Hi all, We would appreciate some input here. Not sure where to look... We have three AD DCs, all running samba 4.5.10, and since a few days, the samba DCs are getting stuck regularly, at ramdon times. Happens to all three of them, randomly, and currently it is happening up to a few times per day..! Must be some common cause. For the rest, the systems appear fine, enough diskspace, nothing special in syslog, etc. We usually detect that a DC has become stuck, because LDAP auth no longer works in that DC. Checking with "service sernet-samba-ad status" will still report "Running". After shutting down samba ("service sernet-samba-ad stop") one process usually is still running, and prevents a restart from succeeding, always because:> Failed to listen on 0.0.0.0:135 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATEDps aux tells me that the process is: "samba -D" Killing that process makes samba startup succeed, replication work again, and samba funcion, until the next time this happens. But WHY is samba getting stuck in the first place? We are getting the following unusual in the logs on all three DCs:> ../source4/rpc_server/drsuapi/getncchanges.c:1961: DsGetNCChanges 2nd replication on DN DC=samba,DC=company,DC=com older highwatermark (last_dn CN=a_username,CN=Users,DC=samba,DC=company,DC=com) > ../source4/rpc_server/drsuapi/getncchanges.c:1961: DsGetNCChanges 2nd replication on DN DC=samba,DC=company,DC=com older highwatermark (last_dn CN=Schema Admins,CN=Users,DC=samba,DC=company,DC=com) > ../source4/rpc_server/drsuapi/getncchanges.c:1961: DsGetNCChanges 2nd replication on DN DC=samba,DC=company,DC=com older highwatermark (last_dn CN=Schema Admins,CN=Users,DC=samba,DC=company,DC=com)and the last line keeps repeating 2 - 3 times per second, completely filling up the logs. The start-off username differs per DC, but on each DC it usually remains the same. (I have seen 5 or 6 different usernames in total) samba-tool dbcheck --cross-ncs looks similar on all three DCs, with *many* errors about unsorted attributes, that I think I've been told in the past are harmless:> CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com: 0x0002000d > CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com: 0x00020002 > CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com: 0x00020001 > CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com: 0x0000000d > CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com: 0x00000003 > CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com: 0x00000000 > ERROR: unsorted attributeID values in replPropertyMetaData on CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com > > Not fixing replPropertyMetaData on CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com > > Please use --fix to fix these errors > Checked 4948 objects (4193 errors)All 4948 errors are about unsorted attributeID, with the following exception: There appear still some references to an old (many YEARS ago removed) DC:> ERROR: no target object found for GUID component for msDS-NC-Replica-Locations in object CN=84bea0a7-82dd-4237-9296-030573700698,CN=Partitions,CN=Configuration,DC=samba,DC=company,DC=com - <GUID=81a27497-bdfb-4977-9874-675bbfba490f>;<RMD_ADDTIME=130405075610000000>;<RMD_CHANGETIME=130405075610000000>;<RMD_FLAGS=0>;<RMD_INVOCID=556b2cb4-e576-48e2-bb7c-7f62caee84fc>;<RMD_LOCAL_USN=187541>;<RMD_ORIGINATING_USN=3630>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com > ERROR: no target object found for GUID component for msDS-NC-Replica-Locations in object CN=d9d76e21-8cae-457d-b212-6cb192612739,CN=Partitions,CN=Configuration,DC=samba,DC=company,DC=com - <GUID=81a27497-bdfb-4977-9874-675bbfba490f>;<RMD_ADDTIME=130405075610000000>;<RMD_CHANGETIME=130405075610000000>;<RMD_FLAGS=0>;<RMD_INVOCID=556b2cb4-e576-48e2-bb7c-7f62caee84fc>;<RMD_LOCAL_USN=187515>;<RMD_ORIGINATING_USN=3631>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=comThat's about all info I can gather. The very basic smb.conf on the DCs::> [global] > workgroup = WRKGRP > realm = samba.company.com > netbios name = DC4 > server role = active directory domain controller > log level = 3 > dns forwarder = 192.x.x.x > server signing = mandatory > ntlm auth = yes > ldap server require strong auth = no > idmap_ldb:use rfc2307 = yes > > [netlogon] > path = /var/lib/samba/sysvol/samba.company.com/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > acl_xattr:ignore system acls = yesWe have been running 4.5.10 since may 2017, and this issue started this week. Anyone with an idea?
