Thanks for your reply.
I indeed run Louis' packages on Debian Bullseye. We have 4 instances in 3
locations. Apart from one they run in a Proxmox VM. The ones showing this
behaviour are both in location A, one VM on Proxmox, one VM on Synology (both
are KVM). The other sites, running the same version do not show any of this
behaviour.
Here is the requested output:
Config collected --- 2022-06-21-13:43 -----------
Hostname: ka-h9-dc01
DNS Domain: ds.example.com
Realm: DS.EXAMPLE.COM
FQDN: ka-h9-dc01.ds.example.com
ipaddress: 10.0.1.250
-----------
This computer is running Debian 11.3 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 22:2a:f3:8f:21:8f brd ff:ff:ff:ff:ff:ff
altname enp0s18
inet 10.0.1.250/24 brd 10.0.1.255 scope global noprefixroute ens18
inet6 fe80::3b1d:5481:53e6:72c6/64 scope link noprefixroute
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
10.0.1.250 ka-h9-dc01.ds.example.com ka-h9-dc01
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
# Generated by NetworkManager
search ds.example.com
nameserver 10.88.80.88
nameserver 10.0.1.250
-----------
Kerberos SRV _kerberos._tcp.ds.example.com record(s) verified ok, sample output:
Server: 10.88.80.88
Address: 10.88.80.88#53
_kerberos._tcp.ds.example.com service = 0 100 88 ka-h9-dc02.ds.example.com.
_kerberos._tcp.ds.example.com service = 0 100 88 ka-h9-dc01.ds.example.com.
_kerberos._tcp.ds.example.com service = 0 100 88 es-dc01.ds.example.com.
_kerberos._tcp.ds.example.com service = 0 100 88 vmdc-azure-01.ds.example.com.
-----------
'kinit Administrator' password checked failed.
Wrong password or kerberos REALM problems.
-----------
Samba is running as an AD DC
-----------
Checking file: /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = DS.EXAMPLE.COM
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd
group: files systemd
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
log level = 1 auth_audit:3
netbios name = KA-H9-DC01
realm = DS.EXAMPLE.COM
server role = active directory domain controller
workgroup = EXAMPLE
dns forwarder = 10.0.1.100 10.0.1.110
ntlm auth = mschapv2-and-ntlmv2-only
tls enabled = yes
tls keyfile = tls/ka-h9-dc01.key
tls certfile = tls/ka-h9-dc01.crt
tls cafile = tls/ds-ca.pem
[netlogon]
path = /var/lib/samba/sysvol/ds.example.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
This DC is not being used as a fileserver
BIND_DLZ not detected in smb.conf
-----------
Time on the DC with PDC Emulator role is: 2022-06-21T13:43:32
Time on this computer is: 2022-06-21T13:43:32
Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds
-----------
Installed packages:
ii acl 2.2.53-10 amd64 access control list - utilities
ii attr 1:2.4.48-6 amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6+nmu1 all Configuration files for Kerberos Version 5
ii krb5-locales 1.18.3-6+deb11u1 all internationalization support for MIT Kerberos
ii krb5-user 1.18.3-6+deb11u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-10 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-6 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64 Samba nameservice integration plugins
ii libpam-krb5:amd64 4.9-2 amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64 Samba winbind client library
ii python3-samba 2:4.15.7+dfsg-0.1bullseye1 amd64 Python 3 bindings for Samba
ii samba 2:4.15.7+dfsg-0.1bullseye1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.15.7+dfsg-0.1bullseye1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.15.7+dfsg-0.1bullseye1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.15.7+dfsg-0.1bullseye1 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.15.7+dfsg-0.1bullseye1 amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.15.7+dfsg-0.1bullseye1 amd64 service to resolve user and group information from Windows NT servers
-----------
The only change I can remember was that I gave ka-h9-dc01 FSMO-role for some
minutes when I tried to upgrade from 2008R2 to 2012 functionality.
Regards, Alexander
> On Monday, Jun 20, 2022 at 2:36 PM, Alexander Harm || ApfelQ <alexander.harm at apfelq.com> wrote:
> Hi, we have Samba (4.15.7-Debian) running on Debian as our domain
> controller. In the last weeks we suffer from frequent failures of the
> samba-ad-dc.service which is also not restarted automatically by systemd. Manual
> restart works 100%.
