Dorlan Oxelgren
2016-Apr-21 16:20 UTC
[Samba] The RPC server is unavailable when clicking on RSAT tools
I'm running two Ubuntu 14.04 servers with Samba version 4.3.8-Ubuntu on
each. I haven't been able to access the tools since April 15, 2016. It is
setup as AD DC and all of the domain workstations CAN log in. I've googled
the error msgs and tried many things and have come up empty. I'm at the
stage where I'm thinking of promoting dc2 and demoting dc1.
I've been down a number of paths. So, I've started looking at this from
the beginning of a regular install.
The authentication seems to be failing.
The kinit is fine
axon@DC1:~$ kinit administrator@AXON.LAN
Password for administrator@AXON.LAN:
axon@DC1:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@AXON.LAN

Valid starting     Expires            Service principal
16-04-21 09:54:14  16-04-21 19:54:14  krbtgt/AXON.LAN@AXON.LAN
        renew until 16-04-22 09:54:10, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
But the client can't connect.
axon@DC1:~$ sudo smbclient //localhost/netlogon -U 'administrator'
Enter administrator's password:
session setup failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
Testing the dns works fine
axon@DC1:~$ host -t SRV _ldap._tcp.axon.lan
_ldap._tcp.axon.lan has SRV record 0 100 389 dc1.axon.lan.
_ldap._tcp.axon.lan has SRV record 0 100 389 dc2.axon.lan.
There is a replication error between dc1 dc2 that I discovered as well.
Here is the relevant part
DC=DomainDnsZones,DC=axon,DC=lan
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 42e35e3b-4537-4104-aeef-da62464c8b2e
Last attempt @ Thu Apr 21 10:06:02 2016 CST failed, result 58 (WERR_BAD_NET_RESP)
44051 consecutive failure(s).
Last success @ Tue Dec 1 07:03:01 2015 CST
The smb.conf file is pretty standard
# Global parameters
[global]
workgroup = AXON
realm = AXON.LAN
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.172.250
idmap_ldb:use rfc2307 = yes
# Thanks to Lars for this fix, it stops the syslog
# being spammed by the lack of a CUPS server.
printing = CUPS
printcap name = /dev/null
[netlogon]
path = /var/lib/samba/sysvol/axon.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[profiles]
path = /var/lib/samba/profiles
read only = No
The log.smbd has errors but it is running.
[2016/04/18 14:14:31.352896, 0] ../source3/smbd/server.c:1324(main)
server role = 'active directory domain controller' not compatible with running smbd standalone.
You should start 'samba' instead, and it will control starting smbd if required
[2016/04/18 14:14:40.550618, 0] ../lib/util/become_daemon.c:124(daemon_ready)
STATUS=daemon 'smbd' finished starting up and ready to serve connections
The service is started from samba. sudo service samba restart. Or a
reboot.
log.samba has errors as well. The timing is related to doing a sync
between dc1 and dc2
[2016/04/21 10:10:01.644399, 0] ../source4/dsdb/repl/replicated_objects.c:818(dsdb_replicated_objects_commit)
../source4/dsdb/repl/replicated_objects.c:818 Failed to prepare commit of transaction: operations error at ../source4/dsdb/samdb/ldb_modules/descriptor.c:1147
[2016/04/21 10:10:01.645781, 0] ../source4/dsdb/repl/drepl_out_helpers.c:773(dreplsrv_op_pull_source_apply_changes_trigger)
Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
Any help would be greatly appreciated. I'm all out of ideas at this stage.
Dorlan Oxelgren
2016-Apr-22 16:29 UTC
[Samba] The RPC server is unavailable when clicking on RSAT tools
So, I poked around and found a couple of threads that seemed to fix my
immediate problem. It looks like I had two issues. The first was a
security update to Ubuntu on Monday. That was fixed by adding the
following to the smb.conf file
ldap server require strong auth = no
client ldap sasl wrapping = plain
The second problem was the updated version of samba needed winbind
installed. So, I did that and now I have access to the windows
administration tools. Doing either one didn't fix my problem but doing
both did.
Phew!
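Added example, not part of the original post: the two settings in the reply above relax LDAP bind protection ("ldap server require strong auth = no" makes the DC accept simple and unsigned SASL binds on unencrypted connections, and "client ldap sasl wrapping = plain" turns off signing and sealing in Samba's own LDAP client), so this audit script flags them in an smb.conf to keep the workaround from staying in place unnoticed. The sample config is constructed from the one posted above, and treating false/off/0 as spellings of "no" is an assumption.

```python
import re

# Values that switch off LDAP bind protection for the two parameters named
# in the post. Accepting false/off/0 as spellings of "no" is an assumption.
WEAK = {
    "ldapserverrequirestrongauth": {"no", "false", "off", "0"},
    "clientldapsaslwrapping": {"plain"},
}

# Constructed sample: the [global] section from the post plus the two lines.
SAMPLE = """\
# Global parameters
[global]
    workgroup = AXON
    realm = AXON.LAN
    server role = active directory domain controller
    ldap server require strong auth = no
    client ldap sasl wrapping = plain

[netlogon]
    path = /var/lib/samba/sysvol/axon.lan/scripts
    read only = No
"""

def normalise(name):
    # smb.conf parameter names are case-insensitive and ignore whitespace.
    return re.sub(r"\s+", "", name).lower()

def audit_smb_conf(text):
    """Return (line_no, parameter, value) for each weakened [global] setting."""
    findings, section = [], None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        name, sep, value = line.partition("=")
        if sep and section == "global":
            if value.strip().lower() in WEAK.get(normalise(name), ()):
                findings.append((line_no, name.strip(), value.strip()))
    return findings

if __name__ == "__main__":
    for line_no, name, value in audit_smb_conf(SAMPLE):
        print(f"line {line_no}: '{name} = {value}' relaxes LDAP bind protection")
```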