Second DC won't start LDAP daemon

Second DC won't start LDAP daemon

Samba - General mailing list
Hello.

I've got a network of FreeBSD servers which traditionally hosted a
classic domain.
I upgraded some months ago, removing the old PDC and BDC and migrating
to an AD DC controller in a jail.
This is working fine with Samba 4.4.13.

Now I'm trying to add a second DC, so I created a new jail on another
physical server and went on with the setup, following:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory



Replication works fine (i.e. kerberos ticket, user replication, etc...),
but the second DC won't answer LDAP queries; in fact it's not binding to
the LDAP port!
I.e. on the new DC:
> # samba-tool drs showrepl
> Failed to connect to ldap URL 'ldap://dc2.xxxxx.xxxxxxxx.xx' - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
> Failed to connect to 'ldap://dc2.xxxxx.xxxxxxxxx.xx' with backend 'ldap': (null)
> ERROR(ldb): LDAP connection to dc2.xxxxx.xxxxxxxxx.xx failed - None

Obviously the same command works on the first DC.



Such a different behaviour puzzles me, as the host OSes are identical,
the two jails are identical, with the same package set built the same
way; the config files are identical too (with the obvious difference of
the IP on the "interfaces" line):

> [global]
>         log level = 1
>         netbios name = DC2
>         realm = XXXXX.XXXXXXXX.XX
>         workgroup = XXXXX
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         dns forwarder = x.y.z.15
>         interfaces = re0 x.y.z.41/24
>         bind interfaces only = yes


I've waded through the logs, but was not able to sort this out.
I'm attaching a level 3 log in case anyone is willing to give me a hint.

TIA.

  bye
        av.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Attachment: log.samba (37K)
Re: Second DC won't start LDAP daemon

On 05/08/17 11:17, Andrea Venturoli wrote:

> Hello.
>
> I've got a network of FreeBSD servers which traditionally hosted a
> classic domain.
> I upgraded some months ago, removing the old PDC and BDC and migrating
> to an AD DC controller in a jail.
> This is working fine with Samba 4.4.13.
>
> Now I'm trying to add a second DC, so I created a new jail on another
> physical server and went on with the setup, following:
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory 

After spending several hours trying to sort this out, I found that the
ldap task will work (and bind to port 389) if I put "tls enabled=no" in
the config file.

With "tls enabled=yes" (or nothing, since it's the default) I get:
"Child 24011 (ldap) terminated with signal 4"

I tried generating a self-signed certificate as per:
> https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

Unfortunately, the only effect is that "Attempting to autogenerate TLS
self-signed keys for https for hostname 'XXX.xxxxx.xxxxxxxx.xx'" changes
to "TLS autogeneration skipped - some TLS files already exist".
Then I get the same error as above.


Any suggestion?
TIA.

  bye
        av.

Re: Second DC won't start LDAP daemon

On Mon, 2017-05-15 at 18:58 +0200, Andrea Venturoli via samba wrote:

> On 05/08/17 11:17, Andrea Venturoli wrote:
> > Hello.
> >
> > I've got a network of FreeBSD servers which traditionally hosted a
> > classic domain.
> > I upgraded some months ago, removing the old PDC and BDC and migrating
> > to an AD DC controller in a jail.
> > This is working fine with Samba 4.4.13.
> >
> > Now I'm trying to add a second DC, so I created a new jail on another
> > physical server and went on with the setup, following:
> > > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory 
>
> After spending several hours trying to sort this out, I found that the
> ldap task will work (and bind to port 389) if I put "tls enabled=no" in
> the config file.
>
> With "tls enabled=yes" (or nothing, since it's the default) I get:
> "Child 24011 (ldap) terminated with signal 4"
>
> I tried generating a self-signed certificate as per:
> > https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
>
> Unfortunately, the only effect is that "Attempting to autogenerate TLS
> self-signed keys for https for hostname 'XXX.xxxxx.xxxxxxxx.xx'" changes
> to "TLS autogeneration skipped - some TLS files already exist".
> Then I get the same error as above.
>
>
> Any suggestion?
> TIA.

What is your platform, and what is signal 4 on your platform?  It is
SIGILL on x86_64 linux.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Second DC won't start LDAP daemon

On 05/17/17 21:14, Andrew Bartlett wrote:

> What is your platform

FreeBSD 10.3/amd64.



> and what is signal 4 on your platform?
> It is SIGILL on x86_64 linux.

I believe signals are more or less standard across all Unices... anyway
it's SIGILL on FreeBSD too.

Where does this lead?



  bye & Thanks
        av.


Re: Second DC won't start LDAP daemon

On Thu, 2017-05-18 at 09:27 +0200, Andrea Venturoli via samba wrote:

> On 05/17/17 21:14, Andrew Bartlett wrote:
>
> > What is your platform
>
> FreeBSD 10.3/amd64.
>
>
>
> > and what is signal 4 on your platform?
> > It is SIGILL on x86_64 linux.
>
> I believe signals are more or less standard across all Unices... anyway
> it's SIGILL on FreeBSD too.
>
> Where does this lead?

I always thought SIGILL was for unaligned memory access, which is
slow but permitted on x86.  I guess get it under a debugger - if you
start it with

 gdb --args samba -M single -i

That should catch it pretty fast.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Second DC won't start LDAP daemon

On 05/18/17 21:12, Andrew Bartlett wrote:

> I always thought SIGILL was for unaligned memory access, which is
> slow but permitted on x86.  I guess get it under a debugger - if you
> start it with
>
>   gdb --args samba -M single -i
>
> That should catch it pretty fast.

Not so easy: I had to install a newer gdb, since the stock one on
FreeBSD is pretty useless on C++ code; then I had to compile Samba from
source (after getting a port tree on that box).
In the end I discovered it was a faulty gnutls package (possibly
compiled with optimizations which are not allowed on this CPU?).
I recompiled that too and everything is working now.
Sorry for the noise.

  bye & Thanks
        av.

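The thread's diagnosis ran in three steps: name the signal on the platform that delivered it (Andrew's question), confirm what is and is not bound on the LDAP ports, and catch the dying task under gdb in single-process mode. The script below is an added triage helper that walks those steps; it is not code from the thread or from the Samba project. The log-parsing part runs offline on a constructed excerpt (not the poster's 37K attachment); the live checks assume FreeBSD's sockstat or Linux's ss, samba-tool, openssl and gdb on the DC, and are only meaningful when run there. It also spells out the caveat the thread leaves implicit: "tls enabled = no" gets the task started, but it turns off LDAPS and StartTLS for every client of that DC.

```shell
#!/bin/sh
# Added triage helper for the failure mode in this thread: the Samba "ldap"
# task dies with a signal when TLS is enabled, so nothing listens on 389/636
# and "samba-tool drs showrepl" gets NT_STATUS_CONNECTION_REFUSED on the new
# DC while DRS/Kerberos replication keeps working. Not Samba code; tool names
# for FreeBSD (sockstat) and Linux (ss) are assumptions.

# Name of a signal number according to the shell/kernel this runs on.
# 4 is ILL on both FreeBSD and x86_64 Linux, but higher numbers differ
# (10 is BUS on FreeBSD and USR1 on Linux), hence the question in the thread.
signal_name() {
    n=$(kill -l "$1" 2>/dev/null) || { echo UNKNOWN; return 1; }
    printf '%s\n' "${n#SIG}"
}

# Parse one Samba log line of the form
#   Child <pid> (<task>) terminated with signal <n>
# into "pid=<pid> task=<task> signal=<n> name=<NAME>". Returns 1 otherwise.
parse_child_crash() {
    line=$1
    case $line in
        *"terminated with signal "*) ;;
        *) return 1 ;;
    esac
    pid=$(printf '%s\n' "$line" | sed -n 's/.*Child \([0-9][0-9]*\) (.*/\1/p')
    task=$(printf '%s\n' "$line" | sed -n 's/.*Child [0-9][0-9]* (\([^)]*\)).*/\1/p')
    sig=$(printf '%s\n' "$line" | sed -n 's/.*terminated with signal \([0-9][0-9]*\).*/\1/p')
    [ -n "$pid" ] && [ -n "$task" ] && [ -n "$sig" ] || return 1
    printf 'pid=%s task=%s signal=%s name=%s\n' "$pid" "$task" "$sig" "$(signal_name "$sig")"
}

# Summarise a log read on stdin as "<count> task=... signal=... name=...",
# so a task that keeps being restarted and killed shows up as one line.
crash_summary() {
    while IFS= read -r l; do
        parse_child_crash "$l" || true
    done | cut -d' ' -f2- | sort | uniq -c | sed 's/^ *//'
}

# Constructed excerpt in the shape of the thread's log line (not real data).
SAMPLE_LOG='  Child 24011 (ldap) terminated with signal 4
  task: ldap started
  Child 24012 (ldap) terminated with signal 4
  Child 24013 (kdc) terminated with signal 11'

demo_crash_summary() {
    printf '%s\n' "$SAMPLE_LOG" | crash_summary
}

# --- live checks, to be run on the DC itself (not exercised offline) ---

# Is anything bound to the LDAP ports? An empty result is the thread's
# symptom: replication works, but ldap:// and ldaps:// are refused.
ldap_listeners() {
    if command -v sockstat >/dev/null 2>&1; then      # FreeBSD
        sockstat -4 -l | awk '$6 ~ /:(389|636)$/'
    else                                              # Linux
        ss -ltnp | awk '$4 ~ /:(389|636)$/'
    fi
}

# Effective TLS settings. "tls enabled = no" makes the task start (the
# thread's workaround) but also disables LDAPS and StartTLS for every
# client, so simple binds to this DC would cross the network in clear text.
tls_settings() {
    for p in "tls enabled" "tls keyfile" "tls certfile" "tls cafile"; do
        printf '%-13s = %s\n' "$p" \
            "$(samba-tool testparm --suppress-prompt --parameter-name="$p" 2>/dev/null)"
    done
}

# Does :636 complete a handshake, and with which certificate? Expect the
# autogenerated self-signed one until a CA-issued certificate replaces it.
ldaps_probe() {
    host=${1:-$(hostname)}
    openssl s_client -connect "$host:636" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Catch the crash under a debugger as suggested in the thread: single-process
# mode keeps the ldap task inside the traced process, and gdb prints the
# backtrace at the fatal signal. The top frames name the library at fault
# (here it was a gnutls package built for instructions the host CPU lacks).
crash_backtrace() {
    gdb -batch -ex run -ex bt --args samba -M single -i
}

# Offline demonstration on the constructed excerpt.
demo_crash_summary
```

On the DC, run `ldap_listeners` first: if 389 is absent while `samba-tool drs showrepl` on the other DC is clean, the ldap task is dying rather than being misconfigured, and `crash_backtrace` is the next step. Only if `tls_settings` shows TLS off should `ldaps_probe` be expected to fail.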