Difference between revisions of "Samba AD DC Troubleshooting"

From SambaWiki
(Moving "Replication DNS between Win AD DC fail" from the "Join as DC" documentation to this page. Here it is more suitable.)
Revision as of 18:15, 22 April 2015


This page will help to find & cure common problems that may occur when setting up or running a Samba AD Domain Controller.

Making sure samba is running

Use the following command to check if Samba is running:

# ps axf | egrep "samba|smbd|nmbd|winbindd"

The output should look like the following:

 1577 ?        Ss     0:00 samba
 1578 ?        S      0:00  \_ samba
 1581 ?        Ss     0:00  |   \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 1594 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 1579 ?        S      0:00  \_ samba
 1580 ?        S      0:00  \_ samba
 1582 ?        S      0:00  \_ samba

"samba" or child processes don't start

Compare the Samba port usage for a Domain Controller documentation with the output of

# netstat -tulpn | egrep "samba|smbd|nmbd|winbind"

If Samba isn't listening on all ports it should, check your Samba logs for further debugging.

Samba Internal DNS doesn't start

The Samba log file shows

[2014/07/05 22:46:07.334864,  0] ../source4/smbd/service_stream.c:346(stream_setup_socket)

Make sure that no other service is listening on port 53/udp and 53/tcp. Typically this problem is caused by Dnsmasq or a different DNS server already listening on this port. Check with

# netstat -tulpn | grep ":53"

If you use the internal DNS, it should return only "samba" processes bound to this port.
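The two checks above (all expected DC ports have a listener, and only Samba owns port 53) can be run in one pass over the netstat output. This is an added example, not a script from the Samba project; the expected port list is taken from the Samba port usage documentation, the dynamic RPC range is left out, and the netstat sample is constructed.

```shell
#!/bin/sh
# Added example, not from the Samba project: compare `netstat -tulpn` output
# against the ports a Samba AD DC is expected to listen on.

# Ports from the Samba "port usage for a Domain Controller" documentation;
# the dynamic RPC range (49152-65535) is not checked here.
SAMBA_DC_PORTS="53 88 135 137 138 139 389 445 464 636 3268 3269"

# Constructed sample of `netstat -tulpn` output showing the classic failure:
# dnsmasq already owns port 53 and several DC ports have no listener at all.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      900/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           900/dnsmasq
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      1577/samba
udp        0      0 0.0.0.0:88              0.0.0.0:*                           1577/samba
tcp6       0      0 :::445                  :::*                    LISTEN      1581/smbd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      700/sshd'

# Print "<port> <proto> <program>" for every listening socket read from stdin.
# The PID/Program column is always last, and udp lines lack the State column,
# so we use $NF rather than a fixed column number; ":::445" splits fine too.
listeners() {
    awk '$NF ~ /\// {
        n = split($4, a, ":")
        split($NF, p, "/")
        print a[n], $1, p[2]
    }'
}

# For each expected port report a missing listener or a listener that is not a
# Samba process (samba, smbd, nmbd, winbindd).  Returns 1 if anything is wrong.
check_dc_ports() {
    lst=$(listeners)
    rc=0
    for port in $SAMBA_DC_PORTS; do
        progs=$(printf '%s\n' "$lst" | awk -v p="$port" '$1 == p { print $3 }' | sort -u)
        if [ -z "$progs" ]; then
            echo "port $port: nothing listening"
            rc=1
        elif printf '%s\n' "$progs" | grep -Evq '^(samba|smbd|nmbd|winbindd)$'; then
            echo "port $port: foreign listener:" $progs
            rc=1
        fi
    done
    return $rc
}

# Live use on the DC:   netstat -tulpn | check_dc_ports
# Demo on the sample:   printf '%s\n' "$SAMPLE_NETSTAT" | check_dc_ports
```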

kinit/klist don't exist on your system

See OS Requirements.

DNS replication between Windows AD DCs fails

Steps provided by xdexter. Some users report that the DNS records on their Windows AD DC do not replicate back to the Samba DC.

# samba-tool drs showrepl

does not show DC=ForestDnsZones and DC=DomainDnsZones under "OUTBOUND NEIGHBORS".

The following steps were recorded on Windows 2003; Windows 2008 may differ.

1. Log on to a Windows domain controller with an Enterprise Admin account (preferably the replication partner of the problematic DC).

2. Run ntdsutil on the domain controller.

3. Run the "domain management" command in ntdsutil.

4. Run the "Connections" command, then connect to the local server with "Connect to server localdcname" (replace localdcname with the local DC's hostname).

5. Press q and Enter.

6. Run the following command. You will see that the problematic server is not listed in the output, although it should be, since it has the DNS server installed.

 If you are replicating a DNS zone to the forest, run "List NC Replicas DC=ForestDnsZones,DC=domain,DC=com".
 If you are replicating a DNS zone to the domain, run "List NC Replicas DC=DomainDnsZones,DC=domain,DC=com".
 Before continuing to the next step, make sure that there is no object under the "LostAndFoundConfig" container (it serves as a container for lost forest-wide objects).
 You can check this with ADSIEDIT.msc under the Configuration partition. If there is an object, first check its "lastKnownParent" attribute; if you decide it is not an orphaned object, move it back to its location.
 If you decide it is an orphaned object, delete it.

7. Now add the problematic domain controller (the one with the DNS server installed) to the NCs you are replicating, by running the following commands.

8. For the forest-wide DNS partition:

  "Add NC Replica DC=ForestDnsZones,DC=domain,DC=com problemdcname.domain.com" (the problematic DC name must be given as a fully qualified DNS name).
  For the domain-wide DNS partition:
  "Add NC Replica DC=DomainDnsZones,DC=domain,DC=com problemdcname.domain.com" (the problematic DC name must be given as a fully qualified DNS name).

9. Force replication on the problematic DC from its partner (the DC on which you ran steps 1 to 8).
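The replica list that "List NC Replicas" shows is stored in the msDS-NC-Replica-Locations attribute of the partition's crossRef object under CN=Partitions, so the same check can be made from the Samba DC with ldbsearch. This is an added example, not Samba's own tooling: the sam.ldb path and the domain DN are placeholders, and the LDIF sample is constructed (it deliberately contains LDIF line folding, which has to be undone before the DNs can be parsed).

```shell
#!/bin/sh
# Added example, not Samba's own tooling: read which DCs are configured as
# replicas of a DNS application partition from the crossRef object's
# msDS-NC-Replica-Locations attribute, as ldbsearch prints it (LDIF).
# Assumed: sam.ldb lives at /usr/local/samba/private/sam.ldb and the domain
# is DC=samdom,DC=example,DC=com (both placeholders).

# Constructed ldbsearch output.  LDIF folds long values: a line beginning with
# a space continues the previous line, so the DNs must be unfolded first.
SAMPLE_LDIF='# record 1
dn: CN=ForestDnsZones,CN=Partitions,CN=Configuration,DC=samdom,DC=example,DC=com
msDS-NC-Replica-Locations: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-S
 ite-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
msDS-NC-Replica-Locations: CN=NTDS Settings,CN=WIN2003DC,CN=Servers,CN=Default-Fi
 rst-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

# returned 1 records'

# Unfold LDIF read from stdin, then print the server name from each replica
# location.  Each value is the DN of that DC's "NTDS Settings" object:
#   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
nc_replica_servers() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' | awk -F': ' '
        tolower($1) == "msds-nc-replica-locations" {
            n = split($2, rdn, ",")
            if (n > 2 && rdn[2] ~ /^CN=/) print substr(rdn[2], 4)
        }
    '
}

# Exit 0 if DC "$1" (short name, case-insensitive) is among the replicas.
is_nc_replica() {
    nc_replica_servers | grep -qix "$1"
}

# Query a live Samba DC for one partition: ForestDnsZones or DomainDnsZones.
live_nc_replicas() {
    ldbsearch -H /usr/local/samba/private/sam.ldb \
        -b "CN=Partitions,CN=Configuration,DC=samdom,DC=example,DC=com" \
        "(nCName=DC=$1,DC=samdom,DC=example,DC=com)" msDS-NC-Replica-Locations |
        nc_replica_servers
}

# Demo:  printf '%s\n' "$SAMPLE_LDIF" | is_nc_replica win2003dc && echo listed
```

If the problematic DC is missing from this list on the Samba side as well, the "Add NC Replica" step above has not replicated yet or was run against the wrong partition.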


Some thoughts on SELinux and discretionary access control permissions that can prevent login using AD users are on the Samba AD DC Access Control Settings page.

Installing Python 2.6.5 for Samba

If you encounter issues with your distribution's version of Python, you can install Python 2.6.5 with this install script, included with the tarball or git files:

sh install_with_python.sh /usr/local/samba  --enable-debug --enable-selftest

You will also need to append export PATH=/usr/local/samba/python/bin:/usr/local/samba/bin:/usr/local/samba/sbin:$PATH to the end of your ~/.bashrc file before things will work properly.

Checking the logs

If you installed Samba from source and didn't specify a prefix during configure, your logs should be located in /usr/local/samba/var/, unless you have specified a log file = directive in your smb.conf. You can check this with either testparm -v (for the Samba 3.X series) or samba-tool testparm -v (for the Samba 4.X series). Both produce a lot of output, so you can append | grep "log file" to the command.

Sometimes the log file will not have the information you need, so you will need to increase the amount of logging by adding the following line to the [global] section of your smb.conf:

log level = 3

By default Samba only logs at level 0, so start low and turn it up slowly. You will need to restart Samba after making this change.

  • Note: If you pipe the testparm command into grep, it will silently wait for you to press Enter.