Hi,

I joined a new samba-4.7 DC to our AD, replicated everything over, then turned off the old DCs, seized fsmo roles, and added two extra 4.7 DCs.

Everything above succeeded without warnings, and everything seems to be running very well finally, except for the sysvolcheck / sysvolreset.

We're on xfs, and the File System Support checks on the samba wiki page all pass, although at the time of the domain join, I had not yet installed acl / xattr / attr. Not sure if these are required at join time, but anyway, no warning was given during the join.

I added those packages later, after discovering that "getfacl /var/lib/samba/sysvol" displayed no extended ACLs at all.

Next I tried samba-tool ntacl sysvolcheck:

> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> ldb_wrap open of idmap.ldb
> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1659, in check_gpos_acl
>     direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 81, in getntacl
>     xattr.XATTR_NTACL_NAME)

Thinking I had to perhaps do sysvolreset first, but:

> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> ldb_wrap open of idmap.ldb
> lp_load_ex: refreshing parameters
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [acl_xattr]
> load_module_absolute_path: Module '/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded
> Initialising custom vfs hooks from [dfs_samba4]
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [acl_xattr]
> Initialising custom vfs hooks from [dfs_samba4]
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
> lp_load_ex: refreshing parameters
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> ldb_wrap open of idmap.ldb
> ldb_wrap open of idmap.ldb
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [acl_xattr]
> Initialising custom vfs hooks from [dfs_samba4]
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> unpack_nt_owners: owner sid mapped to uid 0
> unpack_nt_owners: group sid mapped to gid 3000000
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [acl_xattr]
> Initialising custom vfs hooks from [dfs_samba4]
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> unpack_nt_owners: owner sid mapped to uid 0
> unpack_nt_owners: group sid mapped to gid 3000000
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [acl_xattr]
> Initialising custom vfs hooks from [dfs_samba4]
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> unpack_nt_owners: owner sid mapped to uid 0
> unpack_nt_owners: group sid mapped to gid 3000000
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [acl_xattr]
> Initialising custom vfs hooks from [dfs_samba4]
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
>     lp, use_ntvfs=use_ntvfs)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
> open: error=2 (No such file or directory)

The idmap.ldb was NOT copied from the old DCs, but I kept the new default one instead, since all three DCs are new, this would be ok..?

This happens on all three new DCs, debian stretch, very basic smb.conf as generated by the samba-tool domain join:

> # Global parameters
> [global]
>     netbios name = DC6
>     realm = SAMBA.COMPANY.COM
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>     workgroup = WRKGRP
>     server role = active directory domain controller
>
>     log level = 3
>
> [netlogon]
>     path = /var/lib/samba/sysvol/samba.company.com/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No

Could anyone tell me where to look for the problem, here?

MJ

Run this check up:

https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh

And to just run it as a test, also change lines 202, 204, 214 and 215: just put a # in front of them, so you make sure nothing is applied with this test.

Run it on both servers and compare the output file default-rights-sysvol.acl

If you have differences, a diff of the 2 files should show it to you.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj via samba
> Sent: Thursday 26 October 2017 11:38
> To: samba at lists.samba.org
> Subject: [Samba] sysvolcheck on fresh samba 4.7 DCs
>
> Hi,
>
> I joined a new samba-4.7 DC to our AD, replicated everything over, then
> turned off the old DCs, seized fsmo roles, and added two extra 4.7 DCs.
>
> Everything above succeeded without warnings, and everything seems to be
> running very well finally, except for the sysvolcheck / sysvolreset.
>
> We're on xfs, and the File System Support checks on the samba wiki page
> all pass, although at the time of the domain join, I had not yet
> installed acl / xattr / attr. Not sure if these are required at join
> time, but anyway, no warning was given during the join.
>
> I added those packages later, after discovering that "getfacl
> /var/lib/samba/sysvol" displayed no extended ACLs at all.

On Thu, 2017-10-26 at 11:38 +0200, mj via samba wrote:

> Hi,
>
> I joined a new samba-4.7 DC to our AD, replicated everything over, then
> turned off the old DCs, seized fsmo roles, and added two extra 4.7 DCs.
>
> Everything above succeeded without warnings, and everything seems to be
> running very well finally, except for the sysvolcheck / sysvolreset.
>
> We're on xfs, and the File System Support checks on the samba wiki page
> all pass, although at the time of the domain join, I had not yet
> installed acl / xattr / attr. Not sure if these are required at join
> time, but anyway, no warning was given during the join.

Yes, that is required at build and run time.

> I added those packages later, after discovering that "getfacl
> /var/lib/samba/sysvol" displayed no extended ACLs at all.
>
> Next I tried samba-tool ntacl sysvolcheck:
>
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > ldb_wrap open of idmap.ldb
> > ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
> >     lp)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
> >     direct_db_access)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1659, in check_gpos_acl
> >     direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 81, in getntacl
> >     xattr.XATTR_NTACL_NAME)
>
> Thinking I had to perhaps do sysvolreset first, but:
>
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > ldb_wrap open of idmap.ldb
> > lp_load_ex: refreshing parameters
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > load_module_absolute_path: Module '/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
> > lp_load_ex: refreshing parameters
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > ldb_wrap open of idmap.ldb
> > ldb_wrap open of idmap.ldb
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > unpack_nt_owners: owner sid mapped to uid 0
> > unpack_nt_owners: group sid mapped to gid 3000000
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > unpack_nt_owners: owner sid mapped to uid 0
> > unpack_nt_owners: group sid mapped to gid 3000000
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > unpack_nt_owners: owner sid mapped to uid 0
> > unpack_nt_owners: group sid mapped to gid 3000000
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
> >     lp, use_ntvfs=use_ntvfs)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
> >     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
> >     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
> >     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
> > open: error=2 (No such file or directory)
>
> The idmap.ldb was NOT copied from the old DCs, but I kept the new
> default one instead, since all three DCs are new, this would be ok..?

That should be fine.

> This happens on all three new DCs, debian stretch, very basic smb.conf
> as generated by the samba-tool domain join:
>
> > # Global parameters
> > [global]
> >     netbios name = DC6
> >     realm = SAMBA.COMPANY.COM
> >     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >     workgroup = WRKGRP
> >     server role = active directory domain controller
> >
> >     log level = 3
> >
> > [netlogon]
> >     path = /var/lib/samba/sysvol/samba.company.com/scripts
> >     read only = No
> >
> > [sysvol]
> >     path = /var/lib/samba/sysvol
> >     read only = No
>
> Could anyone tell me where to look for the problem, here?

I don't see any reference to TDB-based xattrs being used, but I suspect things are not happy here. Check the build got extended attribute support (I'm pretty sure it whines at you however) and re-join.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Thu, 26 Oct 2017 11:38:19 +0200 mj via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I joined a new samba-4.7 DC to our AD, replicated everything over,
> then turned off the old DCs, seized fsmo roles, and added two extra
> 4.7 DCs.
>
> Everything above succeeded without warnings, and everything seems to
> be running very well finally, except for the sysvolcheck /
> sysvolreset.
>
> We're on xfs, and the File System Support checks on the samba wiki
> page all pass, although at the time of the domain join, I had not yet
> installed acl / xattr / attr. Not sure if these are required at join
> time, but anyway, no warning was given during the join.
>
> The idmap.ldb was NOT copied from the old DCs, but I kept the new
> default one instead, since all three DCs are new, this would be ok..?

Well it wouldn't give you the problem you are having, but you should sync idmap.ldb from the first DC to the others.

> This happens on all three new DCs, debian stretch,

Have you compared the contents of /var/lib/samba/sysvol on the first DC with the others? (hint, hint)

After you have checked, you might find this wikipage useful:

https://wiki.samba.org/index.php/SysVol_replication_%28DFS-R%29

Rowland

Hi Andrew and Louis,

Found the issue: after rsync-ing the sysvol from our old decommissioned DCs, the sysvolreset/sysvolcheck DO work out.

I tried to keep the things simple first, by NOT immediately importing our old sysvol contents, but first check with a default sysvol...

I thought that the sysvolreset would just reset whatever is located under samba/sysvol, but I guess that it reads the directories from the database. Once the on-disk directories matched the sam database contents, things worked fine.

Sorry... :-|

MJ
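
A check for the mismatch described in the last message, added here as an example and not part of the original thread: it lists the GPO directories that the directory database expects but that are absent under the local sysvol. The input layout follows what `samba-tool gpo listall` prints; the sample text, the helper names and the temporary directory are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed sample in the layout printed by `samba-tool gpo listall`,
# using the domain name from the thread's smb.conf.
SAMPLE_LISTALL = r"""GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\samba.company.com\sysvol\samba.company.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samba,DC=company,DC=com
version      : 0
flags        : NONE

GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path         : \\samba.company.com\sysvol\samba.company.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samba,DC=company,DC=com
version      : 0
flags        : NONE
"""

# Matches "path : \\<host>\sysvol\<rest>" and captures <rest>.
PATH_RE = re.compile(r"^path\s*:\s*\\\\[^\\]+\\sysvol\\(.+)$",
                     re.IGNORECASE | re.MULTILINE)


def gpo_dirs_from_listall(text):
    """Return the sysvol-relative directory of every GPO in the listing."""
    return [m.group(1).strip().replace("\\", "/")
            for m in PATH_RE.finditer(text)]


def missing_gpo_dirs(listall_text, sysvol_root):
    """Return GPO directories known to the database but absent on disk."""
    return [rel for rel in gpo_dirs_from_listall(listall_text)
            if not os.path.isdir(os.path.join(sysvol_root, rel))]


def demo():
    """Build a sysvol holding only the first GPO and report what is missing."""
    with tempfile.TemporaryDirectory() as sysvol_root:
        present = gpo_dirs_from_listall(SAMPLE_LISTALL)[0]
        os.makedirs(os.path.join(sysvol_root, present))
        return missing_gpo_dirs(SAMPLE_LISTALL, sysvol_root)


if __name__ == "__main__":
    for rel in demo():
        print("missing on disk:", rel)
```

On a DC, pass the real output of `samba-tool gpo listall` and `/var/lib/samba/sysvol` to `missing_gpo_dirs`; an empty result means every GPO in the database has its directory on disk.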