Samba 4 Troubleshooting

Samba 4 Troubleshooting Guide

DRS Replication

Further Articles for Replication issues are samba-tool-drs-showrepl-shows-werr-gen-failure
and drs-replication-fails

samba-tool drs showrepl

To get an overview of the current drs replication status you can use this command at every UCS Samba 4 DC which is joined to the domain:

samba-tool drs showrepl

Sitename\Servername
DSA Options: 0x00000001
DSA object GUID: ffad9f19-0e90-457b-b733-469e4b2280a1
DSA invocationId: 908dbb52-12a6-47a2-ae03-1a71014cc4f4

==== INBOUND NEIGHBORS ====

DC=domain,DC=base
    Sitename\Servername via RPC
        DSA object GUID: 397575b4-23c7-4ceb-8114-166a1d7a1bfe
        Last attempt @ Tue Jun 18 03:30:23 2013 MDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jun 18 03:30:23 2013 MDT

CN=Schema,CN=Configuration,DC=domain,DC=base
    Sitename\Servername via RPC
        DSA object GUID: 397575b4-23c7-4ceb-8114-166a1d7a1bfe
        Last attempt @ Tue Jun 18 03:30:31 2013 MDT failed, result 2 (WERR_BADFILE)
        14 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=domain,DC=base
    Sitename\Servername via RPC
        DSA object GUID: 397575b4-23c7-4ceb-8114-166a1d7a1bfe
        Last attempt @ Tue Jun 18 03:30:34 2013 MDT failed, result 2 (WERR_BADFILE)
        14 consecutive failure(s).
        Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: facd713f-869d-4672-ad9b-b694e7c53cd8
    Enabled : TRUE
    Server DNS name : Servername
    Server DN name : CN=NTDS Settings,CN=Servername,CN=Servers,CN=Sitename,CN=Sites,CN=Configuration,DC=domain,DC=base
    TransportType: RPC
    options: 0x00000001
Warning: No NC replicated for Connection!

The output shows four sections. The header shows the GUID of the local directory service agent (DSA), which can be thought of as an ID for the local DC. The second section shows inbound connections. The local domain controller replicates directory objects from the inbound neighbors. Each directory partition is replicated separately. The section outbound neighbors lists remote domain controllers that are replicating objects from the local domain controller. In this case, the output shows a situation directly after the join of the local domain controller, where it replicated from the neighbor DC it joined to, but no other DC has replicated any objects from the local DC yet. The third section shows a summary of the connections to neighbor DCs.

The output will always show “Warning: No NC replicated for Connections” as last line. This Warning is expected and completely harmless.

samba-tool drs kcc (-UAdministrator <fqdn of remote dc>)

This command can be used to manually trigger the Samba 4 “Knowledge Consistency Checker” (KCC) to update its current knowledge about connections to neighbor DCs. The command can also conveniently e used to trigger the KCC on a remote host by adding -UAdministrator <fqdn>.
This can be useful in case DC objects are absend in the output of samba-tool drs showrepl or are showing consecutive failures.

It is always recommend to also have a look in /var/log/samba/log.samba for further hints when facing drs replication issues.

samba-tool drs replicate <destination dc> <source dc> <nc>

You can trigger the drs replication with the help of this command. Most likely you will get specific hints and error messages directly when used during an in depth analysis of DRS replication issues.
An example would be:

samba-tool drs replicate destinationhost sourcehost dc=domain,dc=base

We have an example in this Article

Comparing msDS-KeyVersionNumber

For a given user, computer, or built-in account, this attribute specifies the Kerberos version number of the current key for that account.
Therefore it can be used to compare the replication status of systems:

root@master:~# univention-s4search cn=master msDS-KeyVersionNumber
root@backup:~# univention-s4search cn=master msDS-KeyVersionNumber

The values have to be equal - otherweise the replication seems to be broken. If a system uses another value in comparison to the master, then it has to be rejoined or you first try to replicate just the Server account. → again this article

Example:

root@master:~# univention-s4search cn=master msDS-KeyVersionNumber
dn: CN=MASTER,OU=Domain Controllers,DC=test,DC=domain
msDS-KeyVersionNumber: 7
root@backup:~# univention-s4search cn=master msDS-KeyVersionNumber
dn: CN=MASTER,OU=Domain Controllers,DC=test,DC=domain
msDS-KeyVersionNumber: 1

Here the system backup is obviously out of sync and a rejoin should be considered.

