samba - Jul 2019 - Samba4 - global catalog (GC) cannot be contacted using Windows 7 RSAT

Hi Samba Team,

Have recently followed Samba guide and successfully migrate from PDC to AD
and from BDC to join AD forest.
Need some advice here as I encountered global catalog (GC) cannot be
contacted issue when using RSAT.
This message pops up when I click "member of" tab while viewing user
properties although it will display correctly after I acknowledged the
error.
Another similar message related to GC will also pop up when I click to the
next step while creating new user account, whereby I am aware my newly
created user might encounter login issues.

After done some research and with reference to previous posts, i noticed it
has to do with port 3268/tcp and 3269/tcp to be enabled and available.
After tried various methods to verify but no avail.

Below are the outputs of commands:
Appreciate for the advice.

# ps axf | egrep "samba|smbd|winbindd"
15163 pts/1    S+     0:00                      \_ egrep samba|smbd|winbindd
 2571 ?        Ss     0:00 samba
 2572 ?        S      0:00  \_ samba
 2574 ?        S      0:00  |   \_ samba
 2576 ?        Ss     0:14  |       \_ /usr/local/samba/sbin/smbd -D
--option=server role check:inhibit=yes --foreground
 2596 ?        S      0:00  |           \_ /usr/local/samba/sbin/smbd -D
--option=server role check:inhibit=yes --foreground
 2597 ?        S      0:00  |           \_ /usr/local/samba/sbin/smbd -D
--option=server role check:inhibit=yes --foreground
 2598 ?        S      0:00  |           \_ /usr/local/samba/sbin/smbd -D
--option=server role check:inhibit=yes --foreground
 9886 ?        S      0:00  |           \_ /usr/local/samba/sbin/smbd -D
--option=server role check:inhibit=yes --foreground
15160 ?        S      0:00  |           \_ /usr/local/samba/sbin/smbd -D
--option=server role check:inhibit=yes --foreground
15161 ?        S      0:00  |           \_ /usr/local/samba/sbin/smbd -D
--option=server role check:inhibit=yes --foreground
 2573 ?        S      0:35  \_ samba
 8972 ?        S      0:00  |   \_ samba
 8973 ?        S      0:00  |   \_ samba
 2575 ?        S      0:06  \_ samba
 2577 ?        S      0:00  \_ samba
 2578 ?        S      0:07  \_ samba
 9411 ?        S      0:00  |   \_ samba
 9412 ?        S      0:00  |   \_ samba
 2579 ?        S      0:02  \_ samba
 2580 ?        S      0:09  \_ samba
 2581 ?        S      0:05  \_ samba
 2582 ?        S      0:00  \_ samba
 2584 ?        S      0:00  |   \_ samba
 2586 ?        Ss     0:02  |       \_ /usr/local/samba/sbin/winbindd -D
--option=server role check:inhibit=yes --foreground
 2652 ?        S      0:00  |           \_ /usr/local/samba/sbin/winbindd
-D --option=server role check:inhibit=yes --foreground
 2653 ?        S      0:00  |           \_ /usr/local/samba/sbin/winbindd
-D --option=server role check:inhibit=yes --foreground
 2583 ?        S      0:00  \_ samba
 2585 ?        S      0:00  \_ samba
 2587 ?        S      0:00  \_ samba
 2588 ?        S      0:15  \_ samba

