[Samba] Samba crashes and won't restart

L. van Belle belle at samba.org
Tue Jun 21 12:41:31 UTC 2022 

Smb.conf and other configs looks fine, except. 

Check these lines. Missing an enter, is this also same in smb.conf? 
I suggest, remove the part after controller and type it in again. 
> server role = active directory domain controller workgroup = EXAMPLE
> 
> dns forwarder = 10.0.1.100 10.0.1.110
Really 2 the same ipaddresses?  😉 

> 12:55:50.926453 CEST] with [Plaintext] status [NT_STATUS_OK] workstation [KA-H9-DC01] remote host [ipv4:10.0.1.250:60038] became [CRAZE]\[ka.h9.dc01] [S-1-5-21-1451753080-565542361-3466525082-1204]. Local

It looks like here mDNS (AVAHI) is not helping you.. 
check if avahi-daemon is installed, if so remove it or configure nsswitch.conf 
Run : dpkg-query -W avahi*  to see if its installed. 

Check/fix above, reboot, any errors,  run script again. 

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba <samba-bounces at lists.samba.org> Namens Alexander Harm ||
> ApfelQ via samba
> Verzonden: dinsdag 21 juni 2022 13:51
> Aan: Andrew Bartlett via samba <samba at lists.samba.org>
> Onderwerp: Re: [Samba] Samba crashes and won't restart
> 
> Thanks for your reply.
> 
> I indeed run Louis’ packages on Debian Bullseye. We have 4 instances in 3
> locations. Apart from one they run in a Proxmox VM. The ones showing this
> behaviour are both in location A, one VM on Proxmox, one VM on Synology
> (both are KVM). The other sites, running the same version do not show any
> of this behaviour.
> 
> Here the requested output:
> 
> Config collected --- 2022-06-21-13:43 -----------
> 
> Hostname: ka-h9-dc01
> DNS Domain: ds.example.com
> Realm: DS.EXAMPLE.COM
> FQDN: ka-h9-dc01.ds.example.com
> ipaddress: 10.0.1.250
> 
> -----------
> 
> This computer is running Debian 11.3 x86_64
> 
> -----------
> 
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state
> UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd
> 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> 2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> pfifo_fast state UP group default qlen 1000 link/ether 22:2a:f3:8f:21:8f brd
> ff:ff:ff:ff:ff:ff altname enp0s18 inet 10.0.1.250/24 brd 10.0.1.255 scope global
> noprefixroute ens18
> inet6 fe80::3b1d:5481:53e6:72c6/64 scope link noprefixroute
> 
> -----------
> 
> Checking file: /etc/hosts
> 
> 127.0.0.1 localhost
> 10.0.1.250 ka-h9-dc01.ds.example.com ka-h9-dc01
> 
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> -----------
> 
> Checking file: /etc/resolv.conf
> 
> # Generated by NetworkManager
> search ds.example.com
> nameserver 10.88.80.88
> nameserver 10.0.1.250
> 
> -----------
> 
> Kerberos SRV _kerberos._tcp.ds.example.com record(s) verified ok, sample
> output:
> Server: 10.88.80.88
> Address: 10.88.80.88#53
> 
> _kerberos._tcp.ds.example.com service = 0 100 88 ka-h9-
> dc02.ds.example.com.
> _kerberos._tcp.ds.example.com service = 0 100 88 ka-h9-
> dc01.ds.example.com.
> _kerberos._tcp.ds.example.com service = 0 100 88 es-dc01.ds.example.com.
> _kerberos._tcp.ds.example.com service = 0 100 88 vmdc-azure-
> 01.ds.example.com.
> 
> -----------
> 
> 'kinit Administrator' password checked failed.
> Wrong password or kerberos REALM problems.
> 
> -----------
> 
> Samba is running as an AD DC
> 
> -----------
> 
> Checking file: /etc/krb5.conf
> 
> [libdefaults]
> dns_lookup_realm = false
> dns_lookup_kdc = true
> default_realm = DS.EXAMPLE.COM
> 
> -----------
> 
> Checking file: /etc/nsswitch.conf
> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd: files systemd
> group: files systemd
> shadow: files
> gshadow: files
> 
> hosts: files dns
> networks: files
> 
