On 25/02/15 21:38, Bob of Donelson Trophy wrote:
> I had to go do something else and have returned. I discovered that I
> hadn't gone back far enough. This complaint first appears here:
>
> ==========Enable bind gssapi and bind9_DLZ ==============================
> [....] Stopping domain name service...: bind9rndc: connect failed:
> 127.0.0.1#953: connection refused
> . ok
> [ ok ] Starting domain name service...: bind9.
>
> Notice the "refused" appearance. As there is no firewall on this
> machine, yet, port 953 is not blocked.
>
> This DC appears to be operating correctly despite this. This may be a
> 'bind9' issue? Or?

Hi Bob,

That is a bug in Louis's script (sorry Louis, but it is)

If you look at line 294:

service bind9 stop

Then at line 449:

service bind9 stop && service bind9 start

There is nothing between those lines that starts Bind, so when the second line tries to stop bind9, there is nothing to stop, so of course it gets refused :-)

If you look a bit further, where resolv.conf gets set, there is this:

cat << EOF > /etc/resolv.conf
search ${SETDNSDOMAIN}
domain ${SETDNSDOMAIN}
nameserver ${SETIPDC1}
EOF

Now, if you use both 'search' & 'domain' in resolv.conf, whichever is second wins, as they are mutually exclusive (see 'man resolv.conf')

Remove the domain line

Have you tried running the line that failed manually?

echo ${SETNTPASSWD}| net rpc rights grant ${SETNTDOM}\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator

Rowland
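[Added example, not part of the original thread or of Louis's script: a small check for the resolv.conf point made above, reporting which of 'search' and 'domain' takes effect and applying the "remove the domain line" fix. The function names and the sample file contents are constructed for illustration.]

```shell
#!/bin/sh
# Added example (not from the thread or from Louis's script).
# Rule applied, from resolv.conf(5): 'search' and 'domain' are mutually
# exclusive, and when both appear the last instance in the file wins.

# Print the one search/domain line the resolver will actually honour.
effective_search() {
    awk '$1 == "search" || $1 == "domain" { last = $0 }
         END { if (last != "") print last }' "$1"
}

# Succeed (exit 0) when the file carries both keywords, i.e. one is ignored.
has_conflict() {
    awk '$1 == "search" { s = 1 }
         $1 == "domain" { d = 1 }
         END { exit !(s && d) }' "$1"
}

# Rowland's fix: emit the file with every 'domain' line removed.
strip_domain() {
    awk '$1 != "domain"' "$1"
}

# Constructed sample in the shape the script's heredoc produces; the two
# values differ here so the effect of the ordering is visible.
sample=$(mktemp)
fixed=$(mktemp)
cat > "$sample" << 'EOF'
search corp.example.test example.test
domain example.test
nameserver 192.0.2.10
EOF

if has_conflict "$sample"; then
    echo "both keywords present; in effect: $(effective_search "$sample")"
fi
strip_domain "$sample" > "$fixed"
echo "after fix, in effect: $(effective_search "$fixed")"
```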
Thanks Rowland.

I have modified Louis' script slightly. My /etc/resolv.conf looks like:

root at dc01:~# cat /etc/resolv.conf
search dts***m.dt
nameserver 192.168.1xx.x51

So, as you can see this is one little change I made because of what I have learned here through the mailing list. (Haven't shared this fact with Louis. Figured he was busy working on newer scripts so what would be the point.)

I found one of your older posts where there was discussion that 127.0.0.1 needs to be included in the /etc/resolv.conf file but the reference was in a two DC situation. Where each DC is resolving against the other. I do not think that applies in my situation.

I will try the line (that failed) manually and report back and look into the area of the script you mentioned.

Good night.

---
-------------------------
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com [1]
"Everyone deserves an award!!"

Links:
------
[1] http://www.donelsontrophy.com
Bob of Donelson Trophy
2015-Feb-26 03:03 UTC
[Samba] SOLVED Re: NT_STATUS_CONNECTION_REFUSED
Rowland,

It appears that you were "right on."

I removed the "service bind9 stop &&" from line 449 (as bind9 was already stopped, why stop it again) and ran the script on my VM. All the "NT_STATUS_CONNECTION_REFUSED" warnings were gone.

Thanks!!

---
-------------------------
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com [1]
"Everyone deserves an award!!"

Links:
------
[1] http://www.donelsontrophy.com
aha ...

;-)

netstat --numeric-hosts --numeric-ports --programs -u -t -l

I didn't see samba running.. ;-)

>I removed the "service bind9 stop &&" from line 449 (as bind9 was
>already stopped, why stop it again) and ran the script on my
>VM. All the "NT_STATUS_CONNECTION_REFUSED" warnings were gone.

but.. the NT_STATUS_CONNECTION_REFUSED is a samba message not bind, and does not involve anything with bind, stopping it 2 x times does not do anything..

The service bind9 stop && service bind9 start was the problem yes, I should have put these on 2 lines and don't use the && this will be changed in the new version and improved.

I'm stopping bind there 2 times yes, this is because I noticed that a few times bind wasn't stopped correctly, and stopping it 2 times worked.

But good to know you nailed it.

;-)

Greetz,

Louis
On 26/02/15 08:15, L.P.H. van Belle wrote:
> aha ...
>
> ;-)
>
> netstat --numeric-hosts --numeric-ports --programs -u -t -l
> I didn't see samba running.. ;-)
>
>> I removed the "service bind9 stop &&" from line 449 (as bind9 was
>> already stopped, why stop it again) and ran the script on my
>> VM. All the "NT_STATUS_CONNECTION_REFUSED" warnings were gone.
> but.. the NT_STATUS_CONNECTION_REFUSED is a samba message not bind,
> and does not involve anything with bind, stopping it 2 x times does not do anything..
>
> The service bind9 stop && service bind9 start was the problem yes,
> I should have put these on 2 lines and don't use the &&
> this will be changed in the new version and improved.

Ah, but the '&&' means that bind9 would only get started if the command on the left finished without an error and as it errored out because there was nothing to stop.......

> I'm stopping bind there 2 times yes, this is because I noticed that
> a few times bind wasn't stopped correctly, and stopping it 2 times worked.

If there is a potential problem, you should check for it and if required, do something, what about:

BINDTEST=$(ps ax | grep '[n]amed')
if [ -n "${BINDTEST}" ]; then
    # Bind9 is still running
    service bind9 stop
    sleep 2
    service bind9 start
else
    # Bind9 is not running
    service bind9 start
fi

Rowland

> But good to know you nailed it.
>
> ;-)
>
> Greetz,
>
> Louis
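[Added example, not part of the original thread or of Louis's script: the '&&' behaviour discussed above, run against a fake init script so it can be tried offline, next to a check-then-act restart that polls until the daemon is gone instead of sleeping a fixed time. SERVICE_CMD, fake_service, restart_chained and restart_checked are hypothetical names. It assumes that 'stop' exits non-zero when nothing is running, as Rowland describes, and that the real init script offers a 'status' action.]

```shell
#!/bin/sh
# Added example (not from the thread). STATE_FILE is a constructed stand-in
# for "is named running?" so the logic can be exercised without bind9.
STATE_FILE=$(mktemp)
echo stopped > "$STATE_FILE"

# Fake init script: 'stop' fails when nothing is running (assumed behaviour),
# 'start' always succeeds, 'status' succeeds only while running.
fake_service() {   # usage: fake_service bind9 stop|start|status
    case "$2" in
        stop)   [ "$(cat "$STATE_FILE")" = running ] || return 1
                echo stopped > "$STATE_FILE" ;;
        start)  echo running > "$STATE_FILE" ;;
        status) [ "$(cat "$STATE_FILE")" = running ] ;;
    esac
}

# Set SERVICE_CMD=service to run the same functions against the real tool.
SERVICE_CMD=fake_service

# Line 449 as quoted in the thread: start is skipped whenever stop fails.
restart_chained() {
    "$SERVICE_CMD" bind9 stop && "$SERVICE_CMD" bind9 start
}

# Check-then-act: stop only if running, wait for exit, then always start.
restart_checked() {
    if "$SERVICE_CMD" bind9 status; then
        "$SERVICE_CMD" bind9 stop || return 1
        tries=0
        while "$SERVICE_CMD" bind9 status; do
            tries=$((tries + 1))
            [ "$tries" -ge 10 ] && return 1   # give up after ~10 seconds
            sleep 1
        done
    fi
    "$SERVICE_CMD" bind9 start
}

restart_chained || echo "chained: stop failed, bind9 never started"
restart_checked && echo "checked: bind9 is $(cat "$STATE_FILE")"
```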