Stephan Mattecka
2015-May-26 09:42 UTC
[Samba] [SAMBA] Problems with joining a second DC to AD
Sent: Thursday, 21 May 2015 at 19:06
From: "Rowland Penny" <rowlandpenny at googlemail.com>
To: samba at lists.samba.org
Subject: Re: [Samba] [SAMBA] Problems with joining a second DC to AD

On 21/05/15 17:41, Stephan Mattecka wrote:
> Hi Rowland and Louis,
>
> I did try both of your suggestions, but nothing changed on DC2. I did check all the DNS-settings (resolv.conf and hosts), so that I don't think that this is the reason for the error-messages.
>
> I did set the loglevel to 5 and will try to find the differences between both machines. These are just virtual machines to test the building of an AD-Domain before using it in real life.
>
> Regards
> Stephan
>
> Sent: Thursday, 21 May 2015 at 10:39
> From: "L.P.H. van Belle" <belle at bazuin.nl>
> To: "samba at lists.samba.org" <samba at lists.samba.org>
> Subject: Re: [Samba] [SAMBA] Problems with joining a second DC to AD
> Hai,
>
> I hope, your domain is not .lan ( reserved name for mDNS )
> can be used, but can give problems.
>
> in smb.conf
> change :
> interfaces = lo, eth0
> to
> interfaces = lo, IP_of_eth0
>
> and make sure your /etc/hosts and /etc/resolv.conf on DC2 are correct.
> make sure you have in /etc/resolv.conf on DC2.
> search example.lan
> nameserver IP_OF_DC1
>
> and try again.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: ste-fun_s at gmx.de [mailto:samba-bounces at lists.samba.org]
>> On behalf of Stephan Mattecka
>> Sent: Thursday, 21 May 2015 9:18
>> To: samba at lists.samba.org
>> Subject: [Samba] [SAMBA] Problems with joining a second DC to AD
>>
>> Hello,
>>
>> I try to setup an AD-Domain with the help of Sernet-Samba
>> packages. Currently I'm using Scientific Linux (SL) 6.6 and
>> Sernet-Samba 4.1.17 packages. I tried the procedure two times
>> with fresh minimal SL installations.
>>
>> I could successfully install an AD-Domain-Controller.
>> Now I tried to add a second DC to this AD-Domain and followed
>> carefully the instructions at the samba wiki.
>> I could also join the second DC to my domain, but when I try to run
>>
>> samba-tool ntacl sysvolreset
>>
>> on the 2nd DC I get the following error messages:
>>
>> open: error=2 (No such file or directory)
>> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 218, in run
>>     lp, use_ntvfs=use_ntvfs)
>>   File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1612, in setsysvolacl
>>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>>   File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1505, in set_gpos_acl
>>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>>   File "/usr/lib64/python2.6/site-packages/samba/ntacls.py", line 154, in setntacl
>>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
>>
>> My smb.conf on DC1:
>>
>> # Global parameters
>> [global]
>>     workgroup = EXAMPLE
>>     realm = EXAMPLE.LAN
>>     netbios name = DC1
>>     interfaces = lo, eth0
>>     bind interfaces only = Yes
>>     server role = active directory domain controller
>>     idmap_ldb:use rfc2307 = yes
>> [netlogon]
>>     path = /var/lib/samba/sysvol/pentracor.lan/scripts
>>     read only = No
>> [sysvol]
>>     path = /var/lib/samba/sysvol
>>     read only = No
>>
>> smb.conf on DC2:
>>
>> # Global parameters
>> [global]
>>     workgroup = EXAMPLE
>>     realm = example.lan
>>     netbios name = DC2
>>     interfaces = lo, eth1
>>     bind interfaces only = Yes
>>     server role = active directory domain controller
>> [netlogon]
>>     path = /var/lib/samba/sysvol/example.lan/scripts
>>     read only = No
>> [sysvol
>>     path = /var/lib/samba/sysvol
>>     read only = No
>>
>> I did turn off iptables and SELinux on both machines for
>> testing purposes. The folder /var/lib/samba/sysvol exists on
>> DC2. On DC1 I can run the sysvolreset command without any problems.
>>
>> Hopefully someone has an idea what might be wrong here.
>>
>> Regards
>> Stephan Mattecka
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
> OK, try commenting out the interfaces lines, restart samba on both
> machines and see how you go on.
>
> I do not know if you are trying in any way to sync sysvol between the 2
> DCs, if you are this could give you a problem, as idmap.ldb is different
> between the DCs, the workaround is to copy idmap.ldb from the first DC
> to the second and run sysvolreset, but this is where we came in :-D
>
> Can you post the command you used to provision the first DC and the
> command you used to join the second DC to the first.
>
> Rowland

Hello Rowland,

I did comment the interfaces lines but nothing changed for the sysvolcheck on dc2.
I also get an error message for ntacl sysvolcheck. The loglevel 5 output is the following (for sysvolcheck in this case, I deleted some lines about loglevels being 5):

INFO: Current debug levels:
  all: 5
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
schema_fsmo_init: we are master[no] updates allowed[no]
schema_fsmo_init: we are master[no] updates allowed[no]
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = EXAMPLE
doing parameter realm = example.lan
doing parameter netbios name = DC2
doing parameter server role = active directory domain controller
doing parameter log level = 5
INFO: Current debug levels:
  all: 5
doing parameter idmap_ldb:use rfc2307 = yes
Processing section "[netlogon]"
doing parameter path = /var/lib/samba/sysvol/example.lan/scripts
doing parameter read only = No
Processing section "[sysvol]"
doing parameter path = /var/lib/samba/sysvol
doing parameter read only = No
pm_process() returned Yes
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend wbc_sam
Successfully added passdb backend 'wbc_sam'
Attempting to register passdb backend samba_dsdb
Successfully added passdb backend 'samba_dsdb'
Attempting to register passdb backend samba4
Successfully added passdb backend 'samba4'
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend IPA_ldapsam
Successfully added passdb backend 'IPA_ldapsam'
Attempting to find a passdb backend to match samba_dsdb:tdb:///var/lib/samba/private/sam.ldb (samba_dsdb)
Found pdb backend samba_dsdb
ldb_wrap open of idmap.ldb
pdb backend samba_dsdb:tdb:///var/lib/samba/private/sam.ldb has a valid init
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
    direct_db_access)
  File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/lib64/python2.6/site-packages/samba/ntacls.py", line 73, in getntacl
    xattr.XATTR_NTACL_NAME)

For provisioning and joining I followed strictly the HowTos on the samba Wiki. I used the following commands:

samba-tool domain provision --use-rfc2307 --interactive --option="interfaces=lo eth0" --option="bind interfaces only=yes" (provisioning on DC1)

samba-tool domain join example.lan DC -Uadministrator --realm=example.lan --dns-backend=SAMBA_INTERNAL --option="interfaces=lo eth0" --option="bind interfaces only=yes" (joining DC2)

I just came to the problem because I wanted to sync the sysvol between the two DCs. But then I got this error-message on DC2.
My first thought was that something was wrong with the imported file, so I started the procedure again, to see if I get the same error-message without importing the data from DC1.

Regards
Stephan
Rowland Penny
2015-May-26 11:31 UTC
[Samba] [SAMBA] Problems with joining a second DC to AD
On 26/05/15 10:42, Stephan Mattecka wrote:
> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 249, in run
>     lp)
>   File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
>     fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>   File "/usr/lib64/python2.6/site-packages/samba/ntacls.py", line 73, in getntacl
>     xattr.XATTR_NTACL_NAME)

Strange, it seems to be saying that you do not have sysvol directory.

What does 'ls -la /var/lib/samba/sysvol/' show ?

and 'getfacl /var/lib/samba/sysvol'

Rowland
Stephan Mattecka
2015-May-26 11:51 UTC
[Samba] [SAMBA] Problems with joining a second DC to AD
> Sent: Tuesday, 26 May 2015 at 13:31
> From: "Rowland Penny" <rowlandpenny at googlemail.com>
> To: "Stephan Mattecka" <ste-fun_s at gmx.de>
> Cc: samba at lists.samba.org
> Subject: Re: Aw: Re: [Samba] [SAMBA] Problems with joining a second DC to AD
>
> Strange, it seems to be saying that you do not have sysvol directory.
>
> What does 'ls -la /var/lib/samba/sysvol/' show ?
>
> and 'getfacl /var/lib/samba/sysvol'
>
> Rowland

[root at dc2 ~]# ls -alh /var/lib/samba/sysvol/
total 20K
drwxrwx---+  3 root 3000000 4.0K May 26 10:37 .
drwxr-xr-x. 10 root root    4.0K May 20 15:28 ..
drwxrwx---+  4 root 3000000 4.0K May 21 14:51 example.lan
[root at dc2 ~]# getfacl /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

I did even try to copy the Policies folder from DC1 to DC2 because I thought this might be the missing folder, but this also does not help.

Stephan
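
Added example, not part of the thread and not Samba code: the sysvol ACL above lists numeric IDs (3000000 to 3000003), and the thread notes that idmap.ldb differs between DCs, so the same number can carry different rights on each DC once sysvol is copied across. The script parses `getfacl` output and diffs the ACL of two DCs; the DC1 listing is constructed by swapping two IDs in the DC2 output posted above, and all function names are hypothetical.

```python
import re

# getfacl output for /var/lib/samba/sysvol on DC2, as posted in the thread.
DC2_GETFACL = """\
# file: var/lib/samba/sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
"""

ENTRY = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")
HEADER = re.compile(r"^#\s*(owner|group):\s*(\S+)$")


def swap_ids(text, a, b):
    """Build a constructed listing in which IDs a and b trade places."""
    return text.replace(a, "\0").replace(b, a).replace("\0", b)


# CONSTRUCTED sample, not from the thread: stands in for DC1, where the
# accounts behind 3000001 and 3000002 are assumed to be mapped the other way.
DC1_GETFACL_CONSTRUCTED = swap_ids(DC2_GETFACL, "3000001", "3000002")


def parse_getfacl(text):
    """Return owner, group and entries; entries maps
    (is_default, tag, qualifier) -> permission string."""
    acl = {"owner": None, "group": None, "entries": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = HEADER.match(line)
            if m:
                acl[m.group(1)] = m.group(2)
            continue
        # getfacl may append "#effective:..." after an entry; drop it.
        line = line.split("#", 1)[0].strip()
        m = ENTRY.match(line)
        if m is None:
            raise ValueError("unrecognised getfacl line: %r" % raw)
        is_default, tag, qualifier, perms = m.groups()
        acl["entries"][(bool(is_default), tag, qualifier)] = perms
    return acl


def unmapped_ids(acl):
    """Numeric owners and qualifiers: IDs getfacl printed without a name."""
    ids = {q for (_, _, q) in acl["entries"] if q.isdigit()}
    ids.update(v for v in (acl["owner"], acl["group"]) if v and v.isdigit())
    return sorted(ids)


def diff_acls(a, b):
    """List (entry, perms_in_a, perms_in_b) for every entry that differs."""
    out = []
    for key in sorted(set(a["entries"]) | set(b["entries"])):
        pa, pb = a["entries"].get(key), b["entries"].get(key)
        if pa != pb:
            is_default, tag, qualifier = key
            label = ("default:" if is_default else "") + tag + ":" + qualifier
            out.append((label, pa, pb))
    return out


if __name__ == "__main__":
    dc1 = parse_getfacl(DC1_GETFACL_CONSTRUCTED)
    dc2 = parse_getfacl(DC2_GETFACL)
    print("numeric IDs on DC2:", ", ".join(unmapped_ids(dc2)))
    for label, p1, p2 in diff_acls(dc1, dc2):
        print("%-24s DC1=%s DC2=%s" % (label, p1, p2))
```

To use it on real data, save the output of `getfacl /var/lib/samba/sysvol` from each DC and pass the two texts to `parse_getfacl`; an empty diff only shows the numbers agree, not that they map to the same SIDs.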