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> 
> netgroup: nis
> 
> -----------
> 
> Checking file: /etc/samba/smb.conf
> 
> # Global parameters
> [global]
> log level = 1 auth_audit:3
> netbios name = KA-H9-DC01
> realm = DS.EXAMPLE.COM
> server role = active directory domain controller workgroup = EXAMPLE
> 
> dns forwarder = 10.0.1.100 10.0.1.110
> 
> ntlm auth = mschapv2-and-ntlmv2-only
> 
> tls enabled = yes
> tls keyfile = tls/ka-h9-dc01.key
> tls certfile = tls/ka-h9-dc01.crt
> tls cafile = tls/ds-ca.pem
> 
> [netlogon]
> path = /var/lib/samba/sysvol/ds.example.com/scripts
> read only = No
> 
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> 
> -----------
> 
> This DC is not being used as a fileserver
> 
> BIND_DLZ not detected in smb.conf
> 
> -----------
> 
> Time on the DC with PDC Emulator role is: 2022-06-21T13:43:32
> 
> Time on this computer is: 2022-06-21T13:43:32
> 
> Time verified ok, within the allowed 300sec margin.
> Time offset is currently : 0 seconds
> 
> -----------
> 
> Installed packages:
> ii acl 2.2.53-10 amd64 access control list - utilities ii attr 1:2.4.48-6 amd64
> utilities for manipulating filesystem extended attributes ii krb5-config
> 2.6+nmu1 all Configuration files for Kerberos Version 5 ii krb5-locales 1.18.3-
> 6+deb11u1 all internationalization support for MIT Kerberos ii krb5-user
> 1.18.3-6+deb11u1 amd64 basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.53-10 amd64 access control list - shared library ii
> libattr1:amd64 1:2.4.48-6 amd64 extended attribute handling - shared library
> ii libgssapi-krb5-2:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime
> libraries - krb5 GSS-API Mechanism ii libkrb5-3:amd64 1.18.3-6+deb11u1
> amd64 MIT Kerberos runtime libraries ii libkrb5support0:amd64 1.18.3-
> 6+deb11u1 amd64 MIT Kerberos runtime libraries - Support library ii libnss-
> winbind:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64 Samba nameservice
> integration plugins ii libpam-krb5:amd64 4.9-2 amd64 PAM module for MIT
> Kerberos ii libpam-winbind:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64
> Windows domain authentication integration plugin ii libsmbclient:amd64
> 2:4.15.7+dfsg-0.1bullseye1 amd64 shared library for communication with
> SMB/CIFS servers ii libwbclient0:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64
> Samba winbind client library ii python3-samba 2:4.15.7+dfsg-0.1bullseye1
> amd64 Python 3 bindings for Samba ii samba 2:4.15.7+dfsg-0.1bullseye1
> amd64 SMB/CIFS file, print, and login server for Unix ii samba-common
> 2:4.15.7+dfsg-0.1bullseye1 all common files used by both the Samba server
> and client ii samba-common-bin 2:4.15.7+dfsg-0.1bullseye1 amd64 Samba
> common files used by both the server and the client ii samba-dsdb-
> modules:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64 Samba Directory Services
> Database ii samba-libs:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64 Samba core
> libraries ii samba-vfs-modules:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64
> Samba Virtual FileSystem plugins ii smbclient 2:4.15.7+dfsg-0.1bullseye1
> amd64 command-line SMB/CIFS clients for Unix ii winbind 2:4.15.7+dfsg-
> 0.1bullseye1 amd64 service to resolve user and group information from
> Windows NT servers
> 
> -----------
> 
> The only change I can remember was that I gave ka-h9-dc01FSMO-role for
> some minutes when I tried to upgrade from 2008R2 to 2012 functionality.
> 
> Regards, Alexander
> 
> > On Monday, Jun 20, 2022 at 2:36 PM, Alexander Harm || ApfelQ
> <alexander.harm at apfelq.com (mailto:alexander.harm at apfelq.com)>
> wrote:
> > Hi, we have Samba (4.15.7-Debian) running on Debian as our domain
