Samba 4 Troubleshooting Guide
DRS Replication
Further articles on replication issues: samba-tool-drs-showrepl-shows-werr-gen-failure
and drs-replication-fails
samba-tool drs showrepl
To get an overview of the current DRS replication status, run the following command on any UCS Samba 4 DC that is joined to the domain:
samba-tool drs showrepl
Sitename\Servername
DSA Options: 0x00000001
DSA object GUID: ffad9f19-0e90-457b-b733-469e4b2280a1
DSA invocationId: 908dbb52-12a6-47a2-ae03-1a71014cc4f4
==== INBOUND NEIGHBORS ====
DC=domain,DC=base
Sitename\Servername via RPC
DSA object GUID: 397575b4-23c7-4ceb-8114-166a1d7a1bfe
Last attempt @ Tue Jun 18 03:30:23 2013 MDT was successful
0 consecutive failure(s).
Last success @ Tue Jun 18 03:30:23 2013 MDT
CN=Schema,CN=Configuration,DC=domain,DC=base
Sitename\Servername via RPC
DSA object GUID: 397575b4-23c7-4ceb-8114-166a1d7a1bfe
Last attempt @ Tue Jun 18 03:30:31 2013 MDT failed, result 2 (WERR_BADFILE)
14 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=domain,DC=base
Sitename\Servername via RPC
DSA object GUID: 397575b4-23c7-4ceb-8114-166a1d7a1bfe
Last attempt @ Tue Jun 18 03:30:34 2013 MDT failed, result 2 (WERR_BADFILE)
14 consecutive failure(s).
Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ====
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: facd713f-869d-4672-ad9b-b694e7c53cd8
Enabled : TRUE
Server DNS name : Servername
Server DN name : CN=NTDS Settings,CN=Servername,CN=Servers,CN=Sitename,CN=Sites,CN=Configuration,DC=domain,DC=base
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
The output has four sections. The header shows the GUID of the local directory service agent (DSA), which can be thought of as the ID of the local DC. The section INBOUND NEIGHBORS lists the DCs the local DC replicates directory objects from; each directory partition (naming context) is listed separately, with the result of the last attempt, the number of consecutive failures and the time of the last successful replication. The section OUTBOUND NEIGHBORS lists the remote DCs that replicate objects from the local DC. The section KCC CONNECTION OBJECTS summarizes the connection objects the KCC has created to neighbor DCs. The output above shows a situation directly after the join of the local DC: it has replicated the domain partition from the DC it joined to, the Schema and Configuration partitions have never replicated successfully (Last success @ NTTIME(0) and 14 consecutive failures with WERR_BADFILE), and no other DC has replicated any objects from the local DC yet.
The output always ends with “Warning: No NC replicated for Connection!”. This warning is expected and completely harmless; the lines that matter are the ones in INBOUND NEIGHBORS that report consecutive failures or Last success @ NTTIME(0).
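As an added example (not part of the UCS or Samba documentation), the following shell function applies exactly this reading of the output: it walks the INBOUND NEIGHBORS section of samba-tool drs showrepl and prints every partition that has consecutive failures or has never replicated (NTTIME(0)), which is the check worth scripting on every DC. The sample output is constructed inline from the listing above; in practice you would pipe `samba-tool drs showrepl` into the function.

```bash
#!/bin/bash
# Added example, not UCS/Samba code. Flags unhealthy inbound partitions in
# "samba-tool drs showrepl" output. Healthy means 0 consecutive failures and a
# real "Last success" timestamp; "NTTIME(0)" means the partition never replicated.

# Constructed sample, modelled on the listing above (not captured from a live DC).
SAMPLE_SHOWREPL='Sitename\Servername
DSA Options: 0x00000001
DSA object GUID: ffad9f19-0e90-457b-b733-469e4b2280a1
DSA invocationId: 908dbb52-12a6-47a2-ae03-1a71014cc4f4

==== INBOUND NEIGHBORS ====

DC=domain,DC=base
    Sitename\Servername via RPC
        DSA object GUID: 397575b4-23c7-4ceb-8114-166a1d7a1bfe
        Last attempt @ Tue Jun 18 03:30:23 2013 MDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jun 18 03:30:23 2013 MDT

CN=Schema,CN=Configuration,DC=domain,DC=base
    Sitename\Servername via RPC
        DSA object GUID: 397575b4-23c7-4ceb-8114-166a1d7a1bfe
        Last attempt @ Tue Jun 18 03:30:31 2013 MDT failed, result 2 (WERR_BADFILE)
        14 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=domain,DC=base
    Sitename\Servername via RPC
        DSA object GUID: 397575b4-23c7-4ceb-8114-166a1d7a1bfe
        Last attempt @ Tue Jun 18 03:30:34 2013 MDT failed, result 2 (WERR_BADFILE)
        14 consecutive failure(s).
        Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: facd713f-869d-4672-ad9b-b694e7c53cd8
    Enabled        : TRUE
Warning: No NC replicated for Connection!'

# check_showrepl: reads showrepl output on stdin, prints one line per unhealthy
# partition ("<NC> <n> failure(s), last success: <time>"), returns 1 if any found.
check_showrepl() {
    awk '
    /^==== INBOUND NEIGHBORS ====/ { inbound = 1; next }   # start of the section
    /^====/                        { inbound = 0 }         # any other section header
    !inbound                       { next }
    # A non-indented, non-empty line names the naming context (partition).
    /^[^ \t]/ && NF > 0 { nc = $0; fails = ""; next }
    /consecutive failure/ { sub(/^[ \t]+/, ""); fails = $1 }
    /Last success @/ {
        sub(/^[ \t]*Last success @ /, "")
        last = $0
        if (fails != "0" || last == "NTTIME(0)") {
            print nc " " fails " failure(s), last success: " last
            bad = 1
        }
    }
    END { exit bad ? 1 : 0 }
    '
}

# Usage on a live DC:  samba-tool drs showrepl | check_showrepl
# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_SHOWREPL" | check_showrepl
```

A non-zero exit status from check_showrepl is a convenient trigger for the samba-tool drs kcc and samba-tool drs replicate steps described next; the trailing "No NC replicated" warning is deliberately ignored.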
samba-tool drs kcc [<fqdn of remote dc>] -UAdministrator
This command manually triggers the Samba 4 “Knowledge Consistency Checker” (KCC), which updates its knowledge about the connections to neighbor DCs. Given the FQDN of a remote DC and credentials (-UAdministrator), it triggers the KCC on that host instead of the local one.
This is useful when DC objects are absent from the output of samba-tool drs showrepl or are showing consecutive failures.
It is always recommended to also check /var/log/samba/log.samba for further hints when facing DRS replication issues.
samba-tool drs replicate <destination dc> <source dc> <nc>
This command triggers the DRS replication of one naming context (<nc>) from <source dc> to <destination dc>. When used during an in-depth analysis of DRS replication issues, it usually returns the specific error message (for example the WERR_* code) directly instead of the summary shown by showrepl.
An example would be:
samba-tool drs replicate destinationhost sourcehost dc=domain,dc=base
A worked example is given in the replication articles referenced at the top of this section.
Comparing msDS-KeyVersionNumber
For a given user, computer, or built-in account, this attribute holds the Kerberos key version number (kvno) of the account's current key. It is incremented on every password change of the account, so it is a simple indicator of whether a change has been replicated to another DC: read the attribute of the same account (here the computer account of the master) on the master and on the DC to be checked and compare the values:
root@master:~# univention-s4search cn=master msDS-KeyVersionNumber
root@backup:~# univention-s4search cn=master msDS-KeyVersionNumber
The values have to be equal, otherwise replication between the two systems is broken. If a system shows a value that differs from the master, it has to be rejoined, or you first try to replicate just the server account (see the article referenced in the samba-tool drs replicate section above).
Example:
root@master:~# univention-s4search cn=master msDS-KeyVersionNumber
dn: CN=MASTER,OU=Domain Controllers,DC=test,DC=domain
msDS-KeyVersionNumber: 7
root@backup:~# univention-s4search cn=master msDS-KeyVersionNumber
dn: CN=MASTER,OU=Domain Controllers,DC=test,DC=domain
msDS-KeyVersionNumber: 1
Here the system backup is clearly out of sync (it has never seen the six password changes the master has recorded), and a rejoin should be considered.
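As an added example (not UCS or Samba code), the following shell function turns the manual comparison above into a check over any number of DCs: it extracts msDS-KeyVersionNumber from the univention-s4search output of each DC and reports every DC whose value differs from the master, or on which the account is missing entirely. The LDIF blobs are constructed inline from the example above; on a real domain each would come from `univention-s4search cn=<host> msDS-KeyVersionNumber` run locally and via ssh on the other DCs.

```bash
#!/bin/bash
# Added example, not UCS/Samba code. Compares msDS-KeyVersionNumber of one
# account (here the master's computer account) across several DCs.
# Assumption: per-DC LDIF is gathered with
#   univention-s4search cn=master msDS-KeyVersionNumber          (on the master)
#   ssh <dc> univention-s4search cn=master msDS-KeyVersionNumber (on other DCs)

# Constructed outputs, modelled on the example above.
LDIF_MASTER='dn: CN=MASTER,OU=Domain Controllers,DC=test,DC=domain
msDS-KeyVersionNumber: 7'
LDIF_BACKUP='dn: CN=MASTER,OU=Domain Controllers,DC=test,DC=domain
msDS-KeyVersionNumber: 1'
LDIF_SLAVE='dn: CN=MASTER,OU=Domain Controllers,DC=test,DC=domain
msDS-KeyVersionNumber: 7'
LDIF_EMPTY=''   # a DC on which the search returned no object at all

# ldif_attr <attribute> <ldif-text>: print the first value of the attribute
# (attribute names in LDIF are case-insensitive).
ldif_attr() {
    printf '%s\n' "$2" | awk -v a="$1:" 'tolower($1) == tolower(a) { print $2; exit }'
}

# kvno_outliers <master-ldif> <name>=<ldif> ...
# Prints one line per DC whose kvno is missing or differs from the master;
# returns 1 if any such DC exists, 0 if all agree.
kvno_outliers() {
    local ref name ldif val rc=0
    ref=$(ldif_attr msDS-KeyVersionNumber "$1"); shift
    for arg in "$@"; do
        name=${arg%%=*}          # text before the first '='
        ldif=${arg#*=}           # everything after it (may itself contain '=')
        val=$(ldif_attr msDS-KeyVersionNumber "$ldif")
        if [ -z "$val" ]; then
            printf '%s: object or attribute missing (not replicated?)\n' "$name"; rc=1
        elif [ "$val" != "$ref" ]; then
            printf '%s: kvno %s differs from master kvno %s -> rejoin or replicate the account\n' \
                "$name" "$val" "$ref"; rc=1
        fi
    done
    return $rc
}

# Stand-alone demo on the constructed data; exit status 1 signals an outlier.
kvno_outliers "$LDIF_MASTER" "backup=$LDIF_BACKUP" "slave=$LDIF_SLAVE" "new=$LDIF_EMPTY"
```

The exit status makes the check usable from a monitoring job; a reported outlier is the point at which to fall back to the samba-tool drs replicate step or the rejoin procedure described below.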
Samba-tool dbcheck
This checks the Samba 4 database for consistency. Samba does not keep its data in a single database but splits it into five partitions (naming contexts). To check all partitions and not just the domain partition, add the parameter --cross-ncs:
samba-tool dbcheck --cross-ncs
To fix the reported issues, add --fix; add --yes as well if you do not want to be asked for approval for every error or warning:
samba-tool dbcheck --cross-ncs --fix --yes
DNS
For a complete overview of the relevant DNS records, check the output of the following script:
/usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
Please have a look at dns-probleme-in-alteren-samba-ad-domanen, dns-problems-in-samba4, and when-renaming-a-computer-the-old-dns-entry-remains-in-dns
Sysvol Replication
Here are some related articles for troubleshooting:
remove-a-file-from-sysvol, sysvol-sync-placing-triggerfile-with-ssh-failed, how-gpos-and-sysvol-are-working-together-in-ucs-school, reduce-the-sysvol-replication-complexity, samba-tool-ntacl-sysvolcheck, samba-tool-ntacl-sysvolcheck-shows-nt-status-object-name-not-found/, rsync-to-local-sysvol-exited-with-23
Removal of Domain Controllers
The best way to completely remove a DC object is the following sequence of steps; for more detail see How-To: Remove a Server.
- samba-tool dbcheck --fix (see LDB Tools)
- /usr/share/univention-samba4/scripts/purge_s4_computer.py --computername=hostname
- samba-tool domain demote --remove-other-dead-server=<hostname>
- Check for remaining references in the LDB and remove them if necessary. You can use the objectGUID of the DC object for these searches to find objects that still reference it, for example:
ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs | grep -A10 f5031d0e-86a7-4b60-ad6b-1ff8108a3e2a
Rejoin of an existing DC
It should be sufficient to use
univention-join
If this does not succeed, there may be old references in the LDB. You can use the steps described under “LDB Tools”, or use the following.
The next commands have to be executed on the DC which has to be rejoined:
/etc/init.d/samba stop
mv /var/lib/samba/private /var/tmp/samba_backup
univention-join
In case this does not work either, the DC account can be removed first by logging into the UCS domain controller running the S4 Connector (usually the DC Master) and executing the steps described in the section “Removal of Domain Controllers” (see above). After that, the join can be started again using the three steps above (stop Samba, move the directory, univention-join).
LDB Tools
In some cases a deeper inspection of the Samba database backend (sam.ldb) is required.
Searching within the LDB:
ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs [-b <dn> ] [<ldap-filter>]
ldbdel can be used to remove objects. This may be needed, e.g., if removed computer objects left referencing objects underneath cn=configuration,$ldap_base:
ldbdel -H /var/lib/samba/private/sam.ldb <dn>
The other way to find such inconsistent references (and fix them automatically) is samba-tool dbcheck:
samba-tool dbcheck [--cross-ncs --fix --yes]
FSMO Roles
Use the following command to display the current owners of the FSMO roles:
samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=Servername,CN=Servers,CN=Sitename,CN=Sites,CN=Configuration,DC=sec,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=Servername,CN=Servers,CN=Sitename,CN=Sites,CN=Configuration,DC=sec,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=Servername,CN=Servers,CN=Sitename,CN=Sites,CN=Configuration,DC=sec,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=Servername,CN=Servers,CN=Sitename,CN=Sites,CN=Configuration,DC=sec,DC=lan
SchemaMasterRole owner: CN=NTDS Settings,CN=Servername,CN=Servers,CN=Sitename,CN=Sites,CN=Configuration,DC=sec,DC=lan