Bob of Donelson Trophy
2016-Dec-04 15:43 UTC
[Samba] port 135 - NT_STATUS_CONNECTION_REFUSED
On 2016-12-04 09:11, Rowland Penny via samba wrote:

> On Sun, 04 Dec 2016 08:01:09 -0600
> Bob of Donelson Trophy via samba <samba at lists.samba.org> wrote:
>
>> I have two DCs running Samba 4.5.0 and the "dtdc03" log.samba is
>> showing the following:
>>
>> root at dtdc03:~# tail -f /usr/local/samba/var/log.samba
>> [2016/12/01 10:14:39.167794, 0]
>> ../source4/librpc/rpc/dcerpc_sock.c:245(continue_ip_open_socket)
>> Failed to connect host 192.168.16.50
>> (aa03011a-94c2-4c52-bc60-6fd2f75d35e5._msdcs.dtshrm.dt) on port 135 -
>> NT_STATUS_CONNECTION_REFUSED.
>> [2016/12/01 10:14:39.212551, 0]
>> ../source4/librpc/rpc/dcerpc_sock.c:63(continue_socket_connect)
>> Failed to connect host 192.168.16.50 on port 135 -
>> NT_STATUS_CONNECTION_REFUSED
>> [2016/12/01 10:14:39.212757, 0]
>> ../source4/librpc/rpc/dcerpc_sock.c:245(continue_ip_open_socket)
>> Failed to connect host 192.168.16.50
>> (aa03011a-94c2-4c52-bc60-6fd2f75d35e5._msdcs.dtshrm.dt) on port 135 -
>> NT_STATUS_CONNECTION_REFUSED.
>> [2016/12/01 10:14:39.258017, 0]
>> ../source4/librpc/rpc/dcerpc_sock.c:63(continue_socket_connect)
>> Failed to connect host 192.168.16.50 on port 135 -
>> NT_STATUS_CONNECTION_REFUSED
>> [2016/12/01 10:14:39.258234, 0]
>> ../source4/librpc/rpc/dcerpc_sock.c:245(continue_ip_open_socket)
>> Failed to connect host 192.168.16.50
>> (aa03011a-94c2-4c52-bc60-6fd2f75d35e5._msdcs.dtshrm.dt) on port 135 -
>> NT_STATUS_CONNECTION_REFUSED.
>>
>> So, I found the "Verifying_and_Creating_a_DC_DNS_Record" page of the
>> wiki and ran:
>>
>> root at dtdc03:~# ldbsearch -H /usr/local/samba/private/sam.ldb
>> '(invocationId=*)' --cross-ncs objectguid
>> # record 1
>> dn: CN=NTDS
>> Settings,CN=DTDC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dtshrm,DC=dt
>> objectGUID: d3298cdc-aed1-48e6-b8fc-f3cdb80b1066
>>
>> # record 2
>> dn: CN=NTDS
>> Settings,CN=DTDC04,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dtshrm,DC=dt
>> objectGUID: aa03011a-94c2-4c52-bc60-6fd2f75d35e5
>>
>> # returned 2 records
>> # 2 entries
>> # 0 referrals
>>
>> And then ran:
>>
>> root at dtdc03:~# host -t CNAME
>> aa03011a-94c2-4c52-bc60-6fd2f75d35e5._msdcs.dtshrm.dt.
>> aa03011a-94c2-4c52-bc60-6fd2f75d35e5._msdcs.dtshrm.dt is an alias for
>> dtdc04.dtshrm.dt.
>>
>> The objectGUID string matches. How do I correct this log entry and
>> resolve the "NT_STATUS_CONNECTION_REFUSED"?
>
> OK, is your DC listening on port 135 ?
> Run this on the DC:
>
> netstat -plnt | grep 135
>
> It should return something like this:
>
> tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 2093/samba
> tcp6 0 0 :::135 :::* LISTEN 2093/samba
>
> What is the 'server services' line in smb.conf ?
>
> Rowland

Here is the output from "netstat -plnt | grep 135":

root at dtdc03:~# netstat -plnt | grep 135
tcp 0 0 192.168.16.49:135 0.0.0.0:* LISTEN 1142/samba
tcp 0 0 127.0.0.1:135 0.0.0.0:* LISTEN 1142/samba

Here are both DCs' smb.conf files:

root at dtdc03:~# cat /etc/samba/smb.conf
# Global parameters
[global]
netbios name = DTDC03
realm = DTSHRM.DT
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = DTDOM
server role = active directory domain controller

time server = yes

## log level = 5

interfaces = 127.0.0.1 192.168.16.49
bind interfaces only = yes

allow dns updates = nonsecure and secure
dns forwarder = 192.168.16.49

# Thanks to Lars for this fix, it stops the syslog
# being spammed by the lack of a CUPS server.
printing = CUPS
printcap name = /dev/null

[netlogon]
path = /usr/local/samba/var/locks/sysvol/dtshrm.dt/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

root at dtdc04:~# cat /etc/samba/smb.conf
# Global parameters
[global]
netbios name = DTDC04
realm = DTSHRM.DT
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = DTDOM
server role = active directory domain controller

time server = yes

### log level = 5

interfaces = 127.0.0.1 192.168.16.50
bind interfaces only = yes

allow dns updates = nonsecure and secure
dns forwarder = 192.168.16.50

# Thanks to Lars for this fix, it stops the syslog
# being spammed by the lack of a CUPS server.
printing = CUPS
printcap name = /dev/null

[netlogon]
path = /usr/local/samba/var/locks/sysvol/dtshrm.dt/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

Your thoughts?

--
_______________________________
Bob Wooden of Donelson Trophy

On Sun, 04 Dec 2016 09:43:25 -0600
Bob of Donelson Trophy via samba <samba at lists.samba.org> wrote:

> Your thoughts?
>

You seem to be using Bind9, so you don't need the 'dns forwarder' lines

If you only have one network device installed in the DCs, I would also
lose the 'interfaces' & 'bind interfaces only' lines

I would add this line on each DC:

idmap_ldb:use rfc2307 = yes

Rowland

Bob of Donelson Trophy
2016-Dec-04 17:01 UTC
[Samba] port 135 - NT_STATUS_CONNECTION_REFUSED
On 2016-12-04 10:25, Rowland Penny via samba wrote:

> You seem to be using Bind9, so you don't need the 'dns forwarder' lines
>
> If you only have one network device installed in the DCs, I would also
> lose the 'interfaces' & 'bind interfaces only' lines
>
> I would add this line on each DC:
>
> idmap_ldb:use rfc2307 = yes
>
> Rowland

Thanks Rowland. Making those suggested adjustments has made both "log.samba" files say the same:

root at dtdc03:~# tail -f /usr/local/samba/var/log.samba
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
[2016/12/04 10:43:52.125952, 0] ../lib/util/become_daemon.c:124(daemon_ready)
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
STATUS=daemon 'samba' finished starting up and ready to serve connections

The "NT_STATUS_CONNECTION_REFUSED" references are gone.

In a previous post, I believe you suggested that this "setproctitle_init()" log complaint could be ignored.

Once again, thanks for everyone's help.

--
_______________________________
Bob Wooden of Donelson Trophy
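
As an added example that is not part of the thread: the sketch below pulls the refused address and port out of log.samba entries like those posted above and checks them against a `netstat -plnt` listener table. The function names are hypothetical, and the sample input is copied from the posts with the mail-wrapped log lines rejoined; it assumes the listener table is captured on the DC that owns the refused address.

```shell
#!/bin/sh
# Added example (not from the thread): match refused targets in log.samba
# against the LISTEN sockets reported by `netstat -plnt`.

# Print unique "ip port" pairs for refused connections read from stdin.
refused_targets() {
    awk '/Failed to connect host/ && /NT_STATUS_CONNECTION_REFUSED/ {
        ip = ""; port = ""
        for (i = 1; i < NF; i++) {
            if ($i == "host") ip = $(i + 1)
            if ($i == "port") port = $(i + 1)
        }
        if (ip != "" && port != "" && !seen[ip " " port]++) print ip, port
    }'
}

# Exit 0 if the netstat output on stdin has a LISTEN socket on port $2
# bound to address $1 or to a wildcard address (0.0.0.0 or ::).
listener_covers() {
    awk -v ip="$1" -v port="$2" '$6 == "LISTEN" {
        n = split($4, part, ":")
        laddr = substr($4, 1, length($4) - length(part[n]) - 1)
        if (part[n] == port && (laddr == ip || laddr == "0.0.0.0" || laddr == "::"))
            found = 1
    }
    END { exit(found ? 0 : 1) }'
}

# Sample input copied from the thread (wrapped lines rejoined): two
# log.samba entries and the netstat output posted from dtdc03.
LOG_SAMPLE='[2016/12/01 10:14:39.167794, 0] ../source4/librpc/rpc/dcerpc_sock.c:245(continue_ip_open_socket)
  Failed to connect host 192.168.16.50 (aa03011a-94c2-4c52-bc60-6fd2f75d35e5._msdcs.dtshrm.dt) on port 135 - NT_STATUS_CONNECTION_REFUSED.
[2016/12/01 10:14:39.212551, 0] ../source4/librpc/rpc/dcerpc_sock.c:63(continue_socket_connect)
  Failed to connect host 192.168.16.50 on port 135 - NT_STATUS_CONNECTION_REFUSED'
NETSTAT_DTDC03='tcp 0 0 192.168.16.49:135 0.0.0.0:* LISTEN 1142/samba
tcp 0 0 127.0.0.1:135 0.0.0.0:* LISTEN 1142/samba'

# Report, for each refused target, whether the listener table in $1 covers it.
report() {
    printf '%s\n' "$LOG_SAMPLE" | refused_targets | while read -r ip port; do
        if printf '%s\n' "$1" | listener_covers "$ip" "$port"; then
            echo "$ip:$port covered"
        else
            echo "$ip:$port not covered"
        fi
    done
}

report "$NETSTAT_DTDC03"
```

Fed the dtdc03 table, the check reports 192.168.16.50:135 as not covered, because that table lists only 192.168.16.49 and 127.0.0.1; the same check needs the `netstat -plnt` output from dtdc04, the host the log names.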