07:40:56.038027, 10, pid=7901, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
    ldb: ldb_asprintf/set_errstring: Cannot find attribute serverReference of OU=Domain Controllers,DC=four,DC=five to calculate reference dn
  [2021/07/23 07:40:56.038061, 2, pid=7901, effective(0, 0), real(0, 0), class=drs_repl] ../../source4/rpc_server/drsuapi/getncchanges.c:1372(getncchanges_repl_secret)
    ../../source4/rpc_server/drsuapi/getncchanges.c:1372: Failed single secret replication for (null) by RODC S-1-5-21-2862311440-2092257086-639877991-500
  [2021/07/23 07:40:56.038083, 1, pid=7901, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
    drsuapi_DsGetNCChanges: struct drsuapi_DsGetNCChanges
      out: struct drsuapi_DsGetNCChanges
        level_out                : *
          level_out                : 0x00000006 (6)
        ctr                      : *
          ctr                      : union drsuapi_DsGetNCChangesCtr(case 6)
          ctr6: struct drsuapi_DsGetNCChangesCtr6
            source_dsa_guid          : e47cbc65-0fe9-486f-b919-95b978149feb
            source_dsa_invocation_id : 553e5c02-bdae-46bf-aa9e-a82fad4c6b42
            naming_context           : NULL
            old_highwatermark: struct drsuapi_DsReplicaHighWaterMark
              tmp_highest_usn          : 0x0000000000000000 (0)
              reserved_usn             : 0x0000000000000000 (0)
              highest_usn              : 0x0000000000000000 (0)
            new_highwatermark: struct drsuapi_DsReplicaHighWaterMark
              tmp_highest_usn          : 0x0000000000000000 (0)
              reserved_usn             : 0x0000000000000000 (0)
              highest_usn              : 0x0000000000000000 (0)
            uptodateness_vector      : NULL
            mapping_ctr: struct drsuapi_DsReplicaOIDMapping_Ctr
              num_mappings             : 0x00000000 (0)
              mappings                 : NULL
            extended_ret             : DRSUAPI_EXOP_ERR_NONE (0x0)
            object_count             : 0x00000000 (0)
            __ndr_size               : 0x000000c7 (199)
            first_object             : NULL
            more_data                : 0x00000000 (0)
            nc_object_count          : 0x00000000 (0)
            nc_linked_attributes_count: 0x00000000 (0)
            linked_attributes_count  : 0x00000000 (0)
            linked_attributes        : *
              linked_attributes: ARRAY(0)
            drs_error                : WERR_OK
        result                   : WERR_DS_DRA_BAD_DN

This

  Cannot find attribute serverReference of OU=Domain Controllers,DC=four,DC=five to calculate reference dn
  Failed single secret replication for (null) by RODC S-1-5-21-2862311440-2092257086-639877991-500

is suspicious.
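Added triage example (not part of this bug report or of UCS): a small Python script that pairs each rejected "sync from ucs" object in the AD-connector log with the WERRORError that followed it, and pulls the serverReference / REPL_SECRET hints out of log.samba, so the affected DN, the rejected file and the RODC SID that the DC refused can be read off in one place. The sample log lines are constructed from the quotes in the comments above; the regular expressions assume exactly that log layout.

```python
import re

# Added example (not from this bug report or from UCS). Sample input constructed
# from the lines quoted in the comments above; the regexes assume that layout.
CONNECTOR_LOG = """\
23.07.2021 11:14:25.140 LDAP        (PROCESS): sync from ucs: [          user] [       add] cn=join-backup,cn=users,DC=five,DC=local
23.07.2021 11:14:25.151 LDAP        (WARNING): sync failed, saved as rejected /var/lib/univention-connector/ad/1627030267.897414
23.07.2021 11:14:25.151 LDAP        (WARNING): Traceback (most recent call last):
samba.WERRORError: (8439, 'WERR_DS_DRA_BAD_DN')
23.07.2021 11:14:26.000 LDAP        (PROCESS): sync from ucs: [          user] [    modify] cn=other,cn=users,DC=five,DC=local
"""
SAMBA_LOG = """\
  ldb: ldb_asprintf/set_errstring: Cannot find attribute serverReference of OU=Domain Controllers,DC=four,DC=five to calculate reference dn
  ../../source4/rpc_server/drsuapi/getncchanges.c:1372: Failed single secret replication for (null) by RODC S-1-5-21-2862311440-2092257086-639877991-500
"""
SYNC_RE = re.compile(r"^\S+ \S+ LDAP\s+\(PROCESS\): sync from ucs: \[\s*(\w+)\] \[\s*(\w+)\] (.+)$")
REJECT_RE = re.compile(r"saved as rejected (\S+)")
WERR_RE = re.compile(r"WERRORError: \((\d+), '(\w+)'\)")
SERVERREF_RE = re.compile(r"Cannot find attribute serverReference of (.+?) to calculate reference dn")
RODC_RE = re.compile(r"Failed single secret replication for (\S+) by RODC (S-1-5-21-[\d-]+)")

def failed_password_syncs(connector_log):
    """One record per rejected object: a 'sync from ucs' PROCESS line opens it,
    the following 'saved as rejected' and 'WERRORError' lines are attached."""
    records, current = [], None
    for line in connector_log.splitlines():
        m = SYNC_RE.match(line)
        if m:
            current = {"type": m.group(1), "op": m.group(2), "dn": m.group(3), "rejected": None, "werr": None}
            records.append(current)
        elif current is not None:
            rej, err = REJECT_RE.search(line), WERR_RE.search(line)
            if rej:
                current["rejected"] = rej.group(1)
            if err:
                current["werr"] = (int(err.group(1)), err.group(2))
    return [r for r in records if r["werr"]]  # only objects that actually hit a WERR

def samba_drs_errors(samba_log):
    """Collect the two log.samba hints behind WERR_DS_DRA_BAD_DN: the object
    lacking serverReference, and the SID the DC treated as a failing RODC."""
    out = {"missing_serverReference": [], "repl_secret_failures": []}
    for line in samba_log.splitlines():
        m = SERVERREF_RE.search(line)
        if m:
            out["missing_serverReference"].append(m.group(1))
        m = RODC_RE.search(line)
        if m:
            out["repl_secret_failures"].append({"target": m.group(1), "caller_sid": m.group(2)})
    return out
```

Run against the real files (/var/log/univention/connector-ad.log and log.samba at a debug level that includes class=drs_repl), the first function tells you which accounts are stuck as rejected objects and the second whether the DC itself refused the secret replication, which is the distinction the comments above are drawing.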
Too bad. As this was working with the previous Windows domain controller, after the takeover it does not anymore. It would be helpful to at least have a note in the AD takeover documentation mentioning this limitation for now. Thank you.