On Mon, 22 Aug 2016 11:02:14 +0200
Damir Dezeljin via samba <samba at lists.samba.org> wrote:
> Hello.
>
> We're running Samba 4.3.9 AD on two Ubuntu 16.04 LTS machines. I'm
> managing AD users and DNS from Windows 10 joined to the domain, by
> using ADUC.
>
> Last week I noticed the following error when starting ADUC as
> Administrator of the AD domain:
> ----
> Naming information cannot be located because:
> The RPC server is unavailable.
> Contact your system administrator to verify that your domain is
> properly configured and is currently online
> ----
>
> I did an Internet search and corrective actions I found - i.e.
> 1. kinit Administrator
> 2. made sure the smb.conf on both machines are correct
> 3. checked resolv.conf
> 4. samba_dnsupdate (on both machines)
> 5. synced the /var/lib/samba/sysvol/ between both machines (rsync)
> 6. samba-tool ntacl sysvolcheck
>
> But the error still persists.
>
>
> Here is my smb.conf (it is the same on both computers):
> ----
> [global]
> workgroup = MYORG
> realm = MYORG.SI
> netbios name = SRV01
> wins support = yes
> server role = active directory domain controller
> tls enabled = yes
> tls cafile = tls/MyorgCA.crt
> tls certfile = tls/srv01.myorg.si.crt
> tls keyfile = tls/srv01.myorg.si.key
> tls dh params file = tls/dcdhparams.pem
>
> dns forwarder = 8.8.8.8
> allow dns updates = nonsecure
> idmap_ldb:use rfc2307 = yes
> time server = yes
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> idmap config MYORG:backend = ad
> idmap config MYORG:schema_mode = rfc2307
> idmap config MYORG:range = 20001-29999
>
> [netlogon]
> path = /var/lib/samba/sysvol/myorg.si/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> ----
>
> Please note also the last couple of errors from this output:
> ----
> # service samba-ad-dc status
> ● samba-ad-dc.service - LSB: start Samba daemons for the AD DC
> Loaded: loaded (/etc/init.d/samba-ad-dc; bad; vendor preset: enabled)
> Active: active (running) since Fri 2016-08-19 16:43:03 CEST; 2 days ago
> Docs: man:systemd-sysv-generator(8)
> Process: 2365 ExecStart=/etc/init.d/samba-ad-dc start (code=exited, status=0/SUCCESS)
> Tasks: 23
> Memory: 249.4M
> CPU: 7min 21.875s
> CGroup: /system.slice/samba-ad-dc.service
> ├─2772 /usr/sbin/samba -D
> ├─2789 /usr/sbin/samba -D
> ├─2790 /usr/sbin/samba -D
> ├─2791 /usr/sbin/samba -D
> ├─2792 /usr/sbin/samba -D
> ├─2793 /usr/sbin/samba -D
> ├─2794 /usr/sbin/samba -D
> ├─2795 /usr/sbin/samba -D
> ├─2796 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> ├─2797 /usr/sbin/samba -D
> ├─2798 /usr/sbin/samba -D
> ├─2799 /usr/sbin/samba -D
> ├─2800 /usr/sbin/samba -D
> ├─2801 /usr/sbin/samba -D
> ├─2802 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> ├─2803 /usr/sbin/samba -D
> ├─2808 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> ├─2812 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> ├─2848 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> ├─3096 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> ├─7105 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> ├─7256 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> └─7445 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>
> Aug 21 12:03:15 IDM samba[2801]: /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
> Aug 21 12:03:16 IDM samba[2801]: [2016/08/21 12:03:16.008220, 0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
> Aug 21 12:03:16 IDM samba[2801]: /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
> Aug 21 12:03:16 IDM samba[2801]: [2016/08/21 12:03:16.020913, 0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
> Aug 21 12:03:16 IDM samba[2801]: ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_SHARING_VIOLATION
> Aug 21 16:33:14 IDM samba[2801]: [2016/08/21 16:33:14.118190, 0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
> Aug 21 16:33:14 IDM samba[2801]: /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
> Aug 21 16:33:14 IDM samba[2801]: [2016/08/21 16:33:14.129562, 0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
> Aug 21 16:33:14 IDM samba[2801]: ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_ACCESS_DENIED
> Aug 22 09:06:12 IDM samba[2790]: [2016/08/22 09:06:12.381991, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1086(dnsserver_query_zone)
> ----
>
> And here is the internal DNS update tool that shows there are no DNS
> updates needed (same output is generated on both hosts):
> ----
> # samba_dnsupdate --verbose | tail -1
> No DNS updates needed
> ----
>
>
> I would appreciate any hint and/or help.
>
> Kind regards,
> Damir Dezeljin

I think this may have the same problem as this bug report:
https://bugzilla.samba.org/show_bug.cgi?id=11351

Rowland
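
Added example, not part of either message above: a Python sketch that extracts the samba_dnsupdate TSIG failures and the NT_STATUS result of each failed DNS update from journal lines like those quoted in the post, grouped per minute so the two DCs can be compared. The function names are hypothetical, and the sample is a subset of the quoted lines, unwrapped to one entry per line.

```python
import re
from collections import Counter

# Subset of the journal lines quoted in the post, unwrapped (one entry per line).
SAMPLE = """\
Aug 21 12:03:15 IDM samba[2801]: /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
Aug 21 12:03:16 IDM samba[2801]: [2016/08/21 12:03:16.008220, 0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
Aug 21 12:03:16 IDM samba[2801]: /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
Aug 21 12:03:16 IDM samba[2801]: ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_SHARING_VIOLATION
Aug 21 16:33:14 IDM samba[2801]: /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
Aug 21 16:33:14 IDM samba[2801]: ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_ACCESS_DENIED
"""

# syslog prefix: "Aug 21 12:03:15 IDM samba[2801]: <message>"
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) samba\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
TSIG = re.compile(r"samba_dnsupdate: ; TSIG error with server: (?P<reason>.+)$")
FAILED = re.compile(r"Failed DNS update - (?P<status>NT_STATUS_\w+)")


def triage(text):
    """Return {minute: {"tsig": Counter, "status": [codes]}} for failing runs."""
    runs = {}
    for line in text.splitlines():
        m = SYSLOG.match(line.strip())
        if not m:
            continue  # not a samba syslog line
        tsig = TSIG.search(m["msg"])
        failed = FAILED.search(m["msg"])
        if not (tsig or failed):
            continue  # debug header or unrelated message
        # Drop the seconds so lines from one samba_dnsupdate run group together.
        run = runs.setdefault(m["ts"][:-3], {"tsig": Counter(), "status": []})
        if tsig:
            run["tsig"][tsig["reason"]] += 1
        if failed:
            run["status"].append(failed["status"])
    return runs


def summary(text):
    """List of (minute, number of TSIG errors, NT_STATUS codes) per run."""
    return [(when, sum(r["tsig"].values()), r["status"])
            for when, r in triage(text).items()]


if __name__ == "__main__":
    for when, tsig_errors, statuses in summary(SAMPLE):
        print(when, "TSIG errors:", tsig_errors, "result:", ", ".join(statuses))
```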