A bit more info: We are currently getting those errors on DC2:> ../source4/rpc_server/drsuapi/getncchanges.c:1961: DsGetNCChanges 2nd replication on DN DC=samba,DC=company,DC=com older highwatermark (last_dn CN=a_username,CN=Users,DC=samba,DC=company,DC=com) > ../source4/rpc_server/drsuapi/getncchanges.c:1961: DsGetNCChanges 2nd replication on DN DC=samba,DC=company,DC=com older highwatermark (last_dn CN=Schema Admins,CN=Users,DC=samba,DC=company,DC=com) > ../source4/rpc_server/drsuapi/getncchanges.c:1961: DsGetNCChanges 2nd replication on DN DC=samba,DC=company,DC=com older highwatermark (last_dn CN=Schema Admins,CN=Users,DC=samba,DC=company,DC=com)and they are also causing very high cpu usage on that DC. (85 - 90%) On the other DCs, cpu usage is normal. Replication still going strong, so DC2 is buzy, but functional. The pid with high cpu usage is 3155, processlist:> root at DC2:/var/log/samba# ps aux > USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND > root 1 0.0 0.0 10656 800 ? Ss 17:22 0:00 init [2]....> root 1732 0.0 0.0 25304 420 ? Ss 17:22 0:00 /usr/sbin/rpc.idmapd > root 3153 0.0 0.5 553028 45272 ? Ss 17:49 0:00 /usr/sbin/samba -D > root 3154 0.0 0.3 553028 32644 ? S 17:49 0:00 /usr/sbin/samba -D > root 3155 85.5 0.7 561376 60052 ? R 17:49 134:29 /usr/sbin/samba -D > root 3156 0.0 0.6 541756 49448 ? Ss 17:49 0:00 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground > root 3157 0.0 0.4 557180 35124 ? S 17:49 0:00 /usr/sbin/samba -D > root 3158 0.0 0.3 553028 32636 ? S 17:49 0:00 /usr/sbin/samba -D > root 3159 3.3 0.8 554536 70464 ? S 17:49 5:16 /usr/sbin/samba -D > root 3160 0.1 0.4 553028 34016 ? S 17:49 0:10 /usr/sbin/samba -D > root 3161 0.3 0.4 557180 36440 ? S 17:49 0:31 /usr/sbin/samba -D > root 3162 0.1 0.4 568024 37800 ? S 17:49 0:09 /usr/sbin/samba -D > root 3163 0.0 0.3 553028 32636 ? S 17:49 0:00 /usr/sbin/samba -D > root 3164 0.0 0.4 553028 33752 ? S 17:49 0:00 /usr/sbin/samba -D > root 3165 0.0 0.7 557180 60000 ? S 17:49 0:00 /usr/sbin/samba -D > root 3166 0.0 0.4 553028 33588 ? S 17:49 0:00 /usr/sbin/samba -D > root 3167 0.0 0.4 553548 35232 ? S 17:49 0:08 /usr/sbin/samba -D > root 3170 0.0 0.5 484364 46824 ? Ss 17:49 0:00 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground > root 3171 0.0 0.3 530724 32708 ? S 17:49 0:00 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground > root 3172 0.0 0.4 530740 32828 ? S 17:49 0:00 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground > root 3174 0.0 0.4 541748 34048 ? S 17:49 0:00 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground > root 3175 0.0 0.4 489260 35340 ? S 17:49 0:00 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground > root 3195 0.0 0.4 484364 34448 ? S 17:49 0:00 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground > root 3262 0.0 0.4 550092 38520 ? S 17:52 0:00 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground > root 3856 0.0 0.4 550092 38592 ? S 18:38 0:00 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground > root 4821 0.0 0.4 550116 38716 ? S 20:06 0:00 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground > 1464 4976 0.0 0.4 550116 38720 ? S 20:20 0:00 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground > root 5033 0.0 0.0 25216 1336 pts/0 R+ 20:26 0:00 ps auxSuggestions?
lingpanda101
2017-Oct-09 18:52 UTC
[Samba] samba getting stuck, highwatermark replication issue?
