Could not connect to samba LDAP server: connect: Connection refused

[MaverickZA]

Hi All,

I am having the following issue with a Zentyal server running as an additional DC, the other domain controllers are Zentyal as well.

The issue started happening after we lost power at one of our sites, now the entyal DC comes up, however the samba and DNS module in the dashboard refuse to start, this is the output of the log - /var/log/zentyal/zentyal.log;

2013/09/23 15:09:31 INFO> Service.pm:949 EBox::Module::Service::restartService - Restarting service for module: samba
2013/09/23 15:09:32 WARN> LDB.pm:193 EBox::LDB::safeConnect - Could not connect to samba LDAP server: connect: Connection refused, retrying. (1 attempts)
2013/09/23 15:09:34 INFO> SysvolSync.pm:204 EBox::Samba::SysvolSync::run - Samba sysvol synchronizer script started
2013/09/23 15:09:42 WARN> LDB.pm:193 EBox::LDB::safeConnect - Could not connect to samba LDAP server: connect: Connection refused, retrying. (100 attempts)
2013/09/23 15:09:52 WARN> LDB.pm:193 EBox::LDB::safeConnect - Could not connect to samba LDAP server: connect: Connection refused, retrying. (200 attempts)
2013/09/23 15:10:02 WARN> LDB.pm:193 EBox::LDB::safeConnect - Could not connect to samba LDAP server: connect: Connection refused, retrying. (300 attempts)
2013/09/23 15:10:02 DEBUG> LDB.pm:197 EBox::LDB::safeConnect - FATAL: Could not connect to samba LDAP server: connect: Connection refused
2013/09/23 15:10:02 ERROR> Service.pm:954 EBox::Module::Service::__ANON__ - Error restarting service: FATAL: Could not connect to samba LDAP server: connect: Connection refused
2013/09/23 15:10:07 INFO> Service.pm:949 EBox::Module::Service::restartService - Restarting service for module: samba
2013/09/23 15:10:08 WARN> LDB.pm:193 EBox::LDB::safeConnect - Could not connect to samba LDAP server: connect: Connection refused, retrying. (1 attempts)
2013/09/23 15:10:09 INFO> SysvolSync.pm:204 EBox::Samba::SysvolSync::run - Samba sysvol synchronizer script started
2013/09/23 15:10:18 WARN> LDB.pm:193 EBox::LDB::safeConnect - Could not connect to samba LDAP server: connect: Connection refused, retrying. (100 attempts)
2013/09/23 15:10:28 WARN> LDB.pm:193 EBox::LDB::safeConnect - Could not connect to samba LDAP server: connect: Connection refused, retrying. (200 attempts)
2013/09/23 15:10:38 WARN> LDB.pm:193 EBox::LDB::safeConnect - Could not connect to samba LDAP server: connect: Connection refused, retrying. (300 attempts)
2013/09/23 15:10:38 DEBUG> LDB.pm:197 EBox::LDB::safeConnect - FATAL: Could not connect to samba LDAP server: connect: Connection refused
2013/09/23 15:10:38 ERROR> Service.pm:954 EBox::Module::Service::__ANON__ - Error restarting service: FATAL: Could not connect to samba LDAP server: connect: Connection refused

I have tried to start the services manually within the CLI but with no luck.

Any suggestions on how I can get this back up and running?

Thanks

[Cédric RICARD]

I have the same problem since the upgrade of zentyal-samba component, from version 3.2.1 (was working) to version 3.2.2 (doesn't work due to this error).

[jaykay]

I too am having the same issue with the LDAP authentication. I have set zentyal 3.2 up 5 times over the last week and had the same problem appear 5 times, I have tried on 3 different computers too. I think 3.2 is a big improvement over the previous version its just unfortunate that it doesn't work. Every time it has happened it has occurred when changes are saved but it seems to be random when it breaks (so its not the same event triggering it). The last time everything was working, users were created, shares created, groups, PCs were on the domain then I made a change to mail and it all fell in a heap when the changes were saved.

Ok ill add a little update:
I have managed to get it back up again and nothing has been lost which is great but it will be interesting to see if its a little more stable this time.
what I did was the following:

apt-get remove samba4

restarted the server

sudo apt-get upgrade

sudo apt-get install zentyal-office

Initially it still had an error with samba but all the users and shares were still there.
I then ran all the updates and rebooted the server again and there were no more errors and every thing appears to be working again.

[christian]

I too am having the same issue with the LDAP authentication.

Is it authentication issue ? Aren't you using Kerberos as authentication mechanism instead of LDAP ?

[jaykay]

sorry, poor choice of terminology.. my bad

[christian]

I'm not so sure your choice is bad. What I wanted to highlight with my point is that even "the way it works" and what should be investigated is not yet clear.

Just to take an example of why this is not that simple:
- Kerberos, high level, is quite simple but is in fact quite complex and there is a lot of reason why it may fail.
- Because of this, in the Microsoft implementation, when you authenticate with your workstation, if Kerberos fails, then client and server both revert back transparently to NTLM 
- one may imagine that Samba, in their willingness to mimic Microsoft, have implemented same mechanism that exists at client level.

Reason why I'm not finger-pointing your comment but ask question to make people investigating further    (I can't as I don't have such system installed)

[ProNetic.dk]

I had det same issue when i rebooted my Zentyal 3.0 server after i joined the domain with a test 3.2 Zentyal server. I just rebooted the PDC again,(Zentyal 3.0) and then all worked without any "Connection refused" errors.. dunno why.. Makes one wonder if Zentyal are production ready(both 3.0 and 3.2) 

[BrettonWoods]

I have 3.2 working and kerb is working fine for logon.

Its not working for squid authentication though.

With squid especially kerberos I found it hard to work out what was happening.

Then I started using wireshark with the filter set to kerberos.

Most impressed with wireshark and I know what the kerneros error is

Still can't get SSO going thought

My suggestion is run up wireshark on your internal network card and post your results

Also an ldap browse of your kerberos principles names is also a good place to start.

I am pretty sure 3.2 is production ready apart from some small items which will prob have an SP