[Samba] AD DC out of sync

Dr. Lars Hanke lars at lhanke.de
Fri Mar 13 05:00:47 MDT 2015 

Unsure, whether this is another symptom of the same disease:

While configuring a member CUPS print server and checking the syslog for 
an entirely different reason I was surprised to see the following log 
entries (and many more similar):

Mar 13 11:36:10 snorri nslcd[11752]: [4a481a] <passwd="mgr"> 
ldap_result() failed: Can't contact LDAP server
Mar 13 11:36:10 snorri nslcd[11752]: [4a481a] <passwd="mgr"> 
ldap_abandon() failed to abandon search: Can't contact LDAP server: 
Transport endpoint is not connected
Mar 13 11:36:10 snorri nslcd[11752]: [9abb43] <passwd=1001> 
ldap_result() failed: Can't contact LDAP server
Mar 13 11:36:10 snorri nslcd[11752]: [9abb43] <passwd=1001> 
ldap_abandon() failed to abandon search: Can't contact LDAP server: 
Transport endpoint is not connected

Okay doing:

ldapsearch -LLL -D "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" 
-H ldap://ad.microsult.de -x -W '(uid=mgr)' uid uidNumber gidNumber 
sAMAccountName name gecos

works nicely. I can also specify each DC separately as LDAP URI. Login 
to the machine, id, getent everything works, but sometimes produces the 
said log entries, and take a considerable time then. =nscd= is stopped 
on the machine.

Currently everything is running smoothly. In the time where I see the 
most entries I also had several brief pauses in my music - served via 
Kerberized NFS4 with AD serving NSS and Kerberos.

Some time before that, I applied today's Debian security updates to both 
DC and changed /etc/resolv.conf for the primary DC to not point to 
itself anymore.

However, second's silences are not uncommon in my setup. When they 
become more frequent, this is usually a dire indication that something 
is about to break. And it generally does not coincide with any work on 
the DC.

>>> Any idea, what I should do next time to obtain valuable output for
>>> debugging?

Which is still the challenging question! ;)

>>
>> * What Samba version are you running?
>
> The DCs are 4.1.17-Debian.
>
>> * How many DCs?
>
> Just two.

Regards,
  - lars.

More information about the samba mailing list