Hello Rowland,

Apologies for the delayed response.

1. Sanitised workgroup: It's a typo while sanitising.
2. Yes, we followed the procedure given in the link you shared. We are
using rsync for synchronising the SysVol. We have been doing this for
many years and it is working properly with the existing 5 domain controllers
with the same Samba version, 4.19.5.
3. We find this issue only in the 3 new servers which we added of late. We
kept the Samba version the same - 4.19.5

Hope it gives you the clarity.

Best regards,
Raghav

On 05/03/25 9:24 pm, Rowland Penny via samba wrote:
> On Wed, 5 Mar 2025 16:15:18 +0530
> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>
>> Hello Team,
>>
>> We are currently running with 8 Samba-AD servers in our domain.
>> Initially we had 5; looking at the load and the DC - DR needs, we
>> added 3 more to have 4 Domain Controllers in DC and 4 Domain
>> Controllers in DR.
>>
>> The original 5 servers are having no issues and the same version (4.19.5) is
>> working without any issues. However, on the 3 new servers, we observe
>> that authentication or DNS queries or all other operations are
>> working fine, except the below issue:
>>
>> "Mar 04 13:46:42 dc5.xxxxxx.com smbd[97680]: [2025/03/04
>> 13:46:42.911111,  0]
>> ../../source3/smbd/smb2_service.c:120(chdir_current_service)
>> Mar 04 13:46:42 dc5.xxxxxx.com smbd[97680]: chdir_current_service:
>> vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission
>> denied. Current tok>
>> Mar 04 13:46:42 dc5.xxxxxx.com smbd[97680]: [2025/03/04
>> 13:46:42.914143,  0]
>> ../../source3/smbd/smb2_service.c:120(chdir_current_service)
>> Mar 04 13:46:42 dc5.xxxxxx.com smbd[97680]: chdir_current_service:
>> vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission
>> denied. Current tok>"
>>
>> The folder idmap.ldb is copied from the server holding the PDC
>> Emulator FSMO role. The folder /usr/local/samba/var/locks/sysvol has
>> the same permissions - root:3000000 and 770, as in all other
>> servers. On the host, selinux is disabled.
>>
>> smb.conf:
>>
>> # Global parameters
>> [global]
>>     netbios name = dc6
>>     realm = xxxxxxx.COM
>>     server role = active directory domain controller
>>     workgroup = xxxxxxx
>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dns, dnsupdate
>>     workgroup = xxxxxxxx
>>     idmap_ldb:use rfc2307 = yes
>>     ldap server require strong auth = No
>>     allow dns updates = nonsecure
>>     tls priority = NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2
>>     log level = 1 auth_audit:0 auth_json_audit:3 dsdb_json_audit:5
>>     log file = /var/log/samba/dc6.log
>>     max log size = 1000000000
>>
>> [sysvol]
>>     path = /usr/local/samba/var/locks/sysvol
>>     read only = No
>>
>> [netlogon]
>>     path = /usr/local/samba/var/locks/sysvol/xxxxxxx.com/scripts
>>     read only = No
>>
>> Above error is filling up our logs rapidly. We look forward to
>> help & guidance from the community to fix this error.
>>
>> Thanks & regards,
>> Raghav
>
> After unpicking the above mess, I find that you have 'workgroup' twice,
> now that might not be a problem (last one wins) except that they might
> be different, you have sanitised the workgroup name with 'x's and the
> last workgroup has one more 'x', is this a typo or are they different?
>
> I know you have copied idmap.ldb, but did you follow the instructions
> from here:
>
> https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)
>
> Rowland
>