Samba AD DC Troubleshooting: Difference between revisions

From SambaWiki

Edit summary of the newer revision: m (update dbcheck link)
(40 intermediate revisions by 4 users not shown)

Older revision (left side of the diff):

= Introduction =

This page will help to find and cure common problems that may occur when setting up or running a [[Samba_AD_DC_HOWTO|Samba AD Domain Controller]].

= Making sure samba is running =

Use the following command to check if Samba is running:

 # ps axf | egrep "samba|smbd|nmbd|winbindd"

The output should look similar to the following:

 1577 ?        Ss     0:00 samba
 1578 ?        S      0:00  \_ samba
 1581 ?        Ss     0:00  |   \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 1594 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 1579 ?        S      0:00  \_ samba
 1580 ?        S      0:00  \_ samba
 1582 ?        S      0:00  \_ samba
 ...

= „samba“ or child processes don't start =

Check out the [[Samba_port_usage#Port_usage_when_Samba_runs_as_DC|Samba port usage for a Domain Controller]] documentation and compare it with the output of

 # netstat -tulpn | egrep "samba|smbd|nmbd|winbind"

If Samba isn't listening on all the ports it should, check your Samba logs for further debugging.

= Samba Internal DNS doesn't start =

The Samba logfile shows

 [2014/07/05 22:46:07.334864,  0] ../source4/smbd/service_stream.c:346(stream_setup_socket)
   Failed to listen on 127.0.0.1:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED

Make sure that no other service is listening on port 53/udp and 53/tcp. The typical cause of this kind of problem is that e.g. Dnsmasq or a different DNS server is listening on this port. Check by using

 # netstat -tulpn | grep ":53"

If you are using the Internal DNS, it should return only „samba“ processes bound to this port.

= kinit/klist don't exist on your system =

See [[OS Requirements|OS Requirements]].

= Replication DNS between Win AD DC fail =

Steps provided by xdexter.
Some users report that their Windows AD DC DNS records don't replicate back to the Samba DC.

 # '''samba-tool drs showrepl'''

will not show DC=ForestDnsZones and DC=DomainDnsZones under "OUTBOUND NEIGHBORS".

Below are some steps for Windows 2003; 2008 might be different.

1. Logon to a Windows domain controller with an Enterprise admin account (preferably logon to the replication partner of the problematic DC).

2. Run ntdsutil on a Domain Controller.

3. Run the "domain management" command in ntdsutil.

4. Run the "Connections" command and then connect to the local server with the "Connect to server localdcname" command. (Replace localdcname with the local DC's hostname.)

5. Hit Q and enter.

6. Run the following command and you will see that your problematic server is not listed in the output, although it should be, since it has the DNS server installed.
If you are replicating a DNS zone to the forest, run "List NC Replicas DC=ForestDnsZones,DC=domain,DC=com".
If you are replicating a DNS zone to the domain, run "List NC Replicas DC=DomainDnsZones,DC=domain,DC=com".
Before continuing to the next step, make sure that there is no object under the "LostAndFoundConfig" container (it serves as a container for lost forest-wide objects).
You can check this with ADSIEDIT.msc under the Configuration partition. If there is an object, first check its "lastKnownParent" attribute; if you decide that it is not an orphaned object, move it back to its location.
If you decide this is an orphaned object, delete it.

7. Now add your problematic Domain Controller with the DNS server installed to the NCs you are replicating, by running the following commands.

8. For the forest-wide DNS partition:
"Add NC Replica DC=ForestDnsZones,DC=domain,DC=com problemdcname.domain.com" (the problematic DC name must be in full DNS name format).
For the domain-wide DNS partition:
"Add NC Replica DC=DomainDnsZones,DC=domain,DC=com problemdcname.domain.com" (the problematic DC name must be in full DNS name format).

9. Force replication on the problematic DC from its partner (where you followed steps 1 to 8).

= SELinux =

Some thoughts on SELinux and discretionary access control permissions that can prevent login using AD users are on the [[Samba_AD_DC_access_control_settings|Samba AD DC Access Control Settings]] page.

= Installing Python 2.6.5 for Samba =

If you encounter issues with your distribution's version of Python, you can install Python 2.6.5 with this install script, included with the tarball or git files:

 sh install_with_python.sh /usr/local/samba --enable-debug --enable-selftest

You will also need to add <tt>export PATH=/usr/local/samba/python/bin:/usr/local/samba/bin:/usr/local/samba/sbin:$PATH</tt> to the end of your ~/.bashrc file before things will work properly.

= Checking the logs =

If you installed Samba from source and didn't specify a prefix during configure, your logs should be located in <tt>/usr/local/samba/var/</tt>, unless you have specified a <tt>log file = </tt> directive in your smb.conf. This can be checked by using either <tt>testparm -v</tt> (for the Samba 3.x series) or <tt>samba-tool testparm -v</tt> (for the Samba 4.x series). This provides a lot of output, so you can also append <tt>| grep "log file"</tt>.

Sometimes the log file will not have the information you need, so you will need to turn up the amount of logging by adding the following line to the [global] section of your smb.conf:

 log level = 3

By default Samba only logs at level 0, so start low and turn it up slowly. You will need to restart Samba after making this change.

----
*Note: If you add grep to the command it will silently prompt you to press enter.
[[Category:Active Directory]]
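Both revisions state the same rule for the <code>ps</code> output: every smbd and winbindd must hang below one top-level samba process. The following shell check, an added example that is not part of the Samba wiki page, automates that rule: it reads "PID PPID COMM" lines (as produced by <code>ps -eo pid,ppid,comm</code>), climbs from each samba-family process to its topmost samba-family ancestor, and fails if that ancestor is not <code>samba</code> or if more than one such root exists. The two embedded inputs are constructed, not real listings.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: check the rule that every smbd and
# winbindd on a DC must be a descendant of one top-level "samba" process.
# Input lines are "PID PPID COMM", e.g. from:
#   ps -eo pid,ppid,comm | check_samba_tree
# Other process names are ignored, so a full ps listing can be piped in.
# Returns 0 for a healthy tree, 1 otherwise, with a one-line diagnosis.
check_samba_tree() {
    awk '
    $3 ~ /^(samba|smbd|winbindd)$/ { ppid[$1] = $2; comm[$1] = $3; n++ }
    END {
        if (n == 0) { print "no samba/smbd/winbindd processes found"; exit 1 }
        roots = 0; bad = 0
        for (p in ppid) {
            # climb while the parent is itself a samba-family process
            q = p
            while (ppid[q] in comm) q = ppid[q]
            # q is the topmost samba-family ancestor of p; it must be "samba"
            if (comm[q] != "samba") {
                printf("%s pid %s has no samba parent\n", comm[p], p)
                bad++
            } else if (!(q in seen)) {
                seen[q] = 1; roots++; root = q
            }
        }
        if (bad > 0) exit 1
        if (roots != 1) {
            printf("%d top-level samba processes found, expected exactly 1\n", roots)
            exit 1
        }
        printf("OK: %d processes under samba pid %s\n", n, root)
    }'
}

# Constructed inputs (not real ps output) for a quick self-demonstration:
# the healthy shape from the page, one samba root with everything below it.
SAMPLE_OK='917 1 samba
923 917 samba
936 923 smbd
940 936 smbd
924 917 samba
935 924 winbindd
939 935 winbindd'

# An smbd and a winbindd started on their own, next to the samba process.
SAMPLE_BAD='917 1 samba
923 917 samba
2001 1 smbd
2002 1 winbindd'

printf '%s\n' "$SAMPLE_OK" | check_samba_tree
printf '%s\n' "$SAMPLE_BAD" | check_samba_tree || :
```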

Revision as of 04:05, 31 July 2019

= Introduction =

This documentation helps you to troubleshoot problems users can encounter when running Samba as an Active Directory (AD) domain controller (DC).

= General =

== Setting the Samba Log Level ==

For details, see [[Setting_the_Samba_Log_Level|Setting the Samba Log Level]].

== The <code>net</code> Command Fails to Connect to the <code>127.0.0.1</code> IP Address ==

For details, see [[Troubleshooting_Samba_Domain_Members#The_net_Command_Fails_to_Connect_to_the_127.0.0.1_IP_Address|Troubleshooting Samba Domain Members - The net Command Fails to Connect to the 127.0.0.1 IP Address]].

= Process Management =

== Verifying That Samba Is Running ==

Use the <code>ps</code> utility to verify that the Samba processes are running:

 # ps axf | egrep "samba|smbd|winbindd"
 ...
 917 ?        Ss     0:00 /usr/local/samba/sbin/samba -D
 923 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
 936 ?        Ss     0:00  |   \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 940 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 941 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 943 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 924 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
 925 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
 ...
 935 ?        Ss     0:00  |   \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
 939 ?        S      0:00  |       \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
 ...

{{Imbox
| type = note
| text = Samba Domain Controllers do not support network browsing, and thus no <code>nmbd</code> processes are listed.
}}

All <code>samba</code>, <code>smbd</code>, and <code>winbindd</code> processes must be child processes of one <code>samba</code> process.

If you do not see a process structure as displayed:

* Verify your Samba log files to locate the problem. For a detailed output, increase the log level. For details, see [[#Setting_the_Samba_Log_Level|Setting the Samba Log Level]].

* Start Samba interactively and watch the output:

 # samba -i

= DNS =

== DNS Back End-specific Troubleshooting ==

See:

* [[Samba_Internal_DNS_Back_End#Troubleshooting|Samba INTERNAL_DNS Back End - Troubleshooting]]
* [[BIND9_DLZ_DNS_Back_End#Troubleshooting|BIND9_DLZ DNS Back End - Troubleshooting]]

== Issues with DNS during DC join ==

=== DNS rcode name error ===
<pre>
Adding DNS A record XXX.XXX.XXX.XXX for IPv4 IP: XX.XX.XX.XX
ERROR(runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 699, in run
    backend_store=backend_store)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1535, in join_DC
    ctx.do_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1436, in do_join
    ctx.join_add_dns_records()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1178, in join_add_dns_records
    dns_partition=domaindns_zone_dn)
  File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 1069, in dns_lookup
    dns_partition=dns_partition)
</pre>

=== DNS zone does not exist ===
<pre>
ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1384, in do_join
    ctx.join_add_dns_records()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1138, in join_add_dns_records
    None)
</pre>

Name or zone errors like the above may happen for a number of different reasons. In particular, the name error has been much more common (particularly against Windows). If the domain has been migrated from Windows 2000 or 2003 (including R2 variants and possibly 2008 non-R2), the DNS zones may not have been migrated correctly. Legacy DNS zone locations are not supported in Samba, which only supports fully replicated AD DNS zones (ForestDnsZones, DomainDnsZones). Where an error indicates that a zone may not exist, it may be the case that the standard AD zone has not been created (despite the server appearing to serve records from that location). A full re-import of your DNS database via PowerShell is one way to ensure that DNS records are only in the modern locations.

Assuming that these errors are not the result of migration issues, but of issues with the running server, there is a workaround available:

{{Imbox
| type = important
| text = Performing these steps out of order may cause replication issues due to some objects being created twice.
}}

1. During the <code>samba-tool</code> domain join, specify the <code>--dns-backend=NONE</code> command line option.

2. Perform a <code>samba-tool</code> drs replicate of the DC=ForestDnsZones and DC=DomainDnsZones partitions with the options <code>--local --full-sync</code>.

3. Run <code>samba_upgradedns</code> against the new DC database.

4. Perform a <code>samba-tool</code> [[dbcheck]] with the <code>--cross-ncs</code> option to correct discrepancies in the creation of the partitions.

Optionally, you can now run <code>samba-tool</code> ldapcmp in order to verify that the databases are consistent (noting that the attributes <code>msDs-masteredBy</code>, <code>msDS-NC-Replica-Locations</code> and <code>msDS-hasMasterNCs</code> have been changed).

=== Other Windows compatibility issues ===

For some more detail regarding issues with domains migrated from Windows 2003 R2 or earlier:
* [[Windows_2012_Server_compatibility#Pre-2003_functional_level|Windows Server Compatibility]]

= SELinux =

For details, see [[Troubleshooting_SELinux_on_a_Samba_AD_DC|Troubleshooting SELinux on a Samba AD DC]].

= Updating =

If you have any problems with your Active Directory (AD) domain controller (DC) after updating Samba, see [[Updating_Samba#Notable_Enhancements_and_Changes|Notable Enhancements and Changes]].

[[Category:Active Directory]]
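The four-step DNS join workaround in the "Issues with DNS during DC join" section, written out as one script. This is an added example and not the Samba project's own code: the realm, host names, base DN, admin account and DNS back end are placeholders to be set for your domain, and a single-domain forest is assumed so that ForestDnsZones and DomainDnsZones share one base DN. The step order matches the page's note that running them out of order can create objects twice.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: the four-step DNS join workaround
# as one script. Realm, host names, base DN and DNS back end are placeholders
# (assumptions) to be set for your domain; a single-domain forest is assumed,
# so ForestDnsZones and DomainDnsZones share the same base DN.
# With DRY_RUN=1 the commands are printed instead of executed.
set -eu

REALM="${REALM:-samdom.example.com}"                # placeholder realm
NEW_DC="${NEW_DC:-dc2.samdom.example.com}"          # placeholder: DC being joined
SOURCE_DC="${SOURCE_DC:-dc1.samdom.example.com}"    # placeholder: DC to replicate from
BASE_DN="${BASE_DN:-DC=samdom,DC=example,DC=com}"   # placeholder domain DN
DNS_BACKEND="${DNS_BACKEND:-SAMBA_INTERNAL}"        # or BIND9_DLZ
ADMIN="${ADMIN:-administrator}"                     # placeholder admin account
DRY_RUN="${DRY_RUN:-0}"

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: join without a DNS back end, so the join never tries to add its
# own records to a zone it cannot find (the two tracebacks on the page).
join_without_dns() {
    run samba-tool domain join "$REALM" DC -U "$ADMIN" --dns-backend=NONE
}

# Step 2: pull both DNS application partitions with a local full sync.
replicate_dns_partitions() {
    for nc in "DC=ForestDnsZones,$BASE_DN" "DC=DomainDnsZones,$BASE_DN"; do
        run samba-tool drs replicate "$NEW_DC" "$SOURCE_DC" "$nc" --local --full-sync
    done
}

# Step 3: enable the DNS back end on the now-replicated database.
upgrade_dns() {
    run samba_upgradedns --dns-backend="$DNS_BACKEND"
}

# Step 4: report partition inconsistencies across naming contexts
# (add --fix to let dbcheck repair what it reports).
check_database() {
    run samba-tool dbcheck --cross-ncs
}

dns_join_workaround() {
    join_without_dns
    replicate_dns_partitions
    upgrade_dns
    check_database
}

# Invoke as "sh dns_join_workaround.sh run"; preview with DRY_RUN=1 first.
case "${1:-}" in run) dns_join_workaround ;; esac
```

Run it on the DC being joined, with the environment variables set for your domain; the ldapcmp verification the page mentions as optional is not included.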