[Samba] samba-tool hangs on one dc

Ray Klassen ray.klassen at icloud.com
Tue Nov 21 23:07:11 UTC 2023


On Tue, 2023-11-21 at 23:50 +0100, Thomas Schachtner via samba wrote:
> > On Tue, 2023-11-21 at 10:33 -0500, James Atwell via samba wrote:
> > > 
> > > > -----Original Message-----
> > > > From: samba <samba-bounces at lists.samba.org> On Behalf Of Thomas Schachtner via samba
> > > > Sent: Tuesday, November 21, 2023 9:16 AM
> > > > To: samba at lists.samba.org
> > > > Subject: [Samba] samba-tool hangs on one dc
> > > > 
> > > > Hello,
> > > > 
> > > > since some time (I don't remember since when) I have a strange phenomenon
> > > > with one of my two samba4 DCs.
> > > > Both dc1 and dc2 seem to run pretty fine and when working with Windows, I
> > > > do not see any issues.
> > > >
> > > > But when issuing the following command on dc1, the command does not
> > > > return but seems to be stuck.
> > > >
> > > > samba-tool drs showrepl
> > > >
> > > > When issuing the same command on dc2, it takes a second or so and the result
> > > > is printed on the screen.
> > > > The same with other commands like "samba-tool dns add"
> > > >
> > > > I already checked the samba log files, but I did not find any log entry.
> > > >
> > > > I know that it is difficult to provide a solution for a problem that is described so
> > > > poorly, but I don't know how to further debug it.
> > > > Any hints on how to move forward here and/or how to get more information?
> > > >
> > > > The output of samba-tool drs showrepl on dc2 does not show issues,
> > > > regardless of which dc is replicated to which one (i.e. dc1 to dc2 or vice-versa).
> > > > When executing repadmin /replsummary on a Windows client, also no errors
> > > > are shown.
> > > > 
> > > > Here's the output:
> > > > 
> > > > root at dc2:/var/lib/samba# samba-tool drs showrepl
> > > > Default-First-Site-Name\DC2
> > > > DSA Options: 0x00000001
> > > > DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-00a0db86e6a8
> > > > DSA invocationId: 0e649cb7-efc8-47ad-a841-4453973dbcec
> > > >
> > > > ==== INBOUND NEIGHBORS ====
> > > >
> > > > DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC1 via RPC
> > > >                   DSA object GUID: 4872003f-2bd7-4393-9eed-1ceaeecf92eb
> > > >                   Last attempt @ Tue Nov 21 12:26:25 2023 CET was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ Tue Nov 21 12:26:25 2023 CET
> > > >
> > > > CN=Schema,CN=Configuration,DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC1 via RPC
> > > >                   DSA object GUID: 4872003f-2bd7-4393-9eed-1ceaeecf92eb
> > > >                   Last attempt @ Tue Nov 21 12:26:25 2023 CET was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ Tue Nov 21 12:26:25 2023 CET
> > > >
> > > > CN=Configuration,DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC1 via RPC
> > > >                   DSA object GUID: 4872003f-2bd7-4393-9eed-1ceaeecf92eb
> > > >                   Last attempt @ Tue Nov 21 12:26:25 2023 CET was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ Tue Nov 21 12:26:25 2023 CET
> > > >
> > > > DC=DomainDnsZones,DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC1 via RPC
> > > >                   DSA object GUID: 4872003f-2bd7-4393-9eed-1ceaeecf92eb
> > > >                   Last attempt @ Tue Nov 21 12:26:25 2023 CET was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ Tue Nov 21 12:26:25 2023 CET
> > > >
> > > > DC=ForestDnsZones,DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC1 via RPC
> > > >                   DSA object GUID: 4872003f-2bd7-4393-9eed-1ceaeecf92eb
> > > >                   Last attempt @ Tue Nov 21 12:26:25 2023 CET was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ Tue Nov 21 12:26:25 2023 CET
> > > >
> > > > ==== OUTBOUND NEIGHBORS ====
> > > >
> > > > DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC1 via RPC
> > > >                   DSA object GUID: 4872003f-2bd7-4393-9eed-1ceaeecf92eb
> > > >                   Last attempt @ NTTIME(0) was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ NTTIME(0)
> > > >
> > > > CN=Schema,CN=Configuration,DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC1 via RPC
> > > >                   DSA object GUID: 4872003f-2bd7-4393-9eed-1ceaeecf92eb
> > > >                   Last attempt @ NTTIME(0) was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ NTTIME(0)
> > > >
> > > > CN=Configuration,DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC1 via RPC
> > > >                   DSA object GUID: 4872003f-2bd7-4393-9eed-1ceaeecf92eb
> > > >                   Last attempt @ NTTIME(0) was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ NTTIME(0)
> > > >
> > > > DC=DomainDnsZones,DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC1 via RPC
> > > >                   DSA object GUID: 4872003f-2bd7-4393-9eed-1ceaeecf92eb
> > > >                   Last attempt @ NTTIME(0) was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ NTTIME(0)
> > > >
> > > > DC=ForestDnsZones,DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC1 via RPC
> > > >                   DSA object GUID: 4872003f-2bd7-4393-9eed-1ceaeecf92eb
> > > >                   Last attempt @ NTTIME(0) was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ NTTIME(0)
> > > >
> > > > ==== KCC CONNECTION OBJECTS ====
> > > >
> > > > Connection --
> > > >           Connection name: 138dbf8f-16ef-406e-87aa-72a25b4e03b6
> > > >           Enabled        : TRUE
> > > >           Server DNS name : dc1.local.example.de
> > > >           Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=local,DC=example,DC=de
> > > >                   TransportType: RPC
> > > >                   options: 0x00000001
> > > > Warning: No NC replicated for Connection!
> > > > Now, after 10 minutes or so, also dc1 finished the command.
> > > > Here's the result:
> > > > 
> > > > root at dc1:~# samba-tool drs showrepl
> > > > Default-First-Site-Name\DC1
> > > > DSA Options: 0x00000001
> > > > DSA object GUID: 4872003f-2bd7-4393-9eed-1ceaeecf92eb
> > > > DSA invocationId: a1e3fc90-833a-476e-8c8a-0753b5593ae3
> > > >
> > > > ==== INBOUND NEIGHBORS ====
> > > >
> > > > DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC2 via RPC
> > > >                   DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-00a0db86e6a8
> > > >                   Last attempt @ Tue Nov 21 12:41:42 2023 CET was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ Tue Nov 21 12:41:42 2023 CET
> > > >
> > > > CN=Schema,CN=Configuration,DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC2 via RPC
> > > >                   DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-00a0db86e6a8
> > > >                   Last attempt @ Tue Nov 21 12:41:43 2023 CET was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ Tue Nov 21 12:41:43 2023 CET
> > > >
> > > > CN=Configuration,DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC2 via RPC
> > > >                   DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-00a0db86e6a8
> > > >                   Last attempt @ Tue Nov 21 12:41:43 2023 CET was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ Tue Nov 21 12:41:43 2023 CET
> > > >
> > > > DC=DomainDnsZones,DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC2 via RPC
> > > >                   DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-00a0db86e6a8
> > > >                   Last attempt @ Tue Nov 21 12:41:43 2023 CET was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ Tue Nov 21 12:41:43 2023 CET
> > > >
> > > > DC=ForestDnsZones,DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC2 via RPC
> > > >                   DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-00a0db86e6a8
> > > >                   Last attempt @ Tue Nov 21 12:41:41 2023 CET was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ Tue Nov 21 12:41:41 2023 CET
> > > >
> > > > ==== OUTBOUND NEIGHBORS ====
> > > >
> > > > DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC2 via RPC
> > > >                   DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-00a0db86e6a8
> > > >                   Last attempt @ NTTIME(0) was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ NTTIME(0)
> > > >
> > > > CN=Schema,CN=Configuration,DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC2 via RPC
> > > >                   DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-00a0db86e6a8
> > > >                   Last attempt @ NTTIME(0) was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ NTTIME(0)
> > > >
> > > > CN=Configuration,DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC2 via RPC
> > > >                   DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-00a0db86e6a8
> > > >                   Last attempt @ NTTIME(0) was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ NTTIME(0)
> > > >
> > > > DC=DomainDnsZones,DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC2 via RPC
> > > >                   DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-00a0db86e6a8
> > > >                   Last attempt @ NTTIME(0) was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ NTTIME(0)
> > > >
> > > > DC=ForestDnsZones,DC=local,DC=example,DC=de
> > > >           Default-First-Site-Name\DC2 via RPC
> > > >                   DSA object GUID: e4cf97f3-ad31-4a1d-bb3d-00a0db86e6a8
> > > >                   Last attempt @ NTTIME(0) was successful
> > > >                   0 consecutive failure(s).
> > > >                   Last success @ NTTIME(0)
> > > >
> > > > ==== KCC CONNECTION OBJECTS ====
> > > >
> > > > Connection --
> > > >           Connection name: 85d23471-63cd-4bf1-9238-1ea493d07a95
> > > >           Enabled        : TRUE
> > > >           Server DNS name : dc2.local.example.de
> > > >           Server DN name  : CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=local,DC=example,DC=de
> > > >                   TransportType: RPC
> > > >                   options: 0x00000001
> > > > Warning: No NC replicated for Connection!
> > > > 
> > > > 
> > > > 
> > > > Both servers (Ubuntu Server) have the latest updates installed.
> > > > The samba version is 4.15.13-Ubuntu.
> > > > 
> > > > What could be the reason why one dc takes so long with samba-tool
> > > > commands while the other one is much faster?
> > > > 
> > > > Best
> > > > Tom
> > > I've experienced this before and it's usually transient.  If you want
> > > to see where in the process it's hanging, you can increase the debug
> > > level to something like 5.
> > > 
> > > samba-tool drs showrepl -d 5
> > > 
> > 
> > I've had the experience of samba-tool hanging when DNS is
> > misconfigured.
> Sure, there may be a faulty DNS configuration, but all the permissions
> seem to be identical on both servers and the permissions of the users
> are also the same.
> If it's a DNS issue, why does it work on one DC then and not on the
> other one?
> Or in other words: How could I investigate this DNS issue?

/etc/resolv.conf on both DCs should have both the DCs listed and the
domain name as lookup suffix

nameserver 10.0.0.1
nameserver 10.10.0.1
domain example.com

netstat -atunp |grep 53 

on both DCs will tell you what interface is listening on udp and tcp
port 53 -- should have the same addresses as above

find out if your DCs can both resolve all the addresses

host dc1.example.com 10.10.0.1
host dc2.example.com 10.10.0.1
host dc1.example.com 10.0.0.1
host dc2.example.com 10.0.0.1

strace -f -e trace=network samba-tool drs showrepl 2>&1|less

on the DC where it hangs might tell you what it's trying to do on the
network

(Stuff like that)
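
The resolv.conf and per-nameserver lookup checks from the reply above, collected into shell functions that can be run identically on both DCs; this is an added example, not part of the original message. The addresses and host names are the sample values from the message, and `LOOKUP` is a hypothetical override for the resolver command (default `host -W 2`, so an unreachable server is reported instead of stalling).

```shell
#!/bin/sh
# Added example. Function names and the LOOKUP variable are assumptions of
# this sketch; pass your own addresses, suffix and DC names as arguments.

# Print the nameserver addresses in a resolv.conf-style file, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print the lookup suffixes from "domain" or "search" lines.
resolv_suffixes() {
    awk '$1 == "domain" || $1 == "search" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# check_resolv FILE DOMAIN NS...: report every expected entry that is missing.
# Returns 0 only when all listed nameservers and the suffix are present.
check_resolv() {
    file=$1; domain=$2; shift 2
    rc=0
    for ns in "$@"; do
        resolv_nameservers "$file" | grep -qxF "$ns" ||
            { echo "MISSING nameserver $ns in $file"; rc=1; }
    done
    resolv_suffixes "$file" | grep -qxF "$domain" ||
        { echo "MISSING suffix $domain in $file"; rc=1; }
    return $rc
}

# lookup_matrix FILE NAME...: ask every nameserver in FILE for every NAME,
# so a single server that cannot answer for one DC stands out.
lookup_matrix() {
    file=$1; shift
    rc=0
    for ns in $(resolv_nameservers "$file"); do
        for name in "$@"; do
            # Unquoted on purpose: the default must split into "host -W 2".
            if ${LOOKUP:-host -W 2} "$name" "$ns" >/dev/null 2>&1; then
                echo "OK   $name @ $ns"
            else
                echo "FAIL $name @ $ns"; rc=1
            fi
        done
    done
    return $rc
}
```

After sourcing the file on each DC, run `check_resolv /etc/resolv.conf example.com 10.0.0.1 10.10.0.1` and then `lookup_matrix /etc/resolv.conf dc1.example.com dc2.example.com`, and compare the output of the two machines.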




