Discussion:
[Samba] DomainDnsZones inbound replication issue
Donaldson Jeff
2016-07-28 13:24:28 UTC
Permalink
Greetings,


I am having a problem with one of my DCs (DC3) replicating DomainDnsZones. On DC3 replication is successful on both Inbound and Outbound with both of my other DCs. On both of my other DCs (DC1 & DC2) I only get a failure with Inbound replication for DomainDnsZones from DC3 with a result 8442 (WERR_DS_DRA_INTERNAL_ERROR).


If I try to force replication to DC3 from DC1 using samba-tool drs replicate DC3 DC1 DC=DomainDnsZones,DC=our,DC=domain,DC=com --full-sync, I get the following:


ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:ncsauth3[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
Failed to connect to 'ldap://ncsauth3' with backend 'ldap': (null)
ERROR(ldb): LDAP connection to ncsauth3 failed - None
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 48, in samdb_connect
credentials=ctx.creds, lp=ctx.lp)
File "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py", line 56, in __init__
options=options)
File "/usr/local/samba/lib/python2.7/site-packages/samba/__init__.py", line 114, in __init__
self.connect(url, flags, options)
File "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py", line 71, in connect
options=options)


I didn't have any replication issues prior to upgrading Samba to 4.4.4 and the server to Ubuntu 14.04.4. After upgrading I ran samba-tool dbcheck --cross-ncs --fix. Not sure how to proceed to resolve the issue. Would the best solution be to demote the affected DC, wipe out all of private, then join as a DC again? Any help or suggestions are greatly appreciated.

Regards,
Jeff

Jeff Donaldson
Technology Director
Newark Charter School
***@ncs.k12.de.us
(302) 369-2001 ext: 625
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
l***@gmail.com
2016-07-28 13:45:01 UTC
Permalink
On 7/28/2016 9:24 AM, Donaldson Jeff wrote:
> Greetings,
>
>
> I am having a problem with one of my DCs (DC3) replicating DomainDnsZones. On DC3 replication is successful on both Inbound and Outbound with both of my other DCs. On both of my other DCs (DC1 & DC2) I only get a failure with Inbound replication for DomainDnsZones from DC3 with a result 8442 (WERR_DS_DRA_INTERNAL_ERROR).
>
>
> If I try to force replication to DC3 from DC1 using samba-tool drs replicate DC3 DC1 DC=DomainDnsZones,DC=our,DC=domain,DC=com --full-sync, I get the following:
>
>
> ldb_wrap open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:ncsauth3[,seal]
> resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
> Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
> Failed to connect to 'ldap://ncsauth3' with backend 'ldap': (null)
> ERROR(ldb): LDAP connection to ncsauth3 failed - None
> File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 48, in samdb_connect
> credentials=ctx.creds, lp=ctx.lp)
> File "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py", line 56, in __init__
> options=options)
> File "/usr/local/samba/lib/python2.7/site-packages/samba/__init__.py", line 114, in __init__
> self.connect(url, flags, options)
> File "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py", line 71, in connect
> options=options)
>
>
> I didn't have any replication issues prior to upgrading Samba to 4.4.4 and the server to Ubuntu 14.04.4. After upgrading I ran samba-tool dbcheck --cross-ncs --fix. Not sure how to proceed to resolve the issue. Would the best solution be to demote the affected DC, wipe out all of private, then join as a DC again? Any help or suggestions are greatly appreciated.
>
> Regards,
> Jeff
>
> Jeff Donaldson
> Technology Director
> Newark Charter School
> ***@ncs.k12.de.us
> (302) 369-2001 ext: 625

What is the value of

"ldap server require strong auth =" in your smb.conf? You may need to
run 'samba-tool testparm -v'

--
-James


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Donaldson Jeff
2016-07-28 14:25:05 UTC
Permalink
Here's my edited smb.conf and the output of the testparm. As you can see I'm not setting that in my smb.conf and it appears to be turned on by default in Samba 4.4.4. I was going to update Samba on DC1 to 4.4.4 as well, but haven't done that yet. It's currently on 4.2.3. Should I upgrade that as well before changing anything else? Thanks!


Jeff Donaldson
Technology Director
Newark Charter School
***@ncs.k12.de.us
(302) 369-2001 ext: 625


________________________________
From: samba <samba-***@lists.samba.org> on behalf of ***@gmail.com <***@gmail.com>
Sent: Thursday, July 28, 2016 9:45 AM
To: ***@lists.samba.org
Subject: Re: [Samba] DomainDnsZones inbound replication issue