> controller. In the last weeks we suffer from frequent failures of the samba-
> ad-dc.service which is also not restarted automatically by systemd. Manual
> restart works 100%.
> >
> > The logs show the following entries:
> >
> > [2022/06/19 12:55:34.464069, 3]
> > ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> > Auth: [LDAP,simple bind/TLS] user
> > [CRAZE]\[cn=ka.h9.dc01,cn=users,dc=ds,dc=craze,dc=toys] at [Sun, 19
> > Jun 2022 12:55:34.423131 CEST] with [Plaintext] status [NT_STATUS_OK]
> > workstation [KA-H9-DC01] rem[2022/06/19 12:18:33.218787, 1]
> > ../../librpc/ndr/ndr.c:630(_ndr_pull_error)
> > [2022/06/19 12:36:31.346007, 3]
> > ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> > [2022/06/19 12:49:52.376820, 3]
> > ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> > [2022/06/19 12:49:56.569063, 3]
> > ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> > [2022/06/19 12:52:05.973201, 3]
> > ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> > [2022/06/19 12:54:21.548309, 3]
> > ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> > [2022/06/19 12:54:52.559657, 0]
> > ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
> > dnsupdate_nameupdate_done: Failed DNS update with exit code 110
> > [2022/06/19 12:54:52.625303, 0]
> > ../../source4/dsdb/dns/dns_update.c:108(dnsupdate_spnupdate_done)
> > ../../source4/dsdb/dns/dns_update.c:108: Failed SPN update - with
> > error code 110
> > [2022/06/19 12:55:34.464069, 3]
> > ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> > Auth: [LDAP,simple bind/TLS] user
> > [CRAZE]\[cn=ka.h9.dc01,cn=users,dc=ds,dc=craze,dc=toys] at [Sun, 19
> > Jun 2022 12:55:34.423131 CEST] with [Plaintext] status [NT_STATUS_OK]
> > workstation [KA-H9-DC01] remote host [ipv4:10.0.1.250:34546] became
> > [CRAZE]\[ka.h9.dc01] [S-1-5-21-1451753080-565542361-3466525082-1204].
> > local host [ipv4:10.0.1.250:389]
> > [2022/06/19 12:55:41.861689, 3]
> > ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> > Auth: [LDAP,simple bind/TLS] user
> > [CRAZE]\[cn=ka.h9.dc01,cn=users,dc=ds,dc=craze,dc=toys] at [Sun, 19
> > Jun 2022 12:55:41.838245 CEST] with [Plaintext] status [NT_STATUS_OK]
> > workstation [KA-H9-DC01] remote host [ipv4:10.0.1.250:60036] became
> > [CRAZE]\[ka.h9.dc01] [S-1-5-21-1451753080-565542361-3466525082-1204].
> > local host [ipv4:10.0.1.250:389]
> > [2022/06/19 12:55:50.963672, 3]
> > ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> > Auth: [LDAP,simple bind/TLS] user
> > [CRAZE]\[cn=ka.h9.dc01,cn=users,dc=ds,dc=craze,dc=toys] at [Sun, 19
> > Jun 2022 12:55:50.926453 CEST] with [Plaintext] status [NT_STATUS_OK]
> > workstation [KA-H9-DC01] remote host [ipv4:10.0.1.250:60038] became
> > [CRAZE]\[ka.h9.dc01] [S-1-5-21-1451753080-565542361-3466525082-1204].
> > local host [ipv4:10.0.1.250:389]
> > [2022/06/19 12:56:20.945016, 0]
> > ../../source4/dsdb/kcc/kcc_periodic.c:790(samba_kcc_done)
> > ../../source4/dsdb/kcc/kcc_periodic.c:790: Failed samba_kcc -
> > NT_STATUS_IO_TIMEOUT
> > [2022/06/19 12:56:49.827883, 0]
> > ../../source4/samba/process_prefork.c:538(prefork_child_pipe_handler)
> > prefork_child_pipe_handler: Parent 995, Child 1010 terminated with
> > signal 9
> > [2022/06/19 12:56:50.029270, 0]
> > ../../source4/samba/process_prefork.c:481(prefork_restart)
> > prefork_restart: Restarting [rpc] pre-fork worker(0)
> > [2022/06/20 11:32:52.524375, 0]
> > ../../source4/samba/server.c:626(binary_smbd_main)
> > samba version 4.15.7-Debian started.
> > Copyright Andrew Tridgell and the Samba Team 1992-2021
> >
> >
> > Does anyone have an idea why samba terminates and why it is not
> restarted?
> >
> > Greetings, Alexander
> >
> >
> >
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list