4.3-1 after upgrade samba error

codedmind · June 12, 2018, 12:32pm

In master

`samba-tool drs showrepl` returned a problem with the replication.
Inbound 'DC=DomainDnsZones,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/FELDC01 (WERR_CONNECTION_REFUSED)
Inbound 'DC=ForestDnsZones,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/FELDC01 (WERR_CONNECTION_REFUSED)
Inbound 'CN=Schema,CN=Configuration,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/FELDC01 (WERR_CONNECTION_REFUSED)
Inbound 'CN=Configuration,DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/FELDC01 (WERR_CONNECTION_REFUSED)
Inbound 'DC=ccm,DC=local': error during DRS replication from Default-First-Site-Name/FELDC01 (WERR_CONNECTION_REFUSED)
Outbound 'DC=ccm,DC=local': error during DRS replication to Default-First-Site-Name/FELDC01 (WERR_CONNECTION_REFUSED)

In slave

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/__init__.py", line 270, in execute
    result = execute(umc_module, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/41_samba_tool_showrepl.py", line 148, in run
    drs = DRSUAPI()
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/41_samba_tool_showrepl.py", line 61, in __init__
    drs_tuple = drs_utils.drsuapi_connect(self.server, self.load_param, self.credentials)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 56, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
drsException: drsException: DRS connection to feldc01.ccm.local failed: (-1073741258, 'The transport-connection attempt was refused by the remote system.')```

Moritz_Bunkus · June 14, 2018, 8:50am

Hey,

which version were you updating from? 4.2-something? If so, note that Samba requires a lot more ports to be open in order to function correctly.

If you have any kind of firewall sitting between your DC Master and your DC Slave, make sure all of the required ports are open in both directions. Generally I’d advise to configure firewalls sitting between UCS DCs to allow unrestricted communication between UCS DCs. The firewalls on the UCS DCs themselves should take care of only allowing traffic that’s actually required by the services running on them.

Now let’s check whether the ports are open. Please post the output of the following two commands from your DC Master:

