Harsh Kukreja
2017-Oct-27 14:28 UTC
[Samba] ADC 4.7.0 KCC replication failing with PDC 4.6.8
Hi,

I have created a new DC on Ubuntu 16.04 with the latest Sernet Samba 4.7.0 package. After joining it to the PDC running the 4.6.8 package I backed up the idmap.ldb file and copied it to the new DC. When I run the samba-tool ntacl sysvolreset command on the new DC to replicate the GID mappings it fails with the below error:

open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

Also on the PDC the INBOUND KCC is failing from the new DC:

==== INBOUND NEIGHBORS ===

CN=Schema,CN=Configuration,DC=iumnet,DC=edu,DC=na
    Default-First-Site-Name\IUMSVRPDC via RPC
        DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
        Last attempt @ Fri Oct 27 16:03:15 2017 WAST failed, result 1225 (WERR_CONNECTION_REFUSED)
        28 consecutive failure(s).
        Last success @ NTTIME(0)

Here is the smb.conf from both the servers:

*PDC*

# Global parameters
[global]
        workgroup = IUMNET
        realm = IUMNET.EDU.NA
        netbios name = IUMDCDP01
        server role = active directory domain controller
        dns forwarder = 172.16.10.254
        domain master = yes
        preferred master = yes
        server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
        password server = 172.16.10.5
        allow dns updates = nonsecure and secure
        # lanman auth = Yes
        # client lanman auth = Yes
        ntlm auth = yes
        client use spnego = no
        client ldap sasl wrapping = sign
        # ldap ssl ads = yes
        # ldap ssl = start tls
        ldap server require strong auth = no
        # wins server = iumnet.edu.na
        # wins support = Yes
        time server = Yes
        template shell = /bin/bash
        template homedir = /home/%U
        idmap config * : backend = tdb
        idmap config *:range = 50000-1000000
        full_audit:prefix = %u|%I|%m|%S
        full_audit:failure = connect
        full_audit:success = connect disconnect

*ADC new DC*

# Global parameters
[global]
        netbios name = IUMSVRPDC
        realm = IUMNET.EDU.NA
        workgroup = IUMNET
        server role = active directory domain controller
        dns forwarder = 172.16.10.254
        server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
        allow dns updates = nonsecure and secure
        ntlm auth = yes
        ldap server require strong auth = no
        time server = Yes
        template shell = /bin/bash
        template homedir = /home/%U
        idmap config * : backend = tdb
        idmap config *:range = 50000-1000000
        full_audit:prefix = %u|%I|%m|%S
        full_audit:failure = connect
        full_audit:success = connect disconnect

The purpose of creating the new DC is to transfer the FSMO roles from the current PDC, which is running on old Ubuntu 12.04, and shut it down.

Please assist to resolve the problem.

Thanks n Regards

Harsh Kukreja
Systems Administrator
International University of Namibia
Tel: 061-4336000 - E-mail: h.kukreja @ium.edu.na - Web: http://www.ium.edu.na
Private Bag 14005, Bachbrech. 21-31 Hercules Street, Dorado Park, Windhoek, NAMIBIA
Rowland Penny
2017-Oct-27 14:59 UTC
[Samba] ADC 4.7.0 KCC replication failing with PDC 4.6.8
On Fri, 27 Oct 2017 16:28:40 +0200
Harsh Kukreja via samba <samba at lists.samba.org> wrote:

> Hi
>
> I have created a new DC on the Ubuntu 16.04 with the latest sernet
> samba 4.7.0 package. After joining to the PDC running 4.6.8 package I
> backed up the idmap.ldb file and copied to the new DC. When I run the
> samba-tool ntacl sysvolreset command on the new DC to replicate GID
> Mappings it fails with the below error:
>
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
>     lp, use_ntvfs=use_ntvfs)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

Have you any GPOs other than the default ones ?

>
> Also on the PDC the INBOUND KCC is failing from the new DC:

You do not have a PDC, you have a DC.

> ==== INBOUND NEIGHBORS ===
>
> CN=Schema,CN=Configuration,DC=iumnet,DC=edu,DC=na
>     Default-First-Site-Name\IUMSVRPDC via RPC
>         DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
>         Last attempt @ Fri Oct 27 16:03:15 2017 WAST failed, result 1225 (WERR_CONNECTION_REFUSED)
>         28 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> Here is the smb.conf from both the servers:
>
> *PDC*

Did I mention you do not have a PDC ? :-)

> # Global parameters
> [global]
>         workgroup = IUMNET
>         realm = IUMNET.EDU.NA
>         netbios name = IUMDCDP01
>         server role = active directory domain controller
>         dns forwarder = 172.16.10.254
>         domain master = yes
>         preferred master = yes
>         server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
>         password server = 172.16.10.5
>         allow dns updates = nonsecure and secure
>         # lanman auth = Yes
>         # client lanman auth = Yes
>         ntlm auth = yes
>         client use spnego = no
>         client ldap sasl wrapping = sign
>         # ldap ssl ads = yes
>         # ldap ssl = start tls
>         ldap server require strong auth = no
>         # wins server = iumnet.edu.na
>         # wins support = Yes
>         time server = Yes
>         template shell = /bin/bash
>         template homedir = /home/%U
>         idmap config * : backend = tdb
>         idmap config *:range = 50000-1000000
>         full_audit:prefix = %u|%I|%m|%S
>         full_audit:failure = connect
>         full_audit:success = connect disconnect
>
> *ADC new DC*
>
> # Global parameters
> [global]
>         netbios name = IUMSVRPDC
>         realm = IUMNET.EDU.NA
>         workgroup = IUMNET
>         server role = active directory domain controller
>         dns forwarder = 172.16.10.254
>         server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap

You should remove the above line, you definitely do not need it.

>         allow dns updates = nonsecure and secure
>         ntlm auth = yes
>         ldap server require strong auth = no
>         time server = Yes
>         template shell = /bin/bash
>         template homedir = /home/%U
>         idmap config * : backend = tdb
>         idmap config *:range = 50000-1000000

Remove the above two lines, they have no place on a DC.

Rowland
Kukreja H.Kukreja
2017-Oct-27 16:24 UTC
[Samba] ADC 4.7.0 KCC replication failing with PDC 4.6.8
I do have GPO directories under sysvol, which I have copied using rsync to the new DC, and when I run the samba-tool ntacl sysvolreset command it fails on the new DC.

I am not sure what to call the main DC, that's why I use PDC.

I have removed the unnecessary lines from smb.conf.

Please let me know what I have to do now. I want to migrate the old DC running on Ubuntu 12.04 to the new DC on Ubuntu 16.04.

Thanks
Harsh

Sent from my iPhone

On 27 Oct 2017, at 5:06 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 27 Oct 2017 16:28:40 +0200
> Harsh Kukreja via samba <samba at lists.samba.org> wrote:
>
> > Hi
> >
> > I have created a new DC on the Ubuntu 16.04 with the latest sernet
> > samba 4.7.0 package. After joining to the PDC running 4.6.8 package I
> > backed up the idmap.ldb file and copied to the new DC. When I run the
> > samba-tool ntacl sysvolreset command on the new DC to replicate GID
> > Mappings it fails with the below error:
> >
> > open: error=2 (No such file or directory)
> > ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
> >     lp, use_ntvfs=use_ntvfs)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
> >     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
> >     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
> >     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
>
> Have you any GPOs other than the default ones ?
>
> > Also on the PDC the INBOUND KCC is failing from the new DC:
>
> You do not have a PDC, you have a DC.
>
> > ==== INBOUND NEIGHBORS ===
> >
> > CN=Schema,CN=Configuration,DC=iumnet,DC=edu,DC=na
> >     Default-First-Site-Name\IUMSVRPDC via RPC
> >         DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
> >         Last attempt @ Fri Oct 27 16:03:15 2017 WAST failed, result 1225 (WERR_CONNECTION_REFUSED)
> >         28 consecutive failure(s).
> >         Last success @ NTTIME(0)
> >
> > Here is the smb.conf from both the servers:
> >
> > *PDC*
>
> Did I mention you do not have a PDC ? :-)
>
> > # Global parameters
> > [global]
> >         workgroup = IUMNET
> >         realm = IUMNET.EDU.NA
> >         netbios name = IUMDCDP01
> >         server role = active directory domain controller
> >         dns forwarder = 172.16.10.254
> >         domain master = yes
> >         preferred master = yes
> >         server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
> >         password server = 172.16.10.5
> >         allow dns updates = nonsecure and secure
> >         # lanman auth = Yes
> >         # client lanman auth = Yes
> >         ntlm auth = yes
> >         client use spnego = no
> >         client ldap sasl wrapping = sign
> >         # ldap ssl ads = yes
> >         # ldap ssl = start tls
> >         ldap server require strong auth = no
> >         # wins server = iumnet.edu.na
> >         # wins support = Yes
> >         time server = Yes
> >         template shell = /bin/bash
> >         template homedir = /home/%U
> >         idmap config * : backend = tdb
> >         idmap config *:range = 50000-1000000
> >         full_audit:prefix = %u|%I|%m|%S
> >         full_audit:failure = connect
> >         full_audit:success = connect disconnect
> >
> > *ADC new DC*
> >
> > # Global parameters
> > [global]
> >         netbios name = IUMSVRPDC
> >         realm = IUMNET.EDU.NA
> >         workgroup = IUMNET
> >         server role = active directory domain controller
> >         dns forwarder = 172.16.10.254
> >         server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
>
> You should remove the above line, you definitely do not need it.
>
> >         allow dns updates = nonsecure and secure
> >         ntlm auth = yes
> >         ldap server require strong auth = no
> >         time server = Yes
> >         template shell = /bin/bash
> >         template homedir = /home/%U
> >         idmap config * : backend = tdb
> >         idmap config *:range = 50000-1000000
>
> Remove the above two lines, they have no place on a DC.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2017-Oct-27 16:41 UTC
[Samba] ADC 4.7.0 KCC replication failing with PDC 4.6.8
On Fri, 27 Oct 2017 18:24:50 +0200
"Kukreja H.Kukreja" <h.kukreja at ium.edu.na> wrote:

> I do have GPO directories under sysvol which I have copied using
> rsync to the new DC and when I run samba-tool ntacl sysvolreset
> command is failing on the new DC.

This usually happens when you have extra GPOs stored in Sysvol, they
are also in AD, so the command thinks they exist, but cannot find them
on disc, hence '(No such file or directory)'

If you have correctly synced the contents of the 'sysvol' directory and
idmap.ldb from the old DC to the new DC, then it should work.

>
> I am not sure what do I call the main DC thats why I use PDC.

How about 'DC' ?

All DCs are equal except for the FSMO roles and they can be shared out
amongst several DCs, they do not all have to be on the same DC.

Please do not call a DC a 'PDC', a PDC is something else entirely and
calling an AD DC a PDC can lead to confusion ;-)

>
> I have removed the unnecessary lines from smb.conf
>
> Please let me know what do I have to do now. I want to migrate the
> old DC running on Ubuntu 12.04 to the new DC on Ubuntu 16.04.

Are you still getting the same error ?

Rowland
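An added pre-flight check for the mismatch Rowland describes above (a GPO recorded in AD with no matching directory under sysvol); it is example code written for this page, not Samba's own tooling or anything from the thread. It assumes the 'samba-tool gpo listall' output format shown in the constructed sample (one "GPO : {GUID}" line per policy) and the default sysvol layout /var/lib/samba/sysvol/<dnsdomain>/Policies/<GUID>.

```shell
#!/bin/sh
# Added example, not part of the thread: before running
# 'samba-tool ntacl sysvolreset', confirm that every GPO recorded in AD
# has its directory under sysvol. A GPO present in AD but absent on disk
# is what makes sysvolreset fail with "No such file or directory".
#
# Assumptions: 'samba-tool gpo listall' prints one "GPO : {GUID}" line per
# policy, and policies live in /var/lib/samba/sysvol/<dnsdomain>/Policies.

# Constructed sample of 'samba-tool gpo listall' output (the two default
# policies that every Samba AD domain has); domain name is a placeholder.
SAMPLE_LISTALL='GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com

GPO          : {6AC1786C-016F-11D2-945F-00C04fB984F9}
display name : Default Domain Controllers Policy
dn           : CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=example,DC=com'

# missing_gpo_dirs LISTALL_OUTPUT POLICIES_DIR
# Prints every GPO GUID from LISTALL_OUTPUT that has no directory under
# POLICIES_DIR. Returns 0 when all are present, 1 when any is missing.
# The match is exact: a GUID directory whose letter case differs from AD
# is reported as missing, which is the conservative answer.
missing_gpo_dirs() {
    listall="$1"
    policies="$2"
    rc=0
    for guid in $(printf '%s\n' "$listall" | sed -n 's/^GPO *: *\({[^}]*}\).*/\1/p'); do
        if [ ! -d "$policies/$guid" ]; then
            echo "missing on disk: $guid"
            rc=1
        fi
    done
    return $rc
}

# On a real DC (assumed paths) the call would be:
#   missing_gpo_dirs "$(samba-tool gpo listall)" /var/lib/samba/sysvol/iumnet.edu.na/Policies
# Here it runs against the constructed sample and a scratch directory that
# holds only the first policy, so the second one is reported as missing.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/{31B2F340-016D-11D2-945F-00C04FB984F9}"
missing_gpo_dirs "$SAMPLE_LISTALL" "$demo_dir" || echo "sync sysvol from the old DC before running sysvolreset"
rm -rf "$demo_dir"
```

A non-zero exit means the sysvol copy (rsync of the sysvol directory, as in the thread) is incomplete and sysvolreset will hit the same error.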
Rowland Penny
2017-Oct-28 16:28 UTC
[Samba] ADC 4.7.0 KCC replication failing with PDC 4.6.8
On Sat, 28 Oct 2017 16:50:34 +0200
Harsh Kukreja <h.kukreja at ium.edu.na> wrote:

> Hi Rowland
>
> Thanks for your support. The problem with the new DC was the samba
> service was not starting because the START_MODE_IN="ad" was not
> changed in the /etc/default/samba/sernet-samba-ad also the samba-tool
> ntacl sysvolreset is working after running rsync to copy the sysvol
> folders.
>
> Now there is one more problem with the AD authentication on my
> Firewall which is only working with the main DC but as soon I shut it
> down then it fails to authenticate with the new DC. Here are the logs
> from the Firewall:
>

Try reading this wikipage:
https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage

Rowland
Kukreja H.Kukreja
2017-Oct-28 17:01 UTC
[Samba] ADC 4.7.0 KCC replication failing with PDC 4.6.8
Hi Rowland

Thanks for the link https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage. It should fix the Firewall authentication problem.

I would like to find out if I can rename the domain name of the DC when I move it to the new DC. Currently it is IUMNET.EDU.NA but my GApps domain name is IUM.EDU.NA and I would like to use the same on my new DC. Is it possible to change the name without joining all the computers again?

Regards
Harsh

Sent from my iPhone

On 28 Oct 2017, at 6:42 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sat, 28 Oct 2017 16:50:34 +0200
> Harsh Kukreja <h.kukreja at ium.edu.na> wrote:
>
> > Hi Rowland
> >
> > Thanks for your support. The problem with the new DC was the samba
> > service was not starting because the START_MODE_IN="ad" was not
> > changed in the /etc/default/samba/sernet-samba-ad also the samba-tool
> > ntacl sysvolreset is working after running rsync to copy the sysvol
> > folders.
> >
> > Now there is one more problem with the AD authentication on my
> > Firewall which is only working with the main DC but as soon I shut it
> > down then it fails to authenticate with the new DC. Here are the logs
> > from the Firewall:
> >
>
> Try reading this wikipage:
> https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
>
> Rowland