[Samba] Samba suddenly restart and replication does not works anymore
Prunk Dump
prunkdump at gmail.com
Sun Apr 3 08:18:32 UTC 2016
2016-04-01 23:36 GMT+02:00 Rowland penny <rpenny at samba.org>:
> On 30/03/16 13:35, Prunk Dump wrote:
>>
>> Hello Samba team !
>>
>> On my network I have three Samba-4.1.17 domain controllers (Debian Jessie)
>> :
>> -> One PDC : pdc01
>> -> Two "slave" DC : sdc02, sdc03
>>
>> I don't know why, but sometimes Samba receives the SIGTERM signal and
>> restarts even if I remove it from the logrotate configuration. On
>> "pdc01" I see :
>>
>> ----------
>> pdc01 (log.samba)
>> ----------
>> SIGTERM: killing children
>> Exiting pid ... on SIGTERM
>> ...
>> samba version 4.1.17-Debian started.
>> ../lib/util/become_daemon.c:136(daemon_ready)
>> ----------
>>
>> After that, the replication stops working. And on the two other DCs I
>> can see error messages like below. But nothing in the PDC's logs !
>>
>> ----------
>> sdc02 or sdc03 (log.samba)
>> ----------
>> ../auth/gensec/gensec.c:247(gensec_update)
>> Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
>> ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
>> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
>>
>> e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:b339b873-f01c-4672-8984-61e1e48422ea._msdcs.mydom.fr[1024,seal,krb5]
>> NT_STATUS_ACCESS_DENIED
>> ...
>> ...
>> -----
>>
>> When I manually restart the two slave DCs the error messages stop. But
>> the PDC complains that it can't connect to the slave DC (due to the
>> samba restart) and after, the replication fails on the PDC :
>>
>> ----------
>> pdc01
>> ----------
>> (the slave DC restart ... on the PDC I see ...)
>> ../source4/dsdb/repl/drepl_out_helpers.c:862(dreplsrv_update_refs_done)
>> UpdateRefs failed with NT_STATUS_END_OF_FILE
>>
>> (the slave is restarting, so the PDC cannot make the connection)
>> ../source4/librpc/rpc/dcerpc_sock.c:262(continue_socket_connect)
>> Failed to connect host 172.16.0.21 on port 1024 -
>> NT_STATUS_CONNECTION_REFUSED
>> ../source4/librpc/rpc/dcerpc_sock.c:425(continue_ip_open_socket)
>> Failed to connect host 172.16.0.21
>> (04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.mydom.fr) on port 1024 -
>> NT_STATUS_CONNECTION_REFUSED.
>> ../source4/librpc/rpc/dcerpc_sock.c:262(continue_socket_connect)
>> Failed to connect host 172.16.0.21 on port 1024 -
>> NT_STATUS_CONNECTION_REFUSED
>> ../source4/librpc/rpc/dcerpc_sock.c:425(continue_ip_open_socket)
>> Failed to connect host 172.16.0.21
>> (04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.mydom.fr) on port 1024 -
>> NT_STATUS_CONNECTION_REFUSED.
>>
>> (the slave DC is restarted, but the replication does not work )
>> ../auth/gensec/gensec.c:247(gensec_update)
>> Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
>> ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
>> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
>>
>> e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.mydom.fr[1024,seal,krb5]
>> NT_STATUS_ACCESS_DENIED
>> ...
>> ...
>> (same messages when I restart the other slave DC )
>> ----------
>>
>> So I need to restart the PDC to solve the problem. This is very annoying
>> because I need to check every day, on the three DCs, if the
>> replication works !
>>
>> Does someone understand what happened ? What makes samba restart ?
>> And why does the replication stop working ?
>>
>> Thanks !
>>
>> Baptiste.
>>
>
> First let's get this straight, you do not have a PDC and two slave DCs, you
> have 3 DCs, apart from the FSMO roles, all DCs are equal and you can share
> the FSMO roles between your 3 DCs.
>
> Having said that, you need to find out what is restarting your first DC, can
> you post your smb.conf files (or just one, if they are all the same.)
>
> Can you also raise the loglevel on the first DC to 10 and then see if there
> is an obvious reason for the restart.
>
> Rowland
>

Thanks for your help !

I will raise the log level of the DCs to 10. But as the problem
appears only once a month, and as logrotate is disabled, I hope
that the logs will not be too big. Do you understand what can cause
this series of events ?

1) pdc01 restarts -> sdc02 and sdc03 say "Did not manage to negotiate
mandatory feature SIGN"
2) I restart sdc02 and sdc03 manually -> pdc01 says "Did not manage to
negotiate mandatory feature SIGN"
3) I restart pdc01 again and everything works fine

This is like a machine password desynchronization, no ? When logrotate
was enabled on the samba log files the problem appeared much more often. So
it seems related to the samba restart, manual or not.

I have checked the DCs' clocks. No problem.

Here are my smb.conf files.

###########
For pdc01
###########

[global]
    netbios aliases = sambaaccount sambaaccount.fichnet.fr
    load printers = yes
    workgroup = FICHNET
    realm = FICHNET.FR
    netbios name = FICHDC
    interfaces = lo, eth0
    bind interfaces only = Yes
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /var/lib/samba/sysvol/fichnet.fr/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[profiles_local]
    path = /fichsamba/smbprofile
    read only = No
    browseable = No

[profiles]
    path = /srv/dfs/profiles
    read only = No
    msdfs root = yes

[homes_local]
    path = /fichsamba/smbhome
    read only = No
    browseable = No

[homes]
    path = /srv/dfs/homes
    read only = No
    msdfs root = yes

[printers]
    path = /var/spool/samba
    printable = yes
    printing = CUPS

[print$]
    path = /srv/samba/Printer_drivers
    comment = Printer Drivers
    writeable = yes

#############
For sdc02 and sdc03 (in reality fichds01 and fichds02)
#############

[global]
    workgroup = FICHNET
    realm = net.fichnet.fr
    netbios name = FICHDS01
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /var/lib/samba/sysvol/fichnet.fr/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[profiles_local]
    path = /fichsamba/smbprofile
    read only = No
    browseable = No

[homes_local]
    path = /fichsamba/smbhome
    read only = No
    browseable = No

Thanks again !
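
An added example, not part of the original post and not Samba's own tooling: a log.samba check for the daily verification described in this thread. It counts, since the DC's last start, the replication binds refused with NT_STATUS_ACCESS_DENIED separately from plain connection refusals. The function name, the output keys and the sample log sequence are assumptions made for the illustration.

```python
import re
from collections import Counter

DRSUAPI_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"  # directory replication RPC interface

START_RE = re.compile(r"samba version \S+ started")
# Mail archives show "uuid at ncacn_ip_tcp:"; the raw log has "uuid@ncacn_ip_tcp:".
BIND_RE = re.compile(
    r"Failed to bind to uuid\s+(?P<uuid>[0-9a-f-]{36})\s+for\s+\S+?(?:@| at )"
    r"ncacn_ip_tcp:(?P<peer>[0-9a-f-]{36})\._msdcs\.\S+\s+(?P<status>NT_STATUS_\w+)")
REFUSED_RE = re.compile(
    r"Failed to connect host (?P<host>\S+) on port \d+ -\s+NT_STATUS_CONNECTION_REFUSED")

def replication_health(log_text):
    """Summarise replication errors logged since the last samba start."""
    starts = list(START_RE.finditer(log_text))
    tail = log_text[starts[-1].end():] if starts else log_text
    denied = Counter(
        m["peer"] for m in BIND_RE.finditer(tail)
        if m["uuid"] == DRSUAPI_UUID and m["status"] == "NT_STATUS_ACCESS_DENIED")
    refused = Counter(m["host"] for m in REFUSED_RE.finditer(tail))
    return {
        "sigterms": log_text.count("SIGTERM: killing children"),
        "starts": len(starts),
        "sign_failures": tail.count("mandetory feature SIGN"),  # spelled as logged
        "denied_binds": dict(denied),   # peer DC GUID -> count; authentication problem
        "refused": dict(refused),       # host -> count; peer simply not listening
    }

PEER_A = "04c6b4b0-4584-4368-831e-42aa7ac08c04"
PEER_B = "b339b873-f01c-4672-8984-61e1e48422ea"
_BIND = ("Failed to bind to uuid {u} for {u}@ncacn_ip_tcp:{p}._msdcs.mydom.fr"
         "[1024,seal,krb5] NT_STATUS_ACCESS_DENIED\n")
_SIGN = "Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6\n"
# Constructed log: messages and GUIDs are from the thread, the sequence is made up.
SAMPLE_LOG = (
    _SIGN + _BIND.format(u=DRSUAPI_UUID, p=PEER_B)      # stale: before the restart
    + "SIGTERM: killing children\n"
    + "samba version 4.1.17-Debian started.\n"
    + "Failed to connect host 172.16.0.21 on port 1024 - NT_STATUS_CONNECTION_REFUSED\n"
    + (_SIGN + _BIND.format(u=DRSUAPI_UUID, p=PEER_A)) * 2
)

if __name__ == "__main__":
    for key, value in replication_health(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A non-empty `denied_binds` after the most recent start is the state described in steps 1 and 2 above; entries only in `refused` mean the peer was not listening at the time.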