netstat -plaunt | egrep "ntp|bind|named|samba|?mbd"
tcp        0      0 0.0.0.0:53                  0.0.0.0:*
LISTEN      2588/samba
tcp        0      0 0.0.0.0:88                  0.0.0.0:*
LISTEN      2580/samba
tcp        0      0 0.0.0.0:445                 0.0.0.0:*
LISTEN      2576/smbd
tcp        0      0 0.0.0.0:49152               0.0.0.0:*
LISTEN      2573/samba
tcp        0      0 0.0.0.0:49153               0.0.0.0:*
LISTEN      2573/samba
tcp        0      0 0.0.0.0:49154               0.0.0.0:*
LISTEN      2573/samba
tcp        0      0 0.0.0.0:389                 0.0.0.0:*
LISTEN      2578/samba
tcp        0      0 0.0.0.0:135                 0.0.0.0:*
LISTEN      2573/samba
tcp        0      0 0.0.0.0:139                 0.0.0.0:*
LISTEN      2576/smbd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*
LISTEN      976/rpcbind
tcp        0      0 0.0.0.0:464                 0.0.0.0:*
LISTEN      2580/samba
tcp        0      0 DC1_IP:49153           Other_IP:49182
ESTABLISHED 8972/samba
tcp        0      0 DC1_IP:49152           Other_IP:54906
ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:389             Other_IP:63555
ESTABLISHED 9412/samba
tcp        0      0 DC1_IP:445             Other_IP:54486
ESTABLISHED 15410/smbd
tcp        0      0 DC1_IP:135             Other_IP:50476
 ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:135             Other_IP:61388
ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:49152           Other_IP:62660
ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:49152           Other_IP:65500
 ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:41854           DC2_IP:49152
ESTABLISHED 2581/samba
tcp        0      0 DC1_IP:49152           Other_IP:63554
ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:49152           Other_IP:60790
 ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:49152           DC2_IP:49612
ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:49152           Other_IP:58881
ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:445             Other_IP:61391
ESTABLISHED 15409/smbd
tcp        0      0 DC1_IP:49152           Other_IP:64459
ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:49152           Other_IP:63481
ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:49152           Other_IP:49174
ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:49152           Other_IP:50477
 ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:49152           Other_IP:53405
ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:49153           Other_IP:49183
ESTABLISHED 8973/samba
tcp        0      0 DC1_IP:135             Other_IP:49180
ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:389             Other_IP:63551
ESTABLISHED 9411/samba
tcp        0      0 DC1_IP:135             Other_IP:58880
ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:135             Other_IP:49173
ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:135             Other_IP:53404
ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:445             Other_IP:49195
ESTABLISHED 9886/smbd
tcp        0      0 DC1_IP:135             Other_IP:54903
ESTABLISHED 2573/samba
tcp        0      0 DC1_IP:49152           Other_IP:63553
ESTABLISHED 2573/samba
tcp        0      0 :::53                       :::*
 LISTEN      2588/samba
tcp        0      0 :::88                       :::*
 LISTEN      2580/samba
tcp        0      0 :::636                      :::*
 LISTEN      2578/samba
tcp        0      0 :::445                      :::*
 LISTEN      2576/smbd
tcp        0      0 :::49152                    :::*
 LISTEN      2573/samba
tcp        0      0 :::49153                    :::*
 LISTEN      2573/samba
tcp        0      0 :::49154                    :::*
 LISTEN      2573/samba
tcp        0      0 :::3268                     :::*
 LISTEN      2578/samba
tcp        0      0 :::3269                     :::*
 LISTEN      2578/samba
tcp        0      0 :::389                      :::*
 LISTEN      2578/samba
tcp        0      0 :::135                      :::*
 LISTEN      2573/samba
tcp        0      0 :::139                      :::*
 LISTEN      2576/smbd
tcp        0      0 :::111                      :::*
 LISTEN      976/rpcbind
tcp        0      0 :::464                      :::*
 LISTEN      2580/samba
udp        0      0 0.0.0.0:53                  0.0.0.0:*
            2588/samba
udp        0      0 DC1_IP:464             0.0.0.0:*
        2580/samba
udp        0      0 0.0.0.0:464                 0.0.0.0:*
            2580/samba
udp        0      0 0.0.0.0:727                 0.0.0.0:*
            976/rpcbind
udp        0      0 DC1_IP:88              0.0.0.0:*
        2580/samba
udp        0      0 0.0.0.0:88                  0.0.0.0:*
            2580/samba
udp        0      0 0.0.0.0:111                 0.0.0.0:*
            976/rpcbind
udp        0      0 DC1_IP:123             0.0.0.0:*
        8210/./ntpd
udp        0      0 127.0.0.1:123               0.0.0.0:*
            8210/./ntpd
udp        0      0 0.0.0.0:123                 0.0.0.0:*
            8210/./ntpd
udp        0      0 DC1_IP:389             0.0.0.0:*
        2579/samba
udp        0      0 0.0.0.0:389                 0.0.0.0:*
            2579/samba
udp        0      0 DC1_IP:137             0.0.0.0:*
        2575/samba
udp        0      0 Broadcast_IP:137           0.0.0.0:*
            2575/samba
udp        0      0 0.0.0.0:137                 0.0.0.0:*
            2575/samba
udp        0      0 DC1_IP:138             0.0.0.0:*
        2575/samba
udp        0      0 Broadcast_IP:138           0.0.0.0:*
            2575/samba
udp        0      0 0.0.0.0:138                 0.0.0.0:*
            2575/samba
udp        0      0 :::53                       :::*
             2588/samba
udp        0      0 :::464                      :::*
             2580/samba
udp        0      0 :::727                      :::*
             976/rpcbind
udp        0      0 :::88                       :::*
             2580/samba
udp        0      0 :::111                      :::*
             976/rpcbind
udp        0      0 IP_V6:123 :::*
 8210/./ntpd
udp        0      0 ::1:123                     :::*
             8210/./ntpd
udp        0      0 :::123                      :::*
             8210/./ntpd
udp        0      0 :::389                      :::*
             2579/samba

