Difference between revisions of "Samba AD DC Troubleshooting"

m (moved Samba troubleshooting temp to Samba AD DC Troubleshooting: Removing the "temp" from the title and add "AD DC" (that's what it is for))
(Adding some more topics to troubleshoot a Samba AD DC.)
Line 1: Line 1:
 
= Making sure samba is running =
 
= Making sure samba is running =
You can use the following command to check to see if Samba 3.X is running currently
 
ps ax | grep "mbd\|winbindd" | grep -v grep
 
  
If its running you will see something like:  
+
Use the following command to check if Samba is running:
16491 ?        S      0:48 /usr/local/samba/sbin/smbd -D
+
 
16494 ?        S      0:48 /usr/local/samba/sbin/nmbd -D
+
# ps axf | egrep "samba|smbd|nmbd|winbindd"
  16509 ?        S      0:02 /usr/local/samba/sbin/winbindd -D
+
 
 +
The output should look like the following:
 +
  1577 ?        Ss    0:00 samba
 +
  1578 ?        S      0:00  \_ samba
 +
  1581 ?        Ss    0:00  |  \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 +
  1594 ?        S      0:00  |      \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 +
  1579 ?        S      0:00 \_ samba
 +
  1580 ?        S      0:00  \_ samba
 +
  1582 ?        S      0:00  \_ samba
 +
  ...
 +
 
 +
 
 +
 
 +
= „samba“ or child processes don't start =
 +
 
 +
Check out the [[Samba_port_usage#Port_usage_when_Samba_runs_as_DC|Samba port usage for a Domain Controller]] documentation and compare it with the output of
 +
 
 +
# netstat -tulpn | egrep "samba|smbd|nmbd|winbind"
 +
 
 +
If Samba isn't listening on all ports it should, check your Samba logs for further debugging.
 +
 
 +
 
 +
= Samba Internal DNS doesn't start =
 +
 
 +
The Samba logfile shows
 +
 
 +
[2014/07/05 22:46:07.334864,  0] ../source4/smbd/service_stream.c:346(stream_setup_socket)
 +
  Failed to listen on 127.0.0.1:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
 +
 
 +
Make sure, that no other service is listening on port 53/udp and 53/tcp. Typically for this kind of problem is, that e. g. Dnsmask or a different DNS server is listening on this port. Check by using
 +
 
 +
# netstat -tulpn | grep ":53"
 +
 
 +
It should return only „samba“ processes, bound to this port, if using the Internal DNS.
 +
 
 +
 
 +
 
 +
= kinit/klist don't exist on your system =
 +
 
 +
See [[OS Requirements|OS Requirements]].
 +
 
 +
 
 +
 
 +
= SELinux =
 +
 
 +
Some thoughts on SELinux and discretionary access control permissions that can prevent login using AD users are on the [[Samba_AD_DC_access_control_settings|Samba AD DC Access Control Settings]] page.
  
You can check Samba 4.X by:
 
ps ax | grep "samba" | grep -v grep
 
  
If its running you should see something like:
 
8258 ?        S      0:47 samba
 
8261 ?        S      0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
 
You will only see lines like the last one if you are using ''s3fs'' (which is default).
 
  
 
= Installing Python 2.6.5 for Samba =
 
= Installing Python 2.6.5 for Samba =
If you are having issues with your distribution version of python, you can install python 2.6.5 from this install script, included with the tarball or git files.
+
If you encouter issues with your distribution version of Python, you can install Python 2.6.5 from this install script, included with the tarball or git files:
  
 
  sh install_with_python.sh /usr/local/samba  --enable-debug --enable-selftest
 
  sh install_with_python.sh /usr/local/samba  --enable-debug --enable-selftest
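Review bot: The new ps axf | egrep "samba|smbd|nmbd|winbindd" line in the first section drops the grep -v grep filter that both replaced commands had, so the egrep process itself (its command line contains "samba") will usually appear in the output and the check rarely comes back empty when Samba is down. Keep the filter or use a bracket pattern such as "[s]amba|[s]mbd|[n]mbd|[w]inbindd". In the added Internal DNS section, grep ":53" also matches ports such as :5353, so ":53 " with a trailing space would be tighter. "Dnsmask" there should read "Dnsmasq", and "encouter" in the Python section is a typo.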
Line 23: Line 60:
 
You will also need to add <tt>export PATH=/usr/local/samba/python/bin:/usr/local/samba/bin:/usr/local/samba/sbin:$PATH</tt> to the end of your ~/.bashrc file before things will work properly.
 
You will also need to add <tt>export PATH=/usr/local/samba/python/bin:/usr/local/samba/bin:/usr/local/samba/sbin:$PATH</tt> to the end of your ~/.bashrc file before things will work properly.
  
= Making pastebin easy =
 
First thing, if you are asking for samba help, you may be asked for logs, configs, exact error messages, or a variety of other things. I use a program called <tt>pastebinit</tt> which can be installed on Ubuntu using <tt>apt-get install pastebinit</tt>.
 
  
I have setup a config in my users home directory called .pastebinit.xml and it contains the following:
 
  
<pastebinit>
+
= Checking the logs =
<pastebin>http://paste.ubuntu.com</pastebin>
 
<author>IRC_Nick</author>
 
<format>text</format>
 
</pastebinit>
 
  
change IRC_Nick to your IRC nickname. You can find out more at http://www.stgraber.org/category/pastebinit/ including other sites pastebinit works with.
+
If you installed Samba from source and didn't specify a prefix during configure, your logs should be located in <tt>/usr/local/samba/var/</tt>, unless you have specified a <tt>log file = </tt> directive in your smb.conf. This can be checked by using either <tt>testparm -v</tt> (for the samba 3.X series) or <tt>samba-tool testparm -v</tt> (for the samba 4.X series), this will provide a lot of output so you can also add a <tt>| grep "log file"</tt>
  
After this is setup, if someone asks you for a config file, you can simply type <tt>pastebinit some.cfg</tt> and it will return a link the other use can use to see your pastebin.
+
Sometimes the log file will not have the info you need, so you will need to turn up the amount of logging that needs done but adding the following line to your smb.conf in the [global] section:
If you are trying to capture an error you may use something like <tt>samba-tool domain provision 2>&1 | pastebinit</tt>
 
  
= Checking the logs =
+
log level = 3
If you installed samba from source and didn't specify a prefix during configure, your logs should be located in <tt>/usr/local/samba/var/</tt>, unless you have specified a <tt>log file = </tt> directive in your smb.conf. This can be checked by using either <tt>testparm -v</tt> (for the samba 3.X series) or <tt>samba-tool testparm -v</tt> (for the samba 4.X series), this will provide a lot of output so you can also add a <tt>| grep "log file"</tt>
 
  
Sometimes the log file will not have the info you need, so you will need to turn up the amount of logging that needs done but adding the following line to your smb.conf in the [global] section:
 
log level = 3
 
 
by default samba only logs at level 0, so start low and turn it up slowly, you will want to restart samba after making this change.
 
by default samba only logs at level 0, so start low and turn it up slowly, you will want to restart samba after making this change.
 +
 
*Note: If you add grep to the command it will silently prompt you to press enter.
 
*Note: If you add grep to the command it will silently prompt you to press enter.
 
= Checking your system for ports samba needs =
 
If samba appears to be running, but something isn't working quite right, you should double check that another program isn't using a port it needs. The first thing to do is look through the logs for lines like
 
Failed to bind to 0.0.0.0:'''53''' TCP - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
 
If you find one use the following method to check what is using the port. In the following example I will be checking to see if something is using the DNS port ('''53'''), but this could easily be adapted to LDAP (ports 389 and 636), a KDC Server (port 464) or any other port that may be in use:
 
netstat -anp | grep "LISTEN " | grep 53
 
 
you should receive output like the following:
 
tcp        0      0 0.0.0.0:53              0.0.0.0:*              LISTEN      27805/samba
 
 
if anything else is running on that port it may look like:
 
tcp        0      0 127.0.0.1:53            0.0.0.0:*              LISTEN      1075/named
 
 
in which case you will need to either specifically bind samba to a certain interface, or simply kill the program that is running (in this example the pid is 1075 for named) by using <tt>kill 1075</tt>, to bind samba to a certain interface add the following to the [global] section of your smb.conf
 
bind interfaces only = yes
 
interfaces = 192.168.1.1
 
you can have more interfaces by using something like <tt>interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0</tt>
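Review bot: Removing the "Checking your system for ports samba needs" section drops the only remediation this page gave for a port conflict, namely the bind interfaces only = yes and interfaces = settings, together with the hint that the same check applies to LDAP (389 and 636) and the KDC port. The new Internal DNS section only says to make sure nothing else listens on port 53 and gives no way to resolve it. Consider keeping the smb.conf snippet under that section, or linking to the page where it now lives.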
 

Revision as of 23:41, 5 July 2014

Making sure samba is running

Use the following command to check if Samba is running:

# ps axf | egrep "samba|smbd|nmbd|winbindd"

The output should look like the following:

 1577 ?        Ss     0:00 samba
 1578 ?        S      0:00  \_ samba
 1581 ?        Ss     0:00  |   \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 1594 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 1579 ?        S      0:00  \_ samba
 1580 ?        S      0:00  \_ samba
 1582 ?        S      0:00  \_ samba
 ...


„samba“ or child processes don't start

Check the Samba port usage for a Domain Controller documentation and compare it with the output of:

# netstat -tulpn | egrep "samba|smbd|nmbd|winbind"

If Samba isn't listening on all ports it should, check your Samba logs for further debugging.


Samba Internal DNS doesn't start

The Samba log file shows:

[2014/07/05 22:46:07.334864,  0] ../source4/smbd/service_stream.c:346(stream_setup_socket)
  Failed to listen on 127.0.0.1:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED

Make sure that no other service is listening on port 53/udp and 53/tcp. A typical cause of this problem is that Dnsmasq or a different DNS server is listening on this port. Check by using:

# netstat -tulpn | grep ":53"

If you are using the Internal DNS, it should return only „samba“ processes bound to this port.
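
The port 53 check above, carried one step further as an added example that is not part of the wiki page: it takes the conflicting port from the log message and lists every listener on exactly that port that is not samba. The function names and the netstat rows are constructed for illustration; the log lines are the ones shown above.

```shell
#!/bin/sh
# Added example, not from the Samba wiki. Both samples are constructed.

sample_log() { cat <<'EOF'
[2014/07/05 22:46:07.334864,  0] ../source4/smbd/service_stream.c:346(stream_setup_socket)
  Failed to listen on 127.0.0.1:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
EOF
}

sample_netstat() { cat <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address State   PID/Program name
tcp        0      0 192.168.1.1:53  0.0.0.0:*       LISTEN  27805/samba
tcp        0      0 127.0.0.1:53    0.0.0.0:*       LISTEN  1075/named
tcp6       0      0 :::53           :::*            LISTEN  27805/samba
udp        0      0 127.0.0.1:53    0.0.0.0:*               1075/named
udp        0      0 0.0.0.0:5353    0.0.0.0:*               812/avahi-daemon: r
EOF
}

# Ports named in "address already associated" log lines, one per line.
conflict_ports() {
    awk '/NT_STATUS_ADDRESS_ALREADY_ASSOCIATED/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /:[0-9]+$/) { n = split($i, a, ":"); print a[n]; break }
    }' | sort -un
}

# Listeners on exactly port $1 whose owner is not samba (netstat -tulpn on stdin).
non_samba_listeners() {
    awk -v port="$1" '$1 ~ /^(tcp|udp)/ {
        n = split($4, a, ":")            # text after the last ":" is the port,
        if (a[n] != port) next           # so :::53 matches and :5353 does not
        owner = "-"                      # "-" = owner hidden (netstat not run as root)
        for (i = 5; i <= NF; i++)
            if ($i ~ /^[0-9]+\//) { owner = $i; break }
        prog = owner; sub(/^[0-9]+\//, "", prog)
        if (prog != "samba" && prog !~ /^samba:/) print $1, $4, owner
    }'
}

# Demo on the samples; on a DC, feed the real log and `netstat -tulpn` instead.
for p in $(sample_log | conflict_ports); do
    sample_netstat | non_samba_listeners "$p"
done
```

An owner of "-" in the result means netstat could not see the process, which happens when it is not run as root.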


kinit/klist don't exist on your system

See OS Requirements.


SELinux

Some thoughts on SELinux and discretionary access control permissions that can prevent login using AD users are on the Samba AD DC Access Control Settings page.


Installing Python 2.6.5 for Samba

If you encounter issues with your distribution version of Python, you can install Python 2.6.5 from this install script, included with the tarball or git files:

sh install_with_python.sh /usr/local/samba  --enable-debug --enable-selftest

You will also need to add export PATH=/usr/local/samba/python/bin:/usr/local/samba/bin:/usr/local/samba/sbin:$PATH to the end of your ~/.bashrc file before things will work properly.


Checking the logs

If you installed Samba from source and didn't specify a prefix during configure, your logs should be located in /usr/local/samba/var/, unless you have specified a log file = directive in your smb.conf. You can check this with either testparm -v (for the Samba 3.X series) or samba-tool testparm -v (for the Samba 4.X series). This produces a lot of output, so you can also add | grep "log file" to the command.

Sometimes the log file will not have the information you need. In that case, increase the amount of logging by adding the following line to the [global] section of your smb.conf:

log level = 3

By default Samba only logs at level 0, so start low and turn it up slowly. Restart Samba after making this change.

  • Note: If you add grep to the command, it will silently prompt you to press Enter.