Samba AD DC Troubleshooting: Difference between revisions

From SambaWiki
m (dnsmasq typo correction)
m (Added category)
(33 intermediate revisions by 4 users not shown)
Line 1: Line 1:
= Introduction =
= Making sure samba is running =


This documentation helps you to troubleshoot problems users can encounter when running Samba as an Active Directory (AD) domain controller (DC).
Use the following command to check if Samba is running:


# ps axf | egrep "samba|smbd|nmbd|winbindd"


The output should look like the following:
1577 ? Ss 0:00 samba
1578 ? S 0:00 \_ samba
1581 ? Ss 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
1594 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
1579 ? S 0:00 \_ samba
1580 ? S 0:00 \_ samba
1582 ? S 0:00 \_ samba
...






= General =
= „samba“ or child processes don't start =


== Setting the Samba Log Level ==
Check out the [[Samba_port_usage#Port_usage_when_Samba_runs_as_DC|Samba port usage for a Domain Controller]] documentation and compare it with the output of


For details, see [[Setting_the_Samba_Log_Level|Setting the Samba Log Level]].
# netstat -tulpn | egrep "samba|smbd|nmbd|winbind"


If Samba isn't listening on all ports it should, check your Samba logs for further debugging.




== The <code>net</code> Command Fails to Connect to the <code>127.0.0.1</code> IP Address ==
= Samba Internal DNS doesn't start =


For details, see [[Troubleshooting_Samba_Domain_Members#The_net_Command_Fails_to_Connect_to_the_127.0.0.1_IP_Address|Troubleshooting Samba Domain Members - The net Command Fails to Connect to the 127.0.0.1 IP Address]].
The Samba logfile shows


[2014/07/05 22:46:07.334864, 0] ../source4/smbd/service_stream.c:346(stream_setup_socket)
Failed to listen on 127.0.0.1:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED


Make sure, that no other service is listening on port 53/udp and 53/tcp. Typically for this kind of problem is, that e. g. Dnsmasq or a different DNS server is listening on this port. Check by using


# netstat -tulpn | grep ":53"


It should return only „samba“ processes, bound to this port, if using the Internal DNS.


= Process Management =
= kinit/klist don't exist on your system =


== Verifying That Samba Is Running ==
See [[OS Requirements|OS Requirements]].


Use the <code>ps</code> utility to verify that Samba processes are executed:


# ps axf | egrep "samba|smbd|winbindd"
...
917 ? Ss 0:00 /usr/local/samba/sbin/samba -D
923 ? S 0:00 \_ /usr/local/samba/sbin/samba -D
936 ? Ss 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
940 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
941 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
943 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
924 ? S 0:00 \_ /usr/local/samba/sbin/samba -D
925 ? S 0:00 \_ /usr/local/samba/sbin/samba -D
...
935 ? Ss 0:00 | \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
939 ? S 0:00 | \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
...


{{Imbox
= SELinux =
| type = note
| text = Samba Domain Controller do not support network browsing, and thus no <code>nmbd</code> processes are listed.
}}


All <code>samba</code>, <code>smbd</code>, and <code>winbindd</code> processes must be child processes of one <code>samba</code> process.
Some thoughts on SELinux and discretionary access control permissions that can prevent login using AD users are on the [[Samba_AD_DC_access_control_settings|Samba AD DC Access Control Settings]] page.


If you do not see a process structure as displayed:

* Verify your Samba log files to locate the problem. For a detailed output, increase the log level. For details, see [[#Setting_the_Samba_Log_Level|Setting the Samba Log Level]]

* Start Samba interactively and watch the output:

# samba -i





= DNS =

== DNS Back End-specific Troubleshooting ==

See:

* [[Samba_Internal_DNS_Back_End#Troubleshooting|Samba INTERNAL_DNS Back End - Troubleshooting]]
* [[BIND9_DLZ_DNS_Back_End#Troubleshooting|BIND9_DLZ DNS Back End - Troubleshooting]]





= SELinux =


For details, see [[Troubleshooting_SELinux_on_a_Samba_AD_DC|Troubleshooting SELinux on a Samba AD DC]].


= Installing Python 2.6.5 for Samba =
If you encouter issues with your distribution version of Python, you can install Python 2.6.5 from this install script, included with the tarball or git files:


sh install_with_python.sh /usr/local/samba --enable-debug --enable-selftest


You will also need to add <tt>export PATH=/usr/local/samba/python/bin:/usr/local/samba/bin:/usr/local/samba/sbin:$PATH</tt> to the end of your ~/.bashrc file before things will work properly.




= Updating =


If you have any problems with your Active Directory (AD) domain controller (DC) after updating Samba, see: [[Updating_Samba#Notable_Enhancements_and_Changes|Notable Enhancements and Changes]].
= Checking the logs =


If you installed Samba from source and didn't specify a prefix during configure, your logs should be located in <tt>/usr/local/samba/var/</tt>, unless you have specified a <tt>log file = </tt> directive in your smb.conf. This can be checked by using either <tt>testparm -v</tt> (for the samba 3.X series) or <tt>samba-tool testparm -v</tt> (for the samba 4.X series), this will provide a lot of output so you can also add a <tt>| grep "log file"</tt>


Sometimes the log file will not have the info you need, so you will need to turn up the amount of logging that needs done but adding the following line to your smb.conf in the [global] section:


log level = 3


by default samba only logs at level 0, so start low and turn it up slowly, you will want to restart samba after making this change.


----
*Note: If you add grep to the command it will silently prompt you to press enter.
[[Category:Active Directory]]

Revision as of 20:38, 26 February 2017

Introduction

This documentation helps you to troubleshoot problems users can encounter when running Samba as an Active Directory (AD) domain controller (DC).



General

Setting the Samba Log Level

For details, see Setting the Samba Log Level.


The net Command Fails to Connect to the 127.0.0.1 IP Address

For details, see Troubleshooting Samba Domain Members - The net Command Fails to Connect to the 127.0.0.1 IP Address.



Process Management

Verifying That Samba Is Running

Use the ps utility to verify that Samba processes are executed:

# ps axf | egrep "samba|smbd|winbindd"
...
917 ?        Ss     0:00 /usr/local/samba/sbin/samba -D
923 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
936 ?        Ss     0:00  |   \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
940 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
941 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
943 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
924 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
925 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
...
935 ?        Ss     0:00  |   \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
939 ?        S      0:00  |       \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
...

All samba, smbd, and winbindd processes must be child processes of one samba process.

If you do not see a process structure as displayed:

  • Verify your Samba log files to locate the problem. For a detailed output, increase the log level. For details, see Setting the Samba Log Level
  • Start Samba interactively and watch the output:
# samba -i



DNS

DNS Back End-specific Troubleshooting

See:



SELinux

For details, see Troubleshooting SELinux on a Samba AD DC.



Updating

If you have any problems with your Active Directory (AD) domain controller (DC) after updating Samba, see: Notable Enhancements and Changes.