Rowland penny
2019-May-26 17:53 UTC
[Samba] Please help with Samba AD DC after restore from backup
On 26/05/2019 18:28, Viktor Trojanovic via samba wrote:
> Small update: I added "lo" to the interfaces in smb.conf, now smbclient
> works also on localhost. But both the other problems remain as described
> for now.
>
> On Sun, 26 May 2019 at 19:17, Viktor Trojanovic <viktor at troja.ch> wrote:
>
>> I just did a restore of a backed up Samba DC and as feared, I'm running
>> into issues that have kept me for hours on this already.
>>
>> Everything seems fine at first sight. The daemon (samba-ad-dc, 4.10, on
>> Ubuntu Bionic) starts properly and without error messages in any log, even
>> with increased level 3. Most of the typical testing and troubleshooting
>> commands give the correct output.
>>
>> Specifically, all the host commands mentioned in the wiki work, so
>> (internal) DNS seems to work fine. kinit and klist work, too, so I guess
>> Kerberos is set up correctly. What doesn't seem to work fully, however, is
>> the file server.
>>
>> I can run
>>
>> smbclient -L DC1 -U%
>>
>> just fine. But when I switch DC1 for localhost, I get an error message.
>>
>> Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)
>>
>> I'm not sure if it matters, but no matter if I choose localhost or DC1, it
>> also says "Unable to initialize messaging context". I couldn't find a clear
>> reference as to what this means.
>>
>> What I further noticed is that I cannot seem to access "DC1" from other
>> stations. I can ping the address 192.168.1.1, but running "nslookup DC1"
>> gives an error
>>
>> ** server can't find dc1: SERVFAIL
>>
>> It seems to me as if most of the DC is working fine but one element is
>> screwed up. Hopefully someone can guide me in the right direction to solve
>> this.
>>
>> /etc/samba/smb.conf
>> [global]
>> workgroup = SAMDOM
>> realm = SAMDOM.EXAMPLE.COM
>> netbios name = DC1
>> server role = active directory domain controller
>> dns forwarder = 8.8.8.8
>> idmap_ldb:use rfc2307 = yes
>> interfaces = eth0
>> bind interfaces only = Yes
>> tls enabled = no
>> log level = 3
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/samdom.example.com/scripts
>> read only = No
>> acl_xattr:ignore system acls = yes
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>> acl_xattr:ignore system acls = yes
>>
>> /etc/hosts
>> 127.0.0.1 localhost
>> 192.168.1.1 dc1.samdom.example.com dc1
>>
>> /etc/hostname
>> DC1
>>
>> /etc/resolv.conf
>> nameserver 192.168.1.1
>> search samdom.example.com

Everything looks okay, just a few thoughts/comments.

You get 'Unable to initialize messaging context' if you are not root when running smbclient.

Is the time on the DC correct?

Why do you have 'tls enabled = no'?

I know you have restored Samba from a backup, but what about the OS, is everything exactly the same as before you needed to restore?

Have you checked if the DNS server is actually running on port 53 and if something is, that it is the DC and not something else?

Rowland
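Added example (not part of the thread and not Samba project code): a small Python check for the two [global] settings raised in the message above, the interface binding that left localhost refused and 'tls enabled = no', run against the section as it was posted. The function names and finding labels are hypothetical, and the loopback test is a simplification.

```python
# Constructed sample: the [global] section as posted in the thread.
POSTED = """\
[global]
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
netbios name = DC1
server role = active directory domain controller
dns forwarder = 8.8.8.8
idmap_ldb:use rfc2307 = yes
interfaces = eth0
bind interfaces only = Yes
tls enabled = no
log level = 3
"""
# Same section with "lo" added (the change reported in the thread) and the
# "tls enabled" line dropped so the Samba default (yes) applies.
ADJUSTED = (POSTED.replace("interfaces = eth0", "interfaces = lo eth0")
                  .replace("tls enabled = no\n", ""))


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {parameter: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def is_loopback(entry):
    # Simplification: the interface name "lo" or a literal loopback address.
    return entry == "lo" or entry.startswith("127.") or entry.startswith("::1")


def audit_global(text):
    """Return finding labels (hypothetical names) for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    ifaces = g.get("interfaces", "").lower().replace(",", " ").split()
    bind_only = g.get("bind interfaces only", "no").lower() in ("yes", "true", "1")
    if bind_only and not any(is_loopback(i) for i in ifaces):
        findings.append("loopback-not-bound")  # localhost connections are refused
    if g.get("tls enabled", "yes").lower() in ("no", "false", "0"):
        findings.append("tls-disabled")  # TLS switched off (default: yes)
    return findings
```
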
Viktor Trojanovic
2019-May-26 18:23 UTC
[Samba] Please help with Samba AD DC after restore from backup
Hi Rowland,

On Sun, 26 May 2019 at 19:54, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 26/05/2019 18:28, Viktor Trojanovic via samba wrote:
> > Small update: I added "lo" to the interfaces in smb.conf, now smbclient
> > works also on localhost. But both the other problems remain as described
> > for now.
> >
> > On Sun, 26 May 2019 at 19:17, Viktor Trojanovic <viktor at troja.ch> wrote:
> >
> >> I just did a restore of a backed up Samba DC and as feared, I'm running
> >> into issues that have kept me for hours on this already.
> >>
> >> Everything seems fine at first sight. The daemon (samba-ad-dc, 4.10, on
> >> Ubuntu Bionic) starts properly and without error messages in any log, even
> >> with increased level 3. Most of the typical testing and troubleshooting
> >> commands give the correct output.
> >>
> >> Specifically, all the host commands mentioned in the wiki work, so
> >> (internal) DNS seems to work fine. kinit and klist work, too, so I guess
> >> Kerberos is set up correctly. What doesn't seem to work fully, however, is
> >> the file server.
> >>
> >> I can run
> >>
> >> smbclient -L DC1 -U%
> >>
> >> just fine. But when I switch DC1 for localhost, I get an error message.
> >>
> >> Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)
> >>
> >> I'm not sure if it matters, but no matter if I choose localhost or DC1, it
> >> also says "Unable to initialize messaging context". I couldn't find a clear
> >> reference as to what this means.
> >>
> >> What I further noticed is that I cannot seem to access "DC1" from other
> >> stations. I can ping the address 192.168.1.1, but running "nslookup DC1"
> >> gives an error
> >>
> >> ** server can't find dc1: SERVFAIL
> >>
> >> It seems to me as if most of the DC is working fine but one element is
> >> screwed up. Hopefully someone can guide me in the right direction to solve
> >> this.
> >>
> >> /etc/samba/smb.conf
> >> [global]
> >> workgroup = SAMDOM
> >> realm = SAMDOM.EXAMPLE.COM
> >> netbios name = DC1
> >> server role = active directory domain controller
> >> dns forwarder = 8.8.8.8
> >> idmap_ldb:use rfc2307 = yes
> >> interfaces = eth0
> >> bind interfaces only = Yes
> >> tls enabled = no
> >> log level = 3
> >>
> >> [netlogon]
> >> path = /var/lib/samba/sysvol/samdom.example.com/scripts
> >> read only = No
> >> acl_xattr:ignore system acls = yes
> >>
> >> [sysvol]
> >> path = /var/lib/samba/sysvol
> >> read only = No
> >> acl_xattr:ignore system acls = yes
> >>
> >> /etc/hosts
> >> 127.0.0.1 localhost
> >> 192.168.1.1 dc1.samdom.example.com dc1
> >>
> >> /etc/hostname
> >> DC1
> >>
> >> /etc/resolv.conf
> >> nameserver 192.168.1.1
> >> search samdom.example.com
>
> Everything looks okay, just a few thoughts/comments
>
> You get 'Unable to initialize messaging context' if you are not root
> when running smbclient.

Ok, got it. Thanks.

> Is the time on the DC correct?

Yes, it is. Still, I'm curious, does that really matter? After all, it's the only DC.

> Why do you have 'tls enabled = no'?

For no good reason, Google pointed me to it.

> I know you have restored Samba from a backup, but what about the OS, is
> everything exactly the same as before you needed to restore?

No, it's a different OS, was Arch Linux, now it's Ubuntu. But the file locations are the same on both systems.

> Have you checked if the DNS server is actually running on port 53 and if
> something is, that it is the DC and not something else?

I have, only Samba is running on 53.

I just did some more experiments, and things have gotten considerably worse. Basically, I decided to restore the backup once again from scratch, just the Samba folder part, everything else remains as described above. Now, DNS no longer works, I get an exit code 110 in the log.

task[dnsupdate][224]: dnsupdate_nameupdate_done: Failed DNS update with exit code 110

Before restoring the backup, I made a backup of the previous Samba folder (just renamed it to Samba2). I thought, no matter what happens with the new restore, I can always just revert to the situation I had before. But that doesn't seem to be the case either, even after moving Samba2 back to Samba, I get the same DNS errors as with the new restore.

Frankly, I don't understand this. Where else does Samba keep its files, except for /etc/samba and /var/lib/samba?

It's like opening Pandora's box every time I do more than just an incremental version update in Samba :)

Viktor
Rowland penny
2019-May-26 18:49 UTC
[Samba] Please help with Samba AD DC after restore from backup
On 26/05/2019 19:23, Viktor Trojanovic wrote:
> Frankly, I don't understand this. Where else does Samba keep its
> files, except for /etc/samba and /var/lib/samba?

There are other Samba files, but these are binaries, caches etc.; for a full list of directories, run 'samba -b'.

> It's like opening Pandora's box every time I do more than just an
> incremental version update in Samba :)

To be honest, I find the best way to back up Samba is not to back up Samba ;-)

Just run normal updates and distro upgrades, have multiple DCs (even if you don't think you need more than one) and if you need to do something that needs more than this, join a new DC and then demote the old one.

In my opinion, a backup is the last option ;-)

Rowland