On 7/28/2016 9:24 AM, Donaldson Jeff wrote:
> Greetings,
>
>
> I am having a problem with one of my DCs (DC3) replicating DomainDnsZones. On DC3 replication is successful on both Inbound and Outbound with both of my other DCs. On both of my other DCs (DC1 & DC2) I only get a failure with Inbound replication for DomainDnsZones from DC3 with a result 8442 (WERR_DS_DRA_INTERNAL_ERROR).
>
>
> If I try to force replication to DC3 from DC1 using samba-tool drs replicate DC3 DC1 DC=DomainDnsZones,DC=our,DC=domain,DC=com --full-sync, I get the following:
>
>
> ldb_wrap open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:ncsauth3[,seal]
> resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
> Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
> Failed to connect to 'ldap://ncsauth3' with backend 'ldap': (null)
> ERROR(ldb): LDAP connection to ncsauth3 failed - None
> File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 48, in samdb_connect
> credentials=ctx.creds, lp=ctx.lp)
> File "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py", line 56, in __init__
> options=options)
> File "/usr/local/samba/lib/python2.7/site-packages/samba/__init__.py", line 114, in __init__
> self.connect(url, flags, options)
> File "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py", line 71, in connect
> options=options)
>
>
> I didn't have any replication issues prior to upgrading Samba to 4.4.4 and the server to Ubuntu 14.04.4. After upgrading I ran samba-tool dbcheck --cross-ncs --fix. Not sure how to proceed to resolve the issue. Would the best solution be to demote the affected DC, wipe out all of private, then join as a DC again? Any help or suggestions are greatly appreciated.
>
> Regards,
> Jeff
>
> Jeff Donaldson
> Technology Director
> Newark Charter School
> ***@ncs.k12.de.us
> (302) 369-2001 ext: 625

What is the value of

"ldap server require strong auth =" in your smb.conf? You may need to
run 'samba-tool testparm -v'

--
-James


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
[https://lists.samba.org/images/mailman/gnu-head-tiny.jpg]<https://lists.samba.org/mailman/options/samba>

samba list: member options login page<https://lists.samba.org/mailman/options/samba>
lists.samba.org
Unsubscribe: By clicking on the Unsubscribe button, a confirmation message will be emailed to you. This message will have a link that you should click on to ...
l***@gmail.com
2016-07-28 15:18:24 UTC
Permalink
On 7/28/2016 10:25 AM, Donaldson Jeff wrote:
>
> Here's my edited smb.conf and the output of the testparm. As you can
> see I'm not setting that in my smb.conf and it appears to be turned on
> by default in Samba 4.4.4. I was going to update Samba on DC1 to 4.4.4
> as well, but haven't done that yet. It's currently on 4.2.3. Should I
> upgrade that as well before changing anything else? Thanks!
>
>
>
> Jeff Donaldson
> Technology Director
> Newark Charter School
> ***@ncs.k12.de.us
> (302) 369-2001 ext: 625
>
>
> ------------------------------------------------------------------------
> *From:* samba <samba-***@lists.samba.org> on behalf of
> ***@gmail.com <***@gmail.com>
> *Sent:* Thursday, July 28, 2016 9:45 AM
> *To:* ***@lists.samba.org
> *Subject:* Re: [Samba] DomainDnsZones inbound replication issue
> On 7/28/2016 9:24 AM, Donaldson Jeff wrote:
> > Greetings,
> >
> >
> > I am having a problem with one of my DCs (DC3) replicating
> DomainDnsZones. On DC3 replication is successful on both Inbound and
> Outbound with both of my other DCs. On both of my other DCs (DC1 &
> DC2) I only get a failure with Inbound replication for DomainDnsZones
> from DC3 with a result 8442 (WERR_DS_DRA_INTERNAL_ERROR).
> >
> >
> > If I try to force replication to DC3 from DC1 using samba-tool drs
> replicate DC3 DC1 DC=DomainDnsZones,DC=our,DC=domain,DC=com
> --full-sync, I get the following:
> >
> >
> > ldb_wrap open of secrets.ldb
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Using binding ncacn_ip_tcp:ncsauth3[,seal]
> > resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name ncsauth3<0x20>
> > Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED -
> <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
> > Failed to connect to 'ldap://ncsauth3' with backend 'ldap': (null)
> > ERROR(ldb): LDAP connection to ncsauth3 failed - None
> > File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py",
> line 48, in samdb_connect
> > credentials=ctx.creds, lp=ctx.lp)
> > File
> "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py", line
> 56, in __init__
> > options=options)
> > File
> "/usr/local/samba/lib/python2.7/site-packages/samba/__init__.py", line
> 114, in __init__
> > self.connect(url, flags, options)
> > File
> "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py", line
> 71, in connect
> > options=options)
> >
> >
> > I didn't have any replication issues prior to upgrading Samba to
> 4.4.4 and the server to Ubuntu 14.04.4. After upgrading I ran
> samba-tool dbcheck --cross-ncs --fix. Not sure how to proceed to
> resolve the issue. Would the best solution be to demote the affected
> DC, wipe out all of private, then join as a DC again? Any help or
> suggestions are greatly appreciated.
> >
> > Regards,
> > Jeff
> >
> > Jeff Donaldson
> > Technology Director
> > Newark Charter School
> > ***@ncs.k12.de.us
> > (302) 369-2001 ext: 625
>
> What is the value of
>
> "ldap server require strong auth =" in your smb.conf? You may need to
> run 'samba-tool testparm -v'
>
> --
> -James
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
> <https://lists.samba.org/mailman/options/samba>
> <https://lists.samba.org/mailman/options/samba>
>
> samba list: member options login page
> <https://lists.samba.org/mailman/options/samba>
> lists.samba.org
> Unsubscribe: By clicking on the Unsubscribe button, a confirmation
> message will be emailed to you. This message will have a link that you
> should click on to ...
>
>
Yes, updating should fix the issue. However I would strongly suggest
you read the release notes of each version you may be skipping. The
default behavior for

LDAP_STRONG_AUTH_REQUIRED was no.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2112

Changing 'ldap server require strong auth = No' should fix the
replication issue. Just understand what this means. I assume your other
DC's were 4.2.3 before you upgraded to 4.4.4?


--
-James

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Loading...