lsof -aPniTCP -c samba -sTCP:LISTEN
iptables -L INPUT -nv

Kind regards
mosu

codedmind · June 14, 2018, 8:53am

Hello @Moritz_Bunkus,

The upgrade was from the 4.3 errata 89

root@CCMDC01:~# lsof -aPniTCP -c samba -sTCP:LISTEN
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
samba    2066 root   31u  IPv6  25769      0t0  TCP [::1]:49152 (LISTEN)
samba    2066 root   32u  IPv4  25770      0t0  TCP 127.0.0.1:49152 (LISTEN)
samba    2066 root   33u  IPv4  25771      0t0  TCP 192.168.120.2:49152 (LISTEN)
samba    2066 root   36u  IPv6  25787      0t0  TCP [::1]:49153 (LISTEN)
samba    2066 root   37u  IPv4  27857      0t0  TCP 127.0.0.1:49153 (LISTEN)
samba    2066 root   38u  IPv4  27858      0t0  TCP 192.168.120.2:49153 (LISTEN)
samba    2066 root   43u  IPv6  27878      0t0  TCP [::1]:49154 (LISTEN)
samba    2066 root   44u  IPv4  27879      0t0  TCP 127.0.0.1:49154 (LISTEN)
samba    2066 root   45u  IPv4  27880      0t0  TCP 192.168.120.2:49154 (LISTEN)
samba    2066 root   48u  IPv6  27896      0t0  TCP [::1]:135 (LISTEN)
samba    2066 root   49u  IPv4  27897      0t0  TCP 127.0.0.1:135 (LISTEN)
samba    2066 root   50u  IPv4  27898      0t0  TCP 192.168.120.2:135 (LISTEN)
samba    2069 root   24u  IPv6  28862      0t0  TCP [::1]:389 (LISTEN)
samba    2069 root   28u  IPv6  28863      0t0  TCP [::1]:636 (LISTEN)
samba    2069 root   30u  IPv6  28864      0t0  TCP [::1]:3268 (LISTEN)
samba    2069 root   31u  IPv6  28865      0t0  TCP [::1]:3269 (LISTEN)
samba    2069 root   32u  IPv4  28866      0t0  TCP 127.0.0.1:389 (LISTEN)
samba    2069 root   33u  IPv4  28867      0t0  TCP 127.0.0.1:636 (LISTEN)
samba    2069 root   34u  IPv4  28868      0t0  TCP 127.0.0.1:3268 (LISTEN)
samba    2069 root   35u  IPv4  28869      0t0  TCP 127.0.0.1:3269 (LISTEN)
samba    2069 root   36u  IPv4  28870      0t0  TCP 192.168.120.2:389 (LISTEN)
samba    2069 root   37u  IPv4  28871      0t0  TCP 192.168.120.2:636 (LISTEN)
samba    2069 root   38u  IPv4  28872      0t0  TCP 192.168.120.2:3268 (LISTEN)
samba    2069 root   39u  IPv4  28873      0t0  TCP 192.168.120.2:3269 (LISTEN)
samba    2072 root   24u  IPv6  27845      0t0  TCP [::1]:88 (LISTEN)
samba    2072 root   32u  IPv6  27847      0t0  TCP [::1]:464 (LISTEN)
samba    2072 root   34u  IPv4  27849      0t0  TCP 127.0.0.1:88 (LISTEN)
samba    2072 root   36u  IPv4  27851      0t0  TCP 127.0.0.1:464 (LISTEN)
samba    2072 root   38u  IPv4  27853      0t0  TCP 192.168.120.2:88 (LISTEN)
samba    2072 root   40u  IPv4  27855      0t0  TCP 192.168.120.2:464 (LISTEN)
samba    2314 root   24u  IPv6  28862      0t0  TCP [::1]:389 (LISTEN)
samba    2314 root   28u  IPv6  28863      0t0  TCP [::1]:636 (LISTEN)
samba    2314 root   30u  IPv6  28864      0t0  TCP [::1]:3268 (LISTEN)
samba    2314 root   31u  IPv6  28865      0t0  TCP [::1]:3269 (LISTEN)
samba    2314 root   32u  IPv4  28866      0t0  TCP 127.0.0.1:389 (LISTEN)
samba    2314 root   33u  IPv4  28867      0t0  TCP 127.0.0.1:636 (LISTEN)
samba    2314 root   34u  IPv4  28868      0t0  TCP 127.0.0.1:3268 (LISTEN)
samba    2314 root   35u  IPv4  28869      0t0  TCP 127.0.0.1:3269 (LISTEN)
samba    2314 root   36u  IPv4  28870      0t0  TCP 192.168.120.2:389 (LISTEN)
samba    2314 root   37u  IPv4  28871      0t0  TCP 192.168.120.2:636 (LISTEN)
samba    2314 root   38u  IPv4  28872      0t0  TCP 192.168.120.2:3268 (LISTEN)
samba    2314 root   39u  IPv4  28873      0t0  TCP 192.168.120.2:3269 (LISTEN)
samba   23581 root   31u  IPv6  25769      0t0  TCP [::1]:49152 (LISTEN)
samba   23581 root   32u  IPv4  25770      0t0  TCP 127.0.0.1:49152 (LISTEN)
samba   23581 root   33u  IPv4  25771      0t0  TCP 192.168.120.2:49152 (LISTEN)
samba   23581 root   36u  IPv6  25787      0t0  TCP [::1]:49153 (LISTEN)
samba   23581 root   37u  IPv4  27857      0t0  TCP 127.0.0.1:49153 (LISTEN)
samba   23581 root   43u  IPv6  27878      0t0  TCP [::1]:49154 (LISTEN)
samba   23581 root   44u  IPv4  27879      0t0  TCP 127.0.0.1:49154 (LISTEN)
samba   23581 root   45u  IPv4  27880      0t0  TCP 192.168.120.2:49154 (LISTEN)
samba   23581 root   48u  IPv6  27896      0t0  TCP [::1]:135 (LISTEN)
