[Samba] port 135 - NT_STATUS_CONNECTION_REFUSED

Rowland Penny rpenny at samba.org
Sun Dec 4 16:25:38 UTC 2016


On Sun, 04 Dec 2016 09:43:25 -0600
Bob of Donelson Trophy via samba <samba at lists.samba.org> wrote:

> On 2016-12-04 09:11, Rowland Penny via samba wrote:
> 
> > On Sun, 04 Dec 2016 08:01:09 -0600
> > Bob of Donelson Trophy via samba <samba at lists.samba.org> wrote:
> > 
> >> I have two DC's running Samba 4.5.0 and the "dtdc03" log.samba is
> >> showing the following: 
> >> 
> >> root@dtdc03:~# tail -f /usr/local/samba/var/log.samba
> >> [2016/12/01 10:14:39.167794,  0]
> >> ../source4/librpc/rpc/dcerpc_sock.c:245(continue_ip_open_socket)
> >> Failed to connect host 192.168.16.50
> >> (aa03011a-94c2-4c52-bc60-6fd2f75d35e5._msdcs.dtshrm.dt) on port
> >> 135 - NT_STATUS_CONNECTION_REFUSED.
> >> [2016/12/01 10:14:39.212551,  0]
> >> ../source4/librpc/rpc/dcerpc_sock.c:63(continue_socket_connect)
> >> Failed to connect host 192.168.16.50 on port 135 -
> >> NT_STATUS_CONNECTION_REFUSED
> >> [2016/12/01 10:14:39.212757,  0]
> >> ../source4/librpc/rpc/dcerpc_sock.c:245(continue_ip_open_socket)
> >> Failed to connect host 192.168.16.50
> >> (aa03011a-94c2-4c52-bc60-6fd2f75d35e5._msdcs.dtshrm.dt) on port
> >> 135 - NT_STATUS_CONNECTION_REFUSED.
> >> [2016/12/01 10:14:39.258017,  0]
> >> ../source4/librpc/rpc/dcerpc_sock.c:63(continue_socket_connect)
> >> Failed to connect host 192.168.16.50 on port 135 -
> >> NT_STATUS_CONNECTION_REFUSED
> >> [2016/12/01 10:14:39.258234,  0]
> >> ../source4/librpc/rpc/dcerpc_sock.c:245(continue_ip_open_socket)
> >> Failed to connect host 192.168.16.50
> >> (aa03011a-94c2-4c52-bc60-6fd2f75d35e5._msdcs.dtshrm.dt) on port
> >> 135 - NT_STATUS_CONNECTION_REFUSED. 
> >> 
> >> So, I found the "Verifying_and_Creating_a_DC_DNS_Record" page of
> >> the wiki and ran: 
> >> 
> >> root@dtdc03:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
> >> # record 1
> >> dn: CN=NTDS Settings,CN=DTDC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dtshrm,DC=dt
> >> objectGUID: d3298cdc-aed1-48e6-b8fc-f3cdb80b1066
> >> 
> >> # record 2
> >> dn: CN=NTDS Settings,CN=DTDC04,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dtshrm,DC=dt
> >> objectGUID: aa03011a-94c2-4c52-bc60-6fd2f75d35e5
> >> 
> >> # returned 2 records
> >> # 2 entries
> >> # 0 referrals 
> >> 
> >> And then ran: 
> >> 
> >> root@dtdc03:~# host -t CNAME aa03011a-94c2-4c52-bc60-6fd2f75d35e5._msdcs.dtshrm.dt.
> >> aa03011a-94c2-4c52-bc60-6fd2f75d35e5._msdcs.dtshrm.dt is an alias for dtdc04.dtshrm.dt.
> >> 
> >> The objectGUID string matches. How do I correct this log entry and
> >> resolve the "NT_STATUS_CONNECTION_REFUSED"?
> > 
> > OK, is your DC listening on port 135 ?
> > Run this on the DC:
> > 
> > netstat -plnt | grep 135
> > 
> > It should return something like this:
> > 
> > tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      2093/samba
> > tcp6       0      0 :::135                  :::*                    LISTEN      2093/samba
> > 
> > What is the 'server services' line in smb.conf ?
> > 
> > Rowland
> 
> Here is the output from "netstat -plnt | grep 135": 
> 
> root@dtdc03:~# netstat -plnt | grep 135
> tcp        0      0 192.168.16.49:135       0.0.0.0:*               LISTEN      1142/samba
> tcp        0      0 127.0.0.1:135           0.0.0.0:*               LISTEN      1142/samba
> 
> Here are both DC's smb.conf files: 
> 
> root@dtdc03:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>     netbios name = DTDC03
>     realm = DTSHRM.DT
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>     workgroup = DTDOM
>     server role = active directory domain controller
> 
>     time server = yes
> 
> ##    log level = 5
> 
>     interfaces = 127.0.0.1    192.168.16.49
>     bind interfaces only = yes
> 
>     allow dns updates = nonsecure and secure 
>         dns forwarder = 192.168.16.49
> 
>         # Thanks to Lars for this fix, it stops the syslog
>         # being spammed by the lack of a CUPS server.
>         printing = CUPS
>         printcap name = /dev/null
> 
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/dtshrm.dt/scripts
>     read only = No
> 
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No 
> 
> root@dtdc04:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios name = DTDC04
> realm = DTSHRM.DT
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = DTDOM
> server role = active directory domain controller 
> 
> time server = yes 
> 
> ### log level = 5 
> 
> interfaces = 127.0.0.1 192.168.16.50
> bind interfaces only = yes 
> 
> allow dns updates = nonsecure and secure 
> dns forwarder = 192.168.16.50
> 
> # Thanks to Lars for this fix, it stops the syslog
> # being spammed by the lack of a CUPS server.
> printing = CUPS
> printcap name = /dev/null 
> 
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/dtshrm.dt/scripts
> read only = No 
> 
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No 
> 
> Your thoughts?
> 

You seem to be using Bind9, so you don't need the 'dns forwarder' lines.
If you only have one network device installed in the DCs, I would also
lose the 'interfaces' & 'bind interfaces only' lines.

I would add this line on each DC:

idmap_ldb:use rfc2307 = yes

Rowland
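
Added example, not part of the original thread: the refused connection in the log targets 192.168.16.50, while the pasted netstat output comes from dtdc03 (192.168.16.49), so this sketch parses `netstat -plnt` text and reports whether any listener covers a given address and port. The sample inputs are constructed from the output shown in the thread, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the port-135 rows posted from dtdc03 in the thread.
NETSTAT_DTDC03 = """\
tcp        0      0 192.168.16.49:135       0.0.0.0:*               LISTEN      1142/samba
tcp        0      0 127.0.0.1:135           0.0.0.0:*               LISTEN      1142/samba
"""

# Constructed sample: wildcard listeners like those shown in the reply.
NETSTAT_WILDCARD = """\
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      2093/samba
tcp6       0      0 :::135                  :::*                    LISTEN      2093/samba
"""


def parse_listeners(netstat_text):
    """Return (address, port, program) for every TCP LISTEN row."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        # rpartition splits on the last colon, so ':::135' gives ('::', '135').
        addr, _, port = fields[3].rpartition(":")
        try:
            ip = ipaddress.ip_address(addr.strip("[]"))
        except ValueError:
            continue  # not a net-tools style address column
        if port.isdigit():
            listeners.append((ip, int(port), fields[6] if len(fields) > 6 else "-"))
    return listeners


def covers(listeners, target_ip, port):
    """True if a listener accepts connections sent to target_ip:port."""
    target = ipaddress.ip_address(target_ip)
    for addr, lport, _program in listeners:
        # Exact port match, unlike `grep 135`, which also matches 1135 or a PID.
        if lport != port or addr.version != target.version:
            continue  # conservative: a '::' listener is not assumed to take IPv4
        if addr.is_unspecified or addr == target:
            return True
    return False


if __name__ == "__main__":
    for ip in ("192.168.16.49", "192.168.16.50"):
        print(ip, "covered:", covers(parse_listeners(NETSTAT_DTDC03), ip, 135))
```
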