On 10/9/2017 1:28 PM, mj via samba wrote:> Hi all, > > We would appreciate some input here. Not sure where to look... > > We have three AD DCs, all running samba 4.5.10, and since a few days, > the samba DCs are getting stuck regularly, at ramdon times. Happens to > all three of them, randomly, and currently it is happening up to a few > times per day..! Must be some common cause. > > For the rest, the systems appear fine, enough diskspace, nothing > special in syslog, etc. > > We usually detect that a DC has become stuck, because LDAP auth no > longer works in that DC. Checking with "service sernet-samba-ad > status" will still report "Running". > > After shutting down samba ("service sernet-samba-ad stop") one process > usually is still running, and prevents a restart from succeeding, > always because: > >> Failed to listen on 0.0.0.0:135 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED > > ps aux tells me that the process is: "samba -D" > > Killing that process makes samba startup succeed, replication work > again, and samba funcion, until the next time this happens. > > But WHY is samba getting stuck in the first place? > > We are getting the following unusual in the logs on all three DCs: >> ../source4/rpc_server/drsuapi/getncchanges.c:1961: DsGetNCChanges 2nd >> replication on DN DC=samba,DC=company,DC=com older highwatermark >> (last_dn CN=a_username,CN=Users,DC=samba,DC=company,DC=com) >> ../source4/rpc_server/drsuapi/getncchanges.c:1961: DsGetNCChanges >> 2nd replication on DN DC=samba,DC=company,DC=com older highwatermark >> (last_dn CN=Schema Admins,CN=Users,DC=samba,DC=company,DC=com) >> ../source4/rpc_server/drsuapi/getncchanges.c:1961: DsGetNCChanges >> 2nd replication on DN DC=samba,DC=company,DC=com older highwatermark >> (last_dn CN=Schema Admins,CN=Users,DC=samba,DC=company,DC=com) > and the last line keeps repeating 2 - 3 times per second, completely > filling up the logs. The start-off username differs per DC, but on > each DC it usually remains the same. (I have seen 5 or 6 different > usernames in total) > > samba-tool dbcheck --cross-ncs looks similar on all three DCs, with > *many* errors about unsorted attributes, that I think I've been told > in the past are harmless: >> CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com: 0x0002000d >> CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com: 0x00020002 >> CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com: 0x00020001 >> CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com: 0x0000000d >> CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com: 0x00000003 >> CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com: 0x00000000 >> ERROR: unsorted attributeID values in replPropertyMetaData on >> CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com >> >> Not fixing replPropertyMetaData on >> CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com >> >> Please use --fix to fix these errors >> Checked 4948 objects (4193 errors) > > All 4948 errors are about unsorted attributeID, with the following > exception: There appear still some references to an old (many YEARS > ago removed) DC: >> ERROR: no target object found for GUID component for >> msDS-NC-Replica-Locations in object >> CN=84bea0a7-82dd-4237-9296-030573700698,CN=Partitions,CN=Configuration,DC=samba,DC=company,DC=com >> - >> <GUID=81a27497-bdfb-4977-9874-675bbfba490f>;<RMD_ADDTIME=130405075610000000>;<RMD_CHANGETIME=130405075610000000>;<RMD_FLAGS=0>;<RMD_INVOCID=556b2cb4-e576-48e2-bb7c-7f62caee84fc>;<RMD_LOCAL_USN=187541>;<RMD_ORIGINATING_USN=3630>;<RMD_VERSION=0>;CN=NTDS >> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com >> >> ERROR: no target object found for GUID component for >> msDS-NC-Replica-Locations in object >> CN=d9d76e21-8cae-457d-b212-6cb192612739,CN=Partitions,CN=Configuration,DC=samba,DC=company,DC=com >> - >> <GUID=81a27497-bdfb-4977-9874-675bbfba490f>;<RMD_ADDTIME=130405075610000000>;<RMD_CHANGETIME=130405075610000000>;<RMD_FLAGS=0>;<RMD_INVOCID=556b2cb4-e576-48e2-bb7c-7f62caee84fc>;<RMD_LOCAL_USN=187515>;<RMD_ORIGINATING_USN=3631>;<RMD_VERSION=0>;CN=NTDS >> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com >> > > That's about all info I can gather. > > The very basic smb.conf on the DCs:: > >> [global] >> workgroup = WRKGRP >> realm = samba.company.com >> netbios name = DC4 >> server role = active directory domain controller >> log level = 3 >> dns forwarder = 192.x.x.x >> server signing = mandatory >> ntlm auth = yes >> ldap server require strong auth = no >> idmap_ldb:use rfc2307 = yes >> >> [netlogon] >> path = /var/lib/samba/sysvol/samba.company.com/scripts >> read only = No >> >> [sysvol] >> path = /var/lib/samba/sysvol >> read only = No >> acl_xattr:ignore system acls = yes > > We have been running 4.5.10 since may 2017, and this issue started > this week. > > Anyone with an idea? >You should be able to fix the 'replPropertyMetaData' errors with; samba-tool dbcheck --cross-ncs --fix --yes 'fix_replmetadata_unsorted_attid' The highwatermark doesn't necessarily reflect an issue. It's part of how the destination DC keeps track of changes from the source DC. Can you verify the time and date is correct on all DC's? The GUID errors seem related to your old DC offline and NTDS connections still lingering. Open Microsoft Sites and Services and remove the ones no longer needed. -- -- James
Hi James, Thanks for the quick reply. On 10/09/2017 08:52 PM, lingpanda101 via samba wrote:> You should be able to fix the 'replPropertyMetaData' errors with; > > samba-tool dbcheck --cross-ncs --fix --yes > 'fix_replmetadata_unsorted_attid'Yep, worked great! Fixed all of those replPropertyMetaData errors! :-)> The highwatermark doesn't necessarily reflect an issue. It's part of how > the destination DC keeps track of changes from the source DC. Can you > verify the time and date is correct on all DC's?Date & time matches. But the fact that the same identical message is logged multiple times per second, without an end seems a bit strange... Combined with high cpu usage on the DC where this happens. (yesterday DC2, currently on DC4)> The GUID errors seem related to your old DC offline and NTDS connections > still lingering. Open Microsoft Sites and Services and remove the ones > no longer needed.There is no DC1 mentioned anywhere there. And the two errors remain:> ERROR: no target object found for GUID component for msDS-NC-Replica-Locations in object CN=84bea0a7-82dd-4237-9296-030573700698,CN=Partitions,CN=Configuration,DC=samba,DC=merit,DC=unu,DC=edu - <GUID=81a27497-bdfb-4977-9874-675bbfba490f>;<RMD_ADDTIME=130405075610000000>;<RMD_CHANGETIME=130405075610000000>;<RMD_FLAGS=0>;<RMD_INVOCID=556b2cb4-e576-48e2-bb7c-7f62caee84fc>;<RMD_LOCAL_USN=4605>;<RMD_ORIGINATING_USN=3630>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=merit,DC=unu,DC=edu > Not removing dangling forward link > ERROR: no target object found for GUID component for msDS-NC-Replica-Locations in object CN=d9d76e21-8cae-457d-b212-6cb192612739,CN=Partitions,CN=Configuration,DC=samba,DC=merit,DC=unu,DC=edu - <GUID=81a27497-bdfb-4977-9874-675bbfba490f>;<RMD_ADDTIME=130405075610000000>;<RMD_CHANGETIME=130405075610000000>;<RMD_FLAGS=0>;<RMD_INVOCID=556b2cb4-e576-48e2-bb7c-7f62caee84fc>;<RMD_LOCAL_USN=4579>;<RMD_ORIGINATING_USN=3631>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=merit,DC=unu,DC=edu > Not removing dangling forward linkI was asked a question during the samba-tool dbcheck:> Add yourself to the replica locations for DC=DomainDnsZones,DC=samba,DC=company,DC=com? [y/N/all/none] N > Not fixing missing/incorrect attributes on DC=DomainDnsZones,DC=samba,DC=company,DC=com > > Add yourself to the replica locations for DC=ForestDnsZones,DC=samba,DC=company,DC=com? [y/N/all/none] N > Not fixing missing/incorrect attributes on DC=ForestDnsZones,DC=samba,DC=company,DC=comShould I answer Yes to those two questions? MJ
Hi all, For the archives I'd like to update this thread with our latest findings, the fix for both the high cpu usage and the highwatermark errors! We had been testing in the past the Microsoft Azure Connect, to import our active directory accounts/groups/passwords into the Azure Cloud, in order to test microsoft office 365 functionality. The required tool "Microsoft Azure AD Sync" is what caused our problems! We disabled it, and poof, no more high cpu usage, no more highwatermark errors. Hope this info helps someone else, someday :-) MJ On 10/09/2017 07:28 PM, mj via samba wrote:> Hi all, > > We would appreciate some input here. Not sure where to look... > > We have three AD DCs, all running samba 4.5.10, and since a few days, > the samba DCs are getting stuck regularly, at ramdon times. Happens to > all three of them, randomly, and currently it is happening up to a few > times per day..! Must be some common cause. > > For the rest, the systems appear