Samba AD DC Troubleshooting: Difference between revisions
From SambaWiki
Mmuehlfeld (talk | contribs) m (Updated link) |
Mmuehlfeld (talk | contribs) m (Added category) |
||
(3 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
= Introduction = |
= Introduction = |
||
This |
This documentation helps you to troubleshoot problems users can encounter when running Samba as an Active Directory (AD) domain controller (DC). |
||
Line 15: | Line 15: | ||
== The <code>net</code> Command Fails to Connect to the <code>127.0.0.1</code> IP Address == |
|||
For details, see [[Troubleshooting_Samba_Domain_Members#The_net_Command_Fails_to_Connect_to_the_127.0.0.1_IP_Address|Troubleshooting Samba Domain Members - The net Command Fails to Connect to the 127.0.0.1 IP Address]]. |
|||
= Process Management = |
|||
== Making sure samba is running == |
|||
Use the following command to check if Samba is running: |
|||
# ps axf | egrep "samba|smbd|nmbd|winbindd" |
|||
= Process Management = |
|||
The output should look similar to the following: |
|||
1577 ? Ss 0:00 samba |
|||
1578 ? S 0:00 \_ samba |
|||
1581 ? Ss 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground |
|||
1594 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground |
|||
1579 ? S 0:00 \_ samba |
|||
1580 ? S 0:00 \_ samba |
|||
1582 ? S 0:00 \_ samba |
|||
... |
|||
== Verifying That Samba Is Running == |
|||
Use the <code>ps</code> utility to verify that Samba processes are executed: |
|||
# ps axf | egrep "samba|smbd|winbindd" |
|||
== "samba" or child processes do not start == |
|||
... |
|||
917 ? Ss 0:00 /usr/local/samba/sbin/samba -D |
|||
923 ? S 0:00 \_ /usr/local/samba/sbin/samba -D |
|||
936 ? Ss 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground |
|||
940 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground |
|||
941 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground |
|||
943 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground |
|||
924 ? S 0:00 \_ /usr/local/samba/sbin/samba -D |
|||
925 ? S 0:00 \_ /usr/local/samba/sbin/samba -D |
|||
... |
|||
935 ? Ss 0:00 | \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground |
|||
939 ? S 0:00 | \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground |
|||
... |
|||
{{Imbox |
|||
Check out the [[Samba_AD_DC_Port_Usage|Samba port usage for a Domain Controller]] documentation and compare it with the output of |
|||
| type = note |
|||
| text = Samba Domain Controller do not support network browsing, and thus no <code>nmbd</code> processes are listed. |
|||
}} |
|||
All <code>samba</code>, <code>smbd</code>, and <code>winbindd</code> processes must be child processes of one <code>samba</code> process. |
|||
# netstat -tulpn | egrep "samba|smbd|nmbd|winbind" |
|||
If you do not see a process structure as displayed: |
|||
If Samba isn't listening on all the ports it should, check your Samba logs for further debugging. |
|||
* Verify your Samba log files to locate the problem. For a detailed output, increase the log level. For details, see [[#Setting_the_Samba_Log_Level|Setting the Samba Log Level]] |
|||
= Samba Internal DNS does not start = |
|||
* Start Samba interactively and watch the output: |
|||
The Samba logfile shows |
|||
# samba -i |
|||
[2014/07/05 22:46:07.334864, 0] ../source4/smbd/service_stream.c:346(stream_setup_socket) |
|||
Failed to listen on 127.0.0.1:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED |
|||
Make sure that no other service is listening on port 53/udp and 53/tcp. Typically this is caused by another DNS server listening on the port e. g. Dnsmasq. |
|||
Check by using |
|||
# netstat -tulpn | grep ":53" |
|||
If you are using the Internal DNS, it should only return the "samba" processes bound to this port. |
|||
= Kerberos = |
|||
== kinit/klist does not exist on your system == |
|||
See [[Operating_System_Requirements|Operating System Requirements]]. |
|||
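Review bot: The rewritten "Verifying That Samba Is Running" section drops the listening-port check, and nothing in the new lines replaces it. The old text pointed to [[Samba_AD_DC_Port_Usage]] and ran `netstat -tulpn | egrep "samba|smbd|nmbd|winbind"`. A correct process tree does not show that the services are bound to their ports, so consider keeping a one-line pointer to the port usage page next to the `ps` check. The Imbox text also needs a grammar fix: "Samba domain controllers do not support network browsing".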
Line 75: | Line 65: | ||
= DNS = |
= DNS = |
||
== |
== DNS Back End-specific Troubleshooting == |
||
See: |
|||
To verify dynamic DNS updates on an Active Directory (AD) domain controller (DC) running a DNS server, see [[Testing_Dynamic_DNS_Updates|Testing Dynamic DNS Updates]]. |
|||
* [[Samba_Internal_DNS_Back_End#Troubleshooting|Samba INTERNAL_DNS Back End - Troubleshooting]] |
|||
* [[BIND9_DLZ_DNS_Back_End#Troubleshooting|BIND9_DLZ DNS Back End - Troubleshooting]] |
|||
== DNS Replication from Windows AD DC fails == |
|||
Steps provided by xdexter. |
|||
Some users report that their windows AD DC DNS record don't replicate back to Samba DC. |
|||
# '''samba-tool drs showrepl''' |
|||
= SELinux = |
|||
Will not show DC=ForestDnsZones and DC=DomainDnsZones ON "OUTBOUND NEIGHBORS" |
|||
For details, see [[Troubleshooting_SELinux_on_a_Samba_AD_DC|Troubleshooting SELinux on a Samba AD DC]]. |
|||
Below are some steps on windows 2003, 2008 might be different. |
|||
1. Logon to a Windows domain controller with an Enterprise admin account (Prefer to logon to the replication partner of the problematic DC) |
|||
2. Run ntdsutil in a Domain Controller |
|||
3. Run "domain management" command in ntdsutil |
|||
4. Run "Connections" command and then connect to local server by "Connect to server localdcname" command. (Replace localdcname with local DC's hostname) |
|||
5. Hit Q and enter. |
|||
6. Run the following command and you will see that your problematic server is not listed in the output, although it should, since it has DNS server installed. |
|||
If you are replicating a DNS zone to the forest then run "List NC Replicas DC=ForestDnsZones,DC=domain,DC=com" |
|||
If you are replicating a DNS zone to the domain then run "List NC Replicas DC=DomainDnsZones,DC=domain,DC=com" |
|||
Before continuing to the next step make sure that there is no object under "LostAndFoundConfig" (serves as a container for lost forestwide objects) container. |
|||
You can check this with ADSIEDIT.msc under Configuration Partition. If there is an object first check its "lastKnownParent" attribute and if you decide if this is not an orphaned object then move it to its location. |
|||
If you decide this is an orphaned object then delete it. |
|||
7. Now add your problematic Domain Controller with DNS server install to the NC's you are replicating. By running following commands. |
|||
8. For Forest wide DNS partition: |
|||
"Add NC Replica DC=ForestDnsZones,DC=domain,DC=com problemdcname.domain.com" (problematic DC name must be in full DNS name format). |
|||
For Domain wide DNS partition: |
|||
"Add NC Replica DC=DomainDnsZones,DC=domain,DC=com problemdcname.domain.com" (problematic DC name must be in full DNS name format). |
|||
9. Force replication on problematic DC from its partner (where follow the steps from 1 to 8). |
|||
= SELinux = |
|||
Some thoughts on SELinux and discretionary access control permissions that can prevent login using AD users are on the [[Samba_AD_DC_access_control_settings|Samba AD DC Access Control Settings]] page. |
|||
= Updating = |
|||
If you have any problems with your Active Directory (AD) domain controller (DC) after updating Samba, see: [[Updating_Samba#Notable_Enhancements_and_Changes|Notable Enhancements and Changes]]. |
|||
= Dependencies and Libraries = |
|||
== Installing Python 2.6.5 for Samba == |
|||
If you encounter issues with your distribution version of Python, you can install Python 2.6.5 from this install script, included with the tarball or git files: |
|||
sh install_with_python.sh /usr/local/samba --enable-debug --enable-selftest |
|||
---- |
|||
You will also need to add <tt>export PATH=/usr/local/samba/python/bin:/usr/local/samba/bin:/usr/local/samba/sbin:$PATH</tt> to the end of your ~/.bashrc file before things will work properly. |
|||
[[Category:Active Directory]] |
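Review bot: The "DNS Replication from Windows AD DC fails" procedure (the ntdsutil steps credited to xdexter) and the "Installing Python 2.6.5 for Samba" section are removed in this hunk, and the new lines show no link to a replacement. If the material moved, link its new location from the DNS section alongside the INTERNAL_DNS and BIND9_DLZ troubleshooting links. If it was dropped as obsolete, say so in the edit summary; the visible summaries ("Updated link", "Added category") do not mention the removal.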
Revision as of 20:38, 26 February 2017
Introduction
This documentation helps you to troubleshoot problems users can encounter when running Samba as an Active Directory (AD) domain controller (DC).
General
Setting the Samba Log Level
For details, see Setting the Samba Log Level.
The net Command Fails to Connect to the 127.0.0.1 IP Address
For details, see Troubleshooting Samba Domain Members - The net Command Fails to Connect to the 127.0.0.1 IP Address.
Process Management
Verifying That Samba Is Running
Use the ps utility to verify that Samba processes are executed:
# ps axf | egrep "samba|smbd|winbindd"
...
917 ? Ss 0:00 /usr/local/samba/sbin/samba -D
923 ? S 0:00 \_ /usr/local/samba/sbin/samba -D
936 ? Ss 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
940 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
941 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
943 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
924 ? S 0:00 \_ /usr/local/samba/sbin/samba -D
925 ? S 0:00 \_ /usr/local/samba/sbin/samba -D
...
935 ? Ss 0:00 | \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
939 ? S 0:00 | \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
...
Note: Samba domain controllers do not support network browsing, and thus no nmbd processes are listed.
All samba, smbd, and winbindd processes must be child processes of one samba process.
If you do not see a process structure as displayed:
- Verify your Samba log files to locate the problem. For a detailed output, increase the log level. For details, see Setting the Samba Log Level.
- Start Samba interactively and watch the output:
# samba -i
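The requirement that all samba, smbd, and winbindd processes are children of one samba process can be checked mechanically instead of by eye. The script below is an added example, not part of the Samba wiki; `check_samba_tree` is a hypothetical name, the sample input is constructed, and it assumes the process names are the bare executable names shown in the ps output above.

```shell
#!/bin/sh
# Added example, not from the Samba wiki. Reads "PID PPID NAME" lines, e.g. from
#   ps -eo pid=,ppid=,comm=
# and succeeds only if every samba, smbd and winbindd process descends from
# exactly one top-level samba process. Assumption: NAME is the bare
# executable name, as in the ps output shown on this page.
check_samba_tree() {
    awk '
    { ppid[$1] = $2; name[$1] = $3 }
    END {
        roots = 0; orphans = 0; total = 0
        for (p in name) {
            if (name[p] !~ /^(samba|smbd|winbindd)$/) continue
            total++
            # Walk up the parent chain; keep the topmost samba ancestor.
            top = ""; cur = p
            for (hops = 0; (cur in name) && hops < 64; hops++) {
                if (name[cur] == "samba") top = cur
                cur = ppid[cur]
            }
            if (top == "") { orphans++; printf "orphan: %s (pid %s)\n", name[p], p }
            else if (!(top in seen)) { seen[top] = 1; roots++ }
        }
        if (total > 0 && roots == 1 && orphans == 0) {
            for (r in seen) printf "OK: %d processes under samba pid %s\n", total, r
            exit 0
        }
        printf "FAIL: %d processes, %d samba roots, %d orphans\n", total, roots, orphans
        exit 1
    }'
}

# Constructed sample: one samba root with smbd and winbindd below it.
SAMPLE_OK='1 0 systemd
917 1 samba
923 917 samba
936 923 smbd
924 917 samba
935 924 winbindd'
# Constructed sample: an smbd started outside the samba tree (parent is PID 1).
SAMPLE_BAD='1 0 systemd
917 1 samba
936 917 smbd
1200 1 smbd'

printf '%s\n' "$SAMPLE_OK" | check_samba_tree
printf '%s\n' "$SAMPLE_BAD" | check_samba_tree || true
```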
DNS
DNS Back End-specific Troubleshooting
See:
SELinux
For details, see Troubleshooting SELinux on a Samba AD DC.
Updating
If you have any problems with your Active Directory (AD) domain controller (DC) after updating Samba, see: Notable Enhancements and Changes.