Hello,
Following an update of our UCS server, request on the LDAP and LDAPS (both 389,636, 7389, 7636) no longer give result. Now, all I get is a timeout on the client side.
Any idea on how to assess the real problem?
Thx
Thomas
Hey,
first, determine if the LDAP servers are currently running and listening on those ports (and if they are, which addresses they’re listening on):
lsof -PniTCP:389,636,7389,7636 -sTCP:LISTEN
Next, check if firewall rules prevent the connection:
# This checks if the firewall is active; a policy of "drop" means that it is:
iptables -L INPUT -nv | grep policy
# This checks if the firewall allows traffic to the four LDAP ports:
iptables -L INPUT -nv | grep -E 'dpt:(389|636|7389|7636)$'
For example, here’s how an active firewall allowing all four ports looks like:
[0 root@master ~] iptables -L INPUT -nv | grep policy
Chain INPUT (policy DROP 0 packets, 0 bytes)
[0 root@master ~] iptables -L INPUT -nv | grep -E 'dpt:(389|636|7389|7636)$'
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7636
2398 144K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7389
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:389
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:636
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:389
m.
Hello Moritz,
It seems that the issue is coming from samba related services dying unexpectedly.
I will investigate this, but right now, a service samba restart does the job.
Tom
Hello,
Today, the LDAP server has gone again in “timeout”, and a service samba did not restore the functionnality.
The IPTABLES policies are similar to yours, except that I have 2 network interfaces, and it shows more lines. However, I see ACCEPT for all LDAP related ports on all network interfaces.
Any Idea on how I can troubleshoot this?
Thx again,
Tom
Hi again,
Following these previous discussions, I have been testing many options (expand RAM, reboot, upgrade…) with no success. The LDAP (636) server is still randomly timeouting requests about 1/2 of the overall time.
The only logging info I have that may be linked to this issue is in the /var/log/samba/log.smbd:
[2018/08/27 16:10:15.224285, 0, pid=18599] ../lib/util/become_daemon.c:124(daemon_ready)
STATUS=daemon 'smbd' finished starting up and ready to serve connections
[2018/08/27 16:10:15.234320, 1, pid=18599] ../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
Failed to fetch record!
[2018/08/27 16:15:12.641856, 1, pid=2150] ../source3/profile/profile_dummy.c:30(set_profile_level)
INFO: Profiling support unavailable in this build.
[2018/08/27 16:15:14.105776, 0, pid=2150] ../lib/util/become_daemon.c:124(daemon_ready)
STATUS=daemon 'smbd' finished starting up and ready to serve connections
[2018/08/27 16:15:14.149483, 1, pid=2150] ../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
Failed to fetch record!
[2018/08/27 16:15:14.271837, 1, pid=2216] ../source3/smbd/process.c:554(receive_smb_talloc)
receive_smb_raw_talloc failed for client ipv4:10.124.5.21:62425 read error = NT_STATUS_CONNECTION_RESET.
[2018/08/27 16:15:19.093057, 1, pid=2597] ../source3/smbd/process.c:554(receive_smb_talloc)
receive_smb_raw_talloc failed for client ipv4:10.124.5.30:60839 read error = NT_STATUS_CONNECTION_RESET.
[2018/08/27 16:16:43.300622, 1, pid=3307] ../source3/smbd/process.c:554(receive_smb_talloc)
receive_smb_raw_talloc failed for client ipv4:10.124.0.29:61711 read error = NT_STATUS_CONNECTION_RESET.
[2018/08/27 16:19:19.315554, 1, pid=2228] ../source3/smbd/smb2_server.c:3861(smbd_smb2_io_handler)
ignore NBT[0x85] msg
This doesn’t help me much, be if any of you have any idea about ho I can solve this…
BR
Tom