[Samba] RPC server is unavailable when using ADUC

Rowland Penny rpenny at samba.org
Mon Aug 22 09:53:39 UTC 2016 

On Mon, 22 Aug 2016 11:02:14 +0200
Damir Dezeljin via samba <samba at lists.samba.org> wrote:

> Hello.
> 
> We're running Samba 4.3.9 AD on two Ubuntu 16.04 LTS machines. I'm
> managing AD users and DNS from Windows 10 joined to the domain, by
> using ADUC.
> 
> Last week I noticed the following error when starting ADUC as
> Administrator of the AD domain:
> ----
> Naming information cannot be located because:
> The RPC server is unavailable.
> Contact your system administrator to verify that your domain is
> properly configured and is currently online
> ----
> 
> I did an Internet search and corrective actions I found - i.e.
> 1. kinit Administrator
> 2. made sure the smb.conf on both machines are correct
> 3. checked resolv.conf
> 3. samba_dnsupdate   (on both machines)
> 4. synced the /var/lib/samba/sysvol/ between both machines (rsync)
> 5. samba-tool ntacl sysvolcheck
> 
> But the error still persist.
> 
> 
> Here is my smb.conf (it is same on both computers):
> ----
> [global]
>   workgroup = MYORG
>   realm = MYORG.SI
>   netbios name = SRV01
>   wins support = yes
>   server role = active directory domain controller
>   tls enabled = yes
>   tls cafile = tls/MyorgCA.crt
>   tls certfile = tls/srv01.myorg.si.crt
>   tls keyfile = tls/srv01.myorg.si.key
>   tls dh params file = tls/dcdhparams.pem
> 
>   dns forwarder = 8.8.8.8
>   allow dns updates = nonsecure
>   idmap_ldb:use rfc2307 = yes
>   time server = yes
> 
>   # Default idmap config used for BUILTIN and local accounts/groups
>   idmap config *:backend = tdb
>   idmap config *:range = 2000-9999
> 
>   idmap config MYORG:backend = ad
>   idmap config MYORG:schema_mode = rfc2307
>   idmap config MYORG:range = 20001-29999
> 
> [netlogon]
>   path = /var/lib/samba/sysvol/myorg.si/scripts
>   read only = No
> 
> [sysvol]
>   path = /var/lib/samba/sysvol
>   read only = No
> ----
> 
> Please note also the last couple of errors from this output:
> ----
> # service samba-ad-dc status
> ● samba-ad-dc.service - LSB: start Samba daemons for the AD DC
>    Loaded: loaded (/etc/init.d/samba-ad-dc; bad; vendor preset:
> enabled) Active: active (running) since Fri 2016-08-19 16:43:03 CEST;
> 2 days ago Docs: man:systemd-sysv-generator(8)
>   Process: 2365 ExecStart=/etc/init.d/samba-ad-dc start (code=exited,
> status=0/SUCCESS)
>     Tasks: 23
>    Memory: 249.4M
>       CPU: 7min 21.875s
>    CGroup: /system.slice/samba-ad-dc.service
>            ├─2772 /usr/sbin/samba -D
>            ├─2789 /usr/sbin/samba -D
>            ├─2790 /usr/sbin/samba -D
>            ├─2791 /usr/sbin/samba -D
>            ├─2792 /usr/sbin/samba -D
>            ├─2793 /usr/sbin/samba -D
>            ├─2794 /usr/sbin/samba -D
>            ├─2795 /usr/sbin/samba -D
>            ├─2796 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
>            ├─2797 /usr/sbin/samba -D
>            ├─2798 /usr/sbin/samba -D
>            ├─2799 /usr/sbin/samba -D
>            ├─2800 /usr/sbin/samba -D
>            ├─2801 /usr/sbin/samba -D
>            ├─2802 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>            ├─2803 /usr/sbin/samba -D
>            ├─2808 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
>            ├─2812 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>            ├─2848 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
>            ├─3096 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
>            ├─7105 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
>            ├─7256 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
>            └─7445 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
> 
> Aug 21 12:03:15 IDM samba[2801]:   /usr/sbin/samba_dnsupdate: ; TSIG
> error with server: tsig verify failure
> Aug 21 12:03:16 IDM samba[2801]: [2016/08/21 12:03:16.008220,  0]
> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
> Aug 21 12:03:16 IDM samba[2801]:   /usr/sbin/samba_dnsupdate: ; TSIG
> error with server: tsig verify failure
> Aug 21 12:03:16 IDM samba[2801]: [2016/08/21 12:03:16.020913,  0]
> ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
> Aug 21 12:03:16 IDM
> samba[2801]:   ../source4/dsdb/dns/dns_update.c:294: Failed DNS
> update - NT_STATUS_SHARING_VIOLATION Aug 21 16:33:14 IDM samba[2801]:
> [2016/08/21 16:33:14.118190,
> 0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler) Aug 21
> 16:33:14 IDM samba[2801]:   /usr/sbin/samba_dnsupdate: ; TSIG error
> with server: tsig verify failure Aug 21 16:33:14 IDM samba[2801]:
> [2016/08/21 16:33:14.129562,
> 0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
> Aug 21 16:33:14 IDM
> samba[2801]:   ../source4/dsdb/dns/dns_update.c:294: Failed DNS
> update - NT_STATUS_ACCESS_DENIED Aug 22 09:06:12 IDM samba[2790]:
> [2016/08/22 09:06:12.381991,
> 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1086(dnsserver_query_zone)
> ----
> 
> And here is the internal DNS update tool that shows there are no DNS
> updates needed (same output is generated on both hosts):
> ----
> # samba_dnsupdate --verbose | tail -1
> No DNS updates needed
> ----
> 
> 
> I would appreciate any hint and/or help.
> 
> Kind regards,
>  Damir Dezeljin


I think this may have the same problem as this bugreport:

https://bugzilla.samba.org/show_bug.cgi?id=11351

Rowland

More information about the samba mailing list