Achim Gottinger
2013-Jul-28 14:14 UTC
[Samba] Error running samba-tool dbtool --reset-well-known-acls
Hi,
I updated my two samba DC's from 4.0.3 to serner 4.0.7. Both servers run
debian wheezy and the add was created at the beginning of the year with
an classic upgrade to version 4.0.0.
Recent release notes do not provide information about required upgrade
tasks. So i ran.
samba-tool dbcheck --reset-well-known-acls. On the first DC it found a
few errors about missong members in computer groups whom where fixable
with samba-tool dbcheck --reset-well-known-acls --fix.
On my second DC however one issue remains.
>samba-tool dbcheck --reset-well-known-acls
Checking 336 objects
Not fixing nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain
Controllers,DC=domain,DC=local
Please use --fix to fix these errors
Checked 336 objects (1 errors)
>samba-tool dbcheck --reset-well-known-acls --fix
Checking 336 objects
Fix nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain
Controllers,DC=domain,DC=local? [y/N/all/none] y
Failed to fix attribute nTSecurityDescriptor : (65, "objectclass_attrs:
at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID
Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local' wasn't
specified!")
Checked 336 objects (1 errors)
This is the global section of my smb.conf on DC1. Only netbios name and
dns forwarder are different on DC2.
# Global parameters
[global]
workgroup = DOMAIN
realm = domain.local
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.200.200
idmap_ldb:use rfc2307 = yes
log level = 1
strict allocate = yes
acl:read=false
template shell = /bin/bash
wins support = Yes
deadtime = 10
socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120
TCP_KEEPINTVL=10 TCP_KEEPCNT=5
ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no
map hidden = no
I connected to both DC's with ADSI and checked rIDNextRID
DC1:
CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local => 6247
CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local => 0
DC2:
CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local => not
defined (german Nicht Festgelegt)
CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local => 6714
Unfortunately i was not able to change that attribute from undefined to
0 on DC2. I want to avoid editing ldb files by guess so i'd appreciate
suggestions.
Thanks in advance
achim~
Achim Gottinger
2013-Aug-02 16:08 UTC
[Samba] Error running samba-tool dbtool --reset-well-known-acls
Am 28.07.2013 16:14, schrieb Achim Gottinger:> Hi, > > I updated my two samba DC's from 4.0.3 to serner 4.0.7. Both servers > run debian wheezy and the add was created at the beginning of the year > with an classic upgrade to version 4.0.0. > Recent release notes do not provide information about required upgrade > tasks. So i ran. > samba-tool dbcheck --reset-well-known-acls. On the first DC it found a > few errors about missong members in computer groups whom where fixable > with samba-tool dbcheck --reset-well-known-acls --fix. > On my second DC however one issue remains. > > >samba-tool dbcheck --reset-well-known-acls > Checking 336 objects > Not fixing nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain > Controllers,DC=domain,DC=local > Please use --fix to fix these errors > Checked 336 objects (1 errors) > > >samba-tool dbcheck --reset-well-known-acls --fix > Checking 336 objects > Fix nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain > Controllers,DC=domain,DC=local? [y/N/all/none] y > Failed to fix attribute nTSecurityDescriptor : (65, > "objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on > entry 'CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local' > wasn't specified!") > Checked 336 objects (1 errors) > > > This is the global section of my smb.conf on DC1. Only netbios name > and dns forwarder are different on DC2. > > > # Global parameters > [global] > workgroup = DOMAIN > realm = domain.local > netbios name = DC1 > server role = active directory domain controller > dns forwarder = 192.168.200.200 > idmap_ldb:use rfc2307 = yes > log level = 1 > strict allocate = yes > acl:read=false > template shell = /bin/bash > wins support = Yes > deadtime = 10 > socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 > TCP_KEEPINTVL=10 TCP_KEEPCNT=5 > ea support = yes > store dos attributes = yes > map readonly = no > map archive = no > map system = no > map hidden = no > > I connected to both DC's with ADSI and checked rIDNextRID > > DC1: > CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local => 6247 > CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local => 0 > > DC2: > CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local => not > defined (german Nicht Festgelegt) > CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local => 6714 > > Unfortunately i was not able to change that attribute from undefined > to 0 on DC2. I want to avoid editing ldb files by guess so i'd > appreciate suggestions. > > Thanks in advance > achimHi again, So far this error does not seem to cause any trouble in the domain. DC1 is my rid Master. When I try to move the rid role to DC2 i get the follwoing error: samba-tool fsmo seize --role=rid Attempting transfer... FSMO transfer of 'rid' role successful ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify message must have elements/attributes! Afterwards the role is assigned to DC2 in samba-tool fsmo show. I get the same error when i try to move the role back to DC1. Does anyone have an clue what is going wrong here? Thanks in advance, Achim
Andrew Bartlett
2013-Aug-05 04:52 UTC
[Samba] [PATCH] Allow dbcheck to fix Rid Set records
On Sun, 2013-07-28 at 16:14 +0200, Achim Gottinger wrote:> Hi, > > I updated my two samba DC's from 4.0.3 to serner 4.0.7. Both servers run > debian wheezy and the add was created at the beginning of the year with > an classic upgrade to version 4.0.0. > Recent release notes do not provide information about required upgrade > tasks. So i ran. > samba-tool dbcheck --reset-well-known-acls. On the first DC it found a > few errors about missong members in computer groups whom where fixable > with samba-tool dbcheck --reset-well-known-acls --fix. > On my second DC however one issue remains. > > >samba-tool dbcheck --reset-well-known-acls > Checking 336 objects > Not fixing nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain > Controllers,DC=domain,DC=local > Please use --fix to fix these errors > Checked 336 objects (1 errors) > > >samba-tool dbcheck --reset-well-known-acls --fix > Checking 336 objects > Fix nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain > Controllers,DC=domain,DC=local? [y/N/all/none] y > Failed to fix attribute nTSecurityDescriptor : (65, "objectclass_attrs: > at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID > Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local' wasn't specified!") > Checked 336 objects (1 errors)The attached patch should resolve this issue. Let me know if it helps. Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-dsdb-Allow-dbcheck-to-modify-objects-missing-require.patch Type: text/x-patch Size: 1681 bytes Desc: not available URL: <http://lists.samba.org/pipermail/samba/attachments/20130805/3f4041d4/attachment.bin>