[Samba] Samba suddenly restarts and replication does not work anymore

Prunk Dump prunkdump at gmail.com
Sun Apr 3 08:18:32 UTC 2016


2016-04-01 23:36 GMT+02:00 Rowland penny <rpenny at samba.org>:
> On 30/03/16 13:35, Prunk Dump wrote:
>>
>> Hello Samba team !
>>
>> On my network I have three Samba-4.1.17 domain controllers (Debian Jessie):
>> -> One PDC : pdc01
>> -> Two "slave" DC : sdc02, sdc03
>>
>> I don't know why, but sometimes Samba receives the SIGTERM signal and
>> restarts, even if I remove it from the logrotate configuration. On
>> "pdc01" I see :
>>
>> ----------
>> pdc01 (log.samba)
>> ----------
>> SIGTERM: killing children
>> Exiting pid ... on SIGTERM
>> ...
>> samba version 4.1.17-Debian started.
>> ../lib/util/become_daemon.c:136(daemon_ready)
>> ----------
>>
>> After that, the replication stops working. And on the two other DCs I
>> can see error messages like the ones below. But nothing in the PDC's logs!
>>
>> ----------
>> sdc02 or sdc03 (log.samba)
>> ----------
>> ../auth/gensec/gensec.c:247(gensec_update)
>> Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
>> ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
>> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2@ncacn_ip_tcp:b339b873-f01c-4672-8984-61e1e48422ea._msdcs.mydom.fr[1024,seal,krb5] NT_STATUS_ACCESS_DENIED
>> ...
>> ...
>> -----
>>
>> When I manually restart the two slave DCs the error messages stop. But
>> the PDC complains that it can't connect to the slave DC (due to the
>> Samba restart) and afterwards the replication fails on the PDC :
>>
>> ----------
>> pdc01
>> ----------
>> (the slave DC restart ... on the PDC I see ...)
>>   ../source4/dsdb/repl/drepl_out_helpers.c:862(dreplsrv_update_refs_done)
>> UpdateRefs failed with NT_STATUS_END_OF_FILE
>>
>> (the slave is restarting, so the PDC cannot make the connection)
>> ../source4/librpc/rpc/dcerpc_sock.c:262(continue_socket_connect)
>> Failed to connect host 172.16.0.21 on port 1024 -
>> NT_STATUS_CONNECTION_REFUSED
>> ../source4/librpc/rpc/dcerpc_sock.c:425(continue_ip_open_socket)
>> Failed to connect host 172.16.0.21
>> (04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.mydom.fr) on port 1024 -
>> NT_STATUS_CONNECTION_REFUSED.
>> ../source4/librpc/rpc/dcerpc_sock.c:262(continue_socket_connect)
>> Failed to connect host 172.16.0.21 on port 1024 -
>> NT_STATUS_CONNECTION_REFUSED
>> ../source4/librpc/rpc/dcerpc_sock.c:425(continue_ip_open_socket)
>> Failed to connect host 172.16.0.21
>> (04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.mydom.fr) on port 1024 -
>> NT_STATUS_CONNECTION_REFUSED.
>>
>> (the slave DC is restarted, but the replication does not work)
>> ../auth/gensec/gensec.c:247(gensec_update)
>> Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
>> ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
>> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2@ncacn_ip_tcp:04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.mydom.fr[1024,seal,krb5] NT_STATUS_ACCESS_DENIED
>> ...
>> ...
>> (same messages when I restart the other slave DC )
>> ----------
>>
>> So I need to restart the PDC to solve the problem. This is very annoying
>> because I need to check every day, on the three DCs, whether the
>> replication works!
>>
>> Does someone understand what's happening? What makes Samba restart?
>> And why does the replication stop working?
>>
>> Thanks !
>>
>> Baptiste.
>>
>
> First let's get this straight, you do not have a PDC and two slave DCs, you
> have 3 DCs, apart from the FSMO roles, all DCs are equal and you can share
> the FSMO roles between your 3 DCs.
>
> Having said that, you need to find out what is restarting your first DC, can
> you post your smb.conf files (or just one, if they are all the same.)
>
> Can you also raise the loglevel on the first DC to 10 and then see if there
> is an obvious reason for the restart.
>
> Rowland
>

Thanks for your help !

I will raise the log level of the DCs to 10. But as the problem
appears only once a month, and as logrotate is disabled, I hope
that the logs will not be too big. Do you understand what can cause
this series of events?

1) pdc01 restarts -> sdc02 and sdc03 say "Did not manage to negotiate
mandatory feature SIGN"
2) I restart sdc02 and sdc03 manually -> pdc01 says "Did not manage to
negotiate mandatory feature SIGN"
3) I restart pdc01 again and everything works fine

This looks like a machine password desynchronization, no? When logrotate
was enabled on the Samba log files the problem appeared much more often. So
it seems related to the Samba restart, manual or not.

I have checked the DCs' clocks. No problem.


Here are my smb.confs.

###########
For pdc01
###########

[global]
        netbios aliases = sambaaccount sambaaccount.fichnet.fr
        load printers = yes
        workgroup = FICHNET
        realm = FICHNET.FR
        netbios name = FICHDC
        interfaces = lo, eth0
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/fichnet.fr/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[profiles_local]
        path = /fichsamba/smbprofile
        read only = No
        browseable  = No

[profiles]
        path = /srv/dfs/profiles
        read only = No
        msdfs root = yes

[homes_local]
        path = /fichsamba/smbhome
        read only = No
        browseable  = No

[homes]
        path = /srv/dfs/homes
        read only = No
        msdfs root = yes

[printers]
        path = /var/spool/samba
        printable = yes
        printing = CUPS

[print$]
        path = /srv/samba/Printer_drivers
        comment = Printer Drivers
        writeable = yes

#############
For sdc02 and sdc03 (in reality fichds01 and fichds02)
#############

[global]
        workgroup = FICHNET
        realm = net.fichnet.fr
        netbios name = FICHDS01
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/fichnet.fr/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[profiles_local]
        path = /fichsamba/smbprofile
        read only = No
        browseable  = No

[homes_local]
        path = /fichsamba/smbhome
        read only = No
        browseable  = No

Thanks again !
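The sequence the poster describes (a DC restarts, then its partners fail the drsuapi bind with NT_STATUS_ACCESS_DENIED until they are restarted too) is easier to confirm across three DCs with a script than by reading log.samba on each box every day. The following is an added example written for this thread; it is not code from the Samba project or from the poster. It parses log.samba-style entries (a header line "[YYYY/MM/DD HH:MM:SS.usec, level] source(function)" followed by the message on the next line), extracts SIGTERM/"samba version ... started" events and failed binds to the drsuapi interface UUID e3514235-4b06-11d1-ab04-00c04fc2dcd2, and reports whether the partner a DC could not bind to had restarted within a window beforehand. The sample log lines are constructed from the lines quoted in the thread, and the GUID-to-hostname map is an assumption (on a real domain, take the DSA object GUIDs from `samba-tool drs showrepl`).

```python
"""Correlate Samba AD DC restarts with failed drsuapi (DRS replication) binds.

Added example for this thread, not Samba's own code. Sample logs below are
constructed; GUID_TO_HOST is an assumed mapping (get it from
`samba-tool drs showrepl` on a real domain).
"""
import re
from datetime import datetime, timedelta

# DCE/RPC interface UUID of the directory replication service (drsuapi),
# the interface named in the thread's "Failed to bind to uuid ..." lines.
DRSUAPI_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*(?P<level>\d+)\]\s*(?P<src>\S+)")
STARTED_RE = re.compile(r"samba version \S+ started")
BIND_FAIL_RE = re.compile(
    r"Failed to bind to uuid (?P<iface>[0-9a-f-]{36}) for .*?ncacn_ip_tcp:"
    r"(?P<guid>[0-9a-f-]{36})\._msdcs\.\S+ (?P<status>NT_STATUS_\w+)")


def parse_samba_log(text):
    """Return (timestamp, level, source, message) records, one per message line."""
    records, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = (datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), int(m["level"]), m["src"])
        elif header and line.strip():
            records.append(header + (line.strip(),))
    return records


def restart_events(records):
    """(timestamp, kind) pairs: 'SIGTERM' when told to stop, 'started' when back up."""
    out = []
    for ts, _, _, msg in records:
        if "SIGTERM: killing children" in msg:
            out.append((ts, "SIGTERM"))
        elif STARTED_RE.search(msg):
            out.append((ts, "started"))
    return out


def drs_bind_failures(records):
    """(timestamp, partner DSA GUID, NT_STATUS) for every failed drsuapi bind."""
    out = []
    for ts, _, _, msg in records:
        m = BIND_FAIL_RE.search(msg)
        if m and m["iface"] == DRSUAPI_UUID:
            out.append((ts, m["guid"], m["status"]))
    return out


def correlate(logs_by_host, guid_to_host, window=timedelta(hours=1)):
    """For each failed drsuapi bind, note whether the partner restarted within `window` before it."""
    parsed = {host: parse_samba_log(text) for host, text in logs_by_host.items()}
    starts = {host: [ts for ts, kind in restart_events(recs) if kind == "started"]
              for host, recs in parsed.items()}
    findings = []
    for host, recs in parsed.items():
        for ts, guid, status in drs_bind_failures(recs):
            partner = guid_to_host.get(guid, guid)
            recent = [r for r in starts.get(partner, []) if ts - window <= r <= ts]
            findings.append({"host": host, "partner": partner, "status": status, "time": ts,
                             "partner_restarted_at": max(recent) if recent else None})
    return findings


# Constructed sample logs modelled on the lines quoted in the thread (not real captures).
PDC01_LOG = """\
[2016/03/28 03:00:01.000001,  0] ../source4/smbd/server.c(sig_term)
  SIGTERM: killing children
[2016/03/28 03:00:01.000002,  0] ../source4/smbd/server.c(sig_term)
  Exiting pid 1234 on SIGTERM
[2016/03/28 03:00:05.000003,  0] ../source4/smbd/server.c(binary_smbd_main)
  samba version 4.1.17-Debian started.
[2016/03/28 03:00:06.000004,  0] ../lib/util/become_daemon.c:136(daemon_ready)
  STATUS=daemon 'samba' finished starting up and ready to serve connections
"""
SDC02_LOG = """\
[2016/03/28 03:20:10.000001,  0] ../auth/gensec/gensec.c:247(gensec_update)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2016/03/28 03:20:10.000002,  0] ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2@ncacn_ip_tcp:b339b873-f01c-4672-8984-61e1e48422ea._msdcs.mydom.fr[1024,seal,krb5] NT_STATUS_ACCESS_DENIED
"""
SDC03_LOG = """\
[2016/03/28 05:30:00.000001,  0] ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2@ncacn_ip_tcp:b339b873-f01c-4672-8984-61e1e48422ea._msdcs.mydom.fr[1024,seal,krb5] NT_STATUS_ACCESS_DENIED
"""
SAMPLE_LOGS = {"pdc01": PDC01_LOG, "sdc02": SDC02_LOG, "sdc03": SDC03_LOG}
# Assumed mapping of the DSA GUIDs seen in the thread to hostnames.
GUID_TO_HOST = {"b339b873-f01c-4672-8984-61e1e48422ea": "pdc01",
                "04c6b4b0-4584-4368-831e-42aa7ac08c04": "sdc02"}

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOGS, GUID_TO_HOST):
        when = f["partner_restarted_at"]
        print(f"{f['host']}: drsuapi bind to {f['partner']} failed with {f['status']} at {f['time']}"
              + (f"; partner restarted at {when}" if when else "; no recent partner restart seen"))
```

Run it against the real log.samba of each DC (one entry per host in the dict) to see at a glance which bind failures follow a partner restart; `samba-tool drs showrepl` on each DC gives the authoritative replication status to cross-check against. Note also that the two smb.conf files posted above show different `realm` values (FICHNET.FR versus net.fichnet.fr); DCs of one domain must share the same realm, so that is worth checking before chasing a password desynchronization.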


