I've set up my second DC, following the samba wiki, without major trouble. Only three notes:

a) I've followed the suggestion to move idmap.ldb from the first DC to the second (Rowland! Clap me! I've not said 'primary' and 'secondary'! ;-).

After that, as suggested by the wiki, I've done a 'samba-tool ntacl sysvolreset' but:

root at vdcpp1:~# samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

Googling around, it seems that even root cannot handle wrong ACLs (and they are wrong, because I've just changed the xID).

I've simply copied (via rsync) the sysvol from the first DC and after that 'samba-tool ntacl sysvolreset' worked as expected.

I suppose this has to be added to the wiki...

b) After configuring the second DC, and on the second DC only, I'm getting in the logs:

Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.069206, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
Oct 26 11:15:22 vdcpp1 samba[1257]: /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.090246, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
Oct 26 11:15:22 vdcpp1 samba[1257]: /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.111456, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
Oct 26 11:15:22 vdcpp1 samba[1257]: /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.133550, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
Oct 26 11:15:22 vdcpp1 samba[1257]: /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.153213, 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
Oct 26 11:15:22 vdcpp1 samba[1257]: ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 26

but I've not enabled DDNS! Or at least I've not configured it on either the first or the second DC... Why?

c) Why, on the first DC, does /etc/samba/smb.conf created by 'samba-tool domain provision' have:

    idmap_ldb:use rfc2307 = yes

while the second, created with 'samba-tool domain join', has not? Do I have to add it?

Thanks.

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

        Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On Thu, 26 Oct 2017 12:41:11 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> I've set up my second DC, following the samba wiki, without major
> trouble.
>
> Only three notes:
>
> a) I've followed the suggestion to move idmap.ldb from the first DC to
> the second (Rowland! Clap me! I've not said 'primary' and
> 'secondary'! ;-).
>
> After that, as suggested by the wiki, I've done a 'samba-tool ntacl
> sysvolreset' but:
>
> root at vdcpp1:~# samba-tool ntacl sysvolreset
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
>     lp, use_ntvfs=use_ntvfs)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
>
> Googling around, it seems that even root cannot handle wrong ACLs (and they
> are wrong, because I've just changed the xID).
>
> I've simply copied (via rsync) the sysvol from the first DC and after
> that 'samba-tool ntacl sysvolreset' worked as expected.
>
> I suppose this has to be added to the wiki...
>
> b) After configuring the second DC, and on the second DC only, I'm
> getting in the logs:
>
> Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.069206, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> Oct 26 11:15:22 vdcpp1 samba[1257]: /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
> Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.090246, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> Oct 26 11:15:22 vdcpp1 samba[1257]: /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
> Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.111456, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> Oct 26 11:15:22 vdcpp1 samba[1257]: /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
> Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.133550, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> Oct 26 11:15:22 vdcpp1 samba[1257]: /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
> Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.153213, 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
> Oct 26 11:15:22 vdcpp1 samba[1257]: ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 26
>
> but I've not enabled DDNS! Or at least I've not configured it on either
> the first or the second DC... Why?

If you look carefully, it is '/usr/sbin/samba_dnsupdate' that is logging, and this is run at samba startup and then regularly.

If you run 'samba_dnsupdate --help' and amongst the output is '--use-samba-tool', you can add 'dns update command = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool' to smb.conf on the DC; this should fix this problem.

> c) Why, on the first DC, does /etc/samba/smb.conf created by 'samba-tool
> domain provision' have:
>
>     idmap_ldb:use rfc2307 = yes
>
> while the second, created with 'samba-tool domain join', has not? Do I have
> to add it?

Good question, when you join a new DC, there doesn't seem to be a good way to find out if the line is required, so it isn't added, so you need to add it manually.

Rowland
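A small check for a freshly joined DC, added here as an example and not Rowland's or the Samba project's code: it reads smb.conf for the two [global] lines this thread covers ('idmap_ldb:use rfc2307' and 'dns update command') and tests a copy of the 'samba_dnsupdate --help' output for '--use-samba-tool' before the override is added. The smb.conf contents and help text it uses are constructed samples written to mktemp files, so it runs offline without Samba installed.

```shell
#!/bin/sh
# Added example (not Rowland's or the Samba project's code): check a joined
# DC's smb.conf for the two [global] lines discussed above and check whether
# 'samba_dnsupdate --help' lists --use-samba-tool. The smb.conf contents and
# help text are constructed samples so the script runs offline.

# Print the [global] value of a parameter (case-insensitive, any spacing
# around '='); print nothing when the parameter is absent.
smbconf_get() {
    awk -v k="$2" '
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /\[global\]/); next }
        insec && !/^[[:space:]]*[#;]/ && index($0, "=") > 0 {
            name = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            if (tolower(name) == tolower(k)) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                print val; exit
            }
        }' "$1"
}
# Print (one per line) whichever of the two settings is missing from [global].
check_dc_conf() {
    for key in "idmap_ldb:use rfc2307" "dns update command"; do
        [ -n "$(smbconf_get "$1" "$key")" ] || printf '%s\n' "$key"
    done
}
# Succeed when the given 'samba_dnsupdate --help' output mentions the option.
dnsupdate_supports_samba_tool() {
    printf '%s\n' "$1" | grep -q -- '--use-samba-tool'
}

# Constructed sample: what 'samba-tool domain join' left in smb.conf.
JOINED_CONF=$(mktemp)
cat > "$JOINED_CONF" <<'EOF'
[global]
    netbios name = VDCPP1
    server role = active directory domain controller
[sysvol]
    path = /var/lib/samba/sysvol
EOF
# Constructed sample: the same file with both lines from the thread added.
FIXED_CONF=$(mktemp)
{ printf '[global]\n    idmap_ldb:use rfc2307 = yes\n'
  printf '    dns update command = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool\n'
  sed 1d "$JOINED_CONF"; } > "$FIXED_CONF"
# Constructed sample of '--help' output that advertises the option.
HELP_TEXT='Usage: samba_dnsupdate [options]
  --use-samba-tool'
echo "missing from joined smb.conf:"; check_dc_conf "$JOINED_CONF"
```

On a real DC, point smbconf_get and check_dc_conf at /etc/samba/smb.conf and feed dnsupdate_supports_samba_tool the output of 'samba_dnsupdate --help' instead of HELP_TEXT.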
On 10/26/2017 01:18 PM, Rowland Penny via samba wrote:

> Good question, when you join a new DC, there doesn't seem to be a good
> way to find out if the line is required, so it isn't added, so you need
> to add it manually.

wow I missed this too! Could this also be added to the relevant page?

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

MJ
Greetings! On that day, Rowland Penny via samba was saying...

> If you look carefully, it is '/usr/sbin/samba_dnsupdate' that is
> logging and this is run at samba startup and then regularly.

No, I've missed that. Sorry.

> if you run 'samba_dnsupdate --help' and amongst the output is
> '--use-samba-tool', you can add 'dns update command
> = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool' to smb.conf
> on the DC, this should fix this problem.

Ok. Done. The error disappeared.

But why is it not needed on the first DC?! Is it because there's some sort of ''master'' DNS, and so the first DC by default uses RPC to the local ''master''?

I'm curious... ;-)

> Good question

Thanks.

-- 
dott. Marco Gaiarin