samba - Mar 2017 - Failed to connect host xx on port 135 - NT_STATUS_CONNECTION_REFUSED

Hello there,

I installed a dc1 using debian jessie-packages strictly following the
samba-manual "Setting up Samba as an Active Directory Domain
Controller".
I installed a dc2 using debian jessie-packages, also strictly following the
manual for "Joining a Samba DC to an Existing Active Directory".

It worked for a few weeks but then it quit working without having changed the
setup or making an update. I cannot demote it because it is quite an old samba:

Version 4.2.14-Debian

So I tried to repair it. The problem seems to be, that port 135 cannot be
reached.

my smb.conf on dc2

---
# Global parameters
[global]
	workgroup = RUBENS
	realm = MUSEUM.RUBENS.WORLD
	netbios name = DC2
	server role = active directory domain controller
        dns forwarder = 8.8.8.8 
        idmap_ldb:use rfc2307 = yes
	printing = bsd
	printcap name = /etc/printcap

        username map = /etc/samba/user.map

[netlogon]
	path = /var/lib/samba/sysvol/museum.rubens.world/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No
---

The error message is:

---

root at dc2:~# samba-tool drs showrepl
Failed to connect host 192.168.0.123 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.0.123 (dc2.museum.rubens.world) on port 135 -
NT_STATUS_CONNECTION_REFUSED.
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
dc2.museum.rubens.world failed - drsException: DRS connection to
dc2.museum.rubens.world failed: (-1073741258, 'The connection was
refused')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line
39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54,
in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server,
e))

---

It really does not listen:

root at dc2:~# netstat -tulpan | grep "LISTEN" | grep "135"
| wc -l
0

Why does Samba not listen on port 135 anymore? How can I teach it to start doing
it again?

Please help

martin

On Tue, 28 Mar 2017 16:22:26 +0200 (CEST)
martin via samba <samba at lists.samba.org> wrote:
> Hello there,
> 
> Version 4.2.14-Debian
> 
> So I tried to repair it. The problem seems to be, that port 135
> cannot be reached.
> 
> my smb.conf on dc2
> 
> ---
> # Global parameters
> [global]
> 
>         username map = /etc/samba/user.map
> 
I am sure this has nothing to do with your problem, but you should
remove the 'username map' line, it has no place on a DC.
> 
> It really does not listen:
> 
> root at dc2:~# netstat -tulpan | grep "LISTEN" | grep
"135" | wc -l
> 0
> 
> Why does Samba not listen on port 135 anymore? How can I teach it to
> start doing it again?
It should be listening on port 135, is there a firewall in the way ?
What daemons are running ?
What is in /etc/resolv.conf /etc/hosts /etc/krb5.conf ?

Rowland

Hello Rowland,
>> ---
>> # Global parameters
>> [global]
>>
>>         username map = /etc/samba/user.map
>>
>
> I am sure this has nothing to do with your problem, but you should
> remove the 'username map' line, it has no place on a DC.
>
ok, did so.

>>
>> It really does not listen:
>>
>> root at dc2:~# netstat -tulpan | grep "LISTEN" | grep
"135" | wc -l
>> 0
>>
>> Why does Samba not listen on port 135 anymore? How can I teach it to
>> start doing it again?
>
> It should be listening on port 135, is there a firewall in the way ?
No:

root at dc2:~# iptables -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

> What daemons are running ?
root at dc2:~# pstree
systemd─┬─acpid
        ├─agetty
        ├─atd
        ├─cron
        ├─dbus-daemon
        ├─exim4
        ├─named───4*[{named}]
        ├─ntpd
        ├─rpc.idmapd
        ├─rpc.statd
        ├─rpcbind
        ├─rsyslogd─┬─{in:imklog}
        │          ├─{in:imuxsock}
        │          └─{rs:main Q:Reg}
        ├─samba───smbd───smbd
        ├─samba───winbindd───winbindd
        ├─sshd───sshd───sshd───bash───su───bash───pstree
        ├─systemd-journal
        ├─systemd-logind
        └─systemd-udevd


> What is in /etc/resolv.conf 
root at dc2:~# cat /etc/resolv.conf 
domain museum.rubens.world
nameserver 192.168.0.241
nameserver 192.168.0.242

> /etc/hosts /etc/krb5.conf ?
root at dc2:~# cat /etc/hosts
127.0.0.1	localhost
192.168.0.241	dc1.museum.rubens.world	dc1
192.168.0.243	samba-fs.museum.rubens.world	samba-fs


# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

--

Thank you for your quick reply.

martin

On Tue, 28 Mar 2017 17:12:33 +0200 (CEST)
Martin Hauptmann <post at mailbox.org> wrote:

> 
> > What daemons are running ?
> 
> root at dc2:~# pstree
> systemd─┬─acpid
>         ├─agetty
>         ├─atd
>         ├─cron
>         ├─dbus-daemon
>         ├─exim4
>         ├─named───4*[{named}]
>         ├─ntpd
>         ├─rpc.idmapd
>         ├─rpc.statd
>         ├─rpcbind
>         ├─rsyslogd─┬─{in:imklog}
>         │          ├─{in:imuxsock}
>         │          └─{rs:main Q:Reg}
>         ├─samba───smbd───smbd
>         ├─samba───winbindd───winbindd
>         ├─sshd───sshd───sshd───bash───su───bash───pstree
>         ├─systemd-journal
>         ├─systemd-logind
>         └─systemd-udevd
> 
> 
Why is Bind9 running ?
You are not using it for Samba.
> > What is in /etc/resolv.conf 
> 
> root at dc2:~# cat /etc/resolv.conf 
> domain museum.rubens.world
> nameserver 192.168.0.241
> nameserver 192.168.0.242
> 
I would replace 'domain' with 'search'
> 
> > /etc/hosts /etc/krb5.conf ?
> 
> root at dc2:~# cat /etc/hosts
> 127.0.0.1	localhost
> 192.168.0.241	dc1.museum.rubens.world	dc1
> 192.168.0.243	samba-fs.museum.rubens.world	samba-fs
>
Apart from '127.0.0.1' the only thing that should be there, isn't
192.168.0.242 dc2.museum.rubens.world dc2

I take it '192.168.0.242' is the IP for dc2

/etc/krb5.conf ??? 
 
Try fixing the above and then restart Samba.

Rowland

> Rowland Penny via samba <samba at lists.samba.org> hat am 28. März
2017 um 17:45 geschrieben:
> > > What daemons are running ?
> > 
> > root at dc2:~# pstree
> > systemd─┬─acpid
> >         ├─agetty
> >         ├─atd
> >         ├─cron
> >         ├─dbus-daemon
> >         ├─exim4
> >         ├─named───4*[{named}]
> >         ├─ntpd
> >         ├─rpc.idmapd
> >         ├─rpc.statd
> >         ├─rpcbind
> >         ├─rsyslogd─┬─{in:imklog}
> >         │          ├─{in:imuxsock}
> >         │          └─{rs:main Q:Reg}
> >         ├─samba───smbd───smbd
> >         ├─samba───winbindd───winbindd
> >         ├─sshd───sshd───sshd───bash───su───bash───pstree
> >         ├─systemd-journal
> >         ├─systemd-logind
> >         └─systemd-udevd
> > 
> > 
> 
> Why is Bind9 running ?
> You are not using it for Samba.
> 
That was it. Thank you. apt-get remove bind9, reboot --> works.

I installed it when I tried to repair it after it quit working. I tried bind9
instead of builtin. Forgot to uninstall.

Thank you, that went quick.

martin