Difference between revisions of "Samba4 Troubleshooting"
From Stadm
Jump to navigationJump to search| (11 intermediate revisions by the same user not shown) | |||
| Line 4: | Line 4: | ||
[[Category:Samba4AD]] | [[Category:Samba4AD]] | ||
| + | =Troubleshooting= | ||
| + | |||
| + | ==Update Samba== | ||
| + | *When updating Samba you should only be doing a version change on one DC at a time. Then verify that the DC is working in the domain before upgrading other DCs, don't update more than one DC at a time, have proper backups! | ||
| + | *https://wiki.samba.org/index.php/Updating_Samba | ||
| + | *Stop service and make backup | ||
| + | systemctl stop samba | ||
| + | /usr/local/samba/bin/samba_backup | ||
| + | *Get samba, configure and install | ||
| + | wget http://www.samba.org/samba/ftp/stable/samba-4.3.3.tar.gz | ||
| + | tar -zxvf samba-4.3.3.tar.gz | ||
| + | cd ~/samba-4.3.3 | ||
| + | ./configure --enable-debug --enable-selftest --with-ads --with-systemd --with-winbind | ||
| + | *Make sure configure completes successfully, be sure you have proper backups!!! | ||
| + | *Read the release notes to check compatibility. | ||
| + | make | ||
| + | make install | ||
| + | *start the samba service | ||
| + | systemctl start samba | ||
| + | *Go check the logs and verify the system came up correctly: | ||
| + | tail /usr/local/samba/var/$LOGNAME.log | ||
| + | *Test around and see that replication is still in sync. Check that other DCs logs for errors about upgraded DC or replication. | ||
| + | |||
| + | ==Checking Replication== | ||
*Check replication status | *Check replication status | ||
samba-tool drs showrepl | samba-tool drs showrepl | ||
| + | *Force a repl: | ||
| + | *https://wiki.samba.org/index.php/Samba-tool_drs_replicate | ||
| + | |||
| + | ==Force Removal of DC== | ||
| + | *If a Samba4 DC goes offline and cannot be restored so that replication can resync with another DC it must be forcibly removed from the domain. | ||
| + | *If the failed DC owned any of the FSMO roles they must be seized by the current working DC. See link for howto: | ||
| + | *https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles | ||
| + | *Once all roles are on a working DC you may force remove the down DC from the domain. Use the following script: | ||
| + | *https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content | ||
| + | *Check in ADUC under Domain Controllers(or appropriate OU) the DC was removed, if not delete the object. | ||
| + | *Open up the DNS Manager and remove all entries for the failed DC. | ||
| + | *Never restore/reintroduce the failed DC back into the domain, it will cause replication issues. | ||
| + | *To bring another DC up, setup samba as usual and join the domain as a DC using samba-tool: | ||
| + | *https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory | ||
| + | |||
| + | ==Demote a DC== | ||
| + | *https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC | ||
| + | |||
| + | ==Join a DC== | ||
| + | *https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory | ||
| + | |||
| + | ==Backup and Restore== | ||
| + | *https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC | ||
| + | |||
| + | ==Local Intranet Settings for Roaming Profiles== | ||
| + | *http://www.technipages.com/fix-we-cant-verify-who-created-this-file-error | ||
| + | *https://deployhappiness.com/managing-internet-explorer-trusted-sites-with-group-policy/ | ||
| + | |||
| + | ==LDB Search/Edit== | ||
| + | *ldb search example: | ||
| + | ldbsearch -H /usr/local/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=***\,DC\=***\,DC\=***\,DC\=***.ldb | ||
| + | |||
| + | *weird error with tombstone lifetime | ||
| + | [2015/05/20 14:27:27.377734, 0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit) | ||
| + | Failed to apply records: replmd_replicated_apply_add: error during DRS repl ADD: No objectClass found in replPropertyMetaData for DC=lluvia\0ACNF:fe4415b8-8a9d-417d-abb3-77771ec99f88\0ADEL:fe4415b8-8a9d-417d-abb3-77771ec99f88,CN=Deleted Objects,DC=DomainDnsZones,DC=***,DC=***,DC=***,DC=edu! | ||
| + | : Object class violation | ||
| + | *use ldbedit to change the tombstone lifetime from 6 months to 10 days to get rid of all extra "Deleted Objects" that wont replicate | ||
| + | ldbedit -H ldap://localhost -Uadministrator -s base -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=***,DC=***,DC=***,DC=***" | ||
| + | *https://wiki.samba.org/index.php/Restoring_deleted_AD_objects#Changing_the_defaults_for_msDS-deletedObjectLifetime_and_tombstoneLifetime | ||
Latest revision as of 16:12, 5 February 2016
Contents
Troubleshooting
Update Samba
- When updating Samba you should only be doing a version change on one DC at a time. Then verify that the DC is working in the domain before upgrading other DCs, don't update more than one DC at a time, have proper backups!
- https://wiki.samba.org/index.php/Updating_Samba
- Stop service and make backup
systemctl stop samba /usr/local/samba/bin/samba_backup
- Get samba, configure and install
wget http://www.samba.org/samba/ftp/stable/samba-4.3.3.tar.gz tar -zxvf samba-4.3.3.tar.gz cd ~/samba-4.3.3 ./configure --enable-debug --enable-selftest --with-ads --with-systemd --with-winbind
- Make sure configure completes successfully, be sure you have proper backups!!!
- Read the release notes to check compatibility.
make make install
- start the samba service
systemctl start samba
- Go check the logs and verify the system came up correctly:
tail /usr/local/samba/var/$LOGNAME.log
- Test around and see that replication is still in sync. Check that other DCs logs for errors about upgraded DC or replication.
Checking Replication
- Check replication status
samba-tool drs showrepl
Force Removal of DC
- If a Samba4 DC goes offline and cannot be restored so that replication can resync with another DC it must be forcibly removed from the domain.
- If the failed DC owned any of the FSMO roles they must be seized by the current working DC. See link for howto:
- https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles
- Once all roles are on a working DC you may force remove the down DC from the domain. Use the following script:
- https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
- Check in ADUC under Domain Controllers(or appropriate OU) the DC was removed, if not delete the object.
- Open up the DNS Manager and remove all entries for the failed DC.
- Never restore/reintroduce the failed DC back into the domain, it will cause replication issues.
- To bring another DC up, setup samba as usual and join the domain as a DC using samba-tool:
- https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory
Demote a DC
Join a DC
Backup and Restore
Local Intranet Settings for Roaming Profiles
- http://www.technipages.com/fix-we-cant-verify-who-created-this-file-error
- https://deployhappiness.com/managing-internet-explorer-trusted-sites-with-group-policy/
LDB Search/Edit
- ldb search example:
ldbsearch -H /usr/local/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=***\,DC\=***\,DC\=***\,DC\=***.ldb
- weird error with tombstone lifetime
[2015/05/20 14:27:27.377734, 0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit) Failed to apply records: replmd_replicated_apply_add: error during DRS repl ADD: No objectClass found in replPropertyMetaData for DC=lluvia\0ACNF:fe4415b8-8a9d-417d-abb3-77771ec99f88\0ADEL:fe4415b8-8a9d-417d-abb3-77771ec99f88,CN=Deleted Objects,DC=DomainDnsZones,DC=***,DC=***,DC=***,DC=edu! : Object class violation
- use ldbedit to change the tombstone lifetime from 6 months to 10 days to get rid of all extra "Deleted Objects" that wont replicate
ldbedit -H ldap://localhost -Uadministrator -s base -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=***,DC=***,DC=***,DC=***"
