[Samba] Samba crashes and won't restart

Alexander Harm || ApfelQ alexander.harm at apfelq.com
Tue Jun 21 11:51:16 UTC 2022

Thanks for your reply.

I indeed run Louis’ packages on Debian Bullseye. We have 4 instances in 3 locations. Apart from one, they run in a Proxmox VM. The ones showing this behaviour are both in location A, one VM on Proxmox, one VM on Synology (both are KVM). The other sites, running the same version, do not show any of this behaviour.

Here is the requested output:

Config collected --- 2022-06-21-13:43 -----------

Hostname: ka-h9-dc01
DNS Domain: ds.example.com
FQDN: ka-h9-dc01.ds.example.com


This computer is running Debian 11.3 x86_64


running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet scope host lo
inet6 ::1/128 scope host
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 22:2a:f3:8f:21:8f brd ff:ff:ff:ff:ff:ff
altname enp0s18
inet brd scope global noprefixroute ens18
inet6 fe80::3b1d:5481:53e6:72c6/64 scope link noprefixroute


Checking file: /etc/hosts localhost ka-h9-dc01.ds.example.com ka-h9-dc01

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


Checking file: /etc/resolv.conf

# Generated by NetworkManager
search ds.example.com


Kerberos SRV _kerberos._tcp.ds.example.com record(s) verified ok, sample output:

_kerberos._tcp.ds.example.com service = 0 100 88 ka-h9-dc02.ds.example.com.
_kerberos._tcp.ds.example.com service = 0 100 88 ka-h9-dc01.ds.example.com.
_kerberos._tcp.ds.example.com service = 0 100 88 es-dc01.ds.example.com.
_kerberos._tcp.ds.example.com service = 0 100 88 vmdc-azure-01.ds.example.com.


'kinit Administrator' password checked failed.
Wrong password or kerberos REALM problems.


Samba is running as an AD DC


Checking file: /etc/krb5.conf

dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = DS.EXAMPLE.COM


Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files systemd
group: files systemd
shadow: files
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis


Checking file: /etc/samba/smb.conf

# Global parameters
log level = 1 auth_audit:3
netbios name = KA-H9-DC01
server role = active directory domain controller
workgroup = EXAMPLE

dns forwarder =

ntlm auth = mschapv2-and-ntlmv2-only

tls enabled = yes
tls keyfile = tls/ka-h9-dc01.key
tls certfile = tls/ka-h9-dc01.crt
tls cafile = tls/ds-ca.pem

path = /var/lib/samba/sysvol/ds.example.com/scripts
read only = No

path = /var/lib/samba/sysvol
read only = No


This DC is not being used as a fileserver

BIND_DLZ not detected in smb.conf


Time on the DC with PDC Emulator role is: 2022-06-21T13:43:32

Time on this computer is: 2022-06-21T13:43:32

Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds


Installed packages:
ii acl 2.2.53-10 amd64 access control list - utilities
ii attr 1:2.4.48-6 amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6+nmu1 all Configuration files for Kerberos Version 5
ii krb5-locales 1.18.3-6+deb11u1 all internationalization support for MIT Kerberos
ii krb5-user 1.18.3-6+deb11u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-10 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-6 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64 Samba nameservice integration plugins
ii libpam-krb5:amd64 4.9-2 amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64 Samba winbind client library
ii python3-samba 2:4.15.7+dfsg-0.1bullseye1 amd64 Python 3 bindings for Samba
ii samba 2:4.15.7+dfsg-0.1bullseye1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.15.7+dfsg-0.1bullseye1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.15.7+dfsg-0.1bullseye1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.15.7+dfsg-0.1bullseye1 amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.15.7+dfsg-0.1bullseye1 amd64 service to resolve user and group information from Windows NT servers


The only change I can remember was that I gave ka-h9-dc01 the FSMO role for some minutes when I tried to upgrade from 2008R2 to 2012 functionality.

Regards, Alexander

> On Monday, Jun 20, 2022 at 2:36 PM, Alexander Harm || ApfelQ <alexander.harm at apfelq.com> wrote:
> Hi, we have Samba (4.15.7-Debian) running on Debian as our domain controller. In the last few weeks we have suffered from frequent failures of the samba-ad-dc.service, which is also not restarted automatically by systemd. Manual restart works 100%.
> The logs show the following entries:
> [2022/06/19 12:55:34.464069, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> Auth: [LDAP,simple bind/TLS] user [CRAZE]\[cn=ka.h9.dc01,cn=users,dc=ds,dc=craze,dc=toys] at [Sun, 19 Jun 2022 12:55:34.423131 CEST] with [Plaintext] status [NT_STATUS_OK] workstation [KA-H9-DC01] rem[2022/06/19 12:18:33.218787, 1] ../../librpc/ndr/ndr.c:630(_ndr_pull_error)
> [2022/06/19 12:36:31.346007, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> [2022/06/19 12:49:52.376820, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> [2022/06/19 12:49:56.569063, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> [2022/06/19 12:52:05.973201, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> [2022/06/19 12:54:21.548309, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> [2022/06/19 12:54:52.559657, 0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
> dnsupdate_nameupdate_done: Failed DNS update with exit code 110
> [2022/06/19 12:54:52.625303, 0] ../../source4/dsdb/dns/dns_update.c:108(dnsupdate_spnupdate_done)
> ../../source4/dsdb/dns/dns_update.c:108: Failed SPN update - with error code 110
> [2022/06/19 12:55:34.464069, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> Auth: [LDAP,simple bind/TLS] user [CRAZE]\[cn=ka.h9.dc01,cn=users,dc=ds,dc=craze,dc=toys] at [Sun, 19 Jun 2022 12:55:34.423131 CEST] with [Plaintext] status [NT_STATUS_OK] workstation [KA-H9-DC01] remote host [ipv4:] became [CRAZE]\[ka.h9.dc01] [S-1-5-21-1451753080-565542361-3466525082-1204]. local host [ipv4:]
> [2022/06/19 12:55:41.861689, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> Auth: [LDAP,simple bind/TLS] user [CRAZE]\[cn=ka.h9.dc01,cn=users,dc=ds,dc=craze,dc=toys] at [Sun, 19 Jun 2022 12:55:41.838245 CEST] with [Plaintext] status [NT_STATUS_OK] workstation [KA-H9-DC01] remote host [ipv4:] became [CRAZE]\[ka.h9.dc01] [S-1-5-21-1451753080-565542361-3466525082-1204]. local host [ipv4:]
> [2022/06/19 12:55:50.963672, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> Auth: [LDAP,simple bind/TLS] user [CRAZE]\[cn=ka.h9.dc01,cn=users,dc=ds,dc=craze,dc=toys] at [Sun, 19 Jun 2022 12:55:50.926453 CEST] with [Plaintext] status [NT_STATUS_OK] workstation [KA-H9-DC01] remote host [ipv4:] became [CRAZE]\[ka.h9.dc01] [S-1-5-21-1451753080-565542361-3466525082-1204]. local host [ipv4:]
> [2022/06/19 12:56:20.945016, 0] ../../source4/dsdb/kcc/kcc_periodic.c:790(samba_kcc_done)
> ../../source4/dsdb/kcc/kcc_periodic.c:790: Failed samba_kcc - NT_STATUS_IO_TIMEOUT
> [2022/06/19 12:56:49.827883, 0] ../../source4/samba/process_prefork.c:538(prefork_child_pipe_handler)
> prefork_child_pipe_handler: Parent 995, Child 1010 terminated with signal 9
> [2022/06/19 12:56:50.029270, 0] ../../source4/samba/process_prefork.c:481(prefork_restart)
> prefork_restart: Restarting [rpc] pre-fork worker(0)
> [2022/06/20 11:32:52.524375, 0] ../../source4/samba/server.c:626(binary_smbd_main)
> samba version 4.15.7-Debian started.
> Copyright Andrew Tridgell and the Samba Team 1992-2021
> Does anyone have an idea why samba terminates and why it is not restarted?
> Greetings, Alexander
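
Added example, not part of the original post and not Samba's own code: a small Python parser for the log format quoted above that finds each pre-fork worker terminated by a signal and lists the level-0 errors logged shortly before it. The sample lines are copied from the quoted log; the function names and the five-minute look-back window are assumptions of this example.

```python
import re
import signal
from collections import namedtuple
from datetime import datetime, timedelta

# Lines copied from the log quoted in the post, "> " quote markers removed.
SAMPLE_LOG = """\
[2022/06/19 12:54:21.548309, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
[2022/06/19 12:54:52.559657, 0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
dnsupdate_nameupdate_done: Failed DNS update with exit code 110
[2022/06/19 12:54:52.625303, 0] ../../source4/dsdb/dns/dns_update.c:108(dnsupdate_spnupdate_done)
../../source4/dsdb/dns/dns_update.c:108: Failed SPN update - with error code 110
[2022/06/19 12:56:20.945016, 0] ../../source4/dsdb/kcc/kcc_periodic.c:790(samba_kcc_done)
../../source4/dsdb/kcc/kcc_periodic.c:790: Failed samba_kcc - NT_STATUS_IO_TIMEOUT
[2022/06/19 12:56:49.827883, 0] ../../source4/samba/process_prefork.c:538(prefork_child_pipe_handler)
prefork_child_pipe_handler: Parent 995, Child 1010 terminated with signal 9
[2022/06/19 12:56:50.029270, 0] ../../source4/samba/process_prefork.c:481(prefork_restart)
prefork_restart: Restarting [rpc] pre-fork worker(0)
"""

Event = namedtuple("Event", "ts level func message")
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s+\S+:\d+\((\w+)\)\s*$")
KILLED = re.compile(r"Parent (\d+), Child (\d+) terminated with signal (\d+)")

def parse_samba_log(text):
    """Pair each '[timestamp, level] file:line(func)' header with its message lines."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            events.append(Event(ts, int(m.group(2)), m.group(3), ""))
        elif events and line.strip():
            last = events[-1]
            events[-1] = last._replace(message=f"{last.message} {line.strip()}".strip())
    return events

def killed_workers(events, window=timedelta(minutes=5)):
    """For each worker ended by a signal, list level-0 errors logged in the window before it."""
    findings = []
    for i, ev in enumerate(events):
        m = KILLED.search(ev.message)
        if m:
            earlier = [e.func for e in events[:i] if e.level == 0 and ev.ts - e.ts <= window]
            sig = signal.Signals(int(m.group(3))).name  # 9 -> SIGKILL on Linux
            findings.append((ev.ts, int(m.group(2)), sig, earlier))
    return findings

print(killed_workers(parse_samba_log(SAMPLE_LOG)))
```

On the sample, the worker with PID 1010 is reported as ended by SIGKILL, preceded by the DNS update, SPN update and KCC failures; SIGKILL cannot be caught by the process, so it is always delivered from outside the worker.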