samba   23581 root   49u  IPv4  27897      0t0  TCP 127.0.0.1:135 (LISTEN)
samba   23581 root   50u  IPv4  27898      0t0  TCP 192.168.120.2:135 (LISTEN)
samba   23623 root   31u  IPv6  25769      0t0  TCP [::1]:49152 (LISTEN)
samba   23623 root   32u  IPv4  25770      0t0  TCP 127.0.0.1:49152 (LISTEN)
samba   23623 root   33u  IPv4  25771      0t0  TCP 192.168.120.2:49152 (LISTEN)
samba   23623 root   36u  IPv6  25787      0t0  TCP [::1]:49153 (LISTEN)
samba   23623 root   37u  IPv4  27857      0t0  TCP 127.0.0.1:49153 (LISTEN)
samba   23623 root   43u  IPv6  27878      0t0  TCP [::1]:49154 (LISTEN)
samba   23623 root   44u  IPv4  27879      0t0  TCP 127.0.0.1:49154 (LISTEN)
samba   23623 root   45u  IPv4  27880      0t0  TCP 192.168.120.2:49154 (LISTEN)
samba   23623 root   48u  IPv6  27896      0t0  TCP [::1]:135 (LISTEN)
samba   23623 root   49u  IPv4  27897      0t0  TCP 127.0.0.1:135 (LISTEN)
samba   23623 root   50u  IPv4  27898      0t0  TCP 192.168.120.2:135 (LISTEN)
samba   23641 root   31u  IPv6  25769      0t0  TCP [::1]:49152 (LISTEN)
samba   23641 root   32u  IPv4  25770      0t0  TCP 127.0.0.1:49152 (LISTEN)
samba   23641 root   33u  IPv4  25771      0t0  TCP 192.168.120.2:49152 (LISTEN)
samba   23641 root   36u  IPv6  25787      0t0  TCP [::1]:49153 (LISTEN)
samba   23641 root   37u  IPv4  27857      0t0  TCP 127.0.0.1:49153 (LISTEN)
samba   23641 root   43u  IPv6  27878      0t0  TCP [::1]:49154 (LISTEN)
samba   23641 root   44u  IPv4  27879      0t0  TCP 127.0.0.1:49154 (LISTEN)
samba   23641 root   45u  IPv4  27880      0t0  TCP 192.168.120.2:49154 (LISTEN)
samba   23641 root   48u  IPv6  27896      0t0  TCP [::1]:135 (LISTEN)
samba   23641 root   49u  IPv4  27897      0t0  TCP 127.0.0.1:135 (LISTEN)
samba   23641 root   50u  IPv4  27898      0t0  TCP 192.168.120.2:135 (LISTEN)
samba   23651 root   31u  IPv6  25769      0t0  TCP [::1]:49152 (LISTEN)
samba   23651 root   32u  IPv4  25770      0t0  TCP 127.0.0.1:49152 (LISTEN)
samba   23651 root   33u  IPv4  25771      0t0  TCP 192.168.120.2:49152 (LISTEN)
samba   23651 root   36u  IPv6  25787      0t0  TCP [::1]:49153 (LISTEN)
samba   23651 root   37u  IPv4  27857      0t0  TCP 127.0.0.1:49153 (LISTEN)
samba   23651 root   43u  IPv6  27878      0t0  TCP [::1]:49154 (LISTEN)
samba   23651 root   44u  IPv4  27879      0t0  TCP 127.0.0.1:49154 (LISTEN)
samba   23651 root   45u  IPv4  27880      0t0  TCP 192.168.120.2:49154 (LISTEN)
samba   23651 root   48u  IPv6  27896      0t0  TCP [::1]:135 (LISTEN)
samba   23651 root   49u  IPv4  27897      0t0  TCP 127.0.0.1:135 (LISTEN)
samba   23651 root   50u  IPv4  27898      0t0  TCP 192.168.120.2:135 (LISTEN)
samba   23667 root   31u  IPv6  25769      0t0  TCP [::1]:49152 (LISTEN)
samba   23667 root   32u  IPv4  25770      0t0  TCP 127.0.0.1:49152 (LISTEN)
samba   23667 root   33u  IPv4  25771      0t0  TCP 192.168.120.2:49152 (LISTEN)
samba   23667 root   36u  IPv6  25787      0t0  TCP [::1]:49153 (LISTEN)
samba   23667 root   37u  IPv4  27857      0t0  TCP 127.0.0.1:49153 (LISTEN)
samba   23667 root   43u  IPv6  27878      0t0  TCP [::1]:49154 (LISTEN)
samba   23667 root   44u  IPv4  27879      0t0  TCP 127.0.0.1:49154 (LISTEN)
samba   23667 root   45u  IPv4  27880      0t0  TCP 192.168.120.2:49154 (LISTEN)
samba   23667 root   48u  IPv6  27896      0t0  TCP [::1]:135 (LISTEN)
samba   23667 root   49u  IPv4  27897      0t0  TCP 127.0.0.1:135 (LISTEN)
samba   23667 root   50u  IPv4  27898      0t0  TCP 192.168.120.2:135 (LISTEN)
samba   23673 root   31u  IPv6  25769      0t0  TCP [::1]:49152 (LISTEN)
samba   23673 root   32u  IPv4  25770      0t0  TCP 127.0.0.1:49152 (LISTEN)
samba   23673 root   33u  IPv4  25771      0t0  TCP 192.168.120.2:49152 (LISTEN)
samba   23673 root   36u  IPv6  25787      0t0  TCP [::1]:49153 (LISTEN)
samba   23673 root   37u  IPv4  27857      0t0  TCP 127.0.0.1:49153 (LISTEN)
samba   23673 root   43u  IPv6  27878      0t0  TCP [::1]:49154 (LISTEN)
samba   23673 root   44u  IPv4  27879      0t0  TCP 127.0.0.1:49154 (LISTEN)
samba   23673 root   45u  IPv4  27880      0t0  TCP 192.168.120.2:49154 (LISTEN)
