Adam Tauno Williams
2014-Aug-12 14:02 UTC
[Samba] Sysvol "incorrect parameter" on some new DC's
I have a site with a working Samba4 AD domain with a single DC. It works.

I've added three new DCs to the domain [using the SerNet packages for 4.0.21]. The intention is to then demote the old, original Samba4 DC.

But problems exist for netlogon/sysvol. One of the new DCs - the second one added - works, clients can access netlogon & sysvol.

However the other two DCs have ACL errors on their sysvol & netlogon volumes.

~> smbclient -U XXXXX -W XXXXXX \\\\DC4.example.com\\netlogon
Enter XXXXXX password:
Domain=[BACKBONE] OS=[Unix] Server=[Samba 4.0.21-SerNet-RedHat-7.el6]
smb: \> ls
NT_STATUS_INVALID_ACL listing \*

Windows 7 clients see a "The parameter is incorrect" message.

All three servers have sysvol contents that were rsync'd from the original DC in the same manner.

On a DC where the sysvol does *not* work, the ntacl check seems to complete without errors.

[root at HOST ~]# samba-tool ntacl sysvolreset
Please note that POSIX permissions have NOT been changed, only the stored NT ACL
[root at HOST ~]# samba-tool ntacl sysvolcheck

--
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
Adam Tauno Williams
2014-Aug-12 14:51 UTC
[Samba] Sysvol "incorrect parameter" on some new DC's
On Tue, 2014-08-12 at 10:02 -0400, Adam Tauno Williams wrote:
> I have a site with a working Samba4 AD domain with a single DC. It
> works.
> I've added three new DCs to the domain [using the SerNet packages for
> 4.0.21]. The intention is to then demote the old, original Samba4 DC.
> But problems exist for netlogon/sysvol. One of the new DCs - the second
> one added - works, clients can access netlogon & sysvol.
> However the other two DCs have ACL errors on their sysvol & netlogon
> volumes.
> ~> smbclient -U XXXXX -W XXXXXX \\\\DC4.example.com\\netlogon
> Enter XXXXXX password:
> Domain=[BACKBONE] OS=[Unix] Server=[Samba 4.0.21-SerNet-RedHat-7.el6]
> smb: \> ls
> NT_STATUS_INVALID_ACL listing \*
> Windows 7 clients see a "The parameter is incorrect" message.
> All three servers have sysvol contents that were rsync'd from the
> original DC in the same manner.
> On a DC where the sysvol does *not* work, the ntacl check seems to
> complete without errors.
> [root at HOST ~]# samba-tool ntacl sysvolreset
> Please note that POSIX permissions have NOT been changed, only the
> stored NT ACL

So if I do a sysvolreset immediately following the rsync now the client appears to be able to connect - but I have to do that reset every time sysvol is updated.

--
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA