Hello,
this seems to concern the dreplsrv. Are there several Samba 4 DCs in the environment? What output does the following give:
samba-tool drs showrepl
Best regards,
Tim Petersen
Hello Mr. Petersen,
here is the output:
root@ucsmaster:~# samba-tool drs showrepl
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[IPC$]"
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[2open]"
Unknown parameter encountered: "security mask"
Ignoring unknown parameter "security mask"
Unknown parameter encountered: "directory security mask"
Ignoring unknown parameter "directory security mask"
Unknown parameter encountered: "force security mode"
Ignoring unknown parameter "force security mode"
Unknown parameter encountered: "force directory security mode"
Ignoring unknown parameter "force directory security mode"
Processing section "[umg_ordner]"
Unknown parameter encountered: "security mask"
Ignoring unknown parameter "security mask"
Unknown parameter encountered: "directory security mask"
Ignoring unknown parameter "directory security mask"
Unknown parameter encountered: "force security mode"
Ignoring unknown parameter "force security mode"
Unknown parameter encountered: "force directory security mode"
Ignoring unknown parameter "force directory security mode"
Processing section "[pvs_vergleich]"
Unknown parameter encountered: "security mask"
Ignoring unknown parameter "security mask"
Unknown parameter encountered: "directory security mask"
Ignoring unknown parameter "directory security mask"
Unknown parameter encountered: "force security mode"
Ignoring unknown parameter "force security mode"
Unknown parameter encountered: "force directory security mode"
Ignoring unknown parameter "force directory security mode"
Processing section "[install]"
Unknown parameter encountered: "security mask"
Ignoring unknown parameter "security mask"
Unknown parameter encountered: "directory security mask"
Ignoring unknown parameter "directory security mask"
Unknown parameter encountered: "force security mode"
Ignoring unknown parameter "force security mode"
Unknown parameter encountered: "force directory security mode"
Ignoring unknown parameter "force directory security mode"
Processing section "[dokumente]"
Unknown parameter encountered: "security mask"
Ignoring unknown parameter "security mask"
Unknown parameter encountered: "directory security mask"
Ignoring unknown parameter "directory security mask"
Unknown parameter encountered: "force security mode"
Ignoring unknown parameter "force security mode"
Unknown parameter encountered: "force directory security mode"
Ignoring unknown parameter "force directory security mode"
Processing section "[entwicklung]"
Unknown parameter encountered: "security mask"
Ignoring unknown parameter "security mask"
Unknown parameter encountered: "directory security mask"
Ignoring unknown parameter "directory security mask"
Unknown parameter encountered: "force security mode"
Ignoring unknown parameter "force security mode"
Unknown parameter encountered: "force directory security mode"
Ignoring unknown parameter "force directory security mode"
Processing section "[www-dev]"
Unknown parameter encountered: "security mask"
Ignoring unknown parameter "security mask"
Unknown parameter encountered: "directory security mask"
Ignoring unknown parameter "directory security mask"
Unknown parameter encountered: "force security mode"
Ignoring unknown parameter "force security mode"
Unknown parameter encountered: "force directory security mode"
Ignoring unknown parameter "force directory security mode"
Processing section "[profile]"
Unknown parameter encountered: "security mask"
Ignoring unknown parameter "security mask"
Unknown parameter encountered: "directory security mask"
Ignoring unknown parameter "directory security mask"
Unknown parameter encountered: "force security mode"
Ignoring unknown parameter "force security mode"
Unknown parameter encountered: "force directory security mode"
Ignoring unknown parameter "force directory security mode"
Processing section "[statistik]"
Unknown parameter encountered: "security mask"
Ignoring unknown parameter "security mask"
Unknown parameter encountered: "directory security mask"
Ignoring unknown parameter "directory security mask"
Unknown parameter encountered: "force security mode"
Ignoring unknown parameter "force security mode"
Unknown parameter encountered: "force directory security mode"
Ignoring unknown parameter "force directory security mode"
Processing section "[personal]"
Unknown parameter encountered: "security mask"
Ignoring unknown parameter "security mask"
Unknown parameter encountered: "directory security mask"
Ignoring unknown parameter "directory security mask"
Unknown parameter encountered: "force security mode"
Ignoring unknown parameter "force security mode"
Unknown parameter encountered: "force directory security mode"
Ignoring unknown parameter "force directory security mode"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:ucsmaster.gilching.local[,seal]
Mapped to DCERPC endpoint 135
added interface eth0 ip=192.168.100.110 bcast=192.168.100.255 netmask=255.255.255.0
added interface eth0 ip=192.168.100.110 bcast=192.168.100.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name ucsmaster.gilching.local<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Mapped to DCERPC endpoint 1024
added interface eth0 ip=192.168.100.110 bcast=192.168.100.255 netmask=255.255.255.0
added interface eth0 ip=192.168.100.110 bcast=192.168.100.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name ucsmaster.gilching.local<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Received smb_krb5 packet of length 295
Received smb_krb5 packet of length 1336
Received smb_krb5 packet of length 1326
Received smb_krb5 packet of length 1310
added interface eth0 ip=192.168.100.110 bcast=192.168.100.255 netmask=255.255.255.0
added interface eth0 ip=192.168.100.110 bcast=192.168.100.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name ucsmaster.gilching.local<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Received smb_krb5 packet of length 1326
Received smb_krb5 packet of length 1310
Default-First-Site-Name\UCSMASTER
DSA Options: 0x00000001
DSA object GUID: 73beff4c-0e5f-47c2-9dac-13399f11d4f7
DSA invocationId: dbe8111e-164e-413d-86f6-96503553afe5
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Tue Mar 10 18:46:10 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
13144 consecutive failure(s).
Last success @ Sat Jan 17 01:04:38 2015 CET
DC=ForestDnsZones,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Tue Mar 10 18:46:10 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
13144 consecutive failure(s).
Last success @ Sat Jan 17 01:04:39 2015 CET
DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Tue Mar 10 18:46:10 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
13171 consecutive failure(s).
Last success @ Sat Jan 17 01:04:40 2015 CET
CN=Schema,CN=Configuration,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Tue Mar 10 18:46:11 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
13144 consecutive failure(s).
Last success @ Sat Jan 17 01:04:43 2015 CET
CN=Configuration,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Tue Mar 10 18:46:11 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
13144 consecutive failure(s).
Last success @ Sat Jan 17 01:04:45 2015 CET
==== OUTBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Tue Mar 10 18:47:33 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
35 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Tue Mar 10 18:47:33 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
35 consecutive failure(s).
Last success @ NTTIME(0)
DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Tue Mar 10 18:47:33 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
35 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Tue Mar 10 18:47:34 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
36 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Tue Mar 10 18:47:34 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
36 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 4ae098b1-dedc-410a-88d3-fed52834879e
Enabled : TRUE
Server DNS name : DCBACKUP.gilching.local
Server DN name : CN=NTDS Settings,CN=DCBACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gilching,DC=local
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
root@ucsmaster:~#
Regards, Volker Hahn
With the new information I found another post here in the forum that deals with the same problem (but offers no solution):
https://help.univention.com/t/samba4-prozess/2000/1
Perhaps the two threads can be merged.
Regards, Hahn
Hello,
first I would suggest lowering the debug level, which looks very high to me:
ucr set samba/debug/level=1
/etc/init.d/samba restart
That may already change the behaviour.
Alternatively, the DRS situation should in any case be looked at separately. DRS replication to the DC backup has not worked since 17 January, 01:04 in the morning.
Possibly a password rotation or something similar took place there and Samba could not be restarted (is the backup perhaps on an older version? There were once problems along those lines…):
# On the backup:
/etc/init.d/samba restart
ps aux | grep samba
less /var/log/univention/server_password_change.log # possibly older log files; 17 January is the interesting date
Best regards,
Tim Petersen
Hello Mr. Petersen,
the log level has been changed and the Samba daemons have been restarted.
I updated both systems again today. The versions are the same on both machines:
Die momentan installierte Version ist 4.0-1 errata111.
Es sind keine Paket-Aktualisierungen verfügbar.
Informationen zu den Aktualisierungen
Es sind keine App Center-Aktualisierungen verfügbar.
Here is the process output of the DC backup (after Samba was restarted):
root@dcbackup:~# ps aux | grep samba
root 2318 0.0 0.0 176 0 ? Ss Feb11 0:00 runsv univention-bind-samba4
root 2450 0.0 1.8 589576 38036 ? Sl Feb11 6:30 /usr/sbin/named -c /etc/bind/named.conf.samba4 -f -d 0
root 22140 0.0 2.4 508876 51196 ? SNs 15:24 0:00 /usr/sbin/samba -D
root 22147 0.0 1.6 508876 34412 ? SN 15:24 0:00 /usr/sbin/samba -D
root 22148 0.3 2.4 515500 49408 ? SN 15:24 0:03 /usr/sbin/samba -D
root 22150 0.0 1.6 508876 34412 ? SN 15:24 0:00 /usr/sbin/samba -D
root 22151 1.0 2.1 511424 43804 ? SN 15:24 0:09 /usr/sbin/samba -D
root 22152 0.0 1.8 508876 38684 ? SN 15:24 0:00 /usr/sbin/samba -D
root 22153 0.0 2.2 515084 45356 ? SN 15:24 0:00 /usr/sbin/samba -D
root 22154 0.1 2.2 517672 45340 ? SN 15:24 0:01 /usr/sbin/samba -D
root 22155 0.0 1.6 508876 34412 ? SN 15:24 0:00 /usr/sbin/samba -D
root 22156 0.0 1.6 508876 34412 ? SN 15:24 0:00 /usr/sbin/samba -D
root 22158 0.0 2.5 513028 51472 ? SN 15:24 0:00 /usr/sbin/samba -D
root 22159 0.0 1.7 508876 36404 ? SN 15:24 0:00 /usr/sbin/samba -D
root 25084 0.0 0.0 4192 552 ? Ss 15:40 0:00 /bin/sh -c /usr/sbin/jitter 60 /usr/share/univention-samba4/scripts/sysvol-sync.sh >>/var/log/univention/sysvol-sync.log 2>&1
root 25085 0.0 0.1 9232 2168 ? S 15:40 0:00 /bin/bash /usr/sbin/jitter 60 /usr/share/univention-samba4/scripts/sysvol-sync.sh
root 25107 0.0 0.0 9916 1944 pts/0 R+ 15:40 0:00 grep samba
root@dcbackup:~#
And here is the server_password_change.log, which also contains 17 January …
[code]root@dcbackup:/var/log/univention# less server_password_change.log.8
Starting server password change (Mon Jan 12 01:03:24 CET 2015)
No server password change scheduled for today, terminating without a change
Starting server password change (Tue Jan 13 01:07:27 CET 2015)
No server password change scheduled for today, terminating without a change
Starting server password change (Wed Jan 14 01:02:34 CET 2015)
No server password change scheduled for today, terminating without a change
Starting server password change (Thu Jan 15 01:09:18 CET 2015)
No server password change scheduled for today, terminating without a change
Starting server password change (Fri Jan 16 01:09:46 CET 2015)
No server password change scheduled for today, terminating without a change
Starting server password change (Sat Jan 17 01:05:04 CET 2015)
Proceeding with regular server password change scheduled for today
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server prechange
Create mail/postfix/stoppedbyserverpasswordchange
Stopping Postfix Mail Transport Agent: postfix.
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-mail-cyrus prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-s4-connector prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 prechange
Object modified: cn=dcbackup,cn=dc,cn=computers,dc=gilching,dc=local
Restarting univention-directory-listener daemon.
timeout: finish: univention-directory-listener: (pid 9819) 498833s, normally down
done.
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server postchange
File: /etc/listfilter.secret
Multifile: /etc/postfix/ldap.distlist
Multifile: /etc/postfix/ldap.groups
Multifile: /etc/postfix/ldap.canonicalsender
Multifile: /etc/postfix/ldap.sharedfolderlocal
Multifile: /etc/postfix/ldap.virtualwithcanonical
Multifile: /etc/postfix/ldap.sharedfolderremote
Multifile: /etc/postfix/ldap.virtual
Multifile: /etc/postfix/ldap.canonicalrecipient
Multifile: /etc/postfix/ldap.transport
Multifile: /etc/postfix/ldap.virtualdomains
Starting Postfix Mail Transport Agent: postfix.
Unsetting mail/postfix/stoppedbyserverpasswordchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind postchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap postchange
File: /etc/libnss-ldap.conf
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-mail-cyrus postchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd postchange
Restarting Name Service Cache Daemon: nscd.
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-s4-connector postchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Modified 1 records successfully
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Changed password OK
Stopping Samba AD DC daemon: sambaretry #1…
Starting Samba AD DC daemon: samba.
done (Sat Jan 17 01:06:15 CET 2015)
Starting server password change (Sun Jan 18 01:09:06 CET 2015)
No server password change scheduled for today, terminating without a change
[/code]
That is all from us for now! Regards, Hahn
Hello Mr. Hahn,
there was indeed a password rotation on 17 January. However, I cannot see a problem with it in the log file.
How have the memory usage of the Samba process and the DRS replication developed in the meantime, after the restart of Samba on the DC backup?
SDB article #1235, Samba 4 Troubleshooting Guide, will surely also help with checking DRS replication and with using certain analysis tools (such as samba-tool drs showrepl):
# Master
samba-tool drs kcc -UAdministrator <fqdn of backup dc>
samba-tool drs showrepl
tail -20 /var/log/samba/log.samba
#Backup
samba-tool drs kcc -UAdministrator <fqdn of master dc>
samba-tool drs showrepl
tail -20 /var/log/samba/log.samba
Since I cannot reproduce this memory behaviour in other current environments, I assume there is a connection with the broken DRS replication.
Kind regards,
Tim Petersen
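A small triage helper for the two checks named in the post above (`samba-tool drs showrepl` and `log.samba`), added here as an example; it is not part of the thread and not Univention or Samba tooling. It assumes the flat line layout of the output posted on this page; the function names and the sample host names, domain and GUID are made up for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the showrepl output posted in this
# thread; host names, domain and GUID are placeholders.
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\DC1
==== INBOUND NEIGHBORS ====
DC=example,DC=test
Default-First-Site-Name\\DC2 via RPC
DSA object GUID: 00000000-0000-0000-0000-000000000002
Last attempt @ Tue Mar 10 18:46:10 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
13171 consecutive failure(s).
Last success @ Sat Jan 17 01:04:40 2015 CET
==== OUTBOUND NEIGHBORS ====
DC=example,DC=test
Default-First-Site-Name\\DC2 via RPC
DSA object GUID: 00000000-0000-0000-0000-000000000002
Last attempt @ Tue Mar 10 18:47:33 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
35 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=example,DC=test
Default-First-Site-Name\\DC2 via RPC
DSA object GUID: 00000000-0000-0000-0000-000000000002
Last attempt @ Tue Mar 10 18:47:34 2015 CET was successful
0 consecutive failure(s).
Last success @ Tue Mar 10 18:47:34 2015 CET
==== KCC CONNECTION OBJECTS ====
Connection --
"""

# Constructed log.samba excerpt (placeholder principal and pid).
SAMPLE_LOG = """\
[2015/03/16 18:54:33.587010, 1, pid=1] ../source4/auth/gensec/gensec_gssapi.c:650(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DC2$@EXAMPLE.TEST(kvno 13) in keytab FILE:/etc/krb5.keytab (arcfour-hmac-md5)
"""

SECTION = re.compile(r"^==== (INBOUND|OUTBOUND) NEIGHBORS ====$")
VIA = re.compile(r"^(.+) via (\w+)$")
ATTEMPT = re.compile(r"^Last attempt @ (.+?) (was successful|failed, result (\d+) \((\w+)\))$")
FAILS = re.compile(r"^(\d+) consecutive failure")
SUCCESS = re.compile(r"^Last success @ (.+)$")
KEYTAB = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab (\S+) \(([^)]+)\)")


def _ts(text):
    """Parse 'Tue Mar 10 18:46:10 2015 CET' (zone dropped); NTTIME(0) = never."""
    if text.startswith("NTTIME("):
        return None
    return datetime.strptime(" ".join(text.split()[:5]), "%a %b %d %H:%M:%S %Y")


def parse_showrepl(text):
    """Return one dict per naming context and replication partner."""
    records, direction, rec = [], None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION.match(line)
        if m:
            direction, rec = m.group(1).lower(), {}
            continue
        if line.startswith("===="):      # e.g. KCC section: stop collecting
            direction = None
            continue
        if direction is None or not line:
            continue
        if (m := VIA.match(line)):
            rec["partner"] = m.group(1)
        elif (m := ATTEMPT.match(line)):
            rec["last_attempt"] = _ts(m.group(1))
            rec["ok"] = m.group(2) == "was successful"
            rec["result"] = m.group(4)   # None when the attempt succeeded
        elif (m := FAILS.match(line)):
            rec["failures"] = int(m.group(1))
        elif (m := SUCCESS.match(line)):  # last line of a neighbour entry
            rec["last_success"] = _ts(m.group(1))
            rec["direction"] = direction
            records.append(rec)
            rec = {}
        elif re.match(r"^(DC|CN)=", line):
            rec = {"nc": line}
    return records


def failing_links(records):
    """(direction, nc, partner, result, failures, days since last success)."""
    out = []
    for r in records:
        if r.get("ok") is not False:
            continue
        since, last = r.get("last_success"), r.get("last_attempt")
        days = (last - since).days if since and last else None  # None: never worked
        out.append((r["direction"], r.get("nc"), r.get("partner"),
                    r.get("result"), r.get("failures"), days))
    return out


def missing_keytab_keys(log_text):
    """Distinct (principal, kvno, keytab, enctype) the acceptor could not find."""
    return {(p, int(k), kt, e) for p, k, kt, e in KEYTAB.findall(log_text)}


if __name__ == "__main__":
    for link in failing_links(parse_showrepl(SAMPLE_SHOWREPL)):
        print(link)
    print(missing_keytab_keys(SAMPLE_LOG))
```

Run it against saved output from both domain controllers: a link that fails in only one direction, together with a missing key version on the partner, narrows the search to that partner's keytab.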
Hm … Unfortunately the problem is not solved …
[code]top - 18:45:18 up 33 days, 6:45, 1 user, load average: 0,88, 0,40, 0,38
Tasks: 164 total, 2 running, 159 sleeping, 0 stopped, 3 zombie
%Cpu(s): 0,3 us, 23,6 sy, 1,0 ni, 74,4 id, 0,7 wa, 0,0 hi, 0,0 si, 0,0 st
KiB Mem: 6127200 total, 5980432 used, 146768 free, 113068 buffers
KiB Swap: 4121804 total, 354848 used, 3766956 free, 354212 cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
21686 root 22 2 3633m 3,1g 11m S 22,3 52,9 611:31.22 samba
23303 root 20 0 1764m 1,2g 14m S 2,7 20,1 69:05.24 univention-virt
21683 root 22 2 538m 74m 12m S 0,0 1,2 86:34.08 samba
27743 root 20 0 402m 64m 12m S 0,3 1,1 0:28.00 univention-mana
15270 root 20 0 485m 53m 13m S 0,0 0,9 1:26.94 python2.7
25799 root 20 0 116m 50m 2760 S 0,0 0,8 0:10.52 /usr/sbin/spamd
25809 root 20 0 116m 49m 1004 S 0,0 0,8 0:00.01 spamd child
25810 root 20 0 116m 49m 1[/code]
Here are the queries:
samba-tool drs kcc -UAdministrator
root@ucsmaster:~# samba-tool drs kcc -UAdministrator 192.168.100.109
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Password for [GILCHING\Administrator]:
Consistency check on 192.168.100.109 successful.
root@ucsmaster:~#
samba-tool drs showrepl:
[code]root@ucsmaster:~# samba-tool drs showrepl
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Default-First-Site-Name\UCSMASTER
DSA Options: 0x00000001
DSA object GUID: 73beff4c-0e5f-47c2-9dac-13399f11d4f7
DSA invocationId: dbe8111e-164e-413d-86f6-96503553afe5
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Mon Mar 16 18:46:48 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
14874 consecutive failure(s).
Last success @ Sat Jan 17 01:04:38 2015 CET
DC=ForestDnsZones,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Mon Mar 16 18:46:49 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
14874 consecutive failure(s).
Last success @ Sat Jan 17 01:04:39 2015 CET
DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Mon Mar 16 18:46:49 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
14912 consecutive failure(s).
Last success @ Sat Jan 17 01:04:40 2015 CET
CN=Schema,CN=Configuration,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Mon Mar 16 18:46:50 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
14874 consecutive failure(s).
Last success @ Sat Jan 17 01:04:43 2015 CET
CN=Configuration,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Mon Mar 16 18:46:50 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
14874 consecutive failure(s).
Last success @ Sat Jan 17 01:04:45 2015 CET
==== OUTBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Mon Mar 16 18:47:42 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
29 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Mon Mar 16 18:47:42 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
29 consecutive failure(s).
Last success @ NTTIME(0)
DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Mon Mar 16 18:47:43 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
29 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Mon Mar 16 18:47:43 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
29 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Mon Mar 16 18:47:43 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
29 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 4ae098b1-dedc-410a-88d3-fed52834879e
Enabled : TRUE
Server DNS name : DCBACKUP.gilching.local
Server DN name : CN=NTDS Settings,CN=DCBACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gilching,DC=local
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
root@ucsmaster:~#
[/code]
tail -20 /var/log/samba/log.samba:
root@ucsmaster:~# tail -20 /var/log/samba/log.samba
[2015/03/16 18:50:12.768437, 0, pid=21686] ../source4/librpc/rpc/dcerpc_util.c:729(dcerpc_pipe_auth_recv)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.100.109[1024,seal,krb5,target_hostname=75601e54-1852-4088-9334-da8c1390d2f6._msdcs.gilching.local,target_principal=GC/DCBACKUP.gilching.local/gilching.local,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.100.110] NT_STATUS_UNSUCCESSFUL
[2015/03/16 18:50:13.170297, 0, pid=21686] ../source4/librpc/rpc/dcerpc_util.c:729(dcerpc_pipe_auth_recv)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.100.109[1024,seal,krb5,target_hostname=75601e54-1852-4088-9334-da8c1390d2f6._msdcs.gilching.local,target_principal=GC/DCBACKUP.gilching.local/gilching.local,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.100.110] NT_STATUS_UNSUCCESSFUL
[2015/03/16 18:50:13.570928, 0, pid=21686] ../source4/librpc/rpc/dcerpc_util.c:729(dcerpc_pipe_auth_recv)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.100.109[1024,seal,krb5,target_hostname=75601e54-1852-4088-9334-da8c1390d2f6._msdcs.gilching.local,target_principal=GC/DCBACKUP.gilching.local/gilching.local,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.100.110] NT_STATUS_UNSUCCESSFUL
[2015/03/16 18:50:13.967664, 0, pid=21686] ../source4/librpc/rpc/dcerpc_util.c:729(dcerpc_pipe_auth_recv)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.100.109[1024,seal,krb5,target_hostname=75601e54-1852-4088-9334-da8c1390d2f6._msdcs.gilching.local,target_principal=GC/DCBACKUP.gilching.local/gilching.local,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.100.110] NT_STATUS_UNSUCCESSFUL
[2015/03/16 18:50:14.373396, 0, pid=21686] ../source4/librpc/rpc/dcerpc_util.c:729(dcerpc_pipe_auth_recv)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.100.109[1024,seal,krb5,target_hostname=75601e54-1852-4088-9334-da8c1390d2f6._msdcs.gilching.local,target_principal=GC/DCBACKUP.gilching.local/gilching.local,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.100.110] NT_STATUS_UNSUCCESSFUL
[2015/03/16 18:50:17.761761, 0, pid=21686] ../source4/librpc/rpc/dcerpc_util.c:729(dcerpc_pipe_auth_recv)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.100.109[1024,seal,krb5,target_hostname=75601e54-1852-4088-9334-da8c1390d2f6._msdcs.gilching.local,target_principal=GC/DCBACKUP.gilching.local/gilching.local,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.100.110] NT_STATUS_UNSUCCESSFUL
[2015/03/16 18:50:18.140489, 0, pid=21686] ../source4/librpc/rpc/dcerpc_util.c:729(dcerpc_pipe_auth_recv)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.100.109[1024,seal,krb5,target_hostname=75601e54-1852-4088-9334-da8c1390d2f6._msdcs.gilching.local,target_principal=GC/DCBACKUP.gilching.local/gilching.local,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.100.110] NT_STATUS_UNSUCCESSFUL
[2015/03/16 18:50:18.566166, 0, pid=21686] ../source4/librpc/rpc/dcerpc_util.c:729(dcerpc_pipe_auth_recv)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.100.109[1024,seal,krb5,target_hostname=75601e54-1852-4088-9334-da8c1390d2f6._msdcs.gilching.local,target_principal=GC/DCBACKUP.gilching.local/gilching.local,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.100.110] NT_STATUS_UNSUCCESSFUL
[2015/03/16 18:50:18.977470, 0, pid=21686] ../source4/librpc/rpc/dcerpc_util.c:729(dcerpc_pipe_auth_recv)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.100.109[1024,seal,krb5,target_hostname=75601e54-1852-4088-9334-da8c1390d2f6._msdcs.gilching.local,target_principal=GC/DCBACKUP.gilching.local/gilching.local,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.100.110] NT_STATUS_UNSUCCESSFUL
[2015/03/16 18:50:19.379619, 0, pid=21686] ../source4/librpc/rpc/dcerpc_util.c:729(dcerpc_pipe_auth_recv)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.100.109[1024,seal,krb5,target_hostname=75601e54-1852-4088-9334-da8c1390d2f6._msdcs.gilching.local,target_principal=GC/DCBACKUP.gilching.local/gilching.local,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.100.110] NT_STATUS_UNSUCCESSFUL
root@ucsmaster:~#
And here are the queries on the DC backup …
samba-tool drs kcc -UAdministrator 192.168.100.110
root@dcbackup:~# samba-tool drs kcc -UAdministrator 192.168.100.110
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Password for [GILCHING\Administrator]:
Consistency check on 192.168.100.110 successful.
root@dcbackup:~#
[code]root@dcbackup:~# samba-tool drs showrepl
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Default-First-Site-Name\DCBACKUP
DSA Options: 0x00000001
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
DSA invocationId: c1719241-e2d3-4e26-a25c-51fc67bbb6f8
==== INBOUND NEIGHBORS ====
DC=gilching,DC=local
Default-First-Site-Name\UCSMASTER via RPC
DSA object GUID: 73beff4c-0e5f-47c2-9dac-13399f11d4f7
Last attempt @ Mon Mar 16 18:50:21 2015 CET was successful
0 consecutive failure(s).
Last success @ Mon Mar 16 18:50:21 2015 CET
DC=DomainDnsZones,DC=gilching,DC=local
Default-First-Site-Name\UCSMASTER via RPC
DSA object GUID: 73beff4c-0e5f-47c2-9dac-13399f11d4f7
Last attempt @ Mon Mar 16 18:50:20 2015 CET was successful
0 consecutive failure(s).
Last success @ Mon Mar 16 18:50:20 2015 CET
CN=Schema,CN=Configuration,DC=gilching,DC=local
Default-First-Site-Name\UCSMASTER via RPC
DSA object GUID: 73beff4c-0e5f-47c2-9dac-13399f11d4f7
Last attempt @ Mon Mar 16 18:50:21 2015 CET was successful
0 consecutive failure(s).
Last success @ Mon Mar 16 18:50:21 2015 CET
CN=Configuration,DC=gilching,DC=local
Default-First-Site-Name\UCSMASTER via RPC
DSA object GUID: 73beff4c-0e5f-47c2-9dac-13399f11d4f7
Last attempt @ Mon Mar 16 18:50:21 2015 CET was successful
0 consecutive failure(s).
Last success @ Mon Mar 16 18:50:21 2015 CET
DC=ForestDnsZones,DC=gilching,DC=local
Default-First-Site-Name\UCSMASTER via RPC
DSA object GUID: 73beff4c-0e5f-47c2-9dac-13399f11d4f7
Last attempt @ Mon Mar 16 18:50:21 2015 CET was successful
0 consecutive failure(s).
Last success @ Mon Mar 16 18:50:21 2015 CET
==== OUTBOUND NEIGHBORS ====
DC=gilching,DC=local
Default-First-Site-Name\UCSMASTER via RPC
DSA object GUID: 73beff4c-0e5f-47c2-9dac-13399f11d4f7
Last attempt @ Mon Mar 16 15:46:50 2015 CET was successful
0 consecutive failure(s).
Last success @ Mon Mar 16 15:46:50 2015 CET
DC=DomainDnsZones,DC=gilching,DC=local
Default-First-Site-Name\UCSMASTER via RPC
DSA object GUID: 73beff4c-0e5f-47c2-9dac-13399f11d4f7
Last attempt @ Wed Mar 11 15:26:02 2015 CET was successful
0 consecutive failure(s).
Last success @ Wed Mar 11 15:26:02 2015 CET
CN=Schema,CN=Configuration,DC=gilching,DC=local
Default-First-Site-Name\UCSMASTER via RPC
DSA object GUID: 73beff4c-0e5f-47c2-9dac-13399f11d4f7
Last attempt @ Wed Mar 11 15:25:58 2015 CET was successful
0 consecutive failure(s).
Last success @ Wed Mar 11 15:25:58 2015 CET
CN=Configuration,DC=gilching,DC=local
Default-First-Site-Name\UCSMASTER via RPC
DSA object GUID: 73beff4c-0e5f-47c2-9dac-13399f11d4f7
Last attempt @ Wed Mar 11 15:25:58 2015 CET was successful
0 consecutive failure(s).
Last success @ Wed Mar 11 15:25:58 2015 CET
DC=ForestDnsZones,DC=gilching,DC=local
Default-First-Site-Name\UCSMASTER via RPC
DSA object GUID: 73beff4c-0e5f-47c2-9dac-13399f11d4f7
Last attempt @ Wed Mar 11 15:26:03 2015 CET was successful
0 consecutive failure(s).
Last success @ Wed Mar 11 15:26:03 2015 CET
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 6049103f-f8e2-445b-8d57-4f2008193897
Enabled : TRUE
Server DNS name : ucsmaster.gilching.local
Server DN name : CN=NTDS Settings,CN=UCSMASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gilching,DC=local
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
root@dcbackup:~# [/code]
tail -20 /var/log/samba/log.samba
root@dcbackup:~# tail -20 /var/log/samba/log.samba
[2015/03/16 18:54:33.587010, 1, pid=22148] ../source4/auth/gensec/gensec_gssapi.c:650(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DCBACKUP$@GILCHING.LOCAL(kvno 13) in keytab FILE:/etc/krb5.keytab (arcfour-hmac-md5)
[2015/03/16 18:54:33.978876, 1, pid=22148] ../source4/auth/gensec/gensec_gssapi.c:650(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DCBACKUP$@GILCHING.LOCAL(kvno 13) in keytab FILE:/etc/krb5.keytab (arcfour-hmac-md5)
[2015/03/16 18:54:34.326064, 1, pid=22148] ../source4/auth/gensec/gensec_gssapi.c:650(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DCBACKUP$@GILCHING.LOCAL(kvno 13) in keytab FILE:/etc/krb5.keytab (arcfour-hmac-md5)
[2015/03/16 18:54:34.693312, 1, pid=22148] ../source4/auth/gensec/gensec_gssapi.c:650(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DCBACKUP$@GILCHING.LOCAL(kvno 13) in keytab FILE:/etc/krb5.keytab (arcfour-hmac-md5)
[2015/03/16 18:54:35.017927, 1, pid=22148] ../source4/auth/gensec/gensec_gssapi.c:650(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DCBACKUP$@GILCHING.LOCAL(kvno 13) in keytab FILE:/etc/krb5.keytab (arcfour-hmac-md5)
[2015/03/16 18:54:38.578039, 1, pid=22148] ../source4/auth/gensec/gensec_gssapi.c:650(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DCBACKUP$@GILCHING.LOCAL(kvno 13) in keytab FILE:/etc/krb5.keytab (arcfour-hmac-md5)
[2015/03/16 18:54:38.905445, 1, pid=22148] ../source4/auth/gensec/gensec_gssapi.c:650(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DCBACKUP$@GILCHING.LOCAL(kvno 13) in keytab FILE:/etc/krb5.keytab (arcfour-hmac-md5)
[2015/03/16 18:54:39.282656, 1, pid=22148] ../source4/auth/gensec/gensec_gssapi.c:650(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DCBACKUP$@GILCHING.LOCAL(kvno 13) in keytab FILE:/etc/krb5.keytab (arcfour-hmac-md5)
[2015/03/16 18:54:39.710153, 1, pid=22148] ../source4/auth/gensec/gensec_gssapi.c:650(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DCBACKUP$@GILCHING.LOCAL(kvno 13) in keytab FILE:/etc/krb5.keytab (arcfour-hmac-md5)
[2015/03/16 18:54:40.104344, 1, pid=22148] ../source4/auth/gensec/gensec_gssapi.c:650(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DCBACKUP$@GILCHING.LOCAL(kvno 13) in keytab FILE:/etc/krb5.keytab (arcfour-hmac-md5)
root@dcbackup:~#
The system feels slower since the update to 4.0. In particular, when the profiles are fetched in the morning, it takes up to half an hour until the workstation runs normally … Kind regards, Hahn
Hello Mr. Hahn,
it looks as if there is a problem with the keytab of the DC backup - in connection with the password rotation, I suspect that the DRS replication will get going again if you configure the master as the Kerberos KDC on the backup:
[code]# On the DC backup
ucr set kerberos/kdc=192.168.100.110
invoke-rc.d samba-ad-dc restart
[/code]
Afterwards, please run on the master:
[code]# On the DC master
invoke-rc.d samba-ad-dc restart
[/code]
After that I would trigger a password rotation on the DC backup:
[code]# On the DC backup
ucr set server/password/interval='-1'
/usr/lib/univention-server/server_password_change
ucr set server/password/interval='21'
[/code]
Best regards,
Tim Petersen
Hello Mr. Petersen,
unfortunately we are not done yet. The problem persists that one Samba process keeps growing. After about 2 days the physical memory is no longer sufficient and the system starts to use swap (and becomes slow).
I also still get the following error:
[code]root@ucsmaster:~# samba-tool drs showrepl
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Default-First-Site-Name\UCSMASTER
DSA Options: 0x00000001
DSA object GUID: 73beff4c-0e5f-47c2-9dac-13399f11d4f7
DSA invocationId: dbe8111e-164e-413d-86f6-96503553afe5
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Thu Mar 26 17:44:18 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
17743 consecutive failure(s).
Last success @ Sat Jan 17 01:04:38 2015 CET
DC=ForestDnsZones,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Thu Mar 26 17:44:19 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
17743 consecutive failure(s).
Last success @ Sat Jan 17 01:04:39 2015 CET
DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Thu Mar 26 17:44:19 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
17781 consecutive failure(s).
Last success @ Sat Jan 17 01:04:40 2015 CET
CN=Schema,CN=Configuration,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Thu Mar 26 17:44:19 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
17743 consecutive failure(s).
Last success @ Sat Jan 17 01:04:43 2015 CET
CN=Configuration,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Thu Mar 26 17:44:19 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
17743 consecutive failure(s).
Last success @ Sat Jan 17 01:04:45 2015 CET
==== OUTBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Thu Mar 26 17:44:58 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
158064 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Thu Mar 26 17:44:58 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
158063 consecutive failure(s).
Last success @ NTTIME(0)
DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Thu Mar 26 17:44:59 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
158061 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Thu Mar 26 17:44:59 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
158060 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=gilching,DC=local
Default-First-Site-Name\DCBACKUP via RPC
DSA object GUID: 75601e54-1852-4088-9334-da8c1390d2f6
Last attempt @ Thu Mar 26 17:44:59 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
158055 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection –
Connection name: 4ae098b1-dedc-410a-88d3-fed52834879e
Enabled : TRUE
Server DNS name : DCBACKUP.gilching.local
Server DN name : CN=NTDS Settings,CN=DCBACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gilching,DC=local
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
root@ucsmaster:~#
[/code]
Do you have any other ideas? Regards, Hahn
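An added example, not part of the original posts: a small Python parser for the `samba-tool drs showrepl` layout shown above that keeps only the partners that are not replicating, per naming context, and reports how old the last good sync is. The sample input is constructed from lines in this thread, and the function and field names are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the showrepl output posted in this thread.
SAMPLE = r"""
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=gilching,DC=local
    Default-First-Site-Name\UCSMASTER via RPC
        Last attempt @ Mon Mar 16 15:46:50 2015 CET was successful
        0 consecutive failure(s).
        Last success @ Mon Mar 16 15:46:50 2015 CET
DC=gilching,DC=local
    Default-First-Site-Name\DCBACKUP via RPC
        Last attempt @ Thu Mar 26 17:44:19 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
        17781 consecutive failure(s).
        Last success @ Sat Jan 17 01:04:40 2015 CET
==== OUTBOUND NEIGHBORS ====
DC=gilching,DC=local
    Default-First-Site-Name\DCBACKUP via RPC
        Last attempt @ Thu Mar 26 17:44:59 2015 CET failed, result 31 (WERR_GENERAL_FAILURE)
        158061 consecutive failure(s).
        Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
"""

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
SECTION = re.compile(r"^==== (.+) ====$")
NC = re.compile(r"^(?:DC|CN)=")
PARTNER = re.compile(r"^[^\\]+\\(\S+) via \S+$")
ATTEMPT = re.compile(r"^Last attempt @ (.+?) (?:was successful|"
                     r"failed, result (\d+) \((\w+)\))$")
FAILS = re.compile(r"^(\d+) consecutive failure\(s\)\.$")
SUCCESS = re.compile(r"^Last success @ (.+)$")


def parse_ts(text):
    """'Thu Mar 26 17:44:19 2015 CET' -> naive datetime; NTTIME(0) -> None."""
    if text.startswith("NTTIME(0)"):
        return None  # this partner has never replicated successfully
    _weekday, mon, day, clock, year = text.split()[:5]
    return datetime(int(year), MONTHS.index(mon) + 1, int(day), *map(int, clock.split(":")))


def parse_showrepl(text):
    """Return one dict per partner listed under INBOUND/OUTBOUND NEIGHBORS."""
    entries, section, nc, cur = [], None, None, None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            section, cur = m.group(1), None
        elif section not in ("INBOUND NEIGHBORS", "OUTBOUND NEIGHBORS"):
            continue  # DSA header and KCC connection objects are not parsed here
        elif NC.match(line):
            nc, cur = line, None  # naming context the following partner replicates
        elif m := PARTNER.match(line):
            cur = dict(direction=section.split()[0].lower(), nc=nc, partner=m.group(1),
                       error=None, failures=0, last_attempt=None, last_success=None)
            entries.append(cur)
        elif cur is None:
            continue  # status line without a partner line before it
        elif m := ATTEMPT.match(line):
            cur["last_attempt"], cur["error"] = parse_ts(m.group(1)), m.group(3)
        elif m := FAILS.match(line):
            cur["failures"] = int(m.group(1))
        elif m := SUCCESS.match(line):
            cur["last_success"] = parse_ts(m.group(1))
    return entries


def failing(entries):
    """Entries that are not replicating, with the age of the last good sync."""
    report = []
    for e in entries:
        if e["error"] is None and e["failures"] == 0:
            continue
        good, tried = e["last_success"], e["last_attempt"]
        # Zone suffix is ignored: both stamps are local time from the same host.
        stale = (tried - good).days if good and tried else None
        report.append({**e, "never_succeeded": good is None, "stale_days": stale})
    return report
```

Feeding it the real command output instead of `SAMPLE` gives a short list that can be checked from a monitoring job on each DC.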
Hello Mr. Hahn,
[quote=“versdirekt”]
Do you have any other ideas? Regards, Hahn[/quote]
I still assume that the DRS situation is the cause of the leaks.
What will in any case improve or restore the DRS replication is a re-join of the DC backup.
Best regards,
Tim Petersen
Hello Mr. Petersen,
that seems to be where the real problem lies …
The re-join does not complete. The Samba join gets stuck. The error message, however, is rather cryptic:
[code]RUNNING 97univention-s4-connector.inst
2015-03-30 17:35:00.315850812+02:00 (in joinscript_init)
Not updating connector/s4/ldap/host
Not updating connector/s4/ldap/base
Not updating connector/s4/ldap/ssl
Not updating connector/s4/mapping/group/language
Not updating connector/s4/ldap/protocol
Not updating connector/s4/ldap/socket
Object exists: cn=gPLink,cn=custom attributes,cn=univention,dc=gilching,dc=local
Object exists: cn=Builtin,dc=gilching,dc=local
Object exists: cn=System,dc=gilching,dc=local
Object exists: cn=Policies,cn=System,dc=gilching,dc=local
Object exists: ou=Domain Controllers,dc=gilching,dc=local
Object exists: cn=WMIPolicy,cn=System,dc=gilching,dc=local
Object exists: cn=SOM,cn=WMIPolicy,cn=System,dc=gilching,dc=local
Object exists: cn=ldapschema,cn=univention,dc=gilching,dc=local
INFO: No change of core data of object mswmi.
Object exists: cn=udm_module,cn=univention,dc=gilching,dc=local
INFO: No change of core data of object container/msgpo.
Object modified: cn=msgpo,cn=ldapschema,cn=univention,dc=gilching,dc=local
Object modified: cn=mswmi,cn=ldapschema,cn=univention,dc=gilching,dc=local
Object modified: cn=container/msgpo,cn=udm_module,cn=univention,dc=gilching,dc=local
Waiting for activation of the extension object msgpo:…OK
Waiting for activation of the extension object mswmi: OK
Waiting for activation of the extension object container/msgpo: OK
Waiting for file /usr/share/pyshared/univention/admin/handlers/container/msgpo.py: OK
Terminating running univention-cli-server processes.
Object exists: cn=udm_module,cn=univention,dc=gilching,dc=local
INFO: No change of core data of object settings/mswmifilter.
Object modified: cn=settings/mswmifilter,cn=udm_module,cn=univention,dc=gilching,dc=local
Waiting for activation of the extension object settings/mswmifilter: OK
Waiting for file /usr/share/pyshared/univention/admin/handlers/settings/mswmifilter.py: OK
Terminating running univention-cli-server processes.
Stopping univention-s4-connector daemon.
done.
Not updating connector/s4/autostart
Create connector/s4/listener/disabled
Restarting univention-directory-listener daemon.
ok: run: univention-directory-listener: (pid 5224) 0s, normally down
done.
2015-03-30 17:35:49.604587397+02:00 (in joinscript_save_current_version)
EXITCODE=0
RUNNING 98univention-pkgdb-tools.inst
2015-03-30 17:35:49.621761593+02:00 (in joinscript_init)
Cannot find service-record of _pkgdb._tcp.
No DB-Server-Name found.
2015-03-30 17:35:49.732835127+02:00 (in joinscript_save_current_version)
EXITCODE=0
RUNNING 98univention-samba4-dns.inst
2015-03-30 17:35:49.751184335+02:00 (in joinscript_init)
Samba4 backend database not available yet, exiting joinscript 98univention-samba4-dns.
EXITCODE=1
Mo 30. Mär 17:35:50 CEST 2015
univention-run-join-scripts finished
univention-run-join-scripts started
Mo 30. Mär 17:40:00 CEST 2015
RUNNING 96univention-samba4.inst
2015-03-30 17:40:00.230344292+02:00 (in joinscript_init)
Not updating samba4/role
Multifile: /etc/samba/smb.conf
Object exists: cn=Builtin,dc=gilching,dc=local
WARNING: cannot append cn=dcbackup,cn=dc,cn=computers,dc=gilching,dc=local to hosts, value exists
No modification: cn=Enterprise Domain Controllers,cn=groups,dc=gilching,dc=local
Object exists: (group) : Service
ldap_modify: No such object (32)
matched DN: cn=Builtin,dc=gilching,dc=local
modifying entry “cn=Service,cn=Builtin,dc=gilching,dc=local”
Stopping Samba AD DC daemon: samba.
Samba is configured as AD DC, service smbd is controlled by the main samba daemon.
Stopping NetBIOS name server: nmbd.
Setting kerberos/kdc
Setting kerberos/kpasswdserver
File: /etc/krb5.conf
Setting slapd/port
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Setting slapd/port/ldaps
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd …done.
Check database: …done.
Starting ldap server(s): slapd …done.
Not updating windows/wins-support
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Forest : gilching.local
Domain : gilching.local
Netbios domain : GILCHING
DC name : ucsmaster.gilching.local
DC netbios name : UCSMASTER
Server site : Default-First-Site-Name
Client site : Default-First-Site-Name
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Finding a writeable DC for domain ‘gilching.local’
Found DC ucsmaster.gilching.local
workgroup is GILCHING
realm is gilching.local
ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <Entry CN=DCBACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gilching,DC=local already exists> <>
File “/usr/lib/python2.7/dist-packages/samba/netcmd/init.py”, line 175, in _run
return self.run(*args, **kwargs)
File “/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py”, line 620, in run
keep_existing=keep_existing)
File “/usr/lib/python2.7/dist-packages/samba/join.py”, line 1190, in join_DC
ctx.do_join()
File “/usr/lib/python2.7/dist-packages/samba/join.py”, line 1093, in do_join
ctx.join_add_objects()
File “/usr/lib/python2.7/dist-packages/samba/join.py”, line 562, in join_add_objects
ctx.samdb.add(rec)
checking sAMAccountName
Adding CN=DCBACKUP,OU=Domain Controllers,DC=gilching,DC=local
Adding CN=DCBACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gilching,DC=local
Join failed - cleaning up
checking sAMAccountName
removing samaccount: CN=DCBACKUP,OU=Domain Controllers,DC=gilching,DC=local
Deleted CN=DCBACKUP,OU=Domain Controllers,DC=gilching,DC=local
Failed to join the domain gilching.local.
EXITCODE=1
RUNNING 98univention-samba4-dns.inst
2015-03-30 17:40:10.605031309+02:00 (in joinscript_init)
Samba4 backend database not available yet, exiting joinscript 98univention-samba4-dns.
EXITCODE=1
Mo 30. Mär 17:40:10 CEST 2015
univention-run-join-scripts finished
root@dcbackup:~# [/code]
Hello Mr. Hahn,
unfortunately that is somewhat opaque - did you actually perform a re-join here (and not just run individual join scripts)?
You perform a re-join like this:
[code]univention-join
[/code]
Afterwards, please attach the complete join.log.
Hello Mr. Petersen,
yesterday I started the re-join via the UMC / domain. Messages appeared saying that the join had failed at two points. After that I started the individual join scripts again (without success).
Today I started the join again on the console:
[code]root@dcbackup:~# univention-join
univention-join: joins a computer to an ucs domain
copyright © 2001-2015 Univention GmbH, Germany
Enter DC Master Account : administrator
Enter DC Master Password:
Search DC Master: done
Check DC Master: done
Stop LDAP Server: done
Stop Samba 4 Server: done
Search ldap/base done
Start LDAP Server: done
Search LDAP binddn done
Sync time: done
Join Computer Account: done
Stopping univention-directory-notifier daemon: done
Stopping univention-directory-listener daemon: … done
Sync ldap.secret: done
Sync ldap-backup.secret: done
Sync SSL directory: done
Check TLS connection: done
Download host certificate: done
Sync SSL settings: done
Restart LDAP Server: done
Sync Kerberos settings: done
Not updating kerberos/adminserver
Configure 01univention-ldap-server-init.inst done
Configure 02univention-directory-notifier.inst done
Configure 03univention-directory-listener.inst done
Configure 04univention-ldap-client.inst done
Configure 05univention-bind.inst done
Configure 08univention-apache.inst done
Configure 10univention-ldap-server.inst done
Configure 11univention-heimdal-init.inst done
Configure 11univention-pam.inst done
Configure 15univention-directory-notifier-post.inst done
Configure 15univention-heimdal-kdc.inst done
Configure 18python-univention-directory-manager.inst done
Configure 20univention-directory-policy.inst done
Configure 20univention-join.inst done
Configure 26univention-nagios-common.inst done
Configure 30univention-nagios-client.inst done
Configure 34univention-management-console-server.inst done
Configure 34univention-management-console-web-server.inst done
Configure 35univention-management-console-module-appcenter.done
Configure 35univention-management-console-module-diagnosticdonet
Configure 35univention-management-console-module-ipchange.idone
Configure 35univention-management-console-module-join.inst done
Configure 35univention-management-console-module-lib.inst done
Configure 35univention-management-console-module-mrtg.inst done
Configure 35univention-management-console-module-passwordchdone.inst
Configure 35univention-management-console-module-quota.instdone
Configure 35univention-management-console-module-reboot.insdone
Configure 35univention-management-console-module-services.idone
Configure 35univention-management-console-module-setup.instdone
Configure 35univention-management-console-module-sysinfo.indone
Configure 35univention-management-console-module-top.inst done
Configure 35univention-management-console-module-ucr.inst done
Configure 35univention-management-console-module-udm.inst done
Configure 35univention-management-console-module-updater.indone
Configure 36univention-management-console-module-apps.inst done
Configure 40univention-virtual-machine-manager-schema.inst done
Configure 67univention-mail-server.inst done
Configure 81univention-mail-cyrus.inst done
Configure 81univention-nfs-server.inst done
Configure 90univention-bind-post.inst done
Configure 92univention-fetchmail-schema.inst done
Configure 92univention-fetchmail.inst done
Configure 96univention-samba4.inst failed
root@dcbackup:~#
[/code]
The log file should be attached …
By the way: the original problem seems to be solved. The Samba process has not grown any more today.
Kind regards, Hahn
join.log (321 KB)
Hello Mr. Hahn,
very good, so my assumption was right after all.
I would now proceed as follows:
[code]# On the master
/usr/share/univention-samba4/scripts/purge_s4_computer.py --computername=DCBACKUP
samba-tool dbcheck --cross-ncs --fix
# On the backup
univention-join
[/code]
This cleans up any leftovers on the master, if present, and starts the join process again.
Best regards,
Tim Petersen
Hello Mr. Petersen,
the hostname is not found:
[code]root@ucsmaster:~# /usr/share/univention-samba4/scripts/purge_s4_computer.py --computername=DCBACKUP
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Samba 4 computer account 'DCBACKUP' not found.
root@ucsmaster:~#
[/code]
I also tried it with “dcbackup” … The dbcheck then found no errors:
[code]root@ucsmaster:~# samba-tool dbcheck --cross-ncs --fix
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Checking 3640 objects
Checked 3640 objects (0 errors)
[/code]
and the join bailed out at Samba again:
[code]Configure 67univention-mail-server.inst done
Configure 81univention-mail-cyrus.inst done
Configure 81univention-nfs-server.inst done
Configure 90univention-bind-post.inst done
Configure 92univention-fetchmail-schema.inst done
Configure 92univention-fetchmail.inst done
Configure 96univention-samba4.inst failed
root@dcbackup:~# hostname
dcbackup
root@dcbackup:~#
[/code]
…
Is the entry still found on the master or backup:
[code]univention-s4search CN=DCBACKUP
univention-ldapsearch cn=dcbackup
[/code]
If so, please delete the entries and try the join again. There is more information here: sdb.univention.de/1235
Yes, the entries are found:
[code]root@ucsmaster:~# univention-s4search CN=DCBACKUP
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
ref: ldap://gilching.local/CN=Configuration,DC=gilching,DC=local
ref: ldap://gilching.local/DC=DomainDnsZones,DC=gilching,DC=local
ref: ldap://gilching.local/DC=ForestDnsZones,DC=gilching,DC=local
[/code]
[code]root@ucsmaster:~#
root@ucsmaster:~# univention-ldapsearch cn=dcbackup
dn: cn=dcbackup,cn=dc,cn=computers,dc=gilching,dc=local
cn: dcbackup
krb5PrincipalName: host/dcbackup.gilching.local@GILCHING.LOCAL
objectClass: top
objectClass: person
objectClass: univentionHost
objectClass: univentionDomainController
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: univentionVirtualMachineHostOC
objectClass: univentionObject
objectClass: univentionNagiosHostClass
sambaAcctFlags: [S ]
sambaPrimaryGroupSID: S-1-5-21-3567068594-2640580168-1605038393-1110
krb5MaxLife: 86400
uid: dcbackup$
univentionService: LDAP
univentionService: SMTP
univentionService: IMAP
univentionService: NFS
univentionService: DNS
univentionService: Samba 4
univentionService: Fetchmail
krb5MaxRenew: 604800
univentionNagiosEnabled: 1
uidNumber: 2086
univentionOperatingSystem: Univention Corporate Server
aRecord: 192.168.100.109
loginShell: /bin/sh
univentionObjectType: computers/domaincontroller_backup
krb5KDCFlags: 126
univentionServerRole: backup
displayName: dcbackup
associatedDomain: gilching.local
gidNumber: 5005
sn: dcbackup
homeDirectory: /dev/null
univentionOperatingSystemVersion: 3.1
macAddress: 52:54:00:33:82:a6
shadowLastChange: 16520
shadowMax: 50000
krb5PasswordEnd: 21520216000000Z
sambaPwdLastSet: 1427388155
krb5Key:: ######### deleted
krb5Key:: ######### deleted
krb5Key:: ######### deleted
krb5Key:: ######### deleted
krb5Key:: ######### deleted
krb5Key:: ######### deleted
krb5Key:: ######### deleted
krb5KeyVersionNumber: 21
userPassword:: ######### deleted
sambaNTPassword: ######### deleted
sambaLMPassword: ######### deleted
sambaSID: S-1-5-21-3567068594-2640580168-1605038393-3612
search: 3
result: 0 Success
root@ucsmaster:~#
[/code]
Unfortunately, the article “http://sdb.univention.de/1235” does not say how to delete entries from LDAP either. A Google search gave inconclusive results. So the question: how do I delete LDAP database entries without breaking anything? Can I simply delete the computer in the UMC under “Devices” / “Computers”?
Hello,
deleting should be possible via the Univention Directory Management Console (web or command line). If not, see further below.
The command line for this looks roughly like this (if you run udm on a machine other than the DC master, login credentials have to be added):
[code]udm computers/domaincontroller_backup remove --dn "<DN of the computer>"
[/code]
The DN of the computer is the one that was output by your search univention-ldapsearch cn=DCBACKUP.
Note that although you can use the UDM module computers/computer to list all computers, for deletion the module matching the computer type must be used. Since this is a DC backup, the corresponding module is computers/domaincontroller_backup.
If that does not work either, you can, if need be, delete directly in LDAP. For this there is the command ldapdelete, which however has to be given some parameters in order to log in to LDAP with the right privileges - and above all to the right server, namely OpenLDAP and not the Samba 4 LDAP. Fortunately, all this data is available in the shell if you have it output with ucr shell.
The procedure then looks roughly like this (here too, it makes sense to run it on the DC master, otherwise the authentication parameters -D and -y would have to be set differently):
[code]# ldap/hostdn is included so that $ldap_hostdn is set for the -D bind DN below
eval "$(ucr shell ldap/master ldap/master/port ldap/base ldap/hostdn)"
ldapdelete -ZZ -h "$ldap_master" -p "$ldap_master_port" -D "$ldap_hostdn" -y /etc/machine.secret "<DN of the computer>"
[/code]
Regards,
Moritz
Hello Mr. Bunkus,
many thanks for the support … problem solved!
Now we wait and see whether our Samba memory leak has been plugged as well.
Regards, Volker Hahn / Versdirekt GmbH
Hello to everyone who supported us here … The problem with the Samba memory leak has disappeared as well. Many thanks, regards, VERSDIREKT GmbH / Hahn