fine, enough diskspace, nothing special > in syslog, etc. > > We usually detect that a DC has become stuck, because LDAP auth no > longer works in that DC. Checking with "service sernet-samba-ad status" > will still report "Running". > > After shutting down samba ("service sernet-samba-ad stop") one process > usually is still running, and prevents a restart from succeeding, always > because: > >> Failed to listen on 0.0.0.0:135 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED > > ps aux tells me that the process is: "samba -D" > > Killing that process makes samba startup succeed, replication work > again, and samba funcion, until the next time this happens. > > But WHY is samba getting stuck in the first place? > > We are getting the following unusual in the logs on all three DCs: >> ../source4/rpc_server/drsuapi/getncchanges.c:1961: DsGetNCChanges >> 2nd replication on DN DC=samba,DC=company,DC=com older highwatermark >> (last_dn CN=a_username,CN=Users,DC=samba,DC=company,DC=com) >> ../source4/rpc_server/drsuapi/getncchanges.c:1961: DsGetNCChanges >> 2nd replication on DN DC=samba,DC=company,DC=com older highwatermark >> (last_dn CN=Schema Admins,CN=Users,DC=samba,DC=company,DC=com) >> ../source4/rpc_server/drsuapi/getncchanges.c:1961: DsGetNCChanges >> 2nd replication on DN DC=samba,DC=company,DC=com older highwatermark >> (last_dn CN=Schema Admins,CN=Users,DC=samba,DC=company,DC=com) > and the last line keeps repeating 2 - 3 times per second, completely > filling up the logs. The start-off username differs per DC, but on each > DC it usually remains the same. (I have seen 5 or 6 different usernames > in total) > > samba-tool dbcheck --cross-ncs looks similar on all three DCs, with > *many* errors about unsorted attributes, that I think I've been told in > the past are harmless: >> CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com: 0x0002000d >> CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com: 0x00020002 >> CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com: 0x00020001 >> CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com: 0x0000000d >> CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com: 0x00000003 >> CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com: 0x00000000 >> ERROR: unsorted attributeID values in replPropertyMetaData on >> CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com >> >> Not fixing replPropertyMetaData on >> CN=ykqr002614,CN=Computers,DC=samba,DC=company,DC=com >> >> Please use --fix to fix these errors >> Checked 4948 objects (4193 errors) > > All 4948 errors are about unsorted attributeID, with the following > exception: There appear still some references to an old (many YEARS ago > removed) DC: >> ERROR: no target object found for GUID component for >> msDS-NC-Replica-Locations in object >> CN=84bea0a7-82dd-4237-9296-030573700698,CN=Partitions,CN=Configuration,DC=samba,DC=company,DC=com >> - >> <GUID=81a27497-bdfb-4977-9874-675bbfba490f>;<RMD_ADDTIME=130405075610000000>;<RMD_CHANGETIME=130405075610000000>;<RMD_FLAGS=0>;<RMD_INVOCID=556b2cb4-e576-48e2-bb7c-7f62caee84fc>;<RMD_LOCAL_USN=187541>;<RMD_ORIGINATING_USN=3630>;<RMD_VERSION=0>;CN=NTDS >> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com >> >> ERROR: no target object found for GUID component for >> msDS-NC-Replica-Locations in object >> CN=d9d76e21-8cae-457d-b212-6cb192612739,CN=Partitions,CN=Configuration,DC=samba,DC=company,DC=com >> - >> <GUID=81a27497-bdfb-4977-9874-675bbfba490f>;<RMD_ADDTIME=130405075610000000>;<RMD_CHANGETIME=130405075610000000>;<RMD_FLAGS=0>;<RMD_INVOCID=556b2cb4-e576-48e2-bb7c-7f62caee84fc>;<RMD_LOCAL_USN=187515>;<RMD_ORIGINATING_USN=3631>;<RMD_VERSION=0>;CN=NTDS >> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com >> > > That's about all info I can gather. > > The very basic smb.conf on the DCs:: > >> [global] >> workgroup = WRKGRP >> realm = samba.company.com >> netbios name = DC4 >> server role = active directory domain controller >> log level = 3 >> dns forwarder = 192.x.x.x >> server signing = mandatory >> ntlm auth = yes >> ldap server require strong auth = no >> idmap_ldb:use rfc2307 = yes >> >> [netlogon] >> path = /var/lib/samba/sysvol/samba.company.com/scripts >> read only = No >> >> [sysvol] >> path = /var/lib/samba/sysvol >> read only = No >> acl_xattr:ignore system acls = yes > > We have been running 4.5.10 since may 2017, and this issue started this > week. > > Anyone with an idea? >