Difference between revisions of "Samba AD DC Troubleshooting"

(Installing Python 2.6.5 for samba)
m (update dbcheck link)
 
(56 intermediate revisions by 7 users not shown)
Line 1: Line 1:
= Making sure samba is running =
+
= Introduction =
You can use the following command to check to see if Samba 3 is running currently
 
ps ax | grep "mbd\|winbindd" | grep -v grep
 
  
If its running you will see something like:
+
This documentation helps you to troubleshoot problems users can encounter when running Samba as an Active Directory (AD) domain controller (DC).
16491 ?        S      0:48 /usr/local/samba/sbin/smbd -D
 
16494 ?        S      0:48 /usr/local/samba/sbin/nmbd -D
 
16509 ?        S      0:02 /usr/local/samba/sbin/winbindd -D
 
  
You can check Samba 4 by:
 
ps ax | grep "samba" | grep -v grep
 
  
If its running you should see something like:
 
8258 ?        S      0:47 samba
 
8261 ?        S      0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
 
You will only see lines like the last one if you are using ''s3fs'' (which is default).
 
  
= Installing Python 2.6.5 for Samba =
 
If you are having issues with your distribution version of python, you can install python 2.6.5 from this install script, included with the tarball or git files.
 
  
sh install_with_python.sh /usr/local/samba  --enable-debug --enable-selftest
 
  
= Making pastebin easy =
+
= General =
First thing, if you are asking for samba help, you may be asked for logs, configs, exact error messages, or a variety of other things. I use a program called <tt>pastebinit</tt> which can be installed on Ubuntu using <tt>apt-get install pastebinit</tt>.
 
  
I have setup a config in my users home directory called .pastebinit.xml and it contains the following:
+
== Setting the Samba Log Level ==
  
<pastebinit>
+
For details, see [[Setting_the_Samba_Log_Level|Setting the Samba Log Level]].
<pastebin>http://paste.ubuntu.com</pastebin>
 
<author>IRC_Nick</author>
 
<format>text</format>
 
</pastebinit>
 
  
change IRC_Nick to your IRC nickname. You can find out more at http://www.stgraber.org/category/pastebinit/ including other sites pastebinit works with.
 
  
After this is setup, if someone asks you for a config file, you can simply type <tt>pastebinit some.cfg</tt> and it will return a link the other use can use to see your pastebin.
+
 
If you are trying to capture an error you may use something like <tt>samba-tool domain provision 2>&1 | pastebinit</tt>
+
== The <code>net</code> Command Fails to Connect to the <code>127.0.0.1</code> IP Address ==
 +
 
 +
For details, see [[Troubleshooting_Samba_Domain_Members#The_net_Command_Fails_to_Connect_to_the_127.0.0.1_IP_Address|Troubleshooting Samba Domain Members - The net Command Fails to Connect to the 127.0.0.1 IP Address]].
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= Process Management =
 +
 
 +
== Verifying That Samba Is Running ==
 +
 
 +
Use the <code>ps</code> utility to verify that Samba processes are executed:
 +
 
 +
# ps axf | egrep "samba|smbd|winbindd"
 +
...
 +
917 ?        Ss    0:00 /usr/local/samba/sbin/samba -D
 +
923 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
 +
936 ?        Ss    0:00  |  \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 +
940 ?        S      0:00  |      \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 +
941 ?        S      0:00  |      \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 +
943 ?        S      0:00  |      \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 +
924 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
 +
925 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
 +
...
 +
935 ?        Ss    0:00  |  \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
 +
939 ?        S      0:00  |      \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
 +
...
 +
 
 +
{{Imbox
 +
| type = note
 +
| text = Samba Domain Controller do not support network browsing, and thus no <code>nmbd</code> processes are listed.
 +
}}
 +
 
 +
All <code>samba</code>, <code>smbd</code>, and <code>winbindd</code> processes must be child processes of one <code>samba</code> process.
 +
 
 +
If you do not see a process structure as displayed:
 +
 
 +
* Verify your Samba log files to locate the problem. For a detailed output, increase the log level. For details, see [[#Setting_the_Samba_Log_Level|Setting the Samba Log Level]]
 +
 
 +
* Start Samba interactively and watch the output:
 +
 
 +
# samba -i
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= DNS =
 +
 
 +
== DNS Back End-specific Troubleshooting ==
 +
 
 +
See:
 +
 
 +
* [[Samba_Internal_DNS_Back_End#Troubleshooting|Samba INTERNAL_DNS Back End - Troubleshooting]]
 +
* [[BIND9_DLZ_DNS_Back_End#Troubleshooting|BIND9_DLZ DNS Back End - Troubleshooting]]
 +
 
 +
== Issues with DNS during DC join ==
 +
 
 +
=== DNS rcode name error ===
 +
<pre>
 +
Adding DNS A record XXX.XXX.XXX.XXX for IPv4 IP: XX.XX.XX.XX
 +
ERROR(runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
 +
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 185, in _run
 +
    return self.run(*args, **kwargs)
 +
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 699, in run
 +
    backend_store=backend_store)
 +
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1535, in join_DC
 +
    ctx.do_join()
 +
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1436, in do_join
 +
    ctx.join_add_dns_records()
 +
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1178, in join_add_dns_records
 +
    dns_partition=domaindns_zone_dn)
 +
  File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 1069, in dns_lookup
 +
    dns_partition=dns_partition)
 +
</pre>
 +
 
 +
=== DNS zone does not exist ===
 +
<pre>
 +
ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
 +
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
 +
    return self.run(*args, **kwargs)
 +
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
 +
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
 +
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
 +
    ctx.do_join()
 +
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1384, in do_join
 +
    ctx.join_add_dns_records()
 +
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1138, in join_add_dns_records
 +
    None)
 +
</pre>
 +
 
 +
Name or zone errors like above may happen for a number of different reasons. In particular, the name error has been much more common (particularly against Windows). If the domain has been migrated from Windows 2000 or 2003 (including R2 variants and possibly 2008 non-R2), the DNS zones may not have been migrated correctly. Legacy DNS zone locations are not supported in Samba, which only supports fully replicated AD DNS zones (ForestDnsZones, DomainDnsZones). Where an error occurs indicating zone may not exist, it may be the case that the standard AD zone has not been created (despite it appearing to serve records from that location). A full re-import of your DNS database via PowerShell is one way to ensure that DNS records are only in the modern locations.
 +
 
 +
Assuming that these errors are not the result of migration issues, and are the result of issues with the running server, there is a workaround available:
 +
 
 +
{{Imbox
 +
| type = important
 +
| text = Performing these steps out of order may cause replication issues due to some objects being created twice.
 +
}}
 +
 
 +
 
 +
1. During <code>samba-tool</code> domain join, specify the <code>--dns-backend=NONE</code> command line option.
 +
 
 +
2. Perform a <code>samba-tool</code> drs replicate of the DC=ForestDnsZones and DC=DomainDnsZones partitions with the options <code>--local --full-sync</code>.
 +
 
 +
3. Run <code>samba_upgradedns</code> against the new DC database.
 +
 
 +
4. Perform a <code>samba-tool</code> [[dbcheck]] with the <code>--cross-ncs</code> option to correct discrepancies in the creation of the partitions.
 +
 
 +
Optionally, you can now run <code>samba-tool</code> ldapcmp in order to verify that the databases are consistent (noting attributes <code>msDs-masteredBy</code>, <code>msDS-NC-Replica-Locations</code>, <code>msDS-hasMasterNCs</code> have been changed).
 +
 
 +
=== Other Windows compatibility issues ===
 +
 
 +
For some more detail in regards to issues with domains migrated from Windows 2003 R2 or earlier:
 +
* [[Windows_2012_Server_compatibility#Pre-2003_functional_level| Windows Server Compatibility]]
 +
 
 +
= SELinux =
 +
 
 +
For details, see [[Troubleshooting_SELinux_on_a_Samba_AD_DC|Troubleshooting SELinux on a Samba AD DC]].
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= Updating =
 +
 
 +
If you have any problems with your Active Directory (AD) domain controller (DC) after updating Samba, see: [[Updating_Samba#Notable_Enhancements_and_Changes|Notable Enhancements and Changes]].
 +
 
 +
 
 +
 
 +
 
 +
 
 +
----
 +
[[Category:Active Directory]]
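Review bot: The four workaround steps added under "Issues with DNS during DC join" name only the tool and its options (--dns-backend=NONE, --local --full-sync, --cross-ncs) and give no complete command line, although the Imbox directly above them warns that performing the steps out of order may cause replication issues. Suggest writing each step as a literal command in the same "# command" form used under "Verifying That Samba Is Running", and marking the steps up as a wiki numbered list rather than typed "1." to "4.". Two smaller points: the Imbox note "Samba Domain Controller do not support network browsing" should read "Samba domain controllers do not support", and the bullet "For details, see [[#Setting_the_Samba_Log_Level|..." uses a same-page anchor whose target section only forwards to the separate Setting_the_Samba_Log_Level page, so linking to that page directly would save a hop.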

Latest revision as of 04:05, 31 July 2019

Introduction

This documentation helps you to troubleshoot problems users can encounter when running Samba as an Active Directory (AD) domain controller (DC).



General

Setting the Samba Log Level

For details, see Setting the Samba Log Level.


The net Command Fails to Connect to the 127.0.0.1 IP Address

For details, see Troubleshooting Samba Domain Members - The net Command Fails to Connect to the 127.0.0.1 IP Address.



Process Management

Verifying That Samba Is Running

Use the ps utility to verify that the Samba processes are running:

# ps axf | egrep "samba|smbd|winbindd"
...
917 ?        Ss     0:00 /usr/local/samba/sbin/samba -D
923 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
936 ?        Ss     0:00  |   \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
940 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
941 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
943 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
924 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
925 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
...
935 ?        Ss     0:00  |   \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
939 ?        S      0:00  |       \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
...

Note: Samba domain controllers do not support network browsing, so no nmbd processes are listed.

All samba, smbd, and winbindd processes must be child processes of one samba process.

If you do not see the process structure shown above:

  • Check your Samba log files to locate the problem. For more detailed output, increase the log level. For details, see Setting the Samba Log Level.
  • Start Samba interactively and watch the output:
# samba -i
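
The parent/child rule above can be checked mechanically. The following is an added example, not part of the Samba documentation: it reads "PID PPID COMMAND" lines and passes only when every samba, smbd and winbindd process descends from a single samba root. The sample listing is constructed from the tree shown above (its PPID values are assumed), and the check assumes the command column holds the plain binary name.

```shell
#!/bin/sh
# Added example: check that all samba, smbd and winbindd processes hang under
# exactly one root "samba" process. Input on stdin: "PID PPID COMMAND" lines.
check_samba_tree() {
    awk '
    $3 ~ /^(samba|smbd|winbindd)$/ { ppid[$1] = $2; name[$1] = $3 }
    END {
        bad = 0
        for (p in ppid) {
            # Climb while the parent is itself a Samba process.
            top = p; parent = ppid[top]
            while (parent in ppid) { top = parent; parent = ppid[top] }
            if (name[top] == "samba") root[top] = 1
            else { bad++; print "outside the samba tree: PID " p " (" name[p] ")" }
        }
        n = 0
        for (r in root) { n++; rootpid = r }
        if (n == 1 && bad == 0) { print "OK: one samba root, PID " rootpid; exit 0 }
        print "FAIL: " n " samba root(s), " bad " process(es) outside the tree"
        exit 1
    }'
}

# Constructed sample modelled on the listing above (PPID values are assumed).
SAMPLE_PS='1 0 systemd
917 1 samba
923 917 samba
936 923 smbd
940 936 smbd
924 917 samba
925 917 samba
935 925 winbindd
939 935 winbindd'

printf '%s\n' "$SAMPLE_PS" | check_samba_tree
# On a live DC: ps -eo pid=,ppid=,comm= | check_samba_tree
```

A non-zero exit status covers the cases the text lists: no samba process at all, a second independent samba root, or an smbd or winbindd started outside the samba parent.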



DNS

DNS Back End-specific Troubleshooting

See:

  • Samba INTERNAL_DNS Back End - Troubleshooting
  • BIND9_DLZ DNS Back End - Troubleshooting

Issues with DNS during DC join

DNS rcode name error

Adding DNS A record XXX.XXX.XXX.XXX for IPv4 IP: XX.XX.XX.XX
ERROR(runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 699, in run
    backend_store=backend_store)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1535, in join_DC
    ctx.do_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1436, in do_join
    ctx.join_add_dns_records()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1178, in join_add_dns_records
    dns_partition=domaindns_zone_dn)
  File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 1069, in dns_lookup
    dns_partition=dns_partition)

DNS zone does not exist

ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1384, in do_join
    ctx.join_add_dns_records()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1138, in join_add_dns_records
    None) 

Name or zone errors like the ones above can have several causes. The name error has been much more common, particularly against Windows. If the domain has been migrated from Windows 2000 or 2003 (including R2 variants and possibly 2008 non-R2), the DNS zones may not have been migrated correctly. Samba does not support legacy DNS zone locations; it supports only fully replicated AD DNS zones (ForestDnsZones, DomainDnsZones). Where an error indicates that a zone may not exist, the standard AD zone may not have been created, even though the server appears to serve records from that location. A full re-import of your DNS database via PowerShell is one way to ensure that DNS records are only in the modern locations.

Assuming that these errors are not the result of migration issues but of issues with the running server, a workaround is available. Performing the steps out of order may cause replication issues due to some objects being created twice:


1. During samba-tool domain join, specify the --dns-backend=NONE command line option.

2. Perform a samba-tool drs replicate of the DC=ForestDnsZones and DC=DomainDnsZones partitions with the options --local --full-sync.

3. Run samba_upgradedns against the new DC database.

4. Perform a samba-tool dbcheck with the --cross-ncs option to correct discrepancies in the creation of the partitions.

Optionally, you can now run samba-tool ldapcmp to verify that the databases are consistent (noting that the attributes msDs-masteredBy, msDS-NC-Replica-Locations and msDS-hasMasterNCs have been changed).
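
The four steps as one ordered script, given here as an added example rather than commands from the original page. The domain samdom.example.com, the host names dc1 (existing DC) and dc2 (new DC), the Administrator account, the SAMBA_INTERNAL back end and the --fix flag for dbcheck are assumptions; by default the script only prints the commands and stops at the first step that fails.

```shell
#!/bin/sh
# Added example: the DNS join workaround in its required order.
# DRY_RUN=1 (default) prints each command instead of executing it.
DRY_RUN=${DRY_RUN:-1}

# samdom.example.com -> DC=samdom,DC=example,DC=com
domain_dn() { printf 'DC=%s\n' "$1" | sed 's/\./,DC=/g'; }

step() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Arguments: DNS domain, new DC, existing (source) DC, admin user.
dns_join_workaround() {
    base=$(domain_dn "$1")
    # 1. Join without setting up a DNS back end.
    step samba-tool domain join "$1" DC -U "$4" --dns-backend=NONE || return 1
    # 2. Pull both DNS partitions into the local database.
    for nc in ForestDnsZones DomainDnsZones; do
        step samba-tool drs replicate "$2" "$3" "DC=$nc,$base" \
            --local --full-sync -U "$4" || return 1
    done
    # 3. Set up DNS in the new DC database (back end choice is an assumption).
    step samba_upgradedns --dns-backend=SAMBA_INTERNAL || return 1
    # 4. Correct discrepancies across naming contexts (--fix applies the fixes).
    step samba-tool dbcheck --cross-ncs --fix || return 1
    # Optional afterwards: samba-tool ldapcmp ldap://dc1 ldap://dc2
}

# Constructed values; prints the plan because DRY_RUN defaults to 1.
dns_join_workaround samdom.example.com dc2 dc1 Administrator
```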

Other Windows compatibility issues

For more detail on issues with domains migrated from Windows 2003 R2 or earlier, see Windows Server Compatibility.

SELinux

For details, see Troubleshooting SELinux on a Samba AD DC.



Updating

If you have any problems with your Active Directory (AD) domain controller (DC) after updating Samba, see: Notable Enhancements and Changes.