Samba AD DC Troubleshooting

From SambaWiki
Revision as of 08:52, 15 February 2021 by B3it (talk | contribs) (→‎DNS rcode name error)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


This documentation helps you to troubleshoot problems users can encounter when running Samba as an Active Directory (AD) domain controller (DC).


Setting the Samba Log Level

For details, see Setting the Samba Log Level.

The net Command Fails to Connect to the IP Address

For details, see Troubleshooting Samba Domain Members - The net Command Fails to Connect to the IP Address.

Process Management

Verifying That Samba Is Running

Use the ps utility to verify that Samba processes are executed:

# ps axf | egrep "samba|smbd|winbindd"
917 ?        Ss     0:00 /usr/local/samba/sbin/samba -D
923 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
936 ?        Ss     0:00  |   \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
940 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
941 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
943 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
924 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
925 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
935 ?        Ss     0:00  |   \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
939 ?        S      0:00  |       \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground

All samba, smbd, and winbindd processes must be child processes of one samba process.

If you do not see a process structure as displayed:

  • Verify your Samba log files to locate the problem. For a detailed output, increase the log level. For details, see Setting the Samba Log Level
  • Start Samba interactively and watch the output:
# samba -i


DNS Back End-specific Troubleshooting


Issues with DNS during DC join

DNS rcode name error

There is a bug adding DNS entries while joining a domain 13298 - note that this should only affect Samba v4.7 and later.

Adding DNS A record XXX.XXX.XXX.XXX for IPv4 IP: XX.XX.XX.XX
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for MYDOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=MYDOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../../source4/dsdb/common/util.c:4733) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=RID Set,CN=MYDC,OU=Domain Controllers,DC=mydomain,DC=local
Deleted CN=MYDC,OU=Domain Controllers,DC=mydomain,DC=local
Deleted CN=dns-MYDC,CN=Users,DC=mydomain,DC=local
Deleted CN=NTDS Settings,CN=MYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
Deleted CN=MYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
ERROR(runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/", line 185, in _run
    return*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/", line 699, in run
  File "/usr/lib64/python2.7/site-packages/samba/", line 1535, in join_DC
  File "/usr/lib64/python2.7/site-packages/samba/", line 1436, in do_join
  File "/usr/lib64/python2.7/site-packages/samba/", line 1178, in join_add_dns_records
  File "/usr/lib64/python2.7/site-packages/samba/", line 1069, in dns_lookup

DNS zone does not exist

ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/", line 176, in _run
    return*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/", line 1474, in join_DC
  File "/usr/lib/python2.7/dist-packages/samba/", line 1384, in do_join
  File "/usr/lib/python2.7/dist-packages/samba/", line 1138, in join_add_dns_records

Name or zone errors like above may happen for a number of different reasons. In particular, the name error has been much more common (particularly against Windows). If the domain has been migrated from Windows 2000 or 2003 (including R2 variants and possibly 2008 non-R2), the DNS zones may not have been migrated correctly. Legacy DNS zone locations are not supported in Samba, which only supports fully replicated AD DNS zones (ForestDnsZones, DomainDnsZones). Where an error occurs indicating zone may not exist, it may be the case that the standard AD zone has not been created (despite it appearing to serve records from that location). A full re-import of your DNS database via PowerShell is one way to ensure that DNS records are only in the modern locations.

Assuming that these errors are not the result of migration issues, and are the result of issues with the running server, there is a workaround available:

1. During samba-tool domain join, specify the --dns-backend=NONE command line option.

2. Perform a samba-tool drs replicate of the DC=ForestDnsZones and DC=DomainDnsZones partitions with the options --local --full-sync.

3. Run samba_upgradedns against the new DC database.

4. Perform a samba-tool dbcheck with the --cross-ncs option to correct discrepancies in the creation of the partitions.

Optionally, you can now run samba-tool ldapcmp in order to verify that the databases are consistent (noting attributes msDs-masteredBy, msDS-NC-Replica-Locations, msDS-hasMasterNCs have been changed).

Other Windows compatibility issues

For some more detail in regards to issues with domains migrated from Windows 2003 R2 or earlier:


For details, see Troubleshooting SELinux on a Samba AD DC.


If you have any problems with your Active Directory (AD) domain controller (DC) after updating Samba, see: Notable Enhancements and Changes.