[Samba] port 135 - NT_STATUS_CONNECTION_REFUSED
Rowland Penny
rpenny at samba.org
Sun Dec 4 16:25:38 UTC 2016
On Sun, 04 Dec 2016 09:43:25 -0600
Bob of Donelson Trophy via samba <samba at lists.samba.org> wrote:
> On 2016-12-04 09:11, Rowland Penny via samba wrote:
>
> > On Sun, 04 Dec 2016 08:01:09 -0600
> > Bob of Donelson Trophy via samba <samba at lists.samba.org> wrote:
> >
> >> I have two DC's running Samba 4.5.0 and the "dtdc03" log.samba is
> >> showing the following:
> >>
> >> root at dtdc03:~# tail -f /usr/local/samba/var/log.samba
> >> [2016/12/01 10:14:39.167794, 0]
> >> ../source4/librpc/rpc/dcerpc_sock.c:245(continue_ip_open_socket)
> >> Failed to connect host 192.168.16.50
> >> (aa03011a-94c2-4c52-bc60-6fd2f75d35e5._msdcs.dtshrm.dt) on port
> >> 135 - NT_STATUS_CONNECTION_REFUSED.
> >> [2016/12/01 10:14:39.212551, 0]
> >> ../source4/librpc/rpc/dcerpc_sock.c:63(continue_socket_connect)
> >> Failed to connect host 192.168.16.50 on port 135 -
> >> NT_STATUS_CONNECTION_REFUSED
> >> [2016/12/01 10:14:39.212757, 0]
> >> ../source4/librpc/rpc/dcerpc_sock.c:245(continue_ip_open_socket)
> >> Failed to connect host 192.168.16.50
> >> (aa03011a-94c2-4c52-bc60-6fd2f75d35e5._msdcs.dtshrm.dt) on port
> >> 135 - NT_STATUS_CONNECTION_REFUSED.
> >> [2016/12/01 10:14:39.258017, 0]
> >> ../source4/librpc/rpc/dcerpc_sock.c:63(continue_socket_connect)
> >> Failed to connect host 192.168.16.50 on port 135 -
> >> NT_STATUS_CONNECTION_REFUSED
> >> [2016/12/01 10:14:39.258234, 0]
> >> ../source4/librpc/rpc/dcerpc_sock.c:245(continue_ip_open_socket)
> >> Failed to connect host 192.168.16.50
> >> (aa03011a-94c2-4c52-bc60-6fd2f75d35e5._msdcs.dtshrm.dt) on port
> >> 135 - NT_STATUS_CONNECTION_REFUSED.
> >>
> >> So, I found the "Verifying_and_Creating_a_DC_DNS_Record" page of
> >> the wiki and ran:
> >>
> >> root at dtdc03:~# ldbsearch -H /usr/local/samba/private/sam.ldb
> >> '(invocationId=*)' --cross-ncs objectguid
> >> # record 1
> >> dn: CN=NTDS
> >> Settings,CN=DTDC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dtshrm,DC=dt
> >> objectGUID: d3298cdc-aed1-48e6-b8fc-f3cdb80b1066
> >>
> >> # record 2
> >> dn: CN=NTDS
> >> Settings,CN=DTDC04,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dtshrm,DC=dt
> >> objectGUID: aa03011a-94c2-4c52-bc60-6fd2f75d35e5
> >>
> >> # returned 2 records
> >> # 2 entries
> >> # 0 referrals
> >>
> >> And then ran:
> >>
> >> root at dtdc03:~# host -t CNAME
> >> aa03011a-94c2-4c52-bc60-6fd2f75d35e5._msdcs.dtshrm.dt.
> >> aa03011a-94c2-4c52-bc60-6fd2f75d35e5._msdcs.dtshrm.dt is an alias
> >> for dtdc04.dtshrm.dt.
> >>
> >> The objectGUID string matches. How do I correct this log entry and
> >> resolve the "NT_STATUS_CONNECTION_REFUSED?
> >
> > OK, is your DC listening on port 135 ?
> > Run this on the DC:
> >
> > netstat -plnt | grep 135
> >
> > It should return something like this:
> >
> > tcp 0 0 0.0.0.0:135 0.0.0.0:*
> > LISTEN 2093/samba tcp6 0
> > 0 :::135 :::* LISTEN
> > 2093/samba
> >
> > What is the 'server services' line in smb.conf ?
> >
> > Rowland
>
> Here is the output from "netstat -plnt | grep 135":
>
> root at dtdc03:~# netstat -plnt | grep 135
> tcp 0 0 192.168.16.49:135 0.0.0.0:*
> LISTEN 1142/samba
> tcp 0 0 127.0.0.1:135 0.0.0.0:*
> LISTEN 1142/samba
>
> Here are both DC's smb.conf files:
>
> root at dtdc03:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios name = DTDC03
> realm = DTSHRM.DT
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
> workgroup = DTDOM
> server role = active directory domain controller
>
> time server = yes
>
> ## log level = 5
>
> interfaces = 127.0.0.1 192.168.16.49
> bind interfaces only = yes
>
> allow dns updates = nonsecure and secure
> dns forwarder = 192.168.16.49
>
> # Thanks to Lars for this fix, it stops the syslog
> # being spammed by the lack of a CUPS server.
> printing = CUPS
> printcap name = /dev/null
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/dtshrm.dt/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> root at dtdc04:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios name = DTDC04
> realm = DTSHRM.DT
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
> workgroup = DTDOM
> server role = active directory domain controller
>
> time server = yes
>
> ### log level = 5
>
> interfaces = 127.0.0.1 192.168.16.50
> bind interfaces only = yes
>
> allow dns updates = nonsecure and secure
> dns forwarder = 192.168.16.50
>
> # Thanks to Lars for this fix, it stops the syslog
> # being spammed by the lack of a CUPS server.
> printing = CUPS
> printcap name = /dev/null
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/dtshrm.dt/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> Your thoughts?
>
You seem to be using Bind9, so you don't need the 'dns forwarder' lines
If you only have one network device installed in the DCs, I would also
loose the 'interfaces' & 'bind interfaces only' lines
I would add this line on each DC:
idmap_ldb:use rfc2307 = yes
Rowland
More information about the samba
mailing list