Samba AD DC Troubleshooting: Difference between revisions

Older revision: No edit summary
Newer revision: m (update dbcheck link)
(43 intermediate revisions by 4 users not shown)

Line 1:
= Introduction =

− This page will treat common problems when setting up or running a [[Samba_AD_DC_HOWTO|Samba AD Domain Controller]].

+ This documentation helps you to troubleshoot problems users can encounter when running Samba as an Active Directory (AD) domain controller (DC).
− = Making sure samba is running =

− Use the following command to check if Samba is running:

−  # ps axf | egrep "samba|smbd|nmbd|winbindd"

− The output should look like the following:

−  1577 ?   Ss   0:00 samba
−  1578 ?   S    0:00  \_ samba
−  1581 ?   Ss   0:00  |   \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
−  1594 ?   S    0:00  |   \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
−  1579 ?   S    0:00  \_ samba
−  1580 ?   S    0:00  \_ samba
−  1582 ?   S    0:00  \_ samba
−  ...

+ = General =

+ == Setting the Samba Log Level ==

+ For details, see [[Setting_the_Samba_Log_Level|Setting the Samba Log Level]].
− = „samba“ or child processes don't start =

− Check out the [[Samba_port_usage#Port_usage_when_Samba_runs_as_DC|Samba port usage for a Domain Controller]] documentation and compare it with the output of

−  # netstat -tulpn | egrep "samba|smbd|nmbd|winbind"

− If Samba isn't listening on all ports it should, check your Samba logs for further debugging.

+ == The <code>net</code> Command Fails to Connect to the <code>127.0.0.1</code> IP Address ==

+ For details, see [[Troubleshooting_Samba_Domain_Members#The_net_Command_Fails_to_Connect_to_the_127.0.0.1_IP_Address|Troubleshooting Samba Domain Members - The net Command Fails to Connect to the 127.0.0.1 IP Address]].
− = Samba Internal DNS doesn't start =

− The Samba logfile shows

−  [2014/07/05 22:46:07.334864,  0] ../source4/smbd/service_stream.c:346(stream_setup_socket)
−    Failed to listen on 127.0.0.1:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED

− Make sure that no other service is listening on port 53/udp and 53/tcp. The typical cause of this problem is that e.g. Dnsmasq or a different DNS server is listening on this port. Check by using

−  # netstat -tulpn | grep ":53"

− If you are using the internal DNS, it should return only „samba“ processes bound to this port.

+ = Process Management =

+ == Verifying That Samba Is Running ==

+ Use the <code>ps</code> utility to verify that Samba processes are executed:

+  # ps axf | egrep "samba|smbd|winbindd"
+  ...
+   917 ?   Ss   0:00 /usr/local/samba/sbin/samba -D
+   923 ?   S    0:00  \_ /usr/local/samba/sbin/samba -D
+   936 ?   Ss   0:00  |   \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
+   940 ?   S    0:00  |   \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
+   941 ?   S    0:00  |   \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
+   943 ?   S    0:00  |   \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
+   924 ?   S    0:00  \_ /usr/local/samba/sbin/samba -D
+   925 ?   S    0:00  \_ /usr/local/samba/sbin/samba -D
+  ...
+   935 ?   Ss   0:00  |   \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
+   939 ?   S    0:00  |   \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
+  ...
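For the port 53 conflict described in the older revision's "Samba Internal DNS doesn't start" section above, an added shell check (example code, not from the Samba wiki): it reads <code>netstat -tulpn</code> output and reports any process other than samba bound to port 53, including the case where the owning PID is hidden because netstat was not run as root. The netstat lines embedded in the script are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: find processes other than samba bound
# to port 53, the cause of the NT_STATUS_ADDRESS_ALREADY_ASSOCIATED error shown
# above. port53_conflicts reads `netstat -tulpn` output on stdin: the local
# address is column 4 and "PID/Program name" is the last column ("-" when the
# socket belongs to another user and netstat was not run as root).
# Returns 0 when only samba holds port 53, 1 otherwise.
port53_conflicts() {
    awk '
        $4 ~ /:53$/ {
            if ($NF == "-") {
                print "port 53 (" $1 " " $4 ") is bound by a process not visible to this user; rerun as root"
                bad++
            } else {
                split($NF, prog, "/")   # "1402/dnsmasq" -> prog[1]=pid, prog[2]=name
                if (prog[2] != "samba") { print "conflict: " $1 " " $4 " held by " $NF; bad++ }
            }
        }
        END { if (bad) exit 1; print "OK: only samba is bound to port 53" }'
}

# Constructed netstat -tulpn output: the internal DNS server listening as expected.
NETSTAT_OK='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:53             0.0.0.0:*               LISTEN      917/samba
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      936/smbd
udp        0      0 10.0.0.5:53             0.0.0.0:*                           917/samba'

# Constructed output of the conflict the section describes: dnsmasq owns 127.0.0.1:53.
NETSTAT_CONFLICT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1402/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1402/dnsmasq
udp        0      0 10.0.0.5:53             0.0.0.0:*                           917/samba'

# Run against the local system; needs netstat (net-tools) and root for the PID column.
live_check() {
    netstat -tulpn 2>/dev/null | port53_conflicts
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```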
− = kinit/klist don't exist on your system =

− See [[OS Requirements|OS Requirements]].

− = SELinux =

− Some thoughts on SELinux and discretionary access control permissions that can prevent login using AD users are on the [[Samba_AD_DC_access_control_settings|Samba AD DC Access Control Settings]] page.

+ {{Imbox
+ | type = note
+ | text = Samba domain controllers do not support network browsing, and thus no <code>nmbd</code> processes are listed.
+ }}

+ All <code>samba</code>, <code>smbd</code>, and <code>winbindd</code> processes must be child processes of one <code>samba</code> process.

+ If you do not see a process structure as displayed:

+ * Verify your Samba log files to locate the problem. For a detailed output, increase the log level. For details, see [[#Setting_the_Samba_Log_Level|Setting the Samba Log Level]].
+ * Start Samba interactively and watch the output:

+  # samba -i
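An added shell check for the process structure described above (example code, not from the Samba wiki): it reads <code>ps -eo pid,ppid,comm</code> output and confirms that every samba, smbd and winbindd process descends from exactly one top-level samba process. The two process trees embedded in the script are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: check the process structure the
# section above requires: every samba, smbd and winbindd process must descend
# from exactly one top-level samba process.
# check_samba_tree reads "PID PPID COMMAND" lines, the format printed by
# `ps -eo pid,ppid,comm`, on stdin. It returns 0 when the tree is as expected
# and 1 (with a FAIL line) otherwise. A title such as "samba: task[dns]" counts
# as "samba".
check_samba_tree() {
    awk '
        $3 ~ /^(samba|smbd|winbindd)(:|$)/ {
            sub(/:.*/, "", $3)                 # strip a process title suffix
            ppid[$1] = $2; comm[$1] = $3
        }
        END {
            total = 0; roots = 0
            for (p in ppid) {
                total++
                # a samba whose parent is not a Samba process is the top-level one
                if (comm[p] == "samba" && !(ppid[p] in ppid)) { roots++; root = p }
            }
            if (total == 0) { print "FAIL: no samba/smbd/winbindd processes found"; exit 1 }
            if (roots != 1) { print "FAIL: expected one top-level samba, found " roots; exit 1 }
            bad = 0
            for (p in ppid) {
                q = p
                while (q != root && (ppid[q] in ppid)) q = ppid[q]   # walk up to the root
                if (q != root) { print "FAIL: pid " p " (" comm[p] ") is not under samba pid " root; bad++ }
            }
            if (bad) exit 1
            print "OK: " total " Samba processes under samba pid " root
        }'
}

# Constructed sample in the shape of the healthy tree shown above.
GOOD_TREE='917 1 samba
923 917 samba
936 923 smbd
940 936 smbd
935 923 winbindd
939 935 winbindd'

# Constructed sample of a broken state: an smbd that was started on its own.
BAD_TREE='917 1 samba
923 917 samba
4242 1 smbd'

# Run the check against the local system (needs a ps supporting -o pid,ppid,comm).
live_check() {
    ps -eo pid,ppid,comm | check_samba_tree
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```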
− = Installing Python 2.6.5 for Samba =

− If you encounter issues with your distribution's version of Python, you can install Python 2.6.5 using this install script, included with the tarball or git files:

−  sh install_with_python.sh /usr/local/samba --enable-debug --enable-selftest

− You will also need to add <tt>export PATH=/usr/local/samba/python/bin:/usr/local/samba/bin:/usr/local/samba/sbin:$PATH</tt> to the end of your ~/.bashrc file before things will work properly.

+ = DNS =
+ == DNS Back End-specific Troubleshooting ==

+ See:

+ * [[Samba_Internal_DNS_Back_End#Troubleshooting|Samba INTERNAL_DNS Back End - Troubleshooting]]
+ * [[BIND9_DLZ_DNS_Back_End#Troubleshooting|BIND9_DLZ DNS Back End - Troubleshooting]]
+ == Issues with DNS during DC join ==

+ === DNS rcode name error ===

+ <pre>
+ Adding DNS A record XXX.XXX.XXX.XXX for IPv4 IP: XX.XX.XX.XX
+ ERROR(runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
+   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 185, in _run
+     return self.run(*args, **kwargs)
+   File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 699, in run
+     backend_store=backend_store)
+   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1535, in join_DC
+     ctx.do_join()
+   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1436, in do_join
+     ctx.join_add_dns_records()
+   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1178, in join_add_dns_records
+     dns_partition=domaindns_zone_dn)
+   File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 1069, in dns_lookup
+     dns_partition=dns_partition)
+ </pre>

+ === DNS zone does not exist ===

+ <pre>
+ ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
+   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
+     return self.run(*args, **kwargs)
+   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
+     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
+   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
+     ctx.do_join()
+   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1384, in do_join
+     ctx.join_add_dns_records()
+   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1138, in join_add_dns_records
+     None)
+ </pre>
+ Name or zone errors like the above may happen for a number of different reasons. In particular, the name error has been much more common (particularly against Windows). If the domain has been migrated from Windows 2000 or 2003 (including R2 variants and possibly 2008 non-R2), the DNS zones may not have been migrated correctly. Legacy DNS zone locations are not supported in Samba, which only supports fully replicated AD DNS zones (ForestDnsZones, DomainDnsZones). Where an error occurs indicating that the zone may not exist, it may be the case that the standard AD zone has not been created (despite the server appearing to serve records from that location). A full re-import of your DNS database via PowerShell is one way to ensure that DNS records are only in the modern locations.

+ Assuming that these errors are not the result of migration issues, but of issues with the running server, there is a workaround available:

+ {{Imbox
+ | type = important
+ | text = Performing these steps out of order may cause replication issues due to some objects being created twice.
+ }}

+ 1. During <code>samba-tool</code> domain join, specify the <code>--dns-backend=NONE</code> command line option.

+ 2. Perform a <code>samba-tool</code> drs replicate of the DC=ForestDnsZones and DC=DomainDnsZones partitions with the options <code>--local --full-sync</code>.

+ 3. Run <code>samba_upgradedns</code> against the new DC database.

+ 4. Perform a <code>samba-tool</code> [[dbcheck]] with the <code>--cross-ncs</code> option to correct discrepancies in the creation of the partitions.

+ Optionally, you can now run <code>samba-tool</code> ldapcmp to verify that the databases are consistent (noting that the attributes <code>msDs-masteredBy</code>, <code>msDS-NC-Replica-Locations</code> and <code>msDS-hasMasterNCs</code> have been changed).
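The four-step workaround above as an added shell script (example code, not from the Samba wiki) that runs the steps in the required order and stops at the first failure, so a later step never runs on top of a half-finished earlier one. The domain, source DC, new DC name and admin account are placeholder arguments; <code>partition_dn</code> is a helper added here to build the DNS partition DNs, and <code>--dns-backend=SAMBA_INTERNAL</code> for samba_upgradedns and <code>--fix --yes</code> for dbcheck are standard options assumed for this script.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: the four-step DNS join workaround as
# a script that runs the steps in order and aborts at the first failure.
# Run on the DC being joined. Arguments (placeholders): the AD DNS domain, the
# existing source DC, this DC's name, and optionally the admin account.
set -eu

# Helper added here: build the DN of a DNS application partition from a DNS
# domain name, e.g.  partition_dn DomainDnsZones samdom.example.com
# -> DC=DomainDnsZones,DC=samdom,DC=example,DC=com
partition_dn() {
    printf 'DC=%s,DC=%s\n' "$1" "$(printf '%s' "$2" | sed 's/\./,DC=/g')"
}

dns_join_workaround() {
    domain=$1; source_dc=$2; new_dc=$3; admin=${4:-administrator}

    # 1. Join without touching DNS, so the failing record creation is skipped.
    samba-tool domain join "$domain" DC -U "$admin" --dns-backend=NONE

    # 2. Fully replicate both DNS partitions into the local database.
    for nc in ForestDnsZones DomainDnsZones; do
        samba-tool drs replicate "$new_dc" "$source_dc" \
            "$(partition_dn "$nc" "$domain")" --local --full-sync
    done

    # 3. Provision the DNS back end against the replicated data
    #    (SAMBA_INTERNAL assumed here; use BIND9_DLZ if that is your back end).
    samba_upgradedns --dns-backend=SAMBA_INTERNAL

    # 4. Check across naming contexts and fix partition objects created twice.
    samba-tool dbcheck --cross-ncs --fix --yes
}

# Usage: SAMBA_DNS_JOIN_RUN=1 ./dns_join.sh samdom.example.com dc1 dc2
if [ "${SAMBA_DNS_JOIN_RUN:-0}" = "1" ]; then
    dns_join_workaround "$@"
fi
```

Sourcing the file without SAMBA_DNS_JOIN_RUN set only defines the functions, which lets the DN helper be checked before anything is run against a live DC.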
+ === Other Windows compatibility issues ===

+ For more detail on issues with domains migrated from Windows 2003 R2 or earlier, see:

+ * [[Windows_2012_Server_compatibility#Pre-2003_functional_level|Windows Server Compatibility]]

+ = SELinux =

+ For details, see [[Troubleshooting_SELinux_on_a_Samba_AD_DC|Troubleshooting SELinux on a Samba AD DC]].

+ = Updating =

+ If you have any problems with your Active Directory (AD) domain controller (DC) after updating Samba, see: [[Updating_Samba#Notable_Enhancements_and_Changes|Notable Enhancements and Changes]].
− = Checking the logs =

− If you installed Samba from source and didn't specify a prefix during configure, your logs should be located in <tt>/usr/local/samba/var/</tt>, unless you have specified a <tt>log file = </tt> directive in your smb.conf. You can check this with either <tt>testparm -v</tt> (for the Samba 3.x series) or <tt>samba-tool testparm -v</tt> (for the Samba 4.x series). This produces a lot of output, so you can also append <tt>| grep "log file"</tt>.

− Sometimes the log file will not have the information you need, so you will need to increase the amount of logging by adding the following line to the [global] section of your smb.conf:

−  log level = 3

− By default, Samba only logs at level 0, so start low and turn it up slowly. You will need to restart Samba after making this change.

− ----

− *Note: If you add grep to the command, it will silently prompt you to press enter.

[[Category:Active Directory]]
Revision as of 04:05, 31 July 2019