Samba AD DC Troubleshooting: Difference between revisions

From SambaWiki
m (moved Samba troubleshooting temp to Samba AD DC Troubleshooting: Removing the "temp" from the title and add "AD DC" (that's what it is for))
(Adding some more topics to troubleshoot a Samba AD DC.)
Line 1: Line 1:
= Making sure samba is running =
= Making sure samba is running =
You can use the following command to check to see if Samba 3.X is running currently
ps ax | grep "mbd\|winbindd" | grep -v grep


Use the following command to check if Samba is running:
If its running you will see something like:
16491 ? S 0:48 /usr/local/samba/sbin/smbd -D
16494 ? S 0:48 /usr/local/samba/sbin/nmbd -D
16509 ? S 0:02 /usr/local/samba/sbin/winbindd -D


# ps axf | egrep "samba|smbd|nmbd|winbindd"
You can check Samba 4.X by:
ps ax | grep "samba" | grep -v grep


The output should look like the following:
If its running you should see something like:
8258 ? S 0:47 samba
1577 ? Ss 0:00 samba
8261 ? S 0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
1578 ? S 0:00 \_ samba
1581 ? Ss 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
You will only see lines like the last one if you are using ''s3fs'' (which is default).
1594 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
1579 ? S 0:00 \_ samba
1580 ? S 0:00 \_ samba
1582 ? S 0:00 \_ samba
...


= Installing Python 2.6.5 for Samba =
If you are having issues with your distribution version of python, you can install python 2.6.5 from this install script, included with the tarball or git files.


sh install_with_python.sh /usr/local/samba --enable-debug --enable-selftest


= „samba“ or child processes don't start =
You will also need to add <tt>export PATH=/usr/local/samba/python/bin:/usr/local/samba/bin:/usr/local/samba/sbin:$PATH</tt> to the end of your ~/.bashrc file before things will work properly.


Check out the [[Samba_port_usage#Port_usage_when_Samba_runs_as_DC|Samba port usage for a Domain Controller]] documentation and compare it with the output of
= Making pastebin easy =
First thing, if you are asking for samba help, you may be asked for logs, configs, exact error messages, or a variety of other things. I use a program called <tt>pastebinit</tt> which can be installed on Ubuntu using <tt>apt-get install pastebinit</tt>.


# netstat -tulpn | egrep "samba|smbd|nmbd|winbind"
I have setup a config in my users home directory called .pastebinit.xml and it contains the following:


If Samba isn't listening on all ports it should, check your Samba logs for further debugging.
<pastebinit>

<pastebin>http://paste.ubuntu.com</pastebin>

<author>IRC_Nick</author>
= Samba Internal DNS doesn't start =
<format>text</format>

</pastebinit>
The Samba logfile shows

[2014/07/05 22:46:07.334864, 0] ../source4/smbd/service_stream.c:346(stream_setup_socket)
Failed to listen on 127.0.0.1:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED

Make sure, that no other service is listening on port 53/udp and 53/tcp. Typically for this kind of problem is, that e. g. Dnsmask or a different DNS server is listening on this port. Check by using

# netstat -tulpn | grep ":53"

It should return only „samba“ processes, bound to this port, if using the Internal DNS.



= kinit/klist don't exist on your system =

See [[OS Requirements|OS Requirements]].



= SELinux =

Some thoughts on SELinux and discretionary access control permissions that can prevent login using AD users are on the [[Samba_AD_DC_access_control_settings|Samba AD DC Access Control Settings]] page.



= Installing Python 2.6.5 for Samba =
If you encouter issues with your distribution version of Python, you can install Python 2.6.5 from this install script, included with the tarball or git files:

sh install_with_python.sh /usr/local/samba --enable-debug --enable-selftest

You will also need to add <tt>export PATH=/usr/local/samba/python/bin:/usr/local/samba/bin:/usr/local/samba/sbin:$PATH</tt> to the end of your ~/.bashrc file before things will work properly.


change IRC_Nick to your IRC nickname. You can find out more at http://www.stgraber.org/category/pastebinit/ including other sites pastebinit works with.


After this is setup, if someone asks you for a config file, you can simply type <tt>pastebinit some.cfg</tt> and it will return a link the other use can use to see your pastebin.
If you are trying to capture an error you may use something like <tt>samba-tool domain provision 2>&1 | pastebinit</tt>


= Checking the logs =
= Checking the logs =

If you installed samba from source and didn't specify a prefix during configure, your logs should be located in <tt>/usr/local/samba/var/</tt>, unless you have specified a <tt>log file = </tt> directive in your smb.conf. This can be checked by using either <tt>testparm -v</tt> (for the samba 3.X series) or <tt>samba-tool testparm -v</tt> (for the samba 4.X series), this will provide a lot of output so you can also add a <tt>| grep "log file"</tt>
If you installed Samba from source and didn't specify a prefix during configure, your logs should be located in <tt>/usr/local/samba/var/</tt>, unless you have specified a <tt>log file = </tt> directive in your smb.conf. This can be checked by using either <tt>testparm -v</tt> (for the samba 3.X series) or <tt>samba-tool testparm -v</tt> (for the samba 4.X series), this will provide a lot of output so you can also add a <tt>| grep "log file"</tt>


Sometimes the log file will not have the info you need, so you will need to turn up the amount of logging that needs done but adding the following line to your smb.conf in the [global] section:
Sometimes the log file will not have the info you need, so you will need to turn up the amount of logging that needs done but adding the following line to your smb.conf in the [global] section:

log level = 3
log level = 3

by default samba only logs at level 0, so start low and turn it up slowly, you will want to restart samba after making this change.
by default samba only logs at level 0, so start low and turn it up slowly, you will want to restart samba after making this change.
*Note: If you add grep to the command it will silently prompt you to press enter.

= Checking your system for ports samba needs =
If samba appears to be running, but something isn't working quite right, you should double check that another program isn't using a port it needs. The first thing to do is look through the logs for lines like
Failed to bind to 0.0.0.0:'''53''' TCP - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
If you find one use the following method to check what is using the port. In the following example I will be checking to see if something is using the DNS port ('''53'''), but this could easily be adapted to LDAP (ports 389 and 636), a KDC Server (port 464) or any other port that may be in use:
netstat -anp | grep "LISTEN " | grep 53


*Note: If you add grep to the command it will silently prompt you to press enter.
you should receive output like the following:
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 27805/samba

if anything else is running on that port it may look like:
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1075/named

in which case you will need to either specifically bind samba to a certain interface, or simply kill the program that is running (in this example the pid is 1075 for named) by using <tt>kill 1075</tt>, to bind samba to a certain interface add the following to the [global] section of your smb.conf
bind interfaces only = yes
interfaces = 192.168.1.1
you can have more interfaces by using something like <tt>interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0</tt>
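Review bot: the new "Samba Internal DNS doesn't start" section tells the reader to confirm that only samba is bound to port 53, but it drops the remedy the removed "Checking your system for ports samba needs" section gave when another program holds the port: kill that program, or set "bind interfaces only = yes" with an "interfaces =" line in [global]. Suggest carrying that remedy over, together with the removed remark that the same check applies to LDAP (ports 389 and 636) and the KDC port, since the replacement text covers only DNS. Smaller points in the added lines: "encouter" should be "encounter", "Dnsmask" should be "Dnsmasq", and the retained "Note: If you add grep to the command ..." line now follows the log level paragraph, where it is no longer clear that it refers to the testparm command.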

Revision as of 23:41, 5 July 2014

Making sure samba is running

Use the following command to check if Samba is running:

# ps axf | egrep "samba|smbd|nmbd|winbindd"

The output should look like the following:

 1577 ?        Ss     0:00 samba
 1578 ?        S      0:00  \_ samba
 1581 ?        Ss     0:00  |   \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 1594 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 1579 ?        S      0:00  \_ samba
 1580 ?        S      0:00  \_ samba
 1582 ?        S      0:00  \_ samba
 ...


„samba“ or child processes don't start

Check the Samba port usage for a Domain Controller documentation and compare it with the output of:

# netstat -tulpn | egrep "samba|smbd|nmbd|winbind"

If Samba isn't listening on all the ports it should, check your Samba logs for further debugging.


Samba Internal DNS doesn't start

The Samba log file shows:

[2014/07/05 22:46:07.334864,  0] ../source4/smbd/service_stream.c:346(stream_setup_socket)
  Failed to listen on 127.0.0.1:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED

Make sure that no other service is listening on port 53/udp and 53/tcp. This problem is typically caused by e.g. Dnsmasq or a different DNS server listening on this port. Check by using:

# netstat -tulpn | grep ":53"

If you are using the Internal DNS, it should return only „samba“ processes bound to this port.
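The check described in this section, as an added shell example (not part of the SambaWiki page): it takes the port from the "Failed to listen" log line and lists non-Samba listeners on exactly that port, so a listener on :5353 is not mistaken for :53 the way a plain grep ":53" would match it. The log excerpt is the one shown above, the netstat sample is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Log excerpt as shown on this page; netstat output is constructed.
SAMPLE_LOG='[2014/07/05 22:46:07.334864,  0] ../source4/smbd/service_stream.c:346(stream_setup_socket)
  Failed to listen on 127.0.0.1:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED'

# Constructed `netstat -tulpn` lines: dnsmasq holds port 53, avahi holds 5353.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:53       0.0.0.0:*      LISTEN      1075/dnsmasq
udp        0      0 127.0.0.1:53       0.0.0.0:*                  1075/dnsmasq
udp        0      0 0.0.0.0:5353       0.0.0.0:*                  812/avahi-daemon
tcp        0      0 0.0.0.0:445        0.0.0.0:*      LISTEN      1581/smbd
tcp        0      0 0.0.0.0:389        0.0.0.0:*      LISTEN      1578/samba'

# Read Samba log text on stdin; print each port Samba failed to bind, once.
failed_ports() {
    sed -n 's/.*Failed to listen on .*:\([0-9][0-9]*\) - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED.*/\1/p' |
        sort -un
}

# Read `netstat -tulpn` output on stdin; print "proto address pid/program"
# for every listener on exactly port $1 that is not a Samba process.
foreign_listeners() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            n = split($4, a, ":")            # port is the last ":" field (IPv6 safe)
            if (a[n] != port) next
            owner = "-"                       # "-" when netstat ran without root
            for (i = 5; i <= NF; i++)
                if ($i ~ /^[0-9]+\//) { owner = $i; break }
            prog = owner
            sub(/^[0-9]+\//, "", prog)
            if (prog !~ /^(samba|smbd|nmbd|winbindd)(:|$)/)
                print $1, $4, owner
        }'
}

# $1 = log text, $2 = netstat text; print every conflicting listener.
check_conflicts() {
    printf '%s\n' "$1" | failed_ports | while read -r port; do
        printf '%s\n' "$2" | foreign_listeners "$port"
    done
}

check_conflicts "$SAMPLE_LOG" "$SAMPLE_NETSTAT"
```

On a live system, pass the contents of your Samba log and the output of netstat -tulpn (run as root so the PID/program column is filled in) instead of the sample variables.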


kinit/klist don't exist on your system

See OS Requirements.


SELinux

Some thoughts on SELinux and discretionary access control permissions that can prevent login using AD users are on the Samba AD DC Access Control Settings page.


Installing Python 2.6.5 for Samba

If you encounter issues with your distribution version of Python, you can install Python 2.6.5 from this install script, included with the tarball or git files:

sh install_with_python.sh /usr/local/samba  --enable-debug --enable-selftest

You will also need to add export PATH=/usr/local/samba/python/bin:/usr/local/samba/bin:/usr/local/samba/sbin:$PATH to the end of your ~/.bashrc file before things will work properly.


Checking the logs

If you installed Samba from source and didn't specify a prefix during configure, your logs should be located in /usr/local/samba/var/, unless you have specified a log file = directive in your smb.conf. You can check this with either testparm -v (for the Samba 3.X series) or samba-tool testparm -v (for the Samba 4.X series). This produces a lot of output, so you can also add | grep "log file".

Sometimes the log file will not have the information you need, so you will need to increase the amount of logging by adding the following line to the [global] section of your smb.conf:

log level = 3

By default Samba only logs at level 0, so start low and turn it up slowly. You will want to restart Samba after making this change.

  • Note: If you add grep to the testparm command, it will silently prompt you to press enter.