ok, I've investigated the problem more closely. First of all, I didn't mention that I have 2 domain controllers: dc (initial) and bdc (backup). Rsync command

/usr/bin/rsync -XAavz --delete-after dc:/usr/local/samba/var/locks/sysvol/* /usr/local/samba/var/locks/sysvol/

fires every 5 minutes on bdc.

However, if I try to gpupdate from bdc I get the above error. Gpupdating from dc works fine. The strangest thing is that when I try resetting sysvol on bdc I get

root@bdc:/lib/systemd/system# samba-tool ntacl sysvolreset
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Module 'acl_xattr' loaded
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
Processing section "[netlogon]"
Processing section "[sysvol]"
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol

And more repeating lines about xattrs and idmap. I think, this is due to some misconfiguration on bdc.

2015-10-03 18:46 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 03/10/15 16:20, Krutskikh Ivan wrote:
>
>> Hm, can I fix it manually? Maybe sysvolcheck stumbles on the first error
>> and misses something more severe later on.
>>
>> 2015-10-03 12:09 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>>
>>
> You need to look further, I don't think your DC is broken, I think
> sysvolcheck is broken. Try raising the log level on the DC to 10 and see if
> anything pops up in the logs, also check the logs on the connecting PCs,
> this may be a Windows error.
>
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

On 04/10/15 12:00, Krutskikh Ivan wrote:
> ok, I've investigated the problem more closely. First of all, I didn't
> mention that I have 2 domain controllers: dc (initial) and bdc (backup).
> Rsync command
>
> /usr/bin/rsync -XAavz --delete-after dc:/usr/local/samba/var/locks/sysvol/*
> /usr/local/samba/var/locks/sysvol/
>
> fires every 5 minutes on bdc.
>
> However, if I try to gpupdate from bdc I get the above error. Gpupdating
> from dc works fine. The strangest thing is that when I try resetting sysvol
> on bdc I get
>
> root@bdc:/lib/systemd/system# samba-tool ntacl sysvolreset
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Module 'acl_xattr' loaded
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service Unknown Service (snum == -1)
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service Unknown Service (snum == -1)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
>
> And more repeating lines about xattrs and idmap. I think, this is due to
> some misconfiguration on bdc.
>
> 2015-10-03 18:46 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>
>> On 03/10/15 16:20, Krutskikh Ivan wrote:
>>
>>> Hm, can I fix it manually? Maybe sysvolcheck stumbles on the first error
>>> and misses something more severe later on.
>>>
>>> 2015-10-03 12:09 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>>>
>>>
>> You need to look further, I don't think your DC is broken, I think
>> sysvolcheck is broken. Try raising the log level on the DC to 10 and see if
>> anything pops up in the logs, also check the logs on the connecting PCs,
>> this may be a Windows error.
>>
>>
>> Rowland
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>

Ok, first things first, you do not have a DC and a BDC, you have two DCs. All DCs are equal apart from the FSMO roles.

Next, the DCs are not equal if they are Samba DCs :-)
They should be, but they aren't because idmap.ldb is different on the two DCs.

Have a look here:

https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory#GID_mappings_of_built-in_groups

Rowland

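The point in the reply above, that idmap.ldb differs between Samba DCs, can be checked by comparing the SID-to-xidNumber mappings of the two databases. This is an added example, not part of the original thread and not Samba's own tooling; it assumes each idmap.ldb was dumped to LDIF text with ldbsearch, and the records and ID values below are constructed. A mismatch means the same numeric ID stands for different SIDs on the two DCs.

```python
# Added example: diff SID -> xidNumber mappings between two idmap.ldb dumps.
# Records are constructed and trimmed to the attributes this check reads.
DC_DUMP = """\
dn: CN=CONFIG
lowerBound: 3000000
xidNumber: 3000004

dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000000

dn: CN=S-1-5-32-549
objectSid: S-1-5-32-549
xidNumber: 3000001

dn: CN=S-1-5-11
objectSid: S-1-5-11
xidNumber: 3000003
"""

BDC_DUMP = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000001

dn: CN=S-1-5-32-549
objectSid: S-1-5-32-549
xidNumber: 3000000
"""

def parse_idmap(ldif):
    """Return {sid: xid}; records without objectSid (e.g. CN=CONFIG) are skipped."""
    mappings = {}
    for block in ldif.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "objectSid" in attrs and "xidNumber" in attrs:
            mappings[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mappings

def diff_idmap(first, second):
    """Return (sid, xid_first, xid_second) for every SID the two dumps disagree on."""
    a, b = parse_idmap(first), parse_idmap(second)
    return [(s, a.get(s), b.get(s)) for s in sorted(set(a) | set(b)) if a.get(s) != b.get(s)]

if __name__ == "__main__":
    for sid, on_dc, on_bdc in diff_idmap(DC_DUMP, BDC_DUMP):
        print(f"{sid}: dc={on_dc} bdc={on_bdc}")
```
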
weird, I've just transferred the idmap.ldb file from dc to bdc and tried sysvolreset. The same issue once again

2015-10-04 14:20 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 04/10/15 12:00, Krutskikh Ivan wrote:
>
>> ok, I've investigated the problem more closely. First of all, I didn't
>> mention that I have 2 domain controllers: dc (initial) and bdc (backup).
>> Rsync command
>>
>> /usr/bin/rsync -XAavz --delete-after
>> dc:/usr/local/samba/var/locks/sysvol/*
>> /usr/local/samba/var/locks/sysvol/
>>
>> fires every 5 minutes on bdc.
>>
>> However, if I try to gpupdate from bdc I get the above error. Gpupdating
>> from dc works fine. The strangest thing is that when I try resetting sysvol
>> on bdc I get
>>
>> root@bdc:/lib/systemd/system# samba-tool ntacl sysvolreset
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Module 'acl_xattr' loaded
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
>> 'force unknown acl user = true' for service Unknown Service (snum == -1)
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
>> 'force unknown acl user = true' for service Unknown Service (snum == -1)
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
>> 'force unknown acl user = true' for service sysvol
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
>> 'force unknown acl user = true' for service sysvol
>>
>> And more repeating lines about xattrs and idmap. I think, this is due to
>> some misconfiguration on bdc.
>>
>> 2015-10-03 18:46 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>>
>>> On 03/10/15 16:20, Krutskikh Ivan wrote:
>>>
>>>> Hm, can I fix it manually? Maybe sysvolcheck stumbles on the first error
>>>> and misses something more severe later on.
>>>>
>>>> 2015-10-03 12:09 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>>>>
>>>>
>>> You need to look further, I don't think your DC is broken, I think
>>> sysvolcheck is broken. Try raising the log level on the DC to 10 and see if
>>> anything pops up in the logs, also check the logs on the connecting PCs,
>>> this may be a Windows error.
>>>
>>>
>>> Rowland
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
> Ok, first things first, you do not have a DC and a BDC, you have two DCs.
> All DCs are equal apart from the FSMO roles.
>
> Next, the DCs are not equal if they are Samba DCs :-)
> They should be, but they aren't because idmap.ldb is different on the two
> DCs.
>
> Have a look here:
>
> https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory#GID_mappings_of_built-in_groups
>
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>