Harsh Kukreja
2017-Oct-27 14:28 UTC
[Samba] ADC 4.7.0 KCC replication failing with PDC 4.6.8
Hi
I have created a new DC on Ubuntu 16.04 with the latest Sernet Samba
4.7.0 package. After joining it to the PDC running the 4.6.8 package, I
backed up the idmap.ldb file and copied it to the new DC. When I run the
samba-tool ntacl sysvolreset command on the new DC to replicate the GID
mappings, it fails with the error below:
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
Also on the PDC the INBOUND KCC is failing from the new DC:
==== INBOUND NEIGHBORS ===
CN=Schema,CN=Configuration,DC=iumnet,DC=edu,DC=na
Default-First-Site-Name\IUMSVRPDC via RPC
DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
Last attempt @ Fri Oct 27 16:03:15 2017 WAST failed, result
1225 (WERR_CONNECTION_REFUSED)
28 consecutive failure(s).
Last success @ NTTIME(0)
Here is the smb.conf from both the servers:
*PDC*
# Global parameters
[global]
workgroup = IUMNET
realm = IUMNET.EDU.NA
netbios name = IUMDCDP01
server role = active directory domain controller
dns forwarder = 172.16.10.254
domain master = yes
preferred master = yes
server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
password server = 172.16.10.5
allow dns updates = nonsecure and secure
# lanman auth = Yes
# client lanman auth = Yes
ntlm auth = yes
client use spnego = no
client ldap sasl wrapping = sign
# ldap ssl ads = yes
# ldap ssl = start tls
ldap server require strong auth = no
# wins server = iumnet.edu.na
# wins support = Yes
time server = Yes
template shell = /bin/bash
template homedir = /home/%U
idmap config * : backend = tdb
idmap config *:range = 50000-1000000
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:success = connect disconnect
*ADC new DC*
# Global parameters
[global]
netbios name = IUMSVRPDC
realm = IUMNET.EDU.NA
workgroup = IUMNET
server role = active directory domain controller
dns forwarder = 172.16.10.254
server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
allow dns updates = nonsecure and secure
ntlm auth = yes
ldap server require strong auth = no
time server = Yes
template shell = /bin/bash
template homedir = /home/%U
idmap config * : backend = tdb
idmap config *:range = 50000-1000000
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:success = connect disconnect
The purpose of creating the new DC is to transfer the FSMO roles from the
current PDC, which is running on old Ubuntu 12.04, and then shut it down.
Please assist in resolving the problem.
Thanks and Regards

Harsh Kukreja
Systems Administrator
International University of Namibia
Tel: 061-4336000 - E-mail: h.kukreja @ium.edu.na - Web: http://www.ium.edu.na
Private Bag 14005, Bachbrech. 21-31 Hercules Street, Dorado Park, Windhoek, NAMIBIA
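The INBOUND NEIGHBORS block in the post is the kind of output that is easy to overlook in a long `samba-tool drs showrepl` transcript. The following script is an added example, not Samba's own tooling and not part of the original thread: it parses the showrepl text, pulls out each inbound neighbour, and flags the ones that keep failing or have never replicated at all (Last success @ NTTIME(0), exactly the state shown above). The sample transcript re-uses the block from the post and adds a second, made-up healthy neighbour named IUMSVRDC02 so both outcomes are exercised.

```python
"""Parse 'samba-tool drs showrepl' output and flag failing inbound neighbours.

Added example, not Samba's own code. SAMPLE_SHOWREPL is a constructed
transcript: the first neighbour is the block posted in the thread, the
second (IUMSVRDC02) is made up to show a healthy entry.
"""
import re

SAMPLE_SHOWREPL = """\
==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=iumnet,DC=edu,DC=na
\tDefault-First-Site-Name\\IUMSVRPDC via RPC
\t\tDSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
\t\tLast attempt @ Fri Oct 27 16:03:15 2017 WAST failed, result 1225 (WERR_CONNECTION_REFUSED)
\t\t28 consecutive failure(s).
\t\tLast success @ NTTIME(0)

DC=iumnet,DC=edu,DC=na
\tDefault-First-Site-Name\\IUMSVRDC02 via RPC
\t\tDSA object GUID: 00000000-0000-4000-8000-000000000002
\t\tLast attempt @ Fri Oct 27 16:03:15 2017 WAST was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Fri Oct 27 16:03:15 2017 WAST

==== OUTBOUND NEIGHBORS ====
"""

# 'Last attempt @ <time> was successful' or '... failed, result <code> (<WERR name>)'
ATTEMPT_RE = re.compile(
    r"Last attempt @ (?P<when>.+?) "
    r"(?P<outcome>was successful|failed, result (?P<code>\d+) \((?P<err>\w+)\))")

# A naming-context line starts with an RDN such as CN=... or DC=...
PARTITION_RE = re.compile(r"^(CN|DC|OU)=", re.IGNORECASE)


def parse_inbound_neighbours(text):
    """Return one dict per inbound neighbour with keys partition, dsa, guid,
    failures, last_error and last_success. Only the INBOUND section is read;
    detection is content based, so it also works on whitespace-stripped text."""
    neighbours = []
    in_inbound = False
    partition = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("===="):
            in_inbound = "INBOUND" in line
            continue
        if not in_inbound or not line:
            continue
        if PARTITION_RE.match(line):
            partition = line
        elif " via " in line:  # 'Site\\DSA via RPC' opens a neighbour entry
            current = {"partition": partition, "dsa": line.split(" via ")[0],
                       "guid": None, "failures": 0,
                       "last_error": None, "last_success": None}
            neighbours.append(current)
        elif current is None:
            continue
        elif line.startswith("DSA object GUID:"):
            current["guid"] = line.split(":", 1)[1].strip()
        elif line.startswith("Last attempt @"):
            m = ATTEMPT_RE.search(line)
            if m and m.group("code"):
                current["last_error"] = "%s (%s)" % (m.group("code"), m.group("err"))
        elif line.endswith("consecutive failure(s)."):
            current["failures"] = int(line.split()[0])
        elif line.startswith("Last success @"):
            current["last_success"] = line.split("@", 1)[1].strip()
    return neighbours


def failing_neighbours(text, max_failures=0):
    """Neighbours with more than max_failures consecutive failures, or whose
    last success is NTTIME(0), i.e. replication from them has never worked."""
    return [n for n in parse_inbound_neighbours(text)
            if n["failures"] > max_failures or n["last_success"] == "NTTIME(0)"]


if __name__ == "__main__":
    for n in failing_neighbours(SAMPLE_SHOWREPL):
        print("%s <- %s: %d failure(s), last error %s, last success %s" % (
            n["partition"], n["dsa"], n["failures"], n["last_error"], n["last_success"]))
```

Run against real output with `samba-tool drs showrepl | python3 this_script.py` after replacing the sample with `sys.stdin.read()`; a neighbour that shows up here with WERR_CONNECTION_REFUSED and NTTIME(0) is one the local DC has never been able to reach, which points at the remote samba service or a firewall rather than at the directory data.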
Rowland Penny
2017-Oct-27 14:59 UTC
[Samba] ADC 4.7.0 KCC replication failing with PDC 4.6.8
On Fri, 27 Oct 2017 16:28:40 +0200
Harsh Kukreja via samba <samba at lists.samba.org> wrote:

> Hi
>
> I have created a new DC on the Ubuntu 16.04 with the latest sernet
> samba 4.7.0 package. After joining to the PDC running 4.6.8 package I
> backed up the idmap.ldb file and copied to the new DC. When I run the
> samba-tool ntacl sysvolreset command on the new DC to replicate GID
> Mappings it fails with the below error:
>
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
>     lp, use_ntvfs=use_ntvfs)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

Have you any GPOs other than the default ones ?

> Also on the PDC the INBOUND KCC is failing from the new DC:

You do not have a PDC, you have a DC.

> ==== INBOUND NEIGHBORS ===
>
> CN=Schema,CN=Configuration,DC=iumnet,DC=edu,DC=na
> Default-First-Site-Name\IUMSVRPDC via RPC
> DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
> Last attempt @ Fri Oct 27 16:03:15 2017 WAST failed,
> result 1225 (WERR_CONNECTION_REFUSED)
> 28 consecutive failure(s).
> Last success @ NTTIME(0)
>
> Here is the smb.conf from both the servers:
>
> *PDC*

Did I mention you do not have a PDC ? :-)

> # Global parameters
> [global]
> workgroup = IUMNET
> realm = IUMNET.EDU.NA
> netbios name = IUMDCDP01
> server role = active directory domain controller
> dns forwarder = 172.16.10.254
> domain master = yes
> preferred master = yes
> server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
> password server = 172.16.10.5
> allow dns updates = nonsecure and secure
> # lanman auth = Yes
> # client lanman auth = Yes
> ntlm auth = yes
> client use spnego = no
> client ldap sasl wrapping = sign
> # ldap ssl ads = yes
> # ldap ssl = start tls
> ldap server require strong auth = no
> # wins server = iumnet.edu.na
> # wins support = Yes
> time server = Yes
> template shell = /bin/bash
> template homedir = /home/%U
> idmap config * : backend = tdb
> idmap config *:range = 50000-1000000
> full_audit:prefix = %u|%I|%m|%S
> full_audit:failure = connect
> full_audit:success = connect disconnect
>
> *ADC new DC*
> # Global parameters
> [global]
> netbios name = IUMSVRPDC
> realm = IUMNET.EDU.NA
> workgroup = IUMNET
> server role = active directory domain controller
> dns forwarder = 172.16.10.254
> server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap

You should remove the above line, you definitely do not need it.

> allow dns updates = nonsecure and secure
> ntlm auth = yes
> ldap server require strong auth = no
> time server = Yes
> template shell = /bin/bash
> template homedir = /home/%U
> idmap config * : backend = tdb
> idmap config *:range = 50000-1000000

Remove the above two lines, they have no place on a DC.

Rowland
Kukreja H.Kukreja
2017-Oct-27 16:24 UTC
[Samba] ADC 4.7.0 KCC replication failing with PDC 4.6.8
I do have GPO directories under sysvol, which I have copied using rsync to
the new DC, and when I run it the samba-tool ntacl sysvolreset command is
failing on the new DC.
I am not sure what to call the main DC, that's why I use PDC.
I have removed the unnecessary lines from smb.conf.
Please let me know what I have to do now. I want to migrate the old DC
running on Ubuntu 12.04 to the new DC on Ubuntu 16.04.
Thanks
Harsh
Sent from my iPhone
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2017-Oct-27 16:41 UTC
[Samba] ADC 4.7.0 KCC replication failing with PDC 4.6.8
On Fri, 27 Oct 2017 18:24:50 +0200
"Kukreja H.Kukreja" <h.kukreja at ium.edu.na> wrote:

> I do have GPO directories under sysvol which I have copied using
> rsync to the new DC and when I run samba-tool ntacl sysvolreset
> command is failing on the new DC.

This usually happens when you have extra GPOs stored in Sysvol, they are also in AD, so the command thinks they exist, but cannot find them on disc, hence '(No such file or directory)'

If you have correctly synced the contents of the 'sysvol' directory and idmap.ldb from the old DC to the new DC, then it should work.

> I am not sure what do I call the main DC thats why I use PDC.

How about 'DC' ? All DCs are equal except for the FSMO roles and they can be shared out amongst several DCs, they do not all have to be on the same DC. Please do not call a DC a 'PDC', a PDC is something else entirely and calling an AD DC a PDC can lead to confusion ;-)

> I have removed the unnecessary lines from smb.conf
>
> Please let me know what do I have to do now. I want to migrate the
> old DC running on Ubuntu 12.04 to the new DC on Ubuntu 16.04.

Are you still getting the same error ?

Rowland
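Rowland's explanation of the ENOENT (a GPO object exists in AD, so sysvolreset walks to its folder, but that folder never made it onto the new DC's disk) can be verified before running sysvolreset at all. The script below is an added example, not Samba's own code and not from the thread: each GPO object in AD carries a gPCFileSysPath UNC of the form \\domain\sysvol\domain\Policies\{GUID}; the script maps that to the local sysvol directory and reports every policy whose folder is missing. The GPO list is a constructed stand-in for what an LDAP query of CN=Policies,CN=System,<domain DN> (or `samba-tool gpo listall`) would return for the IUMNET.EDU.NA domain: the two GUIDs are the well-known Default Domain Policy and Default Domain Controllers Policy, the third GPO is made up, and the sysvol tree is built in a temporary directory so the script runs offline.

```python
"""Check that every GPO known to AD has its directory in the local sysvol.

Added example, not part of Samba. It reproduces the condition Rowland
describes: a GPO object present in AD whose Policies/{GUID} folder is
missing on disk, which makes 'samba-tool ntacl sysvolreset' fail with
'No such file or directory'.
"""
import os
import shutil
import tempfile

# Constructed stand-in for the AD GPO objects of the thread's domain. The first
# two GUIDs are the well-known default policies; the third GPO is made up.
SAMPLE_AD_GPOS = [
    {"displayName": "Default Domain Policy",
     "gPCFileSysPath": r"\\iumnet.edu.na\sysvol\iumnet.edu.na\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}"},
    {"displayName": "Default Domain Controllers Policy",
     "gPCFileSysPath": r"\\iumnet.edu.na\sysvol\iumnet.edu.na\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}"},
    {"displayName": "Lab Workstations (constructed)",
     "gPCFileSysPath": r"\\iumnet.edu.na\sysvol\iumnet.edu.na\Policies\{00000000-0000-4000-8000-000000000001}"},
]


def local_path_for_gpo(sysvol_root, gpc_file_sys_path):
    """Map a gPCFileSysPath UNC (\\\\dom\\sysvol\\dom\\Policies\\{GUID}) to the
    directory below the local sysvol root, e.g. /var/lib/samba/sysvol.
    Raises ValueError if the UNC does not point into a 'sysvol' share."""
    parts = [p for p in gpc_file_sys_path.replace("\\", "/").split("/") if p]
    lowered = [p.lower() for p in parts]
    if "sysvol" not in lowered:
        raise ValueError("not a sysvol path: %s" % gpc_file_sys_path)
    # Everything after the share name is relative to the local sysvol root;
    # the GUID keeps its exact case because Linux directory names are case-sensitive.
    return os.path.join(sysvol_root, *parts[lowered.index("sysvol") + 1:])


def check_sysvol(sysvol_root, ad_gpos):
    """Return (missing, present): display names of GPOs whose directory is
    absent under sysvol_root, and of those whose directory exists."""
    missing, present = [], []
    for gpo in ad_gpos:
        path = local_path_for_gpo(sysvol_root, gpo["gPCFileSysPath"])
        (present if os.path.isdir(path) else missing).append(gpo["displayName"])
    return sorted(missing), sorted(present)


def build_sample_sysvol(ad_gpos, skip_names=()):
    """Create a throwaway sysvol tree with a directory for every GPO in ad_gpos
    except those listed in skip_names (constructed test data)."""
    root = tempfile.mkdtemp(prefix="sysvol-")
    for gpo in ad_gpos:
        if gpo["displayName"] not in skip_names:
            os.makedirs(local_path_for_gpo(root, gpo["gPCFileSysPath"]))
    return root


def demo():
    """Simulate the poster's situation: AD knows three GPOs but the rsync of
    sysvol only brought the two default policies across."""
    root = build_sample_sysvol(SAMPLE_AD_GPOS, skip_names=("Lab Workstations (constructed)",))
    try:
        return check_sysvol(root, SAMPLE_AD_GPOS)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    missing, present = demo()
    for name in present:
        print("ok      %s" % name)
    for name in missing:
        print("MISSING %s  (sysvolreset will hit ENOENT here)" % name)
```

On a real DC, replace SAMPLE_AD_GPOS with the displayName and gPCFileSysPath attributes read from AD and point check_sysvol at /var/lib/samba/sysvol; every name it lists as missing is a folder to copy from the old DC (or a stale GPO object to clean up in AD) before sysvolreset can succeed.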
Rowland Penny
2017-Oct-28 16:28 UTC
[Samba] ADC 4.7.0 KCC replication failing with PDC 4.6.8
On Sat, 28 Oct 2017 16:50:34 +0200
Harsh Kukreja <h.kukreja at ium.edu.na> wrote:

> Hi Rowland
>
> Thanks for your support. The problem with the new DC was the samba
> service was not starting because the START_MODE_IN="ad" was not
> changed in the /etc/default/samba/sernet-samba-ad also the samba-tool
> ntacl sysvolreset is working after running rsync to copy the sysvol
> folders.
>
> Now there is one more problem with the AD authentication on my
> Firewall which is only working with the main DC but as soon I shut it
> down then it fails to authenticate with the new DC. Here are the logs
> from the Firewall:
>

Try reading this wikipage: https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage

Rowland
Kukreja H.Kukreja
2017-Oct-28 17:01 UTC
[Samba] ADC 4.7.0 KCC replication failing with PDC 4.6.8
Hi Rowland

Thanks for the link https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage . It should fix the Firewall authentication problem.

I would like to find out if I can rename the domain name of the DC when I move it to the new DC. Currently it is IUMNET.EDU.NA, but my GApps domain name is IUM.EDU.NA and I would like to use the same on my new DC. Is it possible to change the name without joining all the computers again?

Regards
Harsh

Sent from my iPhone