Sina Owolabi
2017-Nov-13 08:59 UTC
[Samba] Setting up Second Samba DC samba-tool ntacl sysvolreset fails
Hi List!

I am working my way through getting familiar with samba and I have two
domain controllers now with an additional samba file server.
The servers are CentOS 7.4.1708;
the domain controllers are built from source with samba-4.7.1;
and the file server, installed winbind, smb and nmb from CentOS repos.

My problem is after bringing up the second domain controller and
successfully joining it to the domain, as the wiki directs I tried to
run samba-tool ntacl sysvolreset and this fails.

[root at testdc2 private]# samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

Please what am I doing wrong?

"Primary" DC config file:

# Global parameters
[global]
    dns forwarder = 8.8.8.8
    netbios name = TESTBOX
    realm = SAMDOM.TESTING.COM
    server role = active directory domain controller
    workgroup = SAMDOM
    idmap_ldb:use rfc2307 = yes
    log file = /var/log/samba/%m.log
    log level = 3
    tls enabled = yes
    winbind enum groups = Yes
    winbind enum users = Yes
    template shell = /bin/bash
    template homedir = /share/%U

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

New DC config file:

# Global parameters
[global]
    netbios name = TESTDC2
    realm = SAMDOM.TESTING.COM
    server role = active directory domain controller
    workgroup = SAMDOM

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

File server config file (thank you Roland!):

[global]
    workgroup = SAMDOM
    security = ADS
    realm = SAMDOM.TESTING.COM
    server string = Samba Server Version %v
    winbind use default domain = yes
    winbind expand groups = 4
    winbind refresh tickets = Yes
    idmap config *:backend = tdb
    idmap config *:range = 3000-9999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    template shell = /bin/bash
    template homedir = /share/%U
    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no
    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes
    log file = /var/log/samba/log.%m
    max log size = 50
    username map = /etc/samba/user.map

[homes]
    comment = Home Directories
    browseable = no
    read only = no

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes
Rowland Penny
2017-Nov-13 09:43 UTC
[Samba] Setting up Second Samba DC samba-tool ntacl sysvolreset fails
On Mon, 13 Nov 2017 09:59:23 +0100
Sina Owolabi via samba <samba at lists.samba.org> wrote:

> Hi List!
>
> I am working my way through getting familiar with samba and I have two
> domain controllers now with an additional samba file server.
> The servers are CentOS 7.4.1708;
> the domain controllers are built from source with samba-4.7.1;
> and the file server, installed winbind, smb and nmb from CentOS
> repos.
>
> My problem is after bringing up the second domain controller and
> successfully joining it to the domain, as the wiki directs I tried to
> run samba-tool ntacl sysvolreset and this fails.
>
> [root at testdc2 private]# samba-tool ntacl sysvolreset
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed}
> The requested operation was unsuccessful.')
> File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
> line 239, in run lp, use_ntvfs=use_ntvfs)
> File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid,
> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
> File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1502, in set_gpos_acl use_ntvfs=use_ntvfs,
> skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
> File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/ntacls.py",
> line 162, in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER |
> security.SECINFO_GROUP | security.SECINFO_DACL |
> security.SECINFO_SACL, sd, service=service)
>
> Please what am I doing wrong?

Have you added any other GPO's to your first DC ?
If so, you need to 'sync' them to the second DC.

>
>
> "Primary" DC config file:
>
> # Global parameters
> [global]
> dns forwarder = 8.8.8.8
> netbios name = TESTBOX
> realm = SAMDOM.TESTING.COM
> server role = active directory domain controller
> workgroup = SAMDOM
> idmap_ldb:use rfc2307 = yes
> log file = /var/log/samba/%m.log
> log level = 3
> tls enabled = yes
> winbind enum groups = Yes
> winbind enum users = Yes

You should remove the two lines above, you do not need them.

>
> template shell = /bin/bash
> template homedir = /share/%U
>
> [netlogon]
> path
> = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts read
> only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> New DC config file:
> # Global parameters
> [global]
> netbios name = TESTDC2
> realm = SAMDOM.TESTING.COM
> server role = active directory domain controller
> workgroup = SAMDOM

You need to add 'idmap_ldb:use rfc2307 = yes'

Rowland
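
Added example (not part of the original thread and not Samba project code): one way to check the point raised in the reply above, namely whether every GPO the directory knows about has a folder in this DC's local sysvol. It assumes the `GPO : {GUID}` record layout printed by `samba-tool gpo listall`; the function names and the third GUID in the sample listing are constructed for illustration.

```python
import os
import re
import tempfile

# Matches the "GPO : {GUID}" line that starts each record (layout assumed
# from `samba-tool gpo listall`).
GPO_LINE = re.compile(
    r"^GPO\s*:\s*(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})$")

# Constructed, abridged sample: the two default GPOs plus one made-up GUID.
SAMPLE_LISTALL = """\
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
GPO          : {11111111-2222-3333-4444-555555555555}
display name : Constructed Test Policy
"""


def gpo_guids(listall_output):
    """Return the GPO GUIDs named in the listing, upper-cased, in order."""
    found = (GPO_LINE.match(line.strip()) for line in listall_output.splitlines())
    return [m.group(1).upper() for m in found if m]


def missing_gpo_dirs(listall_output, sysvol_path, dns_domain):
    """GUIDs listed in the directory that have no folder in the local sysvol."""
    policies = os.path.join(sysvol_path, dns_domain, "Policies")
    present = set()
    if os.path.isdir(policies):
        # Compare case-insensitively so a case difference is not reported as missing.
        present = {name.upper() for name in os.listdir(policies)
                   if os.path.isdir(os.path.join(policies, name))}
    return [g for g in gpo_guids(listall_output) if g not in present]


def demo():
    """Build a throwaway sysvol holding only the two default GPO folders."""
    with tempfile.TemporaryDirectory() as sysvol:
        for guid in gpo_guids(SAMPLE_LISTALL)[:2]:
            os.makedirs(os.path.join(sysvol, "samdom.testing.com", "Policies", guid))
        return missing_gpo_dirs(SAMPLE_LISTALL, sysvol, "samdom.testing.com")


if __name__ == "__main__":
    print(demo())
```

On the second DC, pass the real `samba-tool gpo listall` output together with the sysvol path and domain from the smb.conf above (`/usr/local/samba/var/locks/sysvol`, `samdom.testing.com`); any GUID returned has no policy folder on that host.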
Sina Owolabi
2017-Nov-13 23:12 UTC
[Samba] Setting up Second Samba DC samba-tool ntacl sysvolreset fails
Hi Rowland

I removed the winbind lines, and added the 'idmap_ldb:use rfc2307 yes'
line to the second DC, and rebooted the servers, but the error does not
go away.

First DC:

[global]
    dns forwarder = 8.8.8.8
    netbios name = TESTBOX
    realm = SAMDOM.TESTING.COM
    server role = active directory domain controller
    workgroup = SAMDOM
    idmap_ldb:use rfc2307 = yes
    log file = /var/log/samba/%m.log
    log level = 3
    tls enabled = yes
    template shell = /bin/bash
    template homedir = /share/%U

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

Second DC:

[global]
    netbios name = TESTDC2
    realm = SAMDOM.TESTING.COM
    server role = active directory domain controller
    workgroup = SAMDOM
    idmap_ldb:use rfc2307 = yes
    tls enabled = yes
    template shell = /bin/bash
    template homedir = /share/%U

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[root at testdc2 private]# samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

On Mon, Nov 13, 2017 at 10:43 AM, Rowland Penny <rpenny at samba.org> wrote:
> On Mon, 13 Nov 2017 09:59:23 +0100
> Sina Owolabi via samba <samba at lists.samba.org> wrote:
>
>> Hi List!
>>
>> I am working my way through getting familiar with samba and I have two
>> domain controllers now with an additional samba file server.
>> The servers are CentOS 7.4.1708;
>> the domain controllers are built from source with samba-4.7.1;
>> and the file server, installed winbind, smb and nmb from CentOS
>> repos.
>>
>> My problem is after bringing up the second domain controller and
>> successfully joining it to the domain, as the wiki directs I tried to
>> run samba-tool ntacl sysvolreset and this fails.
>>
>> [root at testdc2 private]# samba-tool ntacl sysvolreset
>> open: error=2 (No such file or directory)
>> ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed}
>> The requested operation was unsuccessful.')
>> File
>> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
>> line 176, in _run return self.run(*args, **kwargs)
>> File
>> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
>> line 239, in run lp, use_ntvfs=use_ntvfs)
>> File
>> "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
>> line 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid,
>> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>> File
>> "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
>> line 1502, in set_gpos_acl use_ntvfs=use_ntvfs,
>> skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>> File
>> "/usr/local/samba/lib64/python2.7/site-packages/samba/ntacls.py",
>> line 162, in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER |
>> security.SECINFO_GROUP | security.SECINFO_DACL |
>> security.SECINFO_SACL, sd, service=service)
>>
>> Please what am I doing wrong?
>
> Have you added any other GPO's to your first DC ?
> If so, you need to 'sync' them to the second DC.
>
>>
>>
>> "Primary" DC config file:
>>
>> # Global parameters
>> [global]
>> dns forwarder = 8.8.8.8
>> netbios name = TESTBOX
>> realm = SAMDOM.TESTING.COM
>> server role = active directory domain controller
>> workgroup = SAMDOM
>> idmap_ldb:use rfc2307 = yes
>> log file = /var/log/samba/%m.log
>> log level = 3
>> tls enabled = yes
>> winbind enum groups = Yes
>> winbind enum users = Yes
>
> You should remove the two lines above, you do not need them.
>
>>
>> template shell = /bin/bash
>> template homedir = /share/%U
>>
>> [netlogon]
>> path
>> = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts read
>> only = No
>>
>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>>
>> New DC config file:
>> # Global parameters
>> [global]
>> netbios name = TESTDC2
>> realm = SAMDOM.TESTING.COM
>> server role = active directory domain controller
>> workgroup = SAMDOM
>
> You need to add 'idmap_ldb:use rfc2307 = yes'
>
> Rowland