[Samba] RPC server is unavailable when using ADUC

Damir Dezeljin damir.dezeljin at dezo.org
Mon Aug 22 09:02:14 UTC 2016 

Hello.

We're running Samba 4.3.9 AD on two Ubuntu 16.04 LTS machines. I'm managing
AD users and DNS from Windows 10 joined to the domain, by using ADUC.

Last week I noticed the following error when starting ADUC as Administrator
of the AD domain:
----
Naming information cannot be located because:
The RPC server is unavailable.
Contact your system administrator to verify that your domain is properly
configured and is currently online
----

I did an Internet search and corrective actions I found - i.e.
1. kinit Administrator
2. made sure the smb.conf on both machines are correct
3. checked resolv.conf
3. samba_dnsupdate   (on both machines)
4. synced the /var/lib/samba/sysvol/ between both machines (rsync)
5. samba-tool ntacl sysvolcheck

But the error still persist.


Here is my smb.conf (it is same on both computers):
----
[global]
  workgroup = MYORG
  realm = MYORG.SI
  netbios name = SRV01
  wins support = yes
  server role = active directory domain controller
  tls enabled = yes
  tls cafile = tls/MyorgCA.crt
  tls certfile = tls/srv01.myorg.si.crt
  tls keyfile = tls/srv01.myorg.si.key
  tls dh params file = tls/dcdhparams.pem

  dns forwarder = 8.8.8.8
  allow dns updates = nonsecure
  idmap_ldb:use rfc2307 = yes
  time server = yes

  # Default idmap config used for BUILTIN and local accounts/groups
  idmap config *:backend = tdb
  idmap config *:range = 2000-9999

  idmap config MYORG:backend = ad
  idmap config MYORG:schema_mode = rfc2307
  idmap config MYORG:range = 20001-29999

[netlogon]
  path = /var/lib/samba/sysvol/myorg.si/scripts
  read only = No

[sysvol]
  path = /var/lib/samba/sysvol
  read only = No
----

Please note also the last couple of errors from this output:
----
# service samba-ad-dc status
● samba-ad-dc.service - LSB: start Samba daemons for the AD DC
   Loaded: loaded (/etc/init.d/samba-ad-dc; bad; vendor preset: enabled)
   Active: active (running) since Fri 2016-08-19 16:43:03 CEST; 2 days ago
     Docs: man:systemd-sysv-generator(8)
  Process: 2365 ExecStart=/etc/init.d/samba-ad-dc start (code=exited,
status=0/SUCCESS)
    Tasks: 23
   Memory: 249.4M
      CPU: 7min 21.875s
   CGroup: /system.slice/samba-ad-dc.service
           ├─2772 /usr/sbin/samba -D
           ├─2789 /usr/sbin/samba -D
           ├─2790 /usr/sbin/samba -D
           ├─2791 /usr/sbin/samba -D
           ├─2792 /usr/sbin/samba -D
           ├─2793 /usr/sbin/samba -D
           ├─2794 /usr/sbin/samba -D
           ├─2795 /usr/sbin/samba -D
           ├─2796 /usr/sbin/smbd -D --option=server role check:inhibit=yes
--foreground
           ├─2797 /usr/sbin/samba -D
           ├─2798 /usr/sbin/samba -D
           ├─2799 /usr/sbin/samba -D
           ├─2800 /usr/sbin/samba -D
           ├─2801 /usr/sbin/samba -D
           ├─2802 /usr/sbin/winbindd -D --option=server role
check:inhibit=yes --foreground
           ├─2803 /usr/sbin/samba -D
           ├─2808 /usr/sbin/smbd -D --option=server role check:inhibit=yes
--foreground
           ├─2812 /usr/sbin/winbindd -D --option=server role
check:inhibit=yes --foreground
           ├─2848 /usr/sbin/smbd -D --option=server role check:inhibit=yes
--foreground
           ├─3096 /usr/sbin/smbd -D --option=server role check:inhibit=yes
--foreground
           ├─7105 /usr/sbin/smbd -D --option=server role check:inhibit=yes
--foreground
           ├─7256 /usr/sbin/smbd -D --option=server role check:inhibit=yes
--foreground
           └─7445 /usr/sbin/smbd -D --option=server role check:inhibit=yes
--foreground

Aug 21 12:03:15 IDM samba[2801]:   /usr/sbin/samba_dnsupdate: ; TSIG error
with server: tsig verify failure
Aug 21 12:03:16 IDM samba[2801]: [2016/08/21 12:03:16.008220,  0]
../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
Aug 21 12:03:16 IDM samba[2801]:   /usr/sbin/samba_dnsupdate: ; TSIG error
with server: tsig verify failure
Aug 21 12:03:16 IDM samba[2801]: [2016/08/21 12:03:16.020913,  0]
../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
Aug 21 12:03:16 IDM samba[2801]:   ../source4/dsdb/dns/dns_update.c:294:
Failed DNS update - NT_STATUS_SHARING_VIOLATION
Aug 21 16:33:14 IDM samba[2801]: [2016/08/21 16:33:14.118190,  0]
../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
Aug 21 16:33:14 IDM samba[2801]:   /usr/sbin/samba_dnsupdate: ; TSIG error
with server: tsig verify failure
Aug 21 16:33:14 IDM samba[2801]: [2016/08/21 16:33:14.129562,  0]
../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
Aug 21 16:33:14 IDM samba[2801]:   ../source4/dsdb/dns/dns_update.c:294:
Failed DNS update - NT_STATUS_ACCESS_DENIED
Aug 22 09:06:12 IDM samba[2790]: [2016/08/22 09:06:12.381991,  0]
../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1086(dnsserver_query_zone)
----

And here is the internal DNS update tool that shows there are no DNS
updates needed (same output is generated on both hosts):
----
# samba_dnsupdate --verbose | tail -1
No DNS updates needed
----


I would appreciate any hint and/or help.

Kind regards,
 Damir Dezeljin

More information about the samba mailing list