[Samba] samba-tool hangs on one dc

Thomas Schachtner Thomas.schachtner at eltheim.de
Wed Nov 22 07:42:27 UTC 2023


> On Tue, 2023-11-21 at 23:50 +0100, Thomas Schachtner via samba wrote:
>>> On Tue, 2023-11-21 at 10:33 -0500, James Atwell via samba wrote:
>>>>> -----Original Message-----
>>>>> From: samba<samba-bounces at lists.samba.org>   On Behalf Of Thomas
>>>>> Schachtner via samba
>>>>> Sent: Tuesday, November 21, 2023 9:16 AM
>>>>> To:samba at lists.samba.org
>>>>> Subject: [Samba] samba-tool hangs on one dc
>>>>>
>>>>> Hello,
>>>>>
>>>>> since some time (I don't remember since when) I have a strange
>>>>> phenomenon
>>>>> with one of my two samba4 DCs.
>>>>> Both dc1 and dc2 seem to run pretty fine and when working with
>>>>> Windows, I
>>>>> do not see any issues.
>>>>>
>>>>> But when issuing the following command on dc1, the command does
>>>>> not
>>>>> return but seems to be stuck.
>>>>>
>>>>> samba-tool drs showrepl
>>>>>
>>>>> When issuing the same command on dc2, it takes a second or so
>>>>> and
>>>>> the result
>>>>> is printed on the screen.
>>>>> The same with other commands like "samba-tool dns add"
>>>>>
>>>>> I already checked the samba log files, but I did not find any
>>>>> log
>>>>> entry.
>>>>>
>>>>> I know that it is difficult to provide a solution for a problem
>>>>> that is described so
>>>>> poorly, but I don't know how to further debug it.
>>>>> Any hints on how to move forward here and/or how to get more
>>>>> information?
>>>>>
>>>>> The output of samba-tool drs showrepl on dc2 does not show
>>>>> issues,
>>>>> regardless of which dc is replicated to which one (i.e. dc1 to
>>>>> dc2
>>>>> or vice-versa).
>>>>> When executing repadmin /replsummary on a Windows client, also
>>>>> no
>>>>> errors
>>>>> are shown.
>>>>>
>>>>> Here's the output:
>>>>>
>>>>> root at dc2:/var/lib/samba# samba-tool drs showrepl
>>>>> Default-First-Site-Name\DC2
>>>>> DSA Options: 0x00000001
>>>>> DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-00a0db86e6a8
>>>>> DSA invocationId: 0e649cb7-efc8-47ad-a841-4453973dbcec
>>>>>
>>>>> ==== INBOUND NEIGHBORS ====
>>>>>
>>>>> DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC1 via RPC
>>>>>                    DSA object GUID: 4872003f-2bd7-4393-9eed-
>>>>> 1ceaeecf92eb
>>>>>                    Last attempt @ Tue Nov 21 12:26:25 2023 CET
>>>>> was
>>>>> successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ Tue Nov 21 12:26:25 2023 CET
>>>>>
>>>>> CN=Schema,CN=Configuration,DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC1 via RPC
>>>>>                    DSA object GUID: 4872003f-2bd7-4393-9eed-
>>>>> 1ceaeecf92eb
>>>>>                    Last attempt @ Tue Nov 21 12:26:25 2023 CET
>>>>> was
>>>>> successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ Tue Nov 21 12:26:25 2023 CET
>>>>>
>>>>> CN=Configuration,DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC1 via RPC
>>>>>                    DSA object GUID: 4872003f-2bd7-4393-9eed-
>>>>> 1ceaeecf92eb
>>>>>                    Last attempt @ Tue Nov 21 12:26:25 2023 CET
>>>>> was
>>>>> successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ Tue Nov 21 12:26:25 2023 CET
>>>>>
>>>>> DC=DomainDnsZones,DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC1 via RPC
>>>>>                    DSA object GUID: 4872003f-2bd7-4393-9eed-
>>>>> 1ceaeecf92eb
>>>>>                    Last attempt @ Tue Nov 21 12:26:25 2023 CET
>>>>> was
>>>>> successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ Tue Nov 21 12:26:25 2023 CET
>>>>>
>>>>> DC=ForestDnsZones,DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC1 via RPC
>>>>>                    DSA object GUID: 4872003f-2bd7-4393-9eed-
>>>>> 1ceaeecf92eb
>>>>>                    Last attempt @ Tue Nov 21 12:26:25 2023 CET
>>>>> was
>>>>> successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ Tue Nov 21 12:26:25 2023 CET
>>>>>
>>>>> ==== OUTBOUND NEIGHBORS ====
>>>>>
>>>>> DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC1 via RPC
>>>>>                    DSA object GUID: 4872003f-2bd7-4393-9eed-
>>>>> 1ceaeecf92eb
>>>>>                    Last attempt @ NTTIME(0) was successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ NTTIME(0)
>>>>>
>>>>> CN=Schema,CN=Configuration,DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC1 via RPC
>>>>>                    DSA object GUID: 4872003f-2bd7-4393-9eed-
>>>>> 1ceaeecf92eb
>>>>>                    Last attempt @ NTTIME(0) was successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ NTTIME(0)
>>>>>
>>>>> CN=Configuration,DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC1 via RPC
>>>>>                    DSA object GUID: 4872003f-2bd7-4393-9eed-
>>>>> 1ceaeecf92eb
>>>>>                    Last attempt @ NTTIME(0) was successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ NTTIME(0)
>>>>>
>>>>> DC=DomainDnsZones,DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC1 via RPC
>>>>>                    DSA object GUID: 4872003f-2bd7-4393-9eed-
>>>>> 1ceaeecf92eb
>>>>>                    Last attempt @ NTTIME(0) was successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ NTTIME(0)
>>>>>
>>>>> DC=ForestDnsZones,DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC1 via RPC
>>>>>                    DSA object GUID: 4872003f-2bd7-4393-9eed-
>>>>> 1ceaeecf92eb
>>>>>                    Last attempt @ NTTIME(0) was successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ NTTIME(0)
>>>>>
>>>>> ==== KCC CONNECTION OBJECTS ====
>>>>>
>>>>> Connection --
>>>>>            Connection name: 138dbf8f-16ef-406e-87aa-72a25b4e03b6
>>>>>            Enabled        : TRUE
>>>>>            Server DNS name : dc1.local.example.de
>>>>>            Server DN name  : CN=NTDS
>>>>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-
>>>>> Name,CN=Sites,CN=Configuration,DC=local,DC=example,DC=de
>>>>>                    TransportType: RPC
>>>>>                    options: 0x00000001
>>>>> Warning: No NC replicated for Connection!
>>>>>
>>>>> Now, after 10 minutes or so, also dc1 finished the command.
>>>>> Here's the result:
>>>>>
>>>>> root at dc1:~# samba-tool drs showrepl
>>>>> Default-First-Site-Name\DC1
>>>>> DSA Options: 0x00000001
>>>>> DSA object GUID: 4872003f-2bd7-4393-9eed-1ceaeecf92eb
>>>>> DSA invocationId: a1e3fc90-833a-476e-8c8a-0753b5593ae3
>>>>>
>>>>> ==== INBOUND NEIGHBORS ====
>>>>>
>>>>> DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC2 via RPC
>>>>>                    DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-
>>>>> 00a0db86e6a8
>>>>>                    Last attempt @ Tue Nov 21 12:41:42 2023 CET
>>>>> was
>>>>> successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ Tue Nov 21 12:41:42 2023 CET
>>>>>
>>>>> CN=Schema,CN=Configuration,DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC2 via RPC
>>>>>                    DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-
>>>>> 00a0db86e6a8
>>>>>                    Last attempt @ Tue Nov 21 12:41:43 2023 CET
>>>>> was
>>>>> successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ Tue Nov 21 12:41:43 2023 CET
>>>>>
>>>>> CN=Configuration,DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC2 via RPC
>>>>>                    DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-
>>>>> 00a0db86e6a8
>>>>>                    Last attempt @ Tue Nov 21 12:41:43 2023 CET
>>>>> was
>>>>> successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ Tue Nov 21 12:41:43 2023 CET
>>>>>
>>>>> DC=DomainDnsZones,DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC2 via RPC
>>>>>                    DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-
>>>>> 00a0db86e6a8
>>>>>                    Last attempt @ Tue Nov 21 12:41:43 2023 CET
>>>>> was
>>>>> successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ Tue Nov 21 12:41:43 2023 CET
>>>>>
>>>>> DC=ForestDnsZones,DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC2 via RPC
>>>>>                    DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-
>>>>> 00a0db86e6a8
>>>>>                    Last attempt @ Tue Nov 21 12:41:41 2023 CET
>>>>> was
>>>>> successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ Tue Nov 21 12:41:41 2023 CET
>>>>>
>>>>> ==== OUTBOUND NEIGHBORS ====
>>>>>
>>>>> DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC2 via RPC
>>>>>                    DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-
>>>>> 00a0db86e6a8
>>>>>                    Last attempt @ NTTIME(0) was successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ NTTIME(0)
>>>>>
>>>>> CN=Schema,CN=Configuration,DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC2 via RPC
>>>>>                    DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-
>>>>> 00a0db86e6a8
>>>>>                    Last attempt @ NTTIME(0) was successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ NTTIME(0)
>>>>>
>>>>> CN=Configuration,DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC2 via RPC
>>>>>                    DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-
>>>>> 00a0db86e6a8
>>>>>                    Last attempt @ NTTIME(0) was successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ NTTIME(0)
>>>>>
>>>>> DC=DomainDnsZones,DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC2 via RPC
>>>>>                    DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-
>>>>> 00a0db86e6a8
>>>>>                    Last attempt @ NTTIME(0) was successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ NTTIME(0)
>>>>>
>>>>> DC=ForestDnsZones,DC=local,DC=example,DC=de
>>>>>            Default-First-Site-Name\DC2 via RPC
>>>>>                    DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-
>>>>> 00a0db86e6a8
>>>>>                    Last attempt @ NTTIME(0) was successful
>>>>>                    0 consecutive failure(s).
>>>>>                    Last success @ NTTIME(0)
>>>>>
>>>>> ==== KCC CONNECTION OBJECTS ====
>>>>>
>>>>> Connection --
>>>>>            Connection name: 85d23471-63cd-4bf1-9238-1ea493d07a95
>>>>>            Enabled        : TRUE
>>>>>            Server DNS name : dc2.local.example.de
>>>>>            Server DN name  : CN=NTDS
>>>>> Settings,CN=DC2,CN=Servers,CN=Default-First-Site-
>>>>> Name,CN=Sites,CN=Configuration,DC=local,DC=example,DC=de
>>>>>                    TransportType: RPC
>>>>>                    options: 0x00000001
>>>>> Warning: No NC replicated for Connection!
>>>>>
>>>>>
>>>>>
>>>>> Both servers (Ubuntu Server) have the latest updates installed.
>>>>> The samba version is 4.15.13-Ubuntu.
>>>>>
>>>>> What could be the reason why one dc takes so long with samba-
>>>>> tool
>>>>> commands while the other one is much faster?
>>>>>
>>>>> Best
>>>>> Tom
>>>> I've experienced this before and it's usually transient.  If you
>>>> want
>>>> to see where in the process it's hanging, you can increase the
>>>> debug
>>>> level to something like 5.
>>>>
>>>> samba-tool drs showrepl -d 5
>>>>
>>> I've had the experience of samba-tool hanging when DNS is
>>> misconfigured.
>> Sure, there may be a faulty DNS configuration, but all the
>> permissions
>> seem to be identical on both servers and the permissions of the users
>> are also the same.
>> If it's a DNS issue, why does it work on one DC then and not on the
>> other one?
>> Or in other words: How could I investigate this DNS issue?
> /etc/resolv.conf on both DC's should have both the DC listed and the
> domain name as lookup suffix
>
> nameserver 10.0.0.1
> nameserver 10.10.0.1
> domain example.com
>
> netstat -atunp |grep 53
>
> on both DC's will tell you what interface is listening on udp and tcp
> port 53 -- should have the same addresses as above
>
> find out if your DC's can both resolve all the addresses
>
> host dc1.example.com 10.10.0.1
> host dc2.example.com 10.10.0.1
> host dc1.example.com 10.0.0.1
> host dc2.example.com 10.0.0.1
>
> strace -f -e trace=network samba-tool drs showrepl 2>&1|less
>
> on the DC where it hangs might tell you what its trying to do on the
> network
>
> (Stuff like that)
This was very helpful for me!
Thanks a lot!

It turned out that on dc2, the dns server was not listening on ::1.
After some research I saw that IPv6 was disabled on the loopback interface.

Issuing "sysctl net.ipv6.conf.lo.disable_ipv6"
returned "net.ipv6.conf.lo.disable_ipv6 = 1".

I checked the sysctl.conf file and, lo and behold, it was disabled there.
I am not sure why this setting led to this strange behavior, nor am I sure
if it was really a DNS issue (normally ALL AD issues are DNS issues, I
heard...), but at least the DNS configuration led me to the configuration
error. Thanks very much for that!
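
Added example, not part of the original message: a shell sketch of the two checks that located the problem in this thread, the loopback IPv6 sysctl and which loopback addresses have a port-53 listener. It uses `ss` rather than the `netstat` command quoted above; the function names are hypothetical and the sample `ss` output is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# stdin: output of `sysctl net.ipv6.conf.lo.disable_ipv6`.
# Exit status 0 when IPv6 is disabled on the loopback interface.
lo_ipv6_disabled() {
    awk -F'[ \t]*=[ \t]*' '
        $1 == "net.ipv6.conf.lo.disable_ipv6" { v = $2 }
        END { exit !(v == 1) }'
}

# stdin: output of `ss -Htuln`. Prints "proto address" for sockets bound to
# port 53 exactly; a plain `grep 53` would also match 5353, PIDs and so on.
dns_listeners() {
    awk '$5 ~ /:53$/ { sub(/:53$/, "", $5); print $1, $5 }' | sort -u
}

# stdin: output of `ss -Htuln`. Prints every loopback proto/address pair that
# no port-53 socket covers. Wildcard binds (0.0.0.0, [::], *) count as covered.
uncovered_loopback() {
    have=$(dns_listeners)
    for proto in udp tcp; do
        for lo in '127.0.0.1' '[::1]'; do
            case $lo in 127.*) any='0.0.0.0' ;; *) any='[::]' ;; esac
            printf '%s\n' "$have" |
                grep -qxF -e "$proto $lo" -e "$proto $any" -e "$proto *" ||
                printf '%s\n' "$proto $lo"
        done
    done
}

# Constructed sample: DNS answers on 127.0.0.1 and 10.0.0.1 but not on ::1.
SAMPLE_SYSCTL='net.ipv6.conf.lo.disable_ipv6 = 1'
SAMPLE_SS='udp UNCONN 0 0   127.0.0.1:53   0.0.0.0:*
udp UNCONN 0 0   10.0.0.1:53    0.0.0.0:*
udp UNCONN 0 0   0.0.0.0:5353   0.0.0.0:*
tcp LISTEN 0 10  127.0.0.1:53   0.0.0.0:*
tcp LISTEN 0 10  10.0.0.1:53    0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22     0.0.0.0:*'

if printf '%s\n' "$SAMPLE_SYSCTL" | lo_ipv6_disabled; then
    echo "IPv6 is disabled on lo"
fi
printf '%s\n' "$SAMPLE_SS" | uncovered_loopback | sed 's/^/no DNS listener on: /'
```

On a live DC, feed the functions real output instead of the samples: `sysctl net.ipv6.conf.lo.disable_ipv6 | lo_ipv6_disabled` and `ss -Htuln | uncovered_loopback`.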