Samba-tool dbcheck

This checks the database of samba4. Samba saves its date not just in one database,but it slits it up in 5 partitions. To check al partitions and not just the basic one you need to add the parameter --cross-ncs

samba-tool dbcheck --cross-ncs

To fix upcomming issues you can use --fix and --yes if you do not want to be asked for approval each error or warning.

samba-tool dbcheck --cross-ncs --fix --yes

DNS

For a complete overview of the relevant dns records you have the possibility to check the output of the following script:

/usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh

Please have a look at dns-probleme-in-alteren-samba-ad-domanen, dns-problems-in-samba4, and when-renaming-a-computer-the-old-dns-entry-remains-in-dns

Sysvol Replication

Here are some related article for troubleshooting:
remove-a-file-from-sysvol, sysvol-sync-placing-triggerfile-with-ssh-failed, how-gpos-and-sysvol-are-working-together-in-ucs-school, reduce-the-sysvol-replication-complexity, samba-tool-ntacl-sysvolcheck, samba-tool-ntacl-sysvolcheck-shows-nt-status-object-name-not-found/, rsync-to-local-sysvol-exited-with-23

Removal of Domain Controllers

The best way to completely remove a DC object would be the following steps but for more detail look here: How-To: Remove a Server

  1. samba-tool dbcheck --fix (see LDB Tools)
  2. /usr/share/univention-samba4/scripts/purge_s4_computer.py --computername=hostname
  3. samba-tool domain demote --remove-other-dead-server=<hostname>
  4. Checking for references in the LDB and eventually remove them. You can use the objectGUID of the DC object for these searches to determine objects with remaining references, for example:
ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs | grep -A10 f5031d0e-86a7-4b60-ad6b-1ff8108a3e2a

Rejoin of an existing DC

It should be sufficient to use

univention-join

If this does not succeed, there could be old references in the ldb. You can use the steps underneath “LDB Tools” or use the following:

The next commands have to be executed at the dc which has to be rejoined

  1. /etc/init.d/samba stop
  2. mv /var/lib/samba/private /var/tmp/samba_backup
  3. univentioin-join

In case this does not work either, the DC account can be removed first by logging into the UCS domain controller running the S4 Connector (usually the DC Master) and executing the steps described in the section “Removal of Domain Controllers” (see above). After that, the join process can be started again using the three steps above (samba4 stop, move directory, univention-join).

LDB Tools

In some cases a deeper inspection of the Samba database backend (sam.ldb) is required.
Searching within the LDB:

ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs [-b <dn> ] [<ldap-filter>]

ldbdel can be used to remove objects. This could be needed e.g. if removed computer objects left reference objects underneath cn=configuration,$ldap_base:

ldbdel -H /var/lib/samba/private/sam.ldb  <dn>

The other way to determine such inconsistent references (and automatically fix them) is the usage of samba-tool dbcheck.

samba-tool dbcheck [--cross-ncs --fix --yes]

FSMO Roles

You can use the following command to have a look at the current fsmo roles:

samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=Servername,CN=Servers,CN=Sitename,CN=Sites,CN=Configuration,DC=sec,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=Servername,CN=Servers,CN=Sitename,CN=Sites,CN=Configuration,DC=sec,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=Servername,CN=Servers,CN=Sitename,CN=Sites,CN=Configuration,DC=sec,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=Servername,CN=Servers,CN=Sitename,CN=Sites,CN=Configuration,DC=sec,DC=lan
SchemaMasterRole owner: CN=NTDS Settings,CN=Servername,CN=Servers,CN=Sitename,CN=Sites,CN=Configuration,DC=sec,DC=lan

S4-Connector


Please see how-to-handle-s4-connector-rejects

1 Like
Mastodon