[Samba] Samba suddenly restart and replication does not works anymore

Rowland penny rpenny at samba.org
Sun Apr 3 08:31:48 UTC 2016 

On 03/04/16 09:18, Prunk Dump wrote:
> 2016-04-01 23:36 GMT+02:00 Rowland penny <rpenny at samba.org>:
>> On 30/03/16 13:35, Prunk Dump wrote:
>>> Hello Samba team !
>>>
>>> On my network I have three Samba-4.1.17 domain controllers (Debian Jessie)
>>> :
>>> -> One PDC : pdc01
>>> -> Two "slave" DC : sdc02, sdc03
>>>
>>> I don't know why, but sometimes Samba receive the SIGTERM signal and
>>> restart even if I remove it from the logrotate configuration. On
>>> "pdc01" I see :
>>>
>>> ----------
>>> pdc01 (log.samba)
>>> ----------
>>> SIGTERM: killing children
>>> Exiting pid ... on SIGTERM
>>> ...
>>> samba version 4.1.17-Debian started.
>>> ../lib/util/become_daemon.c:136(daemon_ready)
>>> ----------
>>>
>>> After that, the replication stop working. And on the two other DCs I
>>> can see error messages like below. But nothing on the PDC's logs !
>>>
>>> ----------
>>> sdc02 or sdc03 (log.samba)
>>> ----------
>>> ../auth/gensec/gensec.c:247(gensec_update)
>>> Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
>>> ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
>>> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
>>>
>>> e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:b339b873-f01c-4672-8984-61e1e48422ea._msdcs.mydom.fr[1024,seal,krb5]
>>> NT_STATUS_ACCESS_DENIED
>>> ...
>>> ...
>>> -----
>>>
>>> When I manually restart the two slave DCs the error messages stop. But
>>> the PDC complain that it can't connect to the slave DC (due to the
>>> samba restart) and after, the replication fail on the PDC :
>>>
>>> ----------
>>> pdc01
>>> ----------
>>> (the slave DC restart ... on the PDC I see ...)
>>>    ../source4/dsdb/repl/drepl_out_helpers.c:862(dreplsrv_update_refs_done)
>>> UpdateRefs failed with NT_STATUS_END_OF_FILE
>>>
>>> (the slave is restarting, so the PDC cannot make the connection)
>>> ../source4/librpc/rpc/dcerpc_sock.c:262(continue_socket_connect)
>>> Failed to connect host 172.16.0.21 on port 1024 -
>>> NT_STATUS_CONNECTION_REFUSED
>>> ../source4/librpc/rpc/dcerpc_sock.c:425(continue_ip_open_socket)
>>> Failed to connect host 172.16.0.21
>>> (04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.mydom.fr) on port 1024 -
>>> NT_STATUS_CONNECTION_REFUSED.
>>> ../source4/librpc/rpc/dcerpc_sock.c:262(continue_socket_connect)
>>> Failed to connect host 172.16.0.21 on port 1024 -
>>> NT_STATUS_CONNECTION_REFUSED
>>> ../source4/librpc/rpc/dcerpc_sock.c:425(continue_ip_open_socket)
>>> Failed to connect host 172.16.0.21
>>> (04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.mydom.fr) on port 1024 -
>>> NT_STATUS_CONNECTION_REFUSED.
>>>
>>> (the slave DC is restarted, but the replication does not work )
>>> ../auth/gensec/gensec.c:247(gensec_update)
>>> Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
>>> ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
>>> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
>>>
>>> e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.mydom.fr[1024,seal,krb5]
>>> NT_STATUS_ACCESS_DENIED
>>> ...
>>> ...
>>> (same messages when I restart the other slave DC )
>>> ----------
>>>
>>> So I need to restart the PDC to solve the problem. This very annoying
>>> because I need to check every days, on the three DCs, if the
>>> replication works !
>>>
>>> Does someone understand what's happend ? What makes samba restarting ?
>>> And why the replication stop working ?
>>>
>>> Thanks !
>>>
>>> Baptiste.
>>>
>> First lets get this straight, you do not have a PDC and two slave DCs, you
>> have 3 DCs, apart from the FSMO roles, all DCs are equal and you can share
>> the FSMO roles between your 3 DCs.
>>
>> Having said that, you need to find out what is restarting your first DC, can
>> you post your smb.conf files (or just one, if they are all the same.)
>>
>> Can you also raise the loglevel on the first DC to 10 and then see if there
>> is an obvious reason for the restart.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
> Thanks for your help !
>
> I will raise the log level of the DCs to 10. But as the problem
> appears only one time by month, and as logrotate is disabled,  I hope
> that the logs will not be too big. Do you understand what can make
> this series of events ?
>
> 1) pdc01 restart -> sdc02 and sdc03 say "Did not manage to negotiate
> mandatory feature SIGN"
> 2) I restart sdc02 and sdc03 manually -> pdc01 say "Did not manage to
> negotiate mandatory feature SIGN"
> 3) I restart pdc01 again and everything works fine
>
> This is like a machine password desynchronization no ? When logrotate
> was enabled on samba log files the problem appear must more often. So
> it seem related to the samba restart, manually or not.
>
> Il have checked the DC's time clock. No problem.
>
>
> Here my smb.confs.
>
> ###########
> For pdc01
> ###########
>
> [global]
>          netbios aliases = sambaaccount sambaaccount.fichnet.fr
>          load printers = yes
>          workgroup = FICHNET
>          realm = FICHNET.FR
>          netbios name = FICHDC
>          interfaces = lo, eth0
>          bind interfaces only = Yes
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbind, ntp_signd, kcc, dnsupdate
>          idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>          path = /var/lib/samba/sysvol/fichnet.fr/scripts
>          read only = No
>
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
>
> [profiles_local]
>          path = /fichsamba/smbprofile
>          read only = No
>          browseable  = No
>
> [profiles]
>          path = /srv/dfs/profiles
>          read only = No
>          msdfs root = yes
>
> [homes_local]
>          path = /fichsamba/smbhome
>          read only = No
>          browseable  = No
>
> [homes]
>          path = /srv/dfs/homes
>          read only = No
>          msdfs root = yes
>
> [printers]
>     path = /var/spool/samba
>     printable = yes
>     printing = CUPS
>
> [print$]
>     path = /srv/samba/Printer_drivers
>     comment = Printer Drivers
>     writeable = yes
>
> #############
> For sdc02 and sdc03 (in reality fichds01 and fichds02)
> #############
>
> [global]
>          workgroup = FICHNET
>          realm = net.fichnet.fr
>          netbios name = FICHDS01
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbind, ntp_signd, kcc, dnsupdate
>          idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>          path = /var/lib/samba/sysvol/fichnet.fr/scripts
>          read only = No
>
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
>
> [profiles_local]
>          path = /fichsamba/smbprofile
>          read only = No
>          browseable  = No
>
> [homes_local]
>          path = /fichsamba/smbhome
>          read only = No
>          browseable  = No
>
> Thanks again !
>


OK, I did an internet search and it would seem the problem you are 
having is well known, can I suggest you upgrade your version of 
Samba,especially as 4.1.x is EOL and will not get any more updates from 
Samba

Rowland

More information about the samba mailing list