Stephan Mattecka
2015-May-21 07:17 UTC
[Samba] [SAMBA] Problems with joining a second DC to AD
Hello,

I am trying to set up an AD domain with the help of the Sernet-Samba packages. Currently I'm using Scientific Linux (SL) 6.6 and Sernet-Samba 4.1.17 packages. I tried the procedure two times with fresh minimal SL installations.

I could successfully install an AD Domain Controller.
Now I tried to add a second DC to this AD domain and carefully followed the instructions on the Samba wiki.
I could also join the second DC to my domain, but when I try to run

    samba-tool ntacl sysvolreset

on the 2nd DC I get the following error messages:

    open: error=2 (No such file or directory)
    ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
      File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
        return self.run(*args, **kwargs)
      File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 218, in run
        lp, use_ntvfs=use_ntvfs)
      File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1612, in setsysvolacl
        set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
      File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1505, in set_gpos_acl
        use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
      File "/usr/lib64/python2.6/site-packages/samba/ntacls.py", line 154, in setntacl
        smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

My smb.conf on DC1:

    # Global parameters
    [global]
            workgroup = EXAMPLE
            realm = EXAMPLE.LAN
            netbios name = DC1
            interfaces = lo, eth0
            bind interfaces only = Yes
            server role = active directory domain controller
            idmap_ldb:use rfc2307 = yes
    [netlogon]
            path = /var/lib/samba/sysvol/pentracor.lan/scripts
            read only = No
    [sysvol]
            path = /var/lib/samba/sysvol
            read only = No

smb.conf on DC2:

    # Global parameters
    [global]
            workgroup = EXAMPLE
            realm = example.lan
            netbios name = DC2
            interfaces = lo, eth1
            bind interfaces only = Yes
            server role = active directory domain controller
    [netlogon]
            path = /var/lib/samba/sysvol/example.lan/scripts
            read only = No
    [sysvol
            path = /var/lib/samba/sysvol
            read only = No

I did turn off iptables and SELinux on both machines for testing purposes. The folder /var/lib/samba/sysvol exists on DC2. On DC1 I can run the sysvolreset command without any problems.

Hopefully someone has an idea what might be wrong here.

Regards
Stephan Mattecka
Rowland Penny
2015-May-21 08:36 UTC
[Samba] [SAMBA] Problems with joining a second DC to AD
On 21/05/15 08:17, Stephan Mattecka wrote:
> [...]

It is probably the lack of this line in your second DC:

    idmap_ldb:use rfc2307 = yes

Why this line isn't added when you join a secondary DC I do not know.

Rowland
L.P.H. van Belle
2015-May-21 08:39 UTC
[Samba] [SAMBA] Problems with joining a second DC to AD
Hi,

I hope your domain is not .lan (a reserved name for mDNS). It can be used, but can give problems.

In smb.conf change:

    interfaces = lo, eth0

to

    interfaces = lo, IP_of_eth0

and make sure your /etc/hosts and /etc/resolv.conf on DC2 are correct.

Make sure you have in /etc/resolv.conf on DC2:

    search example.lan
    nameserver IP_OF_DC1

and try again.

Greetz,

Louis

> -----Original message-----
> From: ste-fun_s at gmx.de [mailto:samba-bounces at lists.samba.org]
> On behalf of Stephan Mattecka
> Sent: Thursday 21 May 2015 9:18
> To: samba at lists.samba.org
> Subject: [Samba] [SAMBA] Problems with joining a second DC to AD
>
> [...]
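As an added example (not from this thread, Samba or the Sernet packages), a small Python checker for the two points the replies raise: Rowland's missing idmap_ldb:use rfc2307 line on the joined DC and Louis's advice to list IP addresses rather than device names in interfaces; it also checks that the netlogon path follows Samba's sysvol/<realm>/scripts layout. The embedded smb.conf fragments are constructed from the ones quoted in the thread, and the finding texts and the minimal parser are my own assumptions.

```python
import re

# Constructed from the two smb.conf fragments quoted in the thread (trimmed).
DC1_CONF = """[global]
        realm = EXAMPLE.LAN
        interfaces = lo, eth0
        idmap_ldb:use rfc2307 = yes
[netlogon]
        path = /var/lib/samba/sysvol/pentracor.lan/scripts
"""
DC2_CONF = """[global]
        realm = example.lan
        interfaces = lo, eth1
[netlogon]
        path = /var/lib/samba/sysvol/example.lan/scripts
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}} with lower-cased keys."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            if not line.endswith("]"):   # e.g. the "[sysvol" header in the thread
                raise ValueError("unterminated section header: " + line)
            section = line[1:-1].lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def check_second_dc(dc1, dc2):
    """Compare a joined DC's parsed config with the first DC's; return findings."""
    g1, g2, findings = dc1["global"], dc2["global"], []
    rfc = "idmap_ldb:use rfc2307"     # Rowland's point: the join does not copy it
    if g1.get(rfc, "").lower() == "yes" and g2.get(rfc, "").lower() != "yes":
        findings.append("missing '%s = yes' in [global]" % rfc)
    # Louis's point: list IP addresses (optionally with /prefix), not device names.
    for iface in re.split(r"[,\s]+", g2.get("interfaces", "")):
        if iface and iface != "lo" and not re.match(r"^\d+(\.\d+){3}(/\d+)?$", iface):
            findings.append("interfaces: '%s' is a device name, use its IP" % iface)
    # Samba's default layout puts the netlogon scripts under sysvol/<realm>/scripts.
    expected = "/var/lib/samba/sysvol/%s/scripts" % g2.get("realm", "").lower()
    if dc2.get("netlogon", {}).get("path") != expected:
        findings.append("netlogon path is not " + expected)
    return findings
```

Running check_second_dc on DC1 against itself also flags the pentracor.lan netlogon path, which does not match the EXAMPLE.LAN realm in the posted DC1 config.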