Tag Archives: Samba

Samba 4 + Windows 10 time synchronization issues

Leave a reply

Where does ListeningThread -- Recvd 52 of 48/68 bytes come from?

If you follow the instructions for setting up Samba 4 AD DC for time synchronization, ntpd (coming out of Debian’s ntp package at some version 4.2.8) should just work.1

I came to this discovery after giving up and discarding my /etc/ntp.conf. Suddenly, after restarting ntpd and running w32tm /resync, things just worked. It’s not the software that’s broken — it’s me that was crazy.

The packet was now 110 bytes in Wireshark (68 of which was data). This was a stark improvement over seeing a 94 byte packet (52 of which was data). C:\temp\ntpDebug.log 2 no longer contained this:

ListeningThread -- Recvd 52 of 48/68 bytes

Hoozah! Now I wanted to figure out what was causing ntpd to send 52b packets, and not either 48b or 68b packets.

Turns out that my restrict statements had unexpected side effects. For instance, Samba wiki-recommended config tries to unrestrict localhost using restrict 127.0.0.1. 3

But I wanted to do the same for IPv6 localhost, so I did restrict ::1. This seems to have greatly confused ntpd.

The way out?

restrict -4 127.0.0.1
restrict -6 ::1

Second mistake was restrict 10.10.10.0 mask 255.255.255.0. It didn’t specify that mssntp should be enabled. For good measure I threw in -4:

restrict -4 10.10.10.0 mask 255.255.255.0 mssntp

Given that Samba config doesn’t recommend any special allowlisting for my internal IP range, I’ll just remove this line completely; the default restriction from the wiki should cover everything clients need to do anyway:

# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer mssntp

Moral of the story? ntpd seems to be awfully sensitive to restrict statements. If w32time service complains or breaks in some way, be sure to remove the statements bit by bit, or make sure IPv4 and IPv6 statements don’t stomp over each other.

  1. Granted, I needed to modify the path to the socket to say /var/lib/samba/ntp_signd/ instead of /usr/local/samba/var/lib/ntp_signd/, but otherwise it just worked. 
  2. That file was created using w32tm /debug /enable /file:C:\temp\ntpDebug.log /size:102400 /entries:0-300 which I found somewhere online. 
  3. Apparently, passing no restrictions at all after the address simply means “unrestrict these peers”. 

Samba AD issues are hard, hard, hard to fix

Leave a reply

So it looks like I did something wrong at some point while setting up a domain and Samba4 is now broken for me.

Of course this had to happen after I spent time migrating my local account to the domain account. (No, it did not go as smoothly as the sources might lead you to believe.)

So I am understandably reluctant to reprovision the machine and go through that process again, breaking who-knows-what-else by breaking the NTFS ACLs formed since.

So yeah, I’ll use this post as an outlet for complaints about this breakage:

Mar  1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.752020,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar  1 00:42:17 commander samba[12250]:   /usr/sbin/samba_dnsupdate: Traceback (most recent call last):
Mar  1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.753033,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar  1 00:42:17 commander samba[12250]:   /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 612, in <module>
Mar  1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.753757,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar  1 00:42:17 commander samba[12250]:   /usr/sbin/samba_dnsupdate:     get_credentials(lp)
Mar  1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.754374,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar  1 00:42:17 commander samba[12250]:   /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 118, in get_credentials
Mar  1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.755084,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar  1 00:42:17 commander samba[12250]:   /usr/sbin/samba_dnsupdate:     creds.set_machine_account(lp)
Mar  1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.755797,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar  1 00:42:17 commander samba[12250]:   /usr/sbin/samba_dnsupdate: RuntimeError: (-1073741275, 'NT_STATUS_NOT_FOUND')

…uh, so the machine account is missing? What? How did that happen? Is it really missing?

# samba-tool user create COMMANDER$
New Password: #DUMMYPASSWORDHERE#
Retype Password: #DUMMYPASSWORDHERE#
ERROR(ldb): Failed to add user 'COMMANDER$':  - samldb: Account name (sAMAccountName) 'COMMANDER$' already in use!

Let’s try this, found on Samba’s wiki:

samba-tool dbcheck --fix --reset-well-known-acls

Hurray, an error has been fixed! But everything is still horribly broken.

Oh look! There’s a DC diagnostics tool shipping in Windows:

C:\Users\ivucica>dcdiag /s:ds.badc0de.net /v

Directory Server Diagnosis

Performing initial setup:
   * Connecting to directory service on server ds.badc0de.net.
   Ldap search capability attribute search failed on server ds.badc0de.net,
   return value = 52

Thanks, Microsoft, that’s helpful.

So I fiddled a bit and ended up with this:

C:\Users\ivucica>dcdiag /s:commander

Directory Server Diagnosis

Performing initial setup:
   Ldap search capability attribute search failed on server commander, return
   value = 81

C:\Users\ivucica>dcdiag /s:commander.ds.MYDOMAIN

Directory Server Diagnosis

Performing initial setup:
   Ldap search capability attribute search failed on server
   commander.ds.MYDOMAIN, return value = 81

No, passing /v did not help identifying either error 52 nor 81. But that 81 is mildly googlable. Wait, it’s mentioning LDAP… Is it even running?

Oh wait, Microsoft has another diagnostics tool (of course it does)

C:\Users\ivucica>nltest /dsgetdc:ds.MYDOMAIN force /gc
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

Of course there is no such domain, why would there be, am I right? tcpdump revealed that UDP packets on 389 were being rejected (and nothing is listening there). And connections to localhost were failing. So let’s look at help for samba-tool dbcheck. Huh. Let’s try this:

samba-tool dbcheck --fix --reindex --scope=base

And breakage begone!

C:\Users\ivucica>nltest /dsgetdc:ds.MYDOMAIN /force /gc
           DC: \\commander.ds.MYDOMAIN
      Address: \\10.0.99.150
     Dom Guid: b066b58f-6fa9-42d6-a45a-ABCDEFABCDEF
     Dom Name: ds.MYDOMAIN
  Forest Name: ds.MYDOMAIN
 Dc Site Name: DO-AMS1
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST
The command completed successfully

Or not?

C:\Users\ivucica>dcdiag /s:ds.badc0de.net /v

Directory Server Diagnosis

Performing initial setup:
   * Connecting to directory service on server ds.badc0de.net.
   Ldap search capability attribute search failed on server ds.badc0de.net,
   return value = 52

Back to 52. And samba_dnsupdate is still broken, and the workstation cannot administrate the DC. Because, “The server is not operational.” Thanks, Samba, and thanks, Windows, for your immensely useful error messages.

Very, very discouraging and even a bit disturbing.

Error when applying group policies on a Samba 4 AD member

3 Replies

Today I ran into the following issue:

C:\WINDOWS\system32>gpupdate /force
Updating policy...

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file 
\\YOUR.DOMAIN\sysvol\YOUR.DOMAIN\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
from a domain controller and was not successful. Group Policy settings
may not be applied until this event is resolved. This issue may be transient and
could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
 has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
User Policy update has completed successfully.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html 
from the command line to access information about Group Policy results.

The solution is simple:

samba-tool ntacl sysvolreset

Found in a mailing list post.