Category Archives: troubleshooting

Samba AD issues are hard, hard, hard to fix

So it looks like I did something wrong at some point while setting up a domain and Samba4 is now broken for me.

Of course this had to happen after I spent time migrating my local account to the domain account. (No, it did not go as smoothly as the sources might lead you to believe.)

So I am understandably reluctant to reprovision the machine and go through that process again, breaking who-knows-what-else by breaking the NTFS ACLs formed since.

So yeah, I’ll use this post as an outlet for complaints about this breakage:

Mar  1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.752020,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar  1 00:42:17 commander samba[12250]:   /usr/sbin/samba_dnsupdate: Traceback (most recent call last):
Mar  1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.753033,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar  1 00:42:17 commander samba[12250]:   /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 612, in <module>
Mar  1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.753757,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar  1 00:42:17 commander samba[12250]:   /usr/sbin/samba_dnsupdate:     get_credentials(lp)
Mar  1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.754374,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar  1 00:42:17 commander samba[12250]:   /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 118, in get_credentials
Mar  1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.755084,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar  1 00:42:17 commander samba[12250]:   /usr/sbin/samba_dnsupdate:     creds.set_machine_account(lp)
Mar  1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.755797,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar  1 00:42:17 commander samba[12250]:   /usr/sbin/samba_dnsupdate: RuntimeError: (-1073741275, 'NT_STATUS_NOT_FOUND')

…uh, so the machine account is missing? What? How did that happen? Is it really missing?

# samba-tool user create COMMANDER$
ERROR(ldb): Failed to add user 'COMMANDER$':  - samldb: Account name (sAMAccountName) 'COMMANDER$' already in use!
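The traceback in the syslog excerpt above is hard to read because every line the helper printed is logged as a pair of records: a samba_runcmd_io_handler debug header, then the helper's output. As an added example (not part of the original post, and not Samba's own tooling), the script below strips that wrapping and reports the innermost failing call with its NT_STATUS code; the function names runcmd_output and runcmd_summary are made up for this sketch, and the sample input is copied from the excerpt.

```shell
#!/bin/sh
# Sample input: the last three helper lines of the syslog excerpt in the post.
sample_log() {
cat <<'EOF'
Mar  1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.754374,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar  1 00:42:17 commander samba[12250]:   /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 118, in get_credentials
Mar  1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.755084,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar  1 00:42:17 commander samba[12250]:   /usr/sbin/samba_dnsupdate:     creds.set_machine_account(lp)
Mar  1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.755797,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar  1 00:42:17 commander samba[12250]:   /usr/sbin/samba_dnsupdate: RuntimeError: (-1073741275, 'NT_STATUS_NOT_FOUND')
EOF
}

# Read syslog on stdin, print only what the helper itself wrote.
runcmd_output() {
    awk '
        # Drop the syslog prefix "Mon DD HH:MM:SS host samba[pid]: ".
        { sub(/^.*samba\[[0-9]+\]: /, "") }
        # A debug header announces that the next record is helper output.
        /^\[.*\(samba_runcmd_io_handler\)$/ { pending = 1; next }
        pending {
            pending = 0
            sub(/^ +/, "")          # indentation added by the logger
            sub(/^[^ :]+: /, "")    # "<helper path>: ", keeps traceback indent
            print
        }
    '
}

# One-line summary: innermost function, the call that raised, the NT_STATUS.
runcmd_summary() {
    runcmd_output | awk '
        /^  File / { fn = $NF }                          # last frame wins
        /^    /    { call = $0; sub(/^ +/, "", call) }   # source line of frame
        /NT_STATUS_[A-Z_]+/ {
            match($0, /NT_STATUS_[A-Z_]+/)
            print fn ": " call " -> " substr($0, RSTART, RLENGTH)
        }
    '
}

sample_log | runcmd_summary
```

On a live system the same functions can be fed from the log file instead of sample_log.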

Let’s try this, found on Samba’s wiki:

samba-tool dbcheck --fix --reset-well-known-acls

Hurray, an error has been fixed! But everything is still horribly broken.

Oh look! There’s a DC diagnostics tool shipping in Windows:

C:\Users\ivucica>dcdiag / /v

Directory Server Diagnosis

Performing initial setup:
   * Connecting to directory service on server
   Ldap search capability attribute search failed on server,
   return value = 52

Thanks, Microsoft, that’s helpful.

So I fiddled a bit and ended up with this:

C:\Users\ivucica>dcdiag /s:commander

Directory Server Diagnosis

Performing initial setup:
   Ldap search capability attribute search failed on server commander, return
   value = 81

C:\Users\ivucica>dcdiag /s:commander.ds.MYDOMAIN

Directory Server Diagnosis

Performing initial setup:
   Ldap search capability attribute search failed on server
   commander.ds.MYDOMAIN, return value = 81

No, passing /v did not help identify either error 52 or 81. But that 81 is mildly googlable. Wait, it’s mentioning LDAP… Is it even running?

Oh wait, Microsoft has another diagnostics tool (of course it does)

C:\Users\ivucica>nltest /dsgetdc:ds.MYDOMAIN force /gc
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

Of course there is no such domain, why would there be, am I right? tcpdump revealed that UDP packets on 389 were being rejected (and nothing is listening there). And connections to localhost were failing. So let’s look at help for samba-tool dbcheck. Huh. Let’s try this:

samba-tool dbcheck --fix --reindex --scope=base

And breakage begone!

C:\Users\ivucica>nltest /dsgetdc:ds.MYDOMAIN /force /gc
           DC: \\commander.ds.MYDOMAIN
      Address: \\
     Dom Guid: b066b58f-6fa9-42d6-a45a-ABCDEFABCDEF
     Dom Name: ds.MYDOMAIN
  Forest Name: ds.MYDOMAIN
 Dc Site Name: DO-AMS1
The command completed successfully

Or not?

C:\Users\ivucica>dcdiag / /v

Directory Server Diagnosis

Performing initial setup:
   * Connecting to directory service on server
   Ldap search capability attribute search failed on server,
   return value = 52

Back to 52. And samba_dnsupdate is still broken, and the workstation cannot administrate the DC. Because, “The server is not operational.” Thanks, Samba, and thanks, Windows, for your immensely useful error messages.

Very, very discouraging and even a bit disturbing.

Error when applying group policies on a Samba 4 AD member

Today I ran into the following issue:

C:\WINDOWS\system32>gpupdate /force
Updating policy...

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file 
from a domain controller and was not successful. Group Policy settings
may not be applied until this event is resolved. This issue may be transient and
could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
 has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
User Policy update has completed successfully.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html 
from the command line to access information about Group Policy results.

The solution is simple:

samba-tool ntacl sysvolreset

Found in a mailing list post.

Mails appearing from d1stkfactory

If you have a Debian machine and emails appear to be coming from hostname @d1stkfactory, edit /etc/mailname and set this to your actual FQDN. Another instance where I found it locally is in /etc/exim4/update-exim4.conf.conf, which is almost certainly not read by my installation of Postfix (which does explicitly refer to /etc/mailname in one place).

This appeared on a machine running on DigitalOcean, so I presume “d” refers to DigitalOcean, and “factory” refers to their internal disk image building service. That’s just speculation though.

Ubuntu, touchscreen and dualscreen: HD Touchscreen on the left, laptop on the right

If you read about calibrating touchscreen with X11 and are capable of simple addition and division, you won’t have a problem building the transformation matrix and applying it. I won’t cover the same details on how to set the matrix using xinput set-prop since I just want to write down the resulting matrix and, perhaps, save people some time if they have a setup similar to mine.

To get the name of the device, open Terminal and punch in:


In the output I found that my “Acer T232HL”’s input component is actually called “Advanced Silicon S.A CoolTouch(TM) System”. I can see all of its properties with:

xinput list-props "Advanced Silicon S.A CoolTouch(TM) System"

Since I’ve set up the screen to be on the left side, that means the top-left corner of my touch area is simply offset by 0,0, and bottom-right is 1920,1080. Considering that the total width of the usable X area is 1920+1280, I get 1920/3600=0.6 as the c0 constant on the above link.

My usable area’s height is max(1080, 800) (the respective y component of the resolutions of the two displays). Considering that the touch area’s height is also 1080, then the c2 component does not need to be scaled and should be exactly 1.

I also have absolutely no offsets, so c1 and c3 stay 0.


xinput set-prop "Advanced Silicon S.A CoolTouch(TM) System" --type=float "Coordinate Transformation Matrix" 0.6 0 0 0 1 0 0 0 1
# And if needed, to make the display configured as described above:
xrandr --output DP-0 --auto --left-of LVDS-0
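The same calculation as a reusable function, added here as an example and not part of the original post: it derives c0, c1, c2 and c3 from the size and position of the touchscreen and of the second display, so it also covers layouts with an offset. The function name touch_matrix and the second (mirrored) layout are assumptions for illustration.

```shell
#!/bin/sh
# touch_matrix TW TH TX TY OW OH OX OY
#   TW/TH: touchscreen size in pixels, TX/TY: its top-left corner in X space
#   OW/OH/OX/OY: the same for the other (non-touch) display
# Prints the nine values for "Coordinate Transformation Matrix":
#   c0 0 c1 / 0 c2 c3 / 0 0 1, each constant a fraction of the total X area.
touch_matrix() {
    awk -v tw="$1" -v th="$2" -v tx="$3" -v ty="$4" \
        -v ow="$5" -v oh="$6" -v ox="$7" -v oy="$8" 'BEGIN {
        # The total X area is the bounding box of both displays.
        total_w = (tx + tw > ox + ow) ? tx + tw : ox + ow
        total_h = (ty + th > oy + oh) ? ty + th : oy + oh
        if (total_w <= 0 || total_h <= 0) exit 1
        c0 = tw / total_w; c1 = tx / total_w    # x scale and x offset
        c2 = th / total_h; c3 = ty / total_h    # y scale and y offset
        printf "%g 0 %g 0 %g %g 0 0 1\n", c0, c1, c2, c3
    }'
}

# Layout from the post: 1920x1080 touchscreen at 0,0, 1280x800 laptop right of it.
touch_matrix 1920 1080 0 0 1280 800 1920 0
# Hypothetical mirrored layout: laptop on the left, touchscreen at x=1280.
touch_matrix 1920 1080 1280 0 1280 800 0 0
```

The output can be passed unquoted as the trailing arguments of xinput set-prop ... "Coordinate Transformation Matrix".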

From the times when I was trying to get Linux to run on iPaq H3800 devices using the kernel and distributions published at the now-defunct, I remember the “tslib” which included a touchscreen calibration tool. I wonder if that can and should be used to calibrate the modern multitouch displays.

Update (April 5th 2014): I just dug out package ‘xinput_calibrator’ by random googling, but have not tried it out yet.

Ubuntu 13.10 live CD: Blank screen with EFI

Ubuntu 13.10 fails to start X11 on a MacBook Pro with retina display, and it fails to start X11 on VirtualBox when EFI mode is turned on. Even the failover mode fails. This has been tried with the 64-bit version of Ubuntu 13.10. Machines: a 2013 MacBook Pro; and a VirtualBox 4.3.6 virtual machine configured for Ubuntu (64-bit) OS, with EFI turned on.

Ubuntu’s failover configuration tries to use the vesa module, which is not available when running under native EFI or UEFI mode.

Let’s fix this by using the fbdev module.

  1. Hit ctrl+alt+f1 to switch to console.
  2. Type sudo -i to become root.
  3. Now let’s fix the relevant files:
    cd /etc/X11/
    sed 's/Driver.*"vesa"/Driver "fbdev"/' xorg.conf.failsafe > xorg.conf
  4. Restart X11 et al: service lightdm restart
  5. If necessary, switch to the VT dedicated to X11: hit ctrl+alt+f7

Note that the screen will stay blank for a while longer; give the system some time to proceed.

Good luck!


Few notes on UPC Ireland’s Technicolor TC7200

Update 2014/01/03: You are probably here for one reason: how to use SNMP to switch this router to bridge mode? As this is unsupported by UPC Ireland, let’s hope they don’t spoil the fun for us. (After posting the main body of the post, I actually got a proper DD-WRT friendly router and have started using this.) So here’s what you’re interested in.

To switch the device into pure modem, non-routing mode, you use:

snmpset -v2c -c public i 1

Additionally, concerning IPv6, at no later time have I observed receiving an IPv6 globally routable address, so I guess that was a lucky hiccup.

Based on this thread which I ran into here. These are just notes; if you can learn something from them, do so; but please be careful and fully aware that these are not instructions — merely notes for my own personal use in the future. I do not recommend you follow the notes; quite the opposite.

Despite (according to their reps on Twitter) telnet being unsupported by UPC, you can easily telnet and use username: webstar, password: webstar to log into the console. There isn’t much to do there, sadly. Apparently you may be able to use the set command to control SNMP settings.

Some configuration of hidden features can be done via SNMP. I highly advise you not to do that. This is unsupported by UPC, and you might be unable to restore settings to the previous state.

To switch the device into pure modem, non-routing mode, supposedly you use:

snmpset -v2c -c public i 1

This didn’t work for me immediately. It seems to work immediately after reboot. Also worth noting is the snmpwalk command:

snmpwalk -v2c -c public

Note that the value of “1” means “modem mode” (also known as “bridge mode”), while “2” means “ordinary NAT+routing mode”.

Be very careful. Turning on “modem mode” breaks Wi-Fi. You may need to bring up a separate access point for Wi-Fi. You may have trouble restoring the setting. PUBLISHING OF THESE NOTES DOES NOT CONSTITUTE ENDORSEMENT TO ACTUALLY USE THEM.

Also, I was unable to restore the setting to “2” using SNMP. Hard reset by holding the reset button for 30 seconds worked. Unless you use it strictly as a modem, with another device that performs NAT and IPv6 routing, it isn’t worth switching to NAT mode. So please don’t do this unless you’re fully prepared for breakage of service and possibly annoying UPC (since they obviously don’t want people to play with this).

It’s interesting that UPC does assign a public, fully routable IPv6 /64 prefix. Too bad that it’s not exposed to regular users locked behind a NAT who cannot get direct access to the public Internet, and who have been locked out of it by a firmware that is seemingly arbitrarily restricted compared to the one used in the Netherlands. UPDATE: Two sources have told me that they did not receive an IPv6 prefix or address. As I am not keeping my device in bridge mode, and I do not advise readers to do so either (unless they have very good reasons), I cannot and won’t verify this. You can opt to leave a comment on your success, but I want to be clear that neither my text, nor any comments below, represent any advice on my part.

It’s also interesting that the setting seems to have survived a factory reset through the web interface. Factory reset through web interface has, however, restored WiFi functionality, and it seems that WiFi and LAN are getting separate IP addresses. Factory reset by holding the reset button for 30 seconds is the actual hard reset and cleans up the setting for “modem mode”.