Samba AD DC Troubleshooting: Difference between revisions
Line 125: | Line 125: | ||
4. Perform a <code>samba-tool</code> [[Updating_Samba#Samba_AD_DC_Database_Check| dbcheck]] with the <code>--cross-ncs</code> option to correct discrepancies in the creation of the partitions. |
4. Perform a <code>samba-tool</code> [[Updating_Samba#Samba_AD_DC_Database_Check| dbcheck]] with the <code>--cross-ncs</code> option to correct discrepancies in the creation of the partitions. |
||
Optionally, you can now run <code>samba-tool</code> ldapcmp in order to verify that the databases are consistent (noting msDs-masteredBy, msDS-NC-Replica-Locations, msDS-hasMasterNCs have been changed). |
Optionally, you can now run <code>samba-tool</code> ldapcmp in order to verify that the databases are consistent (noting attributes <code>msDs-masteredBy</code>, <code>msDS-NC-Replica-Locations</code>, <code>msDS-hasMasterNCs</code> have been changed). |
||
=== Other Windows compatibility issues === |
=== Other Windows compatibility issues === |
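Review bot: In the changed ldapcmp sentence, the ldapcmp subcommand is still outside the code tag (<code>samba-tool</code> ldapcmp), so with the attribute names now wrapped in <code> the command itself renders only half as code; suggest <code>samba-tool ldapcmp</code>. The parenthetical "noting attributes ... have been changed" would also read more clearly as "note that the attributes ... have been changed".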
Revision as of 02:43, 30 July 2019
Introduction
This documentation helps you to troubleshoot problems users can encounter when running Samba as an Active Directory (AD) domain controller (DC).
General
Setting the Samba Log Level
For details, see Setting the Samba Log Level.
The net Command Fails to Connect to the 127.0.0.1 IP Address
For details, see Troubleshooting Samba Domain Members - The net Command Fails to Connect to the 127.0.0.1 IP Address.
Process Management
Verifying That Samba Is Running
Use the ps utility to verify that the Samba processes are running:
# ps axf | egrep "samba|smbd|winbindd"
...
917 ? Ss 0:00 /usr/local/samba/sbin/samba -D
923 ? S 0:00 \_ /usr/local/samba/sbin/samba -D
936 ? Ss 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
940 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
941 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
943 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
924 ? S 0:00 \_ /usr/local/samba/sbin/samba -D
925 ? S 0:00 \_ /usr/local/samba/sbin/samba -D
...
935 ? Ss 0:00 | \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
939 ? S 0:00 | \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
...
Samba domain controllers do not support network browsing, and thus no nmbd processes are listed.
All samba, smbd, and winbindd processes must be child processes of one samba process.
If you do not see a process structure as displayed:
- Check your Samba log files to locate the problem. For more detailed output, increase the log level. For details, see Setting the Samba Log Level.
- Start Samba interactively and watch the output:
# samba -i
DNS
DNS Back End-specific Troubleshooting
See:
Issues with DNS during DC join
DNS rcode name error
Adding DNS A record XXX.XXX.XXX.XXX for IPv4 IP: XX.XX.XX.XX
ERROR(runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 699, in run
    backend_store=backend_store)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1535, in join_DC
    ctx.do_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1436, in do_join
    ctx.join_add_dns_records()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1178, in join_add_dns_records
    dns_partition=domaindns_zone_dn)
  File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 1069, in dns_lookup
    dns_partition=dns_partition)
DNS zone does not exist
ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1384, in do_join
    ctx.join_add_dns_records()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1138, in join_add_dns_records
    None)
Name or zone errors like those above can happen for a number of different reasons. In particular, the name error has been much more common (particularly against Windows). If the domain has been migrated from Windows 2000 or 2003 (including R2 variants and possibly 2008 non-R2), the DNS zones may not have been migrated correctly. Samba does not support legacy DNS zone locations; it only supports fully replicated AD DNS zones (ForestDnsZones, DomainDnsZones). Where an error indicates that a zone may not exist, the standard AD zone may not have been created (despite the server appearing to serve records from that location). A full re-import of your DNS database via PowerShell is one way to ensure that DNS records are only in the modern locations.
Assuming that these errors are not the result of migration issues, and are the result of issues with the running server, there is a workaround available:
Performing these steps out of order may cause replication issues due to some objects being created twice.
1. During samba-tool domain join, specify the --dns-backend=NONE command line option.
2. Perform a samba-tool drs replicate of the DC=ForestDnsZones and DC=DomainDnsZones partitions with the options --local --full-sync.
3. Run samba_upgradedns against the new DC database.
4. Perform a samba-tool dbcheck with the --cross-ncs option to correct discrepancies in the creation of the partitions.
Optionally, you can now run samba-tool ldapcmp in order to verify that the databases are consistent (noting attributes msDs-masteredBy, msDS-NC-Replica-Locations, msDS-hasMasterNCs have been changed).
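The four workaround steps above, wrapped so that a step is refused unless it is the next one pending (an added example, not part of the Samba wiki page). The realm, host names, base DN, credentials option and state file are constructed sample values; the samba_upgradedns backend, the --fix flag and a single-domain forest are assumptions.

```shell
#!/bin/sh
# Added example: run the four workaround steps strictly in order.
# Constructed sample values (assumptions, not from the page):
REALM="${REALM:-samdom.example.com}"
NEW_DC="${NEW_DC:-dc2.samdom.example.com}"    # DC being joined
SRC_DC="${SRC_DC:-dc1.samdom.example.com}"    # existing, healthy DC
BASE_DN="${BASE_DN:-DC=samdom,DC=example,DC=com}"  # single-domain forest assumed
AUTH="${AUTH:--U Administrator}"              # credentials option (assumption)
STATE="${STATE:-./dns-join-workaround.state}" # hypothetical progress file
RUN="${RUN-echo}"  # dry run: only print commands. Set RUN= (empty) to execute.
# Note: a dry run also advances $STATE; delete the file before a real run.

# Print the command line(s) for workaround step N (1-4), one per line.
step_cmds() {
    case "$1" in
    1) echo "samba-tool domain join $REALM DC --dns-backend=NONE $AUTH" ;;
    2) for nc in ForestDnsZones DomainDnsZones; do
           echo "samba-tool drs replicate $NEW_DC $SRC_DC DC=$nc,$BASE_DN --local --full-sync $AUTH"
       done ;;
    3) echo "samba_upgradedns --dns-backend=SAMBA_INTERNAL" ;;  # backend is an assumption
    4) echo "samba-tool dbcheck --cross-ncs --fix" ;;           # --fix assumed, to apply corrections
    *) return 2 ;;
    esac
}

# Run step N only when it is the next pending step, then record it.
run_step() {
    last=$(cat "$STATE" 2>/dev/null || echo 0)
    if [ "$1" -ne $((last + 1)) ] || [ "$1" -gt 4 ]; then
        echo "refusing step $1 (completed so far: $last of 4)" >&2
        return 1
    fi
    step_cmds "$1" | while IFS= read -r cmd; do
        $RUN $cmd || exit 1      # word splitting of $cmd is intentional
    done || return 1
    echo "$1" > "$STATE"
}

if [ "${1:-}" = "--all" ]; then
    for n in 1 2 3 4; do run_step "$n" || exit 1; done
fi
```

Run it with --all on the new DC to see the dry-run command list; a failing command stops the sequence and leaves the state file at the last completed step.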
Other Windows compatibility issues
For more detail on issues with domains migrated from Windows 2003 R2 or earlier:
SELinux
For details, see Troubleshooting SELinux on a Samba AD DC.
Updating
If you have any problems with your Active Directory (AD) domain controller (DC) after updating Samba, see: Notable Enhancements and Changes.