samba   23673 root   48u  IPv6  27896      0t0  TCP [::1]:135 (LISTEN)
samba   23673 root   49u  IPv4  27897      0t0  TCP 127.0.0.1:135 (LISTEN)
samba   23673 root   50u  IPv4  27898      0t0  TCP 192.168.120.2:135 (LISTEN)
samba   23679 root   31u  IPv6  25769      0t0  TCP [::1]:49152 (LISTEN)
samba   23679 root   32u  IPv4  25770      0t0  TCP 127.0.0.1:49152 (LISTEN)
samba   23679 root   33u  IPv4  25771      0t0  TCP 192.168.120.2:49152 (LISTEN)
samba   23679 root   36u  IPv6  25787      0t0  TCP [::1]:49153 (LISTEN)
samba   23679 root   37u  IPv4  27857      0t0  TCP 127.0.0.1:49153 (LISTEN)
samba   23679 root   43u  IPv6  27878      0t0  TCP [::1]:49154 (LISTEN)
samba   23679 root   44u  IPv4  27879      0t0  TCP 127.0.0.1:49154 (LISTEN)
samba   23679 root   45u  IPv4  27880      0t0  TCP 192.168.120.2:49154 (LISTEN)
samba   23679 root   48u  IPv6  27896      0t0  TCP [::1]:135 (LISTEN)
samba   23679 root   49u  IPv4  27897      0t0  TCP 127.0.0.1:135 (LISTEN)
samba   23679 root   50u  IPv4  27898      0t0  TCP 192.168.120.2:135 (LISTEN)

root@CCMDC01:~# iptables -L INPUT -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 107K   18M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 207K   48M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  183 16560 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7636
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:111
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:32765:32769
   31  1608 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:137:139
  338 17372 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:135
 2743  143K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:88
    8   480 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7389
   14   728 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3268
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:464
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:88
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2049
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5432
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:32765:32769
   28  1456 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
  177 15832 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3269
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:464
    6   312 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  304 73222 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:389
    1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
 2727  144K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:49152:65535
 7926  565K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2049
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5666
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:636
  931  119K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:137:139
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:445
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6670
14503  754K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
  220 13192 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  589 30676 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:389
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5001
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7777
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:7777
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6669
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:749
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:544
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:111
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1024
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:11212
  474 34654 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Moritz_Bunkus · June 14, 2018, 11:15am

This looks good so far. Are there any other firewalls/routers with firewall functionality sitting between the DCs? Have you tried restarting Samba on both machines?

codedmind · June 14, 2018, 1:17pm

@Moritz_Bunkus the servers are connected via an watchguard but both networks are trusted, so no firewall.

Both servers are restarted after upgrade.