Sorry, I have omitted to post the config file.

# cat /usr/local/samba/etc/smb.conf
[global]
    workgroup = myDomain
    realm = myDomain.local
    netbios name = DCLINUX
    server role = active directory domain controller

    dsdb:schema update allowed = yes

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/rcs-rds.local/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

I have joined samba as a Domain Controller in a windows domain. Directory replication has no problems, "samba-tool drs showrepl" shows connections with other DC. Just some time to time "samba-tool show repl" gives a "NT_STATUS_IO_TIMEOUT". I don't know why.

# /usr/local/samba/bin/samba-tool drs options
Current DSA options: IS_GC

Replication of the Sysvol isn't implemented, so I manually mounted the share.

Clients connections:
# /usr/local/samba/bin/net status sessions
PID     Username   Group     Machine
-------------------------------------------------------------------
12440   3000351    3000023   ...198.200 (ipv4:..198.200:61735)
12415   3001838    users     ...227.68 (ipv4:...227.68:2647)
12320   3000376    users     ...197.38 (ipv4:...197.38:64120)
11746   3001173    3000023   ...14.46 (ipv4:...14.46:57925)

thanks!

On Wed, Mar 18, 2015 at 4:45 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

> On 18/03/15 14:40, Adriana Moga wrote:
>
> Of course, the sysvol is located on a windows controller from the forest.
>
> mount -t cifs -o username=domain_admin_user //windowsDC.myDomain.local/SYSVOL /mnt/smb/sysvol
>
> and copied the files with -R --preserve to /usr/local/samba/var/locks/sysvol/
>
> Below logs are provided from /usr/local/samba/var/log.smbd file.
>
> regards,
>
> On Wed, Mar 18, 2015 at 3:36 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>> On 18/03/15 13:17, Adriana Moga wrote:
>>
>>> Hello,
>>>
>>> I have manually mounted the SYSVOL share, sync it with samba and run
>>> samba-tool ntacl sysvolreset.
>>
>> What do you mean 'manually mounted the SYSVOL share' ? how did you do this ?
>>
>>> But I'm not sure if all windows policies are acceptable by samba because of
>>> errors logs:
>>>
>>> 2015/03/18 09:30:52.197934, 0] ../source3/smbd/oplock.c:338(oplock_timeout_handler)
>>>   Oplock break failed for file myDomain.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Registry.pol -- replying anyway
>>>
>>> [2015/03/18 10:50:01.905964, 0] ../source3/smbd/oplock.c:338(oplock_timeout_handler)
>>>   Oplock break failed for file myDomain.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf -- replying anyway
>>> STATUS=daemon 'smbd' finished starting up and ready to serve connectionsOplock break failed for file rcs-rds.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Registry.pol -- replying anyway
>>
>> What log is this from?
>>
>> Can you post your smb.conf
>>
>> Rowland
>>
>>> What troubles could give these errors?
>>>
>>> Samba version 4.1.15 - Debian 7.8 (3.2.0-4-amd64 #1 SMP Debian 3.2.65-1
>>> x86_64 GNU/Linux) is joined as a domain controller to an existing windows
>>> domain.
>>> Windows domain controllers (2003 R2, 2012R2) own FSMO roles.
>>>
>>> smbstatus:
>>>
>>> Locked files:
>>> Pid   Uid      DenyMode    Access    R/W     Oplock           SharePath  Name  Time
>>> --------------------------------------------------------------------------------------------------
>>> 9881  3001393  DENY_NONE   0x20089   RDONLY  EXCLUSIVE+BATCH  /usr/local/samba/var/locks/sysvol  myDomain/Policies/{8F6D6798-D5A0-4BED-9548-88E45918ADA0}/GPT.INI  Wed Mar 18 14:00:41 2015
>>>
>>> 4928  3001476  DENY_WRITE  0x120089  RDONLY  NONE             /usr/local/samba/var/locks/sysvol  myDomain/Policies/{7AAC2031-1B06-487B-9520-603666A7F00D}/User/Registry.pol
>>>
>>> Also, I don't know what is wrong with sysvolcheck.
>>>
>>> # /usr/local/samba/bin/samba-tool ntacl sysvolcheck
>>> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
>>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
>>>     lp)
>>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
>>>     direct_db_access)
>>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
>>>     domainsid, direct_db_access)
>>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
>>>     fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 73, in getntacl
>>>     xattr.XATTR_NTACL_NAME
>>>
>>> Thanks,
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
> This raises more questions than what it answers:
>
> Why are you doing this?
> Why do you expect it to work?
> Have you joined the samba4 machine to the domain as a secondary DC?
>
> And lastly (and for the second time of asking) can you post your smb.conf
> from the samba4 machine.
>
> Rowland

On 18/03/15 15:03, Adriana Moga wrote:
> Sorry, I have omitted to post the config file.
>
> # cat /usr/local/samba/etc/smb.conf
> [global]
>     workgroup = myDomain
>     realm = myDomain.local
>     netbios name = DCLINUX
>     server role = active directory domain controller
>
>     dsdb:schema update allowed = yes
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/rcs-rds.local/scripts
>     read only = No
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>
> I have joined samba as a Domain Controller in a windows domain.
> Directory replication has no problems, "samba-tool drs showrepl" shows
> connections with other DC. Just some time to time "samba-tool show
> repl" gives a "NT_STATUS_IO_TIMEOUT". I don't know why.
>
> # /usr/local/samba/bin/samba-tool drs options
> Current DSA options: IS_GC
>
> Replication of the Sysvol isn't implemented, so I manually mounted the
> share.
>
> Clients connections:
> # /usr/local/samba/bin/net status sessions
> PID     Username   Group     Machine
> -------------------------------------------------------------------
> 12440   3000351    3000023   ...198.200 (ipv4:..198.200:61735)
> 12415   3001838    users     ...227.68 (ipv4:...227.68:2647)
> 12320   3000376    users     ...197.38 (ipv4:...197.38:64120)
> 11746   3001173    3000023   ...14.46 (ipv4:...14.46:57925)
>
> thanks!

OK, I understand a bit better now, you are mounting sysvol from the windows server, copying it to the correct position and then trying to reset the ACLs with samba-tool, I am not sure this is going to work and as I don't have a windows server, I cannot try it.

What I have found is this post on the samba mailing list:
https://lists.samba.org/archive/samba/2013-April/173003.html

The script shown is a bit basic, but should work, main problem as far as I can see, what if it doesn't work, you could lose everything in sysvol on the samba4 DC.

If you are interested, I have re-written it with much more error checking and you are welcome to a copy, but note, I cannot test it and you will use it at your own risk.

Rowland

Thanks Rowland, maybe I will test the script in the lab. The samba server is in production already.

What Andreas proposed, "oplocks = no" and "level2 oplocks = no", solved the problem.

Many thanks!

On Wed, Mar 18, 2015 at 6:29 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

> OK, I understand a bit better now, you are mounting sysvol from the
> windows server, copying it to the correct position and then trying to reset
> the ACLs with samba-tool, I am not sure this is going to work and as I
> don't have a windows server, I cannot try it.
>
> What I have found is this post on the samba mailing list:
> https://lists.samba.org/archive/samba/2013-April/173003.html
>
> The script shown is a bit basic, but should work, main problem as far as I
> can see, what if it doesn't work, you could lose everything in sysvol on
> the samba4 DC.
>
> If you are interested, I have re-written it with much more error checking
> and you are welcome to a copy, but note, I cannot test it and you will use
> it at your own risk.
>
> Rowland
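
One way to check that the oplock change reported in this thread actually cleared the symptom is to count the "Oplock break failed" entries in log.smbd per file and per GPO before and after the change. The script below is an added example, not part of the original posts or of Samba; the function names are hypothetical and the sample log is constructed from the excerpts quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample: the three entries quoted in the thread (one header pasted
# without "[", one failure glued onto the STATUS line) plus one made-up repeat.
SAMPLE_LOG = """\
2015/03/18 09:30:52.197934, 0] ../source3/smbd/oplock.c:338(oplock_timeout_handler)
  Oplock break failed for file myDomain.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Registry.pol -- replying anyway
[2015/03/18 10:50:01.905964, 0] ../source3/smbd/oplock.c:338(oplock_timeout_handler)
  Oplock break failed for file myDomain.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf -- replying anyway
STATUS=daemon 'smbd' finished starting up and ready to serve connectionsOplock break failed for file rcs-rds.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Registry.pol -- replying anyway
[2015/03/18 11:02:13.000000, 0] ../source3/smbd/oplock.c:338(oplock_timeout_handler)
  Oplock break failed for file myDomain.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Registry.pol -- replying anyway
"""

# Timestamp at the start of an smbd log header; the "[" is optional so a
# header pasted without it still parses.
HEADER = re.compile(r"^\[?(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*\d+\]")
# The path runs up to the fixed suffix, so names containing spaces stay intact.
FAILED = re.compile(r"Oplock break failed for file (.+?) -- replying anyway")
GPO_GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def oplock_failures(log_text):
    """Return [(timestamp, path), ...] for each failed oplock break."""
    events, stamp = [], None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            stamp = header.group(1)
            continue
        # search(), not match(): the message may follow other text on the line
        failed = FAILED.search(line)
        if failed:
            events.append((stamp, failed.group(1)))
    return events


def summarize(events):
    """Count failures per file and per GPO GUID found in the path."""
    by_file = Counter(path for _, path in events)
    by_gpo = Counter()
    for _, path in events:
        guid = GPO_GUID.search(path)
        if guid:
            by_gpo[guid.group(0).upper()] += 1
    return by_file, by_gpo


if __name__ == "__main__":
    files, gpos = summarize(oplock_failures(SAMPLE_LOG))
    for path, count in files.most_common():
        print(count, path)
```

An entry that has no header of its own, like the one glued onto the STATUS line, is reported with the timestamp of the last header seen.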