>
> The logs show the following entries:
>
> [2022/06/19 12:55:34.464069, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> Auth: [LDAP,simple bind/TLS] user [CRAZE]\[cn=ka.h9.dc01,cn=users,dc=ds,dc=craze,dc=toys] at [Sun, 19 Jun 2022 12:55:34.423131 CEST] with [Plaintext] status [NT_STATUS_OK] workstation [KA-H9-DC01] rem[2022/06/19 12:18:33.218787, 1] ../../librpc/ndr/ndr.c:630(_ndr_pull_error)
> [2022/06/19 12:36:31.346007, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> [2022/06/19 12:49:52.376820, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> [2022/06/19 12:49:56.569063, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> [2022/06/19 12:52:05.973201, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> [2022/06/19 12:54:21.548309, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> [2022/06/19 12:54:52.559657, 0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
> dnsupdate_nameupdate_done: Failed DNS update with exit code 110
> [2022/06/19 12:54:52.625303, 0] ../../source4/dsdb/dns/dns_update.c:108(dnsupdate_spnupdate_done)
> ../../source4/dsdb/dns/dns_update.c:108: Failed SPN update - with error code 110
> [2022/06/19 12:55:34.464069, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> Auth: [LDAP,simple bind/TLS] user [CRAZE]\[cn=ka.h9.dc01,cn=users,dc=ds,dc=craze,dc=toys] at [Sun, 19 Jun 2022 12:55:34.423131 CEST] with [Plaintext] status [NT_STATUS_OK] workstation [KA-H9-DC01] remote host [ipv4:10.0.1.250:34546] became [CRAZE]\[ka.h9.dc01] [S-1-5-21-1451753080-565542361-3466525082-1204]. local host [ipv4:10.0.1.250:389]
> [2022/06/19 12:55:41.861689, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> Auth: [LDAP,simple bind/TLS] user [CRAZE]\[cn=ka.h9.dc01,cn=users,dc=ds,dc=craze,dc=toys] at [Sun, 19 Jun 2022 12:55:41.838245 CEST] with [Plaintext] status [NT_STATUS_OK] workstation [KA-H9-DC01] remote host [ipv4:10.0.1.250:60036] became [CRAZE]\[ka.h9.dc01] [S-1-5-21-1451753080-565542361-3466525082-1204]. local host [ipv4:10.0.1.250:389]
> [2022/06/19 12:55:50.963672, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> Auth: [LDAP,simple bind/TLS] user [CRAZE]\[cn=ka.h9.dc01,cn=users,dc=ds,dc=craze,dc=toys] at [Sun, 19 Jun 2022 12:55:50.926453 CEST] with [Plaintext] status [NT_STATUS_OK] workstation [KA-H9-DC01] remote host [ipv4:10.0.1.250:60038] became [CRAZE]\[ka.h9.dc01] [S-1-5-21-1451753080-565542361-3466525082-1204]. local host [ipv4:10.0.1.250:389]
> [2022/06/19 12:56:20.945016, 0] ../../source4/dsdb/kcc/kcc_periodic.c:790(samba_kcc_done)
> ../../source4/dsdb/kcc/kcc_periodic.c:790: Failed samba_kcc - NT_STATUS_IO_TIMEOUT
> [2022/06/19 12:56:49.827883, 0] ../../source4/samba/process_prefork.c:538(prefork_child_pipe_handler)
> prefork_child_pipe_handler: Parent 995, Child 1010 terminated with signal 9
> [2022/06/19 12:56:50.029270, 0] ../../source4/samba/process_prefork.c:481(prefork_restart)
> prefork_restart: Restarting [rpc] pre-fork worker(0)
> [2022/06/20 11:32:52.524375, 0] ../../source4/samba/server.c:626(binary_smbd_main)
> samba version 4.15.7-Debian started.
> Copyright Andrew Tridgell and the Samba Team 1992-2021
>
>
> Does anyone have an idea why samba terminates and why it is not restarted?
>
> Greetings, Alexander
>
>
>