# host -t SRV _ldap._tcp.gc._msdcs.sandom.example.com.
_ldap._tcp.gc._msdcs.sandom.example.com has SRV record 0 100 3268
dc1.sandom.example.com.
_ldap._tcp.gc._msdcs.sandom.example.com has SRV record 0 100 3268
dc2.sandom.example.com.

# host -t SRV _gc._tcp.sandom.example.com.
_gc._tcp.sandom.example.com has SRV record 0 100 3268 dc1.sandom.example.com
.
_gc._tcp.sandom.example.com has SRV record 0 100 3268 dc2.sandom.example.com
.

My DC smb.conf as below:
# Global parameters
[global]
        netbios name = DC1
        realm = SANDOM.EXAMPLE.COM
        server role = active directory domain controller
        workgroup = SANDOM
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no
        template shell = /bin/bash
        template homedir = /home/%U
        dns forwarder = FORWARDER_IP
        ntlm auth = yes

Thanks and Regards
AC

On 19/07/2019 11:13, Alfonso Conner via samba wrote:
> Hi Samba Team,
>
> Have recently followed Samba guide and successfully migrate from PDC to AD
> and from BDC to join AD forest.
> Need some advice here as I encountered global catalog (GC) cannot be
> contacted issue when using RSAT.
> This message pops up when I click "member of" tab while viewing
user
> properties although it will display correctly after I acknowledged the
> error.
> Another similar message related to GC will also pop up when I click to the
> next step while creating new user account, whereby I am aware my newly
> created user might encounter login issues.
>
> After done some research and with reference to previous posts, i noticed it
> has to do with port 3268/tcp and 3269/tcp to be enabled and available.
> After tried various methods to verify but no avail.
>
What OS is the DC running on ?

What version of Samba ?

Things like this used to happen, but they do not occur for myself using 
Win10 against Samba 4.9.6 on Devuan 2 (aka Debian 9)

Rowland

Hi Rowland,

Currently using Samba 4.8.5
2 x DCs running on CentOS 6.10 (Final)
Configured 1 DC via classic upgrade, and the latter DC join AD forest.
Would it be alright if I were to redo the classic upgrade?
Hope to hear from you soon.

Thanks and Regards


On Fri, Jul 19, 2019 at 7:06 PM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 19/07/2019 11:13, Alfonso Conner via samba wrote:
> > Hi Samba Team,
> >
> > Have recently followed Samba guide and successfully migrate from PDC
to
> AD
> > and from BDC to join AD forest.
> > Need some advice here as I encountered global catalog (GC) cannot be
> > contacted issue when using RSAT.
> > This message pops up when I click "member of" tab while
viewing user
> > properties although it will display correctly after I acknowledged the
> > error.
> > Another similar message related to GC will also pop up when I click to
> the
> > next step while creating new user account, whereby I am aware my newly
> > created user might encounter login issues.
> >
> > After done some research and with reference to previous posts, i
noticed
> it
> > has to do with port 3268/tcp and 3269/tcp to be enabled and available.
> > After tried various methods to verify but no avail.
> >
> What OS is the DC running on ?
>
> What version of Samba ?
>
> Things like this used to happen, but they do not occur for myself using
> Win10 against Samba 4.9.6 on Devuan 2 (aka Debian 9)
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>