Achim Gottinger
2013-Jul-28 14:14 UTC
[Samba] Error running samba-tool dbtool --reset-well-known-acls
Hi,

I updated my two Samba DCs from 4.0.3 to sernet 4.0.7. Both servers run Debian wheezy and the AD was created at the beginning of the year with a classic upgrade to version 4.0.0.
Recent release notes do not provide information about required upgrade tasks, so I ran samba-tool dbcheck --reset-well-known-acls. On the first DC it found a few errors about missing members in computer groups, which were fixable with samba-tool dbcheck --reset-well-known-acls --fix.
On my second DC, however, one issue remains.

>samba-tool dbcheck --reset-well-known-acls
Checking 336 objects
Not fixing nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local
Please use --fix to fix these errors
Checked 336 objects (1 errors)

>samba-tool dbcheck --reset-well-known-acls --fix
Checking 336 objects
Fix nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local? [y/N/all/none] y
Failed to fix attribute nTSecurityDescriptor : (65, "objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local' wasn't specified!")
Checked 336 objects (1 errors)

This is the global section of my smb.conf on DC1. Only netbios name and dns forwarder are different on DC2.

# Global parameters
[global]
workgroup = DOMAIN
realm = domain.local
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.200.200
idmap_ldb:use rfc2307 = yes
log level = 1
strict allocate = yes
acl:read=false
template shell = /bin/bash
wins support = Yes
deadtime = 10
socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 TCP_KEEPINTVL=10 TCP_KEEPCNT=5
ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no
map hidden = no

I connected to both DCs with ADSI and checked rIDNextRID.

DC1:
CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local => 6247
CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local => 0

DC2:
CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local => not defined (German: Nicht Festgelegt)
CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local => 6714

Unfortunately I was not able to change that attribute from undefined to 0 on DC2. I want to avoid editing ldb files by guessing, so I'd appreciate suggestions.

Thanks in advance
achim
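
The per-DC check of rIDNextRID described in the message above can be scripted against an LDIF export of each DC's directory. This is an added example, not part of the original post or of Samba's own code; the function names and the sample LDIF are constructed for illustration, and only the attribute name rIDNextRID and the DNs come from the thread.

```python
import base64

# Constructed sample (not captured output): the two RID Set records as DC2
# might hold them, in LDIF. The first dn is folded to exercise unfolding.
SAMPLE_DC2 = """\
# record 1
dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=
 local
objectClass: rIDSet

# record 2
dn: CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local
objectClass: rIDSet
rIDNextRID: 6714
"""

def parse_ldif(text):
    """Return one {lowercased-attribute: [values]} dict per LDIF record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation of previous line
        elif not raw.startswith("#"):     # skip LDIF comment lines
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last record
        if line.strip():
            name, _, value = line.partition(":")
            if value.startswith(":"):     # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(name.strip().lower(), []).append(value.strip())
        elif current:
            records.append(current)
            current = {}
    return records

def rid_sets_missing(records, required=("rIDNextRID",)):
    """List (dn, [missing attrs]) for rIDSet objects lacking a required attribute."""
    findings = []
    for rec in records:
        if "ridset" not in [c.lower() for c in rec.get("objectclass", [])]:
            continue
        missing = [a for a in required if a.lower() not in rec]
        if missing:
            findings.append((rec["dn"][0], missing))
    return findings

if __name__ == "__main__":
    for dn, missing in rid_sets_missing(parse_ldif(SAMPLE_DC2)):
        print(f"{dn}: missing {', '.join(missing)}")
```

Running it on an export from each DC before and after an upgrade shows which RID Set entries would trip the mandatory-attribute check, without modifying the database.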
Achim Gottinger
2013-Aug-02 16:08 UTC
[Samba] Error running samba-tool dbtool --reset-well-known-acls
On 28.07.2013 16:14, Achim Gottinger wrote:
> Hi,
>
> I updated my two Samba DCs from 4.0.3 to sernet 4.0.7. Both servers
> run Debian wheezy and the AD was created at the beginning of the year
> with a classic upgrade to version 4.0.0.
> Recent release notes do not provide information about required upgrade
> tasks, so I ran
> samba-tool dbcheck --reset-well-known-acls. On the first DC it found a
> few errors about missing members in computer groups, which were fixable
> with samba-tool dbcheck --reset-well-known-acls --fix.
> On my second DC, however, one issue remains.
>
> >samba-tool dbcheck --reset-well-known-acls
> Checking 336 objects
> Not fixing nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain
> Controllers,DC=domain,DC=local
> Please use --fix to fix these errors
> Checked 336 objects (1 errors)
>
> >samba-tool dbcheck --reset-well-known-acls --fix
> Checking 336 objects
> Fix nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain
> Controllers,DC=domain,DC=local? [y/N/all/none] y
> Failed to fix attribute nTSecurityDescriptor : (65,
> "objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on
> entry 'CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local'
> wasn't specified!")
> Checked 336 objects (1 errors)
>
>
> This is the global section of my smb.conf on DC1. Only netbios name
> and dns forwarder are different on DC2.
>
>
> # Global parameters
> [global]
> workgroup = DOMAIN
> realm = domain.local
> netbios name = DC1
> server role = active directory domain controller
> dns forwarder = 192.168.200.200
> idmap_ldb:use rfc2307 = yes
> log level = 1
> strict allocate = yes
> acl:read=false
> template shell = /bin/bash
> wins support = Yes
> deadtime = 10
> socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120
> TCP_KEEPINTVL=10 TCP_KEEPCNT=5
> ea support = yes
> store dos attributes = yes
> map readonly = no
> map archive = no
> map system = no
> map hidden = no
>
> I connected to both DCs with ADSI and checked rIDNextRID.
>
> DC1:
> CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local => 6247
> CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local => 0
>
> DC2:
> CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local => not
> defined (German: Nicht Festgelegt)
> CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local => 6714
>
> Unfortunately I was not able to change that attribute from undefined
> to 0 on DC2. I want to avoid editing ldb files by guessing, so I'd
> appreciate suggestions.
>
> Thanks in advance
> achim

Hi again,

So far this error does not seem to cause any trouble in the domain. DC1 is my RID master. When I try to move the RID role to DC2 I get the following error:

samba-tool fsmo seize --role=rid
Attempting transfer...
FSMO transfer of 'rid' role successful
ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify message must have elements/attributes!

Afterwards the role is assigned to DC2 in samba-tool fsmo show. I get the same error when I try to move the role back to DC1.
Does anyone have a clue what is going wrong here?

Thanks in advance,
Achim
Andrew Bartlett
2013-Aug-05 04:52 UTC
[Samba] [PATCH] Allow dbcheck to fix Rid Set records
On Sun, 2013-07-28 at 16:14 +0200, Achim Gottinger wrote:
> Hi,
>
> I updated my two Samba DCs from 4.0.3 to sernet 4.0.7. Both servers run
> Debian wheezy and the AD was created at the beginning of the year with
> a classic upgrade to version 4.0.0.
> Recent release notes do not provide information about required upgrade
> tasks, so I ran
> samba-tool dbcheck --reset-well-known-acls. On the first DC it found a
> few errors about missing members in computer groups, which were fixable
> with samba-tool dbcheck --reset-well-known-acls --fix.
> On my second DC, however, one issue remains.
>
> >samba-tool dbcheck --reset-well-known-acls
> Checking 336 objects
> Not fixing nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain
> Controllers,DC=domain,DC=local
> Please use --fix to fix these errors
> Checked 336 objects (1 errors)
>
> >samba-tool dbcheck --reset-well-known-acls --fix
> Checking 336 objects
> Fix nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain
> Controllers,DC=domain,DC=local? [y/N/all/none] y
> Failed to fix attribute nTSecurityDescriptor : (65, "objectclass_attrs:
> at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID
> Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local' wasn't specified!")
> Checked 336 objects (1 errors)

The attached patch should resolve this issue. Let me know if it helps.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT           http://catalyst.net.nz

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-dsdb-Allow-dbcheck-to-modify-objects-missing-require.patch
Type: text/x-patch
Size: 1681 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20130805/3f4041d4/attachment.bin>