[Samba] AD connection interruptions
van Vloten Kees
keesvanvloten at gmail.com
Wed Apr 13 12:14:41 UTC 2022
Hi Team,
I am seeing connection interruptions between a member server (a Samba smb-server) and the Samba DC servers.
All are running on the same machine in privileged lxc containers. All are
Debian Bullseye, Samba 4.15.6.
I have 2 DCs and a single SMB-server.
For debugging purposes I ran a loop with wbinfo --ping-dc every second:
checking the NETLOGON for domain[SAMDOM] dc connection to "controller01.samdom.net" succeeded
checking the NETLOGON for domain[SAMDOM] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND
---- this repeats for 35 seconds ----
checking the NETLOGON for domain[SAMDOM] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND
checking the NETLOGON for domain[SAMDOM] dc connection to "controller01.samdom.net" succeeded
In log.wb-SAMDOM on the smb-server I see the same issue:
[2022/04/13 13:43:49.182548, 3]
../../source3/winbindd/winbindd_cm.c:1873(connection_ok)
connection_ok: Connection to controller01.samdom.net for domain SAMDOM is not connected
[2022/04/13 13:43:49.182685, 3]
../../source3/lib/util_sock.c:457(open_socket_out_send)
Connecting to 192.168.15.3 at port 445
[2022/04/13 13:43:54.185873, 3]
../../source3/libsmb/namequery.c:3243(get_dc_list)
get_dc_list: preferred server list: ", *"
[2022/04/13 13:44:05.188868, 3]
../../source3/libsmb/namequery.c:3475(get_sorted_dc_list)
get_sorted_dc_list: no server for name samdom.net available in site Default-First-Site-Name, fallback to all servers
[2022/04/13 13:44:05.188936, 3]
../../source3/libsmb/namequery.c:3243(get_dc_list)
get_dc_list: preferred server list: ", *"
[2022/04/13 13:44:16.191335, 3]
../../source3/libads/ldap.c:560(ads_find_dc)
ads_find_dc: failed to find a valid DC on our site (Default-First-Site-Name), Trying to find another DC for realm 'samdom.net' (domain '')
[2022/04/13 13:44:16.191569, 3]
../../source3/libsmb/namequery.c:3243(get_dc_list)
get_dc_list: preferred server list: ", *"
[2022/04/13 13:44:27.193854, 1]
../../source3/libads/ldap.c:592(ads_find_dc)
ads_find_dc: name resolution for realm 'samdom.net' (domain '') failed: NT_STATUS_NO_LOGON_SERVERS
[2022/04/13 13:44:27.193936, 3]
../../source3/libsmb/namequery.c:3243(get_dc_list)
get_dc_list: preferred server list: ", *"
[2022/04/13 13:44:27.193961, 3]
../../libcli/nbt/lmhosts.c:182(resolve_lmhosts_file_as_sockaddr)
resolve_lmhosts: Attempting lmhosts lookup for name SAMDOM<0x1c>
[2022/04/13 13:44:27.193991, 3]
../../source3/libsmb/namequery.c:2162(resolve_wins_send)
resolve_wins: WINS server resolution selected and no WINS servers listed.
[2022/04/13 13:44:27.194018, 3]
../../source3/libsmb/namequery_dc.c:183(rpc_dc_name)
Could not look up dc's for domain SAMDOM
[2022/04/13 13:44:27.194044, 3]
../../source3/libsmb/namequery.c:3243(get_dc_list)
get_dc_list: preferred server list: ", *"
[2022/04/13 13:44:38.195695, 3]
../../source3/libsmb/namequery.c:3475(get_sorted_dc_list)
get_sorted_dc_list: no server for name samdom.net available in site Default-First-Site-Name, fallback to all servers
[2022/04/13 13:44:38.195762, 3]
../../source3/libsmb/namequery.c:3243(get_dc_list)
get_dc_list: preferred server list: ", *"
[2022/04/13 13:44:38.201661, 3]
../../source3/libsmb/namequery.c:3243(get_dc_list)
get_dc_list: preferred server list: ", *"
[2022/04/13 13:44:38.201712, 3]
../../source3/lib/util_sock.c:457(open_socket_out_send)
Connecting to 192.168.15.3 at port 445
[2022/04/13 13:44:38.203247, 3]
../../source3/libads/ldap.c:705(ads_connect)
Successfully contacted LDAP server 192.168.15.3
[2022/04/13 13:44:38.203302, 3]
../../source3/libsmb/namequery.c:3243(get_dc_list)
get_dc_list: preferred server list: ", *"
[2022/04/13 13:44:38.212878, 3]
../../source3/libsmb/namequery.c:3243(get_dc_list)
get_dc_list: preferred server list: ", *"
[2022/04/13 13:44:41.228281, 3]
../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
ldb: ltdb: tdb(/var/lib/samba/private/secrets.ldb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.ldb: No such file or directory
[2022/04/13 13:44:41.228315, 1]
../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
[2022/04/13 13:44:41.228326, 1]
../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
[2022/04/13 13:44:41.307505, 3]
../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
ldb: ltdb: tdb(/var/lib/samba/private/secrets.ldb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.ldb: No such file or directory
[2022/04/13 13:44:41.307536, 1]
../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
[2022/04/13 13:44:41.307546, 1]
../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
[2022/04/13 13:44:41.307821, 3]
../../source3/lib/util_sock.c:457(open_socket_out_send)
Connecting to 192.168.15.3 at port 135
[2022/04/13 13:44:41.308670, 3]
../../source3/lib/util_sock.c:457(open_socket_out_send)
Connecting to 192.168.15.3 at port 50000
Apart from DNS, the IPs of the DCs are also in /etc/hosts on the smb-server.
The global section of smb.conf of the smbserver:
[global]
interfaces = lo eth0
bind interfaces only = yes
socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=240 TCP_KEEPCNT=4 TCP_KEEPINTVL=15
unix extensions = no
usershare max shares = 0
ea support = yes
# log level = 5
include = /etc/samba/smb.conf.%I
log level = 3 auth_json_audit:3@/var/log/samba/audit.log
full_audit:success = mkdir pwrite write rename
full_audit:failure = none
full_audit:prefix = samba: IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:facility = local7
full_audit:priority = NOTICE
netbios name = SMBSERVER01
security = ADS
dedicated keytab file = /etc/krb5.keytab
realm = SAMDOM.NET
workgroup = SAMDOM
min domain uid = 0
lock directory = /var/cache/samba
idmap config samdom:backend = ad
idmap config samdom:schema_mode = rfc2307
idmap config samdom:unix_primary_group = yes
idmap config samdom:unix_nss_info = yes
idmap config samdom:range = 1001-100000
idmap config *:backend = tdb
idmap config *:range = 1000000-1999999
winbind cache time = 300
winbind offline logon = yes
winbind nss info = rfc2307
winbind enum groups = no
winbind enum users = no
winbind expand groups = 10
winbind normalize names = no
winbind refresh tickets = yes
winbind scan trusted domains = no
winbind use default domain = yes
kerberos method = secrets and keytab
kerberos encryption types = strong
rpc server dynamic port range = 50000-55000
ntlm auth = mschapv2-and-ntlmv2-only
disable netbios = yes
template homedir = /home/%U
template shell = /bin/bash
tls enabled = yes
tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
tls cafile = /etc/ssl/certs/ca.pem
tls keyfile = /var/lib/samba/private/tls/smbserver01.samdom.net.key
tls certfile = /etc/ssl/certs/smbserver01.samdom.net.crt
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
smb ports = 445
smbd profiling level = on
server min protocol = SMB3_11
client min protocol = SMB3_11
restrict anonymous = 2
map acl inherit = yes
store dos attributes = yes
panic action = /usr/share/samba/panic-action %d
server smb encrypt = desired
username map = /etc/samba/user.map
<share sections follow>
The whole smb.conf of a DC (both are identical)
[global]
netbios name = CONTROLLER01
realm = SAMDOM.NET
server role = active directory domain controller
server services = -dns
workgroup = SAMDOM
idmap_ldb:use rfc2307 = yes
kerberos method = secrets and keytab
kerberos encryption types = strong
rpc server dynamic port range = 50000-55000
ntlm auth = mschapv2-and-ntlmv2-only
disable netbios = yes
template homedir = /home/%U
template shell = /bin/bash
tls enabled = yes
tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
tls cafile = /etc/ssl/certs/ca.pem
tls keyfile = /var/lib/samba/private/tls/controller01.samdom.net.key
tls certfile = /etc/ssl/certs/controller01.samdom.net.crt
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
smb ports = 445
smbd profiling level = on
server min protocol = SMB3_11
client min protocol = SMB3_11
restrict anonymous = 2
map acl inherit = yes
store dos attributes = yes
panic action = /usr/share/samba/panic-action %d
server smb encrypt = desired
interfaces = lo eth0
bind interfaces only = yes
allow dns updates = disabled
ldap server require strong auth = yes
ldap ssl = start tls
log level = 3 auth_json_audit:3@/var/log/samba/audit.log
full_audit:success = pwrite write rename
full_audit:failure = none
full_audit:prefix = samba: IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:facility = local7
full_audit:priority = NOTICE
password hash gpg key ids = XXXXXXXXXX
dedicated keytab file = /var/lib/samba/private/secrets.keytab
idmap config *:range = 1000000-1999999
[sysvol]
path = /var/lib/samba/sysvol
read only = No
vfs objects = dfs_samba4, acl_xattr, full_audit
[netlogon]
path = /var/lib/samba/sysvol/samdom.net/scripts
read only = No
vfs objects = dfs_samba4, acl_xattr, full_audit
On the DCs I am running bind-dlz.
When I look in Windows in "Active Directory Sites and Services" my 2 DCs are listed in "Default-First-Site-Name", which is correct because I have not done any site setup (so there are no other sites, nor IP subnets set up).
When the intermittent error does not occur, name lookups return the right values:
root@smbserver01:/var/log/samba# host -t SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.net
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.net has SRV record 0 100 389 controller02.samdom.net.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.net has SRV record 0 100 389 controller01.samdom.net.
root@smbserver01:/var/log/samba# host -t SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.net
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.net has SRV record 0 100 88 controller02.samdom.net.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.net has SRV record 0 100 88 controller01.samdom.net.
I have not tested that during failure. I have checked that there is no CPU, memory or disk overload on the system.
What could be the issue here?
- Kees
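The post leaves one gap open: the SRV lookups were only checked while things worked, and the log.wb-SAMDOM excerpt shows winbind cycling through get_dc_list for about 49 seconds before it reconnects. The script below is an added example, not the poster's loop and not Samba project code. It extends the one-second wbinfo --ping-dc loop from the post so that, in the same second a ping fails, it also records which DC names the site-specific _ldap._tcp SRV record resolves to, and it measures the length of an outage from a log.wb-<DOMAIN> file. It assumes the realm samdom.net and site Default-First-Site-Name named in the post, that wbinfo and host are installed on the member server, and the Samba log layout shown above (a timestamp header line followed by the message line); the variable names, the output file path and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not the poster's script: poll winbind's DC connection once a
# second as the post does and, the moment a ping fails, record what DNS returns
# for the site-specific LDAP SRV record so the DNS answer and the winbind state
# are captured inside the same failure window rather than only between failures.
# Also measures an outage's length from log.wb-<DOMAIN>.
# Assumptions: realm samdom.net and site Default-First-Site-Name from the post,
# wbinfo and host present on the member server, POSIX sh and awk.

REALM="${REALM:-samdom.net}"
SITE="${SITE:-Default-First-Site-Name}"
OUT="${OUT:-/tmp/dc-ping-monitor.log}"

# classify_ping: read the output of one 'wbinfo --ping-dc' run on stdin and
# print "ok" or "fail". The failing runs in the post name no DC ("") and end
# with WBC_ERR_DOMAIN_NOT_FOUND; only output containing 'succeeded' counts as ok.
classify_ping() {
    case "$(cat)" in
        *succeeded*) echo ok ;;
        *)           echo fail ;;
    esac
}

# parse_srv_targets: read 'host -t SRV' output on stdin and print the DC host
# names it lists (trailing dot stripped), one per line, sorted. Prints nothing
# when the answer carried no records, which is exactly the case worth seeing.
parse_srv_targets() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }' | sort
}

# outage_seconds: given a log.wb-<DOMAIN> file, print the seconds between each
# "is not connected" message and the next "Successfully contacted LDAP server".
# Samba writes the timestamp on a header line ("[2022/04/13 13:43:49.182548,  3] ...")
# and the message on the following line, so the header's time is carried forward.
outage_seconds() {
    awk '
        /^\[[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / {
            split($2, t, /[:.]/)
            ts = t[1] * 3600 + t[2] * 60 + t[3]
            next
        }
        /is not connected/ && start == "" { start = ts }
        /Successfully contacted LDAP server/ && start != "" {
            print ts - start
            start = ""
        }
    ' "$1"
}

# monitor: the polling loop. One line per second with the ping state; after a
# failure the raw wbinfo output and the SRV targets seen at that moment follow.
monitor() {
    while :; do
        now=$(date '+%Y-%m-%d %H:%M:%S')
        result=$(wbinfo --ping-dc 2>&1)
        state=$(printf '%s\n' "$result" | classify_ping)
        printf '%s ping=%s\n' "$now" "$state" >> "$OUT"
        if [ "$state" = fail ]; then
            printf '%s wbinfo: %s\n' "$now" "$result" >> "$OUT"
            srv=$(host -t SRV "_ldap._tcp.${SITE}._sites.dc._msdcs.${REALM}" 2>&1 | parse_srv_targets)
            printf '%s srv_targets: %s\n' "$now" "${srv:-<none>}" >> "$OUT"
        fi
        sleep 1
    done
}

# Usage: 'sh dc-ping-monitor.sh run' starts the loop; 'sh dc-ping-monitor.sh demo'
# runs outage_seconds over a constructed sample built from the post's timestamps.
case "${1:-}" in
    run) monitor ;;
    demo)
        tmp=$(mktemp)
        cat > "$tmp" <<'EOF'
[2022/04/13 13:43:49.182548,  3] ../../source3/winbindd/winbindd_cm.c:1873(connection_ok)
  connection_ok: Connection to controller01.samdom.net for domain SAMDOM is not connected
[2022/04/13 13:44:38.203247,  3] ../../source3/libads/ldap.c:705(ads_connect)
  Successfully contacted LDAP server 192.168.15.3
EOF
        echo "outage length (s): $(outage_seconds "$tmp")"   # prints 49 for this sample
        rm -f "$tmp"
        ;;
esac
```

Reading the monitor's output next to log.wb-SAMDOM answers the question the post could not: whether DNS still returned both controllers during the 35 seconds in which wbinfo reported an empty DC name, or whether the SRV answer itself went empty at that moment. If the SRV targets stay present while winbind still falls back to "all servers", the problem sits in winbind's DC selection or connection state rather than in name resolution.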