[Samba] Samba suddenly restart and replication does not works anymore

Rowland penny rpenny at samba.org
Mon Apr 4 16:02:15 UTC 2016


On 04/04/16 16:47, Prunk Dump wrote:
>>> Hello Samba team !
>>>
>>> On my network I have three Samba-4.1.17 domain controllers (Debian Jessie):
>>> -> One PDC : pdc01
>>> -> Two "slave" DC : sdc02, sdc03
>>>
>>> I don't know why, but sometimes Samba receives the SIGTERM signal and
>>> restarts even if I remove it from the logrotate configuration. On
>>> "pdc01" I see:
>>>
>>> ----------
>>> pdc01 (log.samba)
>>> ----------
>>> SIGTERM: killing children
>>> Exiting pid ... on SIGTERM
>>> ...
>>> samba version 4.1.17-Debian started.
>>> ../lib/util/become_daemon.c:136(daemon_ready)
>>> ----------
>>>
>>> After that, the replication stops working. And on the two other DCs I
>>> can see error messages like below. But nothing on the PDC's logs!
>>>
>>> ----------
>>> sdc02 or sdc03 (log.samba)
>>> ----------
>>> ../auth/gensec/gensec.c:247(gensec_update)
>>> Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
>>> ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
>>> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
>>>
>>> e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:b339b873-f01c-4672-8984-61e1e48422ea._msdcs.mydom.fr[1024,seal,krb5]
>>> NT_STATUS_ACCESS_DENIED
>>> ...
>>> ...
>>> -----
>>>
>>> When I manually restart the two slave DCs the error messages stop. But
>>> the PDC complains that it can't connect to the slave DC (due to the
>>> samba restart) and after, the replication fails on the PDC:
>>>
>>> ----------
>>> pdc01
>>> ----------
>>> (the slave DC restart ... on the PDC I see ...)
>>>    ../source4/dsdb/repl/drepl_out_helpers.c:862(dreplsrv_update_refs_done)
>>> UpdateRefs failed with NT_STATUS_END_OF_FILE
>>>
>>> (the slave is restarting, so the PDC cannot make the connection)
>>> ../source4/librpc/rpc/dcerpc_sock.c:262(continue_socket_connect)
>>> Failed to connect host 172.16.0.21 on port 1024 -
>>> NT_STATUS_CONNECTION_REFUSED
>>> ../source4/librpc/rpc/dcerpc_sock.c:425(continue_ip_open_socket)
>>> Failed to connect host 172.16.0.21
>>> (04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.mydom.fr) on port 1024 -
>>> NT_STATUS_CONNECTION_REFUSED.
>>> ../source4/librpc/rpc/dcerpc_sock.c:262(continue_socket_connect)
>>> Failed to connect host 172.16.0.21 on port 1024 -
>>> NT_STATUS_CONNECTION_REFUSED
>>> ../source4/librpc/rpc/dcerpc_sock.c:425(continue_ip_open_socket)
>>> Failed to connect host 172.16.0.21
>>> (04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.mydom.fr) on port 1024 -
>>> NT_STATUS_CONNECTION_REFUSED.
>>>
>>> (the slave DC is restarted, but the replication does not work )
>>> ../auth/gensec/gensec.c:247(gensec_update)
>>> Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
>>> ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
>>> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
>>>
>>> e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.mydom.fr[1024,seal,krb5]
>>> NT_STATUS_ACCESS_DENIED
>>> ...
>>> ...
>>> (same messages when I restart the other slave DC )
>>> ----------
>>>
>>> So I need to restart the PDC to solve the problem. This is very annoying
>>> because I need to check every day, on the three DCs, if the
>>> replication works!
>>>
>>> Does someone understand what's happened? What makes Samba restart?
>>> And why does the replication stop working?
>>>
>>> Thanks !
>>>
>>> Baptiste.
>>>
> 2016-04-03 22:59 GMT+02:00 Achim Gottinger <achim at ag-web.biz>:
>> I'd check for differences in the ldap trees with
>> samba-tool ldapcmp first
>> If such are found try a manual full sync replication to fix the difference.
>> I had a similar issue a while back and a deleted object on one DC caused
>> such SIGTERMs.
>> Had to get that deleted object out of the way; afterwards the DCs were
>> stable again.
>>
>>
>>
>> On 30.03.2016 at 14:35, Prunk Dump wrote:
> Thanks Achim Gottinger for the tips !
>
> But sadly, I have checked the ldap databases and ldapcmp gives no differences...
>
> Yes Rowland penny, you're right, Samba 4.1 is a little bit old now.
> But as I have 380 stations and 1260 users on my network, upgrading the
> three DCs is not really the easy way. But now, samba-4.3 is on debian
> testing. Maybe I will try to backport this package and test it on
> virtual machines. But this procedure needs time to be tested before
> deploying it.

Andrew Bartlett is pushing for 4.3 to be backported to Jessie; 4.1 will
not get any further updates.

Also, have you seen this: http://badlock.org/

Rowland

> Thanks again !
>
> Baptiste.
>
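
Added example (not part of the thread and not a Samba tool): a small log.samba scanner for the daily replication check the original poster describes, matching the error signatures quoted above. The function name, the sample log and the "broken" heuristic are assumptions made for this illustration.

```python
import re
from collections import Counter

# Message fragments copied from the log.samba excerpts quoted in the thread.
PATTERNS = {
    "sigterm": re.compile(r"SIGTERM: killing children"),
    "started": re.compile(r"samba version \S+ started"),
    "sign_negotiation": re.compile(r"Did not manage to negotiate \w+ feature SIGN"),
    "access_denied": re.compile(r"NT_STATUS_ACCESS_DENIED"),
    "conn_refused": re.compile(r"NT_STATUS_CONNECTION_REFUSED"),
}
# Partner DC in a failed bind: <GUID>._msdcs.<domain>[port,seal,krb5]
BIND_TARGET = re.compile(r"ncacn_ip_tcp:([0-9a-f-]{36})\._msdcs\.\S+?\[")

def summarize(lines):
    """Count the thread's error signatures (hypothetical helper, not a Samba tool)."""
    counts, partners = Counter(), set()
    for line in lines:
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                counts[name] += 1
        match = BIND_TARGET.search(line)
        if match:
            partners.add(match.group(1))
    # Assumption drawn from the thread: CONNECTION_REFUSED alone only means a
    # partner is restarting; a SIGN negotiation failure together with
    # ACCESS_DENIED is the state that persisted until a manual restart.
    broken = counts["sign_negotiation"] > 0 and counts["access_denied"] > 0
    return {"counts": dict(counts), "failed_bind_partners": sorted(partners),
            "replication_auth_broken": broken}

# Constructed sample: the thread's excerpts with wrapped lines re-joined.
SAMPLE = """\
SIGTERM: killing children
samba version 4.1.17-Debian started.
Failed to connect host 172.16.0.21 on port 1024 - NT_STATUS_CONNECTION_REFUSED
Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.mydom.fr[1024,seal,krb5] NT_STATUS_ACCESS_DENIED
"""

if __name__ == "__main__":
    report = summarize(SAMPLE.splitlines())
    print(report)
    raise SystemExit(1 if report["replication_auth_broken"] else 0)
```

Run against each DC's log.samba, a non-zero exit status marks the DC whose outbound binds are being refused, and `failed_bind_partners` lists the partner GUIDs involved.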



