On 10/7/2015 7:31 AM, mourik jan c heupink wrote:
> On 7-10-2015 13:18, mourik jan c heupink wrote:
>> So my dc3 seems unsynced or so.
>>
>> So I am now checking to make sure that my rsync replication script
>> works as it should. (I'm guessing it does NOT)
>
> The rsync seems to be working as it should, so now I'm
> guessing that idmap.ldb differs between dc2/4 and dc3.
> Is there a way to check that?
>
> Is it safe to follow the instructions on the wiki page
>> https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory#GID_mappings_of_built-in_groups
>>
> for an already working DC?
>
> (as the page is about joining a brand new dc...)
>
From personal experience yes. Create a backup however in case things go
wrong.

--
-James
Hi all,

> From personal experience yes. Create a backup however in case things go
> wrong.

I did the idmap.ldb swap, but unfortunately I still get access denied on DC3.

smb.conf on dc3 is just like dc2/dc4, sysvol/netlogon shares defined exactly the same on all DCs:

> [global]
> workgroup = WRKGROUP
> realm = samba.company.com
> netbios name = DC3
> server role = active directory domain controller
>
> dns forwarder = 192.x.y.1
> allow dns updates = nonsecure
>
> log level = 3
> log file = /var/log/samba/samba.%U.%m.%I.log
>
> idmap_ldb:use rfc2307 = yes
>
>
> [netlogon]
> path = /var/lib/samba/sysvol/samba.company.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No

I am not sure what to check or do next..?
On 7-10-2015 14:52, mourik jan c heupink wrote:
> I am not sure what to check or do next..?
>
I checked filesystems, and there is a difference:

dc3 = ext4
dc4/dc2 = xfs

But ext4/xfs should both support acl and user_xattr.

Problem dc3 is mounted like:
> /dev/vda3 on /var/lib/samba type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)

I don't see the problem... But I DO get "access denied" on sysvol and netlogon on dc3.

Tips, ideas, anyone?
Hai Mourik Jan,

Here are some commands you can try.

On a "good" server, run:
getfacl -R /var/lib/samba/sysvol > sysvol.permissions-GOOD.acl

On the bad server do the same:
getfacl -R /var/lib/samba/sysvol > sysvol.permissions-BAD.acl

Diff them and see what's the difference.
And when sure it's needed, apply the "good" acl on the bad server.
But make sure your sysvol folders and files are the same (synced).

And restore command for the "bad" server:
setfacl --restore=sysvol.permissions-GOOD.acl

Greetz,
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mourik jan c
> heupink
> Sent: Wednesday 7 October 2015 14:53
> To: samba at lists.samba.org
> Subject: Re: [Samba] gpo failure
>
> Hi all,
>
> > From personal experience yes. Create a backup however in case things go
> > wrong.
>
> I did the idmap.ldb swap, but unfortunately I still get access denied on
> DC3.
>
> smb.conf on dc3 is just like dc2/dc4, sysvol/netlogon shares defined
> exactly the same on all DCs:
>
> > [global]
> > workgroup = WRKGROUP
> > realm = samba.company.com
> > netbios name = DC3
> > server role = active directory domain controller
> >
> > dns forwarder = 192.x.y.1
> > allow dns updates = nonsecure
> >
> > log level = 3
> > log file = /var/log/samba/samba.%U.%m.%I.log
> >
> > idmap_ldb:use rfc2307 = yes
> >
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/samba.company.com/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
>
> I am not sure what to check or do next..?
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
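A plain `diff` of two `getfacl -R` dumps gets noisy on a large sysvol tree. As an added example (not code from this thread), the script below parses the two dumps into per-path ACL entry sets and reports which paths exist only on one DC and which entries differ on shared paths; the two dumps are constructed samples in getfacl's output format, not real captures.

```python
from typing import Dict, Set
# Constructed sample dumps in getfacl's output format (not real captures).
# getfacl strips the leading '/' from absolute paths, so they appear relative.
GOOD_DUMP = """\
# file: var/lib/samba/sysvol
# owner: root
# group: 3000000
user::rwx
user:3000000:rwx
group::rwx
group:3000001:r-x
mask::rwx
other::---

# file: var/lib/samba/sysvol/samba.company.com/scripts
# owner: root
# group: 3000000
user::rwx
user:3000000:rwx
mask::rwx
other::---
"""
BAD_DUMP = """\
# file: var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
group::r-x
other::---
"""

def parse_getfacl(dump: str) -> Dict[str, Set[str]]:
    """Map each '# file:' path to its block's lines; owner/group comments are kept."""
    acls: Dict[str, Set[str]] = {}
    current = None
    for line in (s.strip() for s in dump.splitlines()):
        if line.startswith("# file:"):
            current = line[len("# file:"):].strip()
            acls[current] = set()
        elif line and current is not None:
            acls[current].add(line)  # ACL entry, e.g. 'user:3000000:rwx'
    return acls

def diff_acls(good: str, bad: str) -> dict:
    """Paths missing/extra on the bad side plus per-path entry differences."""
    g, b = parse_getfacl(good), parse_getfacl(bad)
    changed = {p: {"only_good": sorted(g[p] - b[p]), "only_bad": sorted(b[p] - g[p])}
               for p in sorted(set(g) & set(b)) if g[p] != b[p]}
    return {"missing_on_bad": sorted(set(g) - set(b)),
            "extra_on_bad": sorted(set(b) - set(g)), "changed": changed}
```

Because getfacl removes the leading '/' from absolute paths, the entries in the dump are relative, so `setfacl --restore` must be run from the same working directory (here `/`) the dump was taken in for the paths to resolve to the same files.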
Hi Louis,

> Diff them and see what's the difference.

I see quite some differences, yes. This is interesting.

I tried repairing them locally on DC3 using "samba-tool ntacl sysvolreset" and that worked immediately.

I was under the impression that the rsync (set up according to the wiki) should take care of keeping the sysvols in sync?? And therefore I only ran "samba-tool ntacl sysvolreset" on our 'main' DC2, and rsync should distribute it to the other DCs.

I guess I learned something MAJOR... But is this expected?

MJ