Topic: [UNRESOLVED] How to troubleshoot samba backup domain controller function?

TRothlis

  • Zen Apprentice
  • Posts: 11
  • Karma: +0/-0
Was marked as SOLVED on April 20, 2017 but was observed to have recurred sometime before June 28, 2017. Upgrade to 5.0.6 apparently was not a permanent fix. All symptoms are the same as originally reported.

Running Zentyal 5.0

I used the web interface a couple years ago (before upgrading to 5.0 a few months back) to configure a Zentyal server as both a backup domain controller and a file server. This was working fine. I recently discovered that it is no longer operating as a BDC and I don't know how long this has been the case, so I can't trace it to any particular event. It may or may not have been coincident with the 5.0 upgrade, but I would think I would have noticed it then if it was. Anyway, there are three observed problems:
  • When I try to access the 'Users and Computers' page in the BDC web interface it reports "FATAL: Could not connect to samba LDAP server: connect: Connection refused".
  • I am unable to connect to the BDC through the Windows ADExplorer tool - it reports "The server is not operational".
  • If my Windows client PC is using the BDC as the logon server, I can log on but am unable to query users and groups for ACLs. From a Windows client, I am unable to query users and groups for ACLs on any of the BDC shares.
None of this is observed when using the PDC. Note that Samba is running in some capacity. The file server function is still fully operational as far as I can tell.

"service smbd status" returns:
● smbd.service - Samba SMB Daemon
   Loaded: loaded (/lib/systemd/system/smbd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2017-04-19 11:12:46 PDT; 42min ago
     Docs: man:smbd(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 20688 (smbd)
   Status: "smbd: ready to serve connections..."
   CGroup: /system.slice/smbd.service
           ├─20688 /usr/sbin/smbd
           ├─20689 /usr/sbin/smbd
           ├─20690 /usr/sbin/smbd
           ├─20692 /usr/sbin/smbd
           ├─20695 /usr/sbin/smbd
           ├─20696 /usr/sbin/smbd
           ├─20729 /usr/sbin/smbd
           ├─20830 /usr/sbin/smbd
           ├─21189 /usr/sbin/smbd
           ├─21671 /usr/sbin/smbd
           ├─21675 /usr/sbin/smbd
           └─21677 /usr/sbin/smbd

and "samba-tool processes" returns:
Service:                PID
-----------------------------
dnsupdate               4790
cldap_server            4783
rpc_server              4778
rpc_server              4778
nbt_server              4780
winbind_server          3810
winbind_server         10520
kdc_server              4784
notify-daemon          20689
ldap_server             4782
ldap_server             4782
ldap_server             4782
ldap_server             4782
kccsrv                  4789
samba                   4789
dreplsrv                4785

I've also grepped the various samba log files for "ldap" and nothing turns up.

I'm at a bit of a loss now as to where to go looking to figure out why the samba LDAP \ DC function isn't working properly. Please advise on suggested next steps for locating the source of the problem. Thanks.
« Last Edit: June 28, 2017, 11:49:36 pm by TRothlis »

TRothlis

Re: How to troubleshoot samba backup domain controller function?
« Reply #1 on: April 19, 2017, 11:53:08 pm »
Additional info:
  • "samba-tool testparm" completes without error
  • "samba-tool user list" or "wbinfo -u" (and the group equivalents) return all the domain accounts, so the service is sufficiently operable to identify the domain objects from the command line.
  • "samba-tool drs showrepl" is the only samba-tool command for which I am yet to see a failure on the BDC and not on the PDC. It reports:
    "Cannot reach a KDC we require to contact ldap/BDC.MYDOMAIN.NET@MYDOMAIN.NET : kinit for BDC$@MYDOMAIN.NET failed (Cannot contact any KDC for requested realm)" and
    "Failed to connect to ldap URL 'ldap://bdc.mydomain.net' - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED"

TRothlis

Re: How to troubleshoot samba backup domain controller function?
« Reply #2 on: April 20, 2017, 02:46:46 am »
Problem was mysteriously resolved after updating the Domain Controller and File Sharing component from 5.0.3 to 5.0.6. I do not know what the corrective change was.

TRothlis

Two months after the 5.0.6 upgrade mysteriously fixed the problem, the issue is back. If anybody has any ideas on where to look to better diagnose the issue, please let me know. Thanks.
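
An added example, not part of the original posts: a TCP probe of the standard AD domain controller ports that separates "refused" (the state behind the NT_STATUS_CONNECTION_REFUSED and "Cannot contact any KDC" errors quoted in Reply #1) from "timeout" and "open". The function names, the pattern labels and the 127.0.0.1 default are assumptions of this example.

```python
import errno
import socket
import sys

# Standard TCP ports of an Active Directory domain controller.
DC_PORTS = {"kerberos": 88, "ldap": 389, "smb": 445,
            "kpasswd": 464, "ldaps": 636, "global-catalog": 3268}

def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused', 'timeout' or 'error:<code>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # RST received: nothing bound to this address/port, or a REJECT rule.
        return "refused"
    except socket.timeout:
        # No answer at all: usually a DROP rule or a routing problem.
        return "timeout"
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))

def survey(host, ports=DC_PORTS, timeout=3.0):
    """Probe every named port and return {service: state}."""
    return {name: probe(host, port, timeout) for name, port in ports.items()}

def summarize(results):
    """Name the pattern: SMB serving while LDAP and Kerberos refuse, etc."""
    directory = [results.get(name) for name in ("ldap", "kerberos")]
    if results.get("smb") == "open" and all(s == "refused" for s in directory):
        return "file-sharing-only"
    if all(state == "open" for state in results.values()):
        return "all-listening"
    return "mixed"

if __name__ == "__main__":
    # Assumption: run on the DC itself; pass its LAN address or FQDN to compare.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    states = survey(target)
    for service, state in sorted(states.items()):
        print(f"{service:15} {DC_PORTS[service]:5} {state}")
    print("pattern:", summarize(states))
```

Running it once against 127.0.0.1 and once against the server's LAN address or FQDN shows whether a service is listening only on some interfaces.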