Samba AD DC Troubleshooting: Difference between revisions
Diff between the revision by Mmuehlfeld (talk | contribs), m (Updated link), and the latest revision (mNo edit summary); 19 intermediate revisions by 4 users not shown.
= Introduction =

This page helps you troubleshoot problems you can encounter when setting up or running Samba as an Active Directory (AD) domain controller (DC). For the setup procedure itself, see [[Setup_a_Samba_Active_Directory_Domain_Controller|Setup a Samba Active Directory Domain Controller]].

= General =

== Setting the Samba Log Level ==

For details, see [[Setting_the_Samba_Log_Level|Setting the Samba Log Level]].

== The <code>net</code> Command Fails to Connect to the <code>127.0.0.1</code> IP Address ==

For details, see [[Troubleshooting_Samba_Domain_Members#The_net_Command_Fails_to_Connect_to_the_127.0.0.1_IP_Address|Troubleshooting Samba Domain Members - The net Command Fails to Connect to the 127.0.0.1 IP Address]].
== Join errors on Rocky Linux 8 ==

It has been reported that a self-built Samba on Rocky Linux 8 (and presumably on RHEL, AlmaLinux and the other RHEL derivatives) cannot join another DC. This was tracked down to FIPS mode being enabled. Turn FIPS mode off on all RHEL-based DCs, reboot them all, and then retry the join. On RHEL-based systems FIPS mode is active when <code>/proc/sys/crypto/fips_enabled</code> reads <code>1</code>.

= Process Management =

== Verifying That Samba Is Running ==

Use the <code>ps</code> utility to verify that the Samba processes are running:

<pre>
# ps axf | egrep "samba|smbd|winbindd"
...
  917 ?        Ss     0:00 /usr/local/samba/sbin/samba -D
  923 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
  936 ?        Ss     0:00  |   \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
  940 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
  941 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
  943 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
  924 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
  925 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
...
  935 ?        Ss     0:00  |   \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
  939 ?        S      0:00  |       \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
...
</pre>

Also check the [[Samba_AD_DC_Port_Usage|Samba port usage for a Domain Controller]] documentation and compare it with the output of:

<pre>
# netstat -tulpn | egrep "samba|smbd|nmbd|winbind"
</pre>

If Samba is not listening on all the ports it should, check your Samba logs for further debugging.
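The following script is an added example (it is not from the Samba wiki or the Samba project) that checks the structure shown in the listing above mechanically: every <code>smbd</code> and <code>winbindd</code> must descend from a single top-level <code>samba</code> process, and no <code>nmbd</code> may be running on a DC. It reads <code>ps -eo pid,ppid,comm</code> output; the two listings embedded in it are constructed samples, one healthy and one broken.

```shell
#!/bin/sh
# Added example: verify the Samba AD DC process tree from "pid ppid comm" lines.
# Usage on a live DC:   ps -eo pid,ppid,comm | check_samba_tree
# Exit status 0 when the tree is as expected, 1 otherwise (findings on stdout).
check_samba_tree() {
    awk '
    $1 == "PID" { next }                            # skip the ps header line
    $3 ~ /^(samba|smbd|winbindd|nmbd)$/ {
        pid[$1] = 1; ppid[$1] = $2; comm[$1] = $3
    }
    END {
        roots = 0; bad = 0
        # a root is a samba process whose parent is not itself a Samba process
        for (p in pid)
            if (comm[p] == "samba" && !(ppid[p] in pid)) { roots++; root = p }
        if (roots != 1) {
            printf "expected exactly one top-level samba process, found %d\n", roots; bad = 1
        }
        for (p in pid) {
            if (comm[p] == "nmbd") {
                printf "nmbd (pid %s) is running; an AD DC does not run nmbd\n", p; bad = 1
            }
            if (comm[p] == "smbd" || comm[p] == "winbindd") {
                q = p                                # climb until we leave the Samba set
                while ((ppid[q]) in pid) q = ppid[q]
                if (comm[q] != "samba") {
                    printf "%s (pid %s) is not a child of samba\n", comm[p], p; bad = 1
                }
            }
        }
        if (!bad) print "OK: all smbd/winbindd processes descend from samba pid " root
        exit bad
    }'
}

# Constructed sample matching the healthy listing above (same pids)
SAMPLE_GOOD='  PID  PPID COMMAND
  917     1 samba
  923   917 samba
  924   917 samba
  936   923 smbd
  940   936 smbd
  935   923 winbindd
  939   935 winbindd'

# Constructed sample of a broken DC: smbd started on its own, nmbd running
SAMPLE_BAD='  PID  PPID COMMAND
 1200     1 smbd
 1201  1200 smbd
 1300     1 nmbd'

printf '%s\n' "$SAMPLE_GOOD" | check_samba_tree
printf '%s\n' "$SAMPLE_BAD" | check_samba_tree || echo "broken tree detected (exit $?)"
```

A standalone <code>smbd</code> or <code>winbindd</code> that is not under <code>samba</code> usually means a file-server style init script started them alongside the DC; stop those units before debugging further.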
{{Imbox
| type = note
| text = Samba Domain Controllers do not support network browsing, and thus no <code>nmbd</code> processes are listed.
}}

All <code>samba</code>, <code>smbd</code>, and <code>winbindd</code> processes must be child processes of one <code>samba</code> process.

If you do not see a process structure as displayed:

* Verify your Samba log files to locate the problem. For a detailed output, increase the log level. For details, see [[#Setting_the_Samba_Log_Level|Setting the Samba Log Level]].

* Start Samba interactively and watch the output:

<pre>
# samba -i
</pre>

= Samba Internal DNS does not start =

The Samba log file shows:

<pre>
[2014/07/05 22:46:07.334864,  0] ../source4/smbd/service_stream.c:346(stream_setup_socket)
  Failed to listen on 127.0.0.1:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
</pre>

Make sure that no other service is listening on port 53/udp and 53/tcp. Typically this is caused by another DNS server listening on the port, e.g. Dnsmasq. Check with:

<pre>
# netstat -tulpn | grep ":53"
</pre>

If you are using the internal DNS server, the output should only list <code>samba</code> processes bound to this port.
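For both checks above, comparing the listening ports with the port-usage page and finding out who holds port 53, here is an added example that is not from the Samba wiki or the Samba project. It parses <code>netstat -tulpn</code> or <code>ss -tulpn</code> output and reports expected ports with no Samba listener as well as expected ports held by a foreign process. The expected port list is this example's own assumption (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, LDAPS and the global catalog ports); take the authoritative list from the port-usage page for your DNS back end. Both listings embedded below are constructed samples.

```shell
#!/bin/sh
# Added example: compare a socket listing with the ports a Samba AD DC must own.
# Usage on a live DC (as root, so -p can show the owning process):
#   netstat -tulpn | check_dc_ports      or      ss -tulpn | check_dc_ports
# Reports expected ports with no Samba listener and expected ports held by a
# foreign process; exit status 0 only when every expected port belongs to Samba.
# ASSUMPTION: this port list is the example's own; take the authoritative list
# from the Samba AD DC Port Usage page for your DNS back end.
DC_PORTS="53 88 135 389 445 464 636 3268 3269"

check_dc_ports() {
    awk -v expected="$DC_PORTS" '
    BEGIN { n = split(expected, want, " "); for (i = 1; i <= n; i++) need[want[i]] = 1 }
    $1 !~ /^(tcp|udp)6?$/ { next }                 # skip headers and non-socket lines
    {
        proto = substr($1, 1, 3)
        # netstat: Recv-Q is numeric and the local address is $4;
        # ss: column 2 is the State and the local address is $5
        addr = ($2 ~ /^[0-9]+$/) ? $4 : $5
        port = addr; sub(/.*:/, "", port)          # works for 0.0.0.0:53, :::53, [::]:53
        if (!(port in need)) next
        prog = $NF
        if (prog ~ /^[0-9]+\//) {                  # netstat: 917/samba
            sub(/^[0-9]+\//, "", prog)
        } else if (match(prog, /\("[^"]+"/)) {     # ss: users:(("samba",pid=917,fd=5))
            prog = substr(prog, RSTART + 2, RLENGTH - 3)
        }
        if (prog ~ /^(samba|smbd|winbindd)$/) seen[port] = 1
        else { printf "port %s/%s is held by %s, not Samba\n", port, proto, prog; bad = 1 }
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(want[i] in seen)) { printf "no Samba listener on port %s\n", want[i]; bad = 1 }
        if (!bad) print "OK: Samba holds every expected port"
        exit bad
    }'
}

# Constructed netstat -tulpn sample: Samba owns the TCP ports, but a stray
# dnsmasq holds 53/udp, the kind of conflict behind NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      917/samba
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      917/samba
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      917/samba
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      917/samba
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      936/smbd
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      917/samba
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      917/samba
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      917/samba
tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN      917/samba
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1234/dnsmasq'

# Constructed ss -tulpn sample with the same conflict, to show the other format
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*     users:(("dnsmasq",pid=1234,fd=4))'

printf '%s\n' "$SAMPLE_NETSTAT" | check_dc_ports || echo "fix the conflict before starting samba"
printf '%s\n' "$SAMPLE_SS" | check_dc_ports | head -n 1
```

When a port is reported as held by <code>-</code> or by a peer address, the listing was taken without root privileges and the owning process was not visible; rerun it as root.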
= Kerberos =

== kinit/klist does not exist on your system ==

See [[Operating system requirements|OS Requirements]].
= DNS =

== DNS Back End-specific Troubleshooting ==

See:

* [[Samba_Internal_DNS_Back_End#Troubleshooting|Samba INTERNAL_DNS Back End - Troubleshooting]]
* [[BIND9_DLZ_DNS_Back_End#Troubleshooting|BIND9_DLZ DNS Back End - Troubleshooting]]

To verify dynamic DNS updates on an AD DC running a DNS server, see [[Testing_Dynamic_DNS_Updates|Testing Dynamic DNS Updates]].
== Issues with DNS during DC join ==

There is a bug adding DNS entries while joining a domain, [https://bugzilla.samba.org/show_bug.cgi?id=13298 bug 13298]; note that this should only affect Samba 4.7 and later. Some users also report that the DNS records of their Windows AD DC do not replicate back to the Samba DC; on the affected Samba DC, <code>samba-tool drs showrepl</code> does not list <code>DC=ForestDnsZones</code> and <code>DC=DomainDnsZones</code> under "OUTBOUND NEIGHBORS". The Windows-side steps for that case (provided by xdexter) follow the Samba-side workaround below. The two join failures look like this:

=== DNS rcode name error ===

<pre>
Adding DNS A record XXX.XXX.XXX.XXX for IPv4 IP: XX.XX.XX.XX
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for MYDOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=MYDOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../../source4/dsdb/common/util.c:4733) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=RID Set,CN=MYDC,OU=Domain Controllers,DC=mydomain,DC=local
Deleted CN=MYDC,OU=Domain Controllers,DC=mydomain,DC=local
Deleted CN=dns-MYDC,CN=Users,DC=mydomain,DC=local
Deleted CN=NTDS Settings,CN=MYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
Deleted CN=MYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
ERROR(runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 699, in run
    backend_store=backend_store)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1535, in join_DC
    ctx.do_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1436, in do_join
    ctx.join_add_dns_records()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1178, in join_add_dns_records
    dns_partition=domaindns_zone_dn)
  File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 1069, in dns_lookup
    dns_partition=dns_partition)
</pre>

=== DNS zone does not exist ===

<pre>
ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1384, in do_join
    ctx.join_add_dns_records()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1138, in join_add_dns_records
    None)
</pre>
Name or zone errors like the above may happen for a number of different reasons. In particular, the name error has been much more common (particularly when joining against Windows). If the domain was migrated from Windows 2000 or 2003 (including the R2 variants, and possibly 2008 non-R2), the DNS zones may not have been migrated correctly. Legacy DNS zone locations are not supported in Samba, which only supports the fully replicated AD DNS application partitions (ForestDnsZones, DomainDnsZones). Where an error indicates that the zone may not exist, it may be that the standard AD zone was never created, even though the server appears to serve records from that location. A full re-import of your DNS database via PowerShell is one way to ensure that DNS records exist only in the modern locations.

Assuming that these errors are not the result of migration issues but of issues with the running server, there is a workaround available:

{{Imbox
| type = important
| text = Performing these steps out of order may cause replication issues due to some objects being created twice.
}}

1. During <code>samba-tool domain join</code>, specify the <code>--dns-backend=NONE</code> command line option.

2. Perform a <code>samba-tool drs replicate</code> of the <code>DC=ForestDnsZones</code> and <code>DC=DomainDnsZones</code> partitions with the options <code>--local --full-sync</code>.

3. Run <code>samba_upgradedns</code> against the new DC database.

4. Perform a <code>samba-tool</code> [[dbcheck]] with the <code>--cross-ncs</code> option to correct discrepancies in the creation of the partitions.

Optionally, you can now run <code>samba-tool ldapcmp</code> to verify that the databases are consistent (noting that the attributes <code>msDS-masteredBy</code>, <code>msDS-NC-Replica-Locations</code> and <code>msDS-hasMasterNCs</code> will have changed).

=== Adding the DNS partition replicas on a Windows DC ===

Steps provided by xdexter. They were written for Windows Server 2003; 2008 might be different. Use them when a Windows replication partner does not replicate the DNS partitions to the problematic DC.

1. Log on to a Windows domain controller with an Enterprise Admins account (preferably the replication partner of the problematic DC).

2. Run <code>ntdsutil</code> on that domain controller.

3. Run the <code>domain management</code> command in ntdsutil.

4. Run the <code>Connections</code> command, then connect to the local server with <code>Connect to server localdcname</code> (replace <code>localdcname</code> with the local DC's hostname).

5. Type <code>q</code> and press Enter.

6. Run the following command; you will see that your problematic server is not listed in the output, although it should be, since it has the DNS server installed. If you are replicating a DNS zone to the forest, run <code>List NC Replicas DC=ForestDnsZones,DC=domain,DC=com</code>; if you are replicating a DNS zone to the domain, run <code>List NC Replicas DC=DomainDnsZones,DC=domain,DC=com</code>.

Before continuing to the next step, make sure that there is no object under the <code>LostAndFoundConfig</code> container (which holds lost forest-wide objects). You can check this with <code>ADSIEDIT.msc</code> under the Configuration partition. If there is an object, first check its <code>lastKnownParent</code> attribute; if you decide it is not an orphaned object, move it back to its location. If you decide it is an orphaned object, delete it.

7. Now add your problematic domain controller, with the DNS server installed, to the NCs you are replicating. For the forest-wide DNS partition, run <code>Add NC Replica DC=ForestDnsZones,DC=domain,DC=com problemdcname.domain.com</code>; for the domain-wide DNS partition, run <code>Add NC Replica DC=DomainDnsZones,DC=domain,DC=com problemdcname.domain.com</code>. The problematic DC name must be given as a fully qualified DNS name.

8. Force replication on the problematic DC from its partner (the DC on which you performed steps 1 to 7).

=== Other Windows compatibility issues ===

For more detail on issues with domains migrated from Windows 2003 R2 or earlier, see:

* [[Windows_2012_Server_compatibility#Pre-2003_functional_level| Windows Server Compatibility]]
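The four-step Samba-side workaround above, as an added runbook script (example code, not from the Samba wiki or the Samba project). The realm, both DC hostnames and the admin account are placeholder assumptions; the script also assumes the internal DNS back end for <code>samba_upgradedns</code> and runs <code>dbcheck</code> with <code>--fix --yes</code>, so review the dry run (the default) before running it with <code>DRY_RUN=0</code>.

```shell
#!/bin/sh
# Added example: the DNS-partition join workaround as one ordered runbook.
# ASSUMED values; override them in the environment:
REALM="${REALM:-samdom.example.com}"                # AD realm / DNS domain
NEW_DC="${NEW_DC:-dc2.samdom.example.com}"          # the DC being joined
SOURCE_DC="${SOURCE_DC:-dc1.samdom.example.com}"    # healthy replication partner
ADMIN="${ADMIN:-administrator}"                     # account allowed to join DCs
DRY_RUN="${DRY_RUN:-1}"                             # 1 = print the commands only

# samdom.example.com -> DC=samdom,DC=example,DC=com
realm_to_dn() {
    printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i }'
}

# Print the command in dry-run mode, otherwise execute it as given.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

dns_join_workaround() {
    base_dn=$(realm_to_dn "$REALM")
    # 1. Join without a DNS back end, so the join does not try to add DNS
    #    records into partitions the new DC does not hold yet.
    run samba-tool domain join "$REALM" DC -U "$ADMIN" --dns-backend=NONE
    # 2. Pull both DNS application partitions in full from the partner.
    #    --local writes straight into the local sam.ldb, --full-sync ignores
    #    the (empty) local replication state for these partitions.
    for nc in "DC=ForestDnsZones,$base_dn" "DC=DomainDnsZones,$base_dn"; do
        run samba-tool drs replicate "$NEW_DC" "$SOURCE_DC" "$nc" --local --full-sync
    done
    # 3. Only now set up the DNS back end (ASSUMED: SAMBA_INTERNAL) against
    #    the database that already contains the partitions.
    run samba_upgradedns --dns-backend=SAMBA_INTERNAL
    # 4. Repair cross-partition links left inconsistent by creating the
    #    partitions out of the normal join order.
    run samba-tool dbcheck --cross-ncs --fix --yes
    # Optional: compare against the partner; msDS-masteredBy,
    # msDS-NC-Replica-Locations and msDS-hasMasterNCs are expected to differ.
    run samba-tool ldapcmp "ldap://$SOURCE_DC" "ldap://$NEW_DC" -U "$ADMIN"
}

dns_join_workaround
```

Keep the step order: the important note above applies, and a real run stops at the first failing command so that a later step is never run against a half-replicated database.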
= SELinux =

For details, see [[Troubleshooting_SELinux_on_a_Samba_AD_DC|Troubleshooting SELinux on a Samba AD DC]]. Some notes on SELinux and discretionary access control permissions that can prevent logins by AD users are on the [[Samba_AD_DC_access_control_settings|Samba AD DC Access Control Settings]] page.

= Updating =

If you have any problems with your AD DC after updating Samba, see [[Updating_Samba#Notable_Enhancements_and_Changes|Notable Enhancements and Changes]].
= Dependencies and Libraries =

== Installing Python 2.6.5 for Samba ==

If you encounter issues with your distribution's version of Python, you can install Python 2.6.5 using the install script included with the tarball or git checkout:

<pre>
sh install_with_python.sh /usr/local/samba --enable-debug --enable-selftest
</pre>

You will also need to add <tt>export PATH=/usr/local/samba/python/bin:/usr/local/samba/bin:/usr/local/samba/sbin:$PATH</tt> to the end of your <tt>~/.bashrc</tt> file before things will work properly. This only applies to old Samba 4.0-era source trees; current Samba releases require Python 3.

[[Category:Active Directory]]
Latest revision as of 10:32, 26 February 2023