Guilherme Boing
2015-Oct-13 14:27 UTC
[Samba] Second DC doesn't recognize users/groups on getent
Yup, compiled it myself and did not change the path.
The query to the ldb returned the same thing on both DC1 and DC2.

DNS and /etc/hosts are also fine, DC1 dns points to DC2 and DC2 to DC1.
Everything seems to be completely fine...

I was looking into this issue because I was doing the sysvol replication and noticed that the sysvol path had a '300000' as the group owner on DC2, where on DC1 30000 translates to 'BUILTIN\administrators'.

DC1:
drwxrwx---+ 3 root BUILTIN\administrators 31 Ago 24 08:01 sysvol

DC2:
drwxrwx---+ 3 root 3000000 31 Aug 24 08:02 sysvol

(SELinux is disabled btw)

Not sure if this is going to break anything or not.

@mathias,

I didn't forget to join, otherwise the DC wouldn't work. The DC2 *seems* to be working just fine.
showrepl doesn't pop up any error and it is listed as a Domain Controller on ADUC.

On Tue, Oct 13, 2015 at 11:10 AM, Sketch <smblist at rednsx.org> wrote:

> On Tue, 13 Oct 2015, Guilherme Boing wrote:
>
>> I should also mention that Samba 4.3.0 was installed from tarball, I compiled it myself.
>>
>> DC2 does not have the /var/lib/samba/private/sam.ldb file. Also it did not return any result on DC1.
>>
>> I wonder why DC1 has the /var/lib/samba/private/sam.ldb file and DC2 does not.
>
> If you compiled it yourself and didn't change the path, the default path for the private dir is /usr/local/samba/private. Most distributions/packagers use /var/lib/samba/private instead.
>
> The only other thing beyond what's already been suggested to check that I can think of is to make sure /etc/hosts and /etc/resolv.conf are set up properly. Make sure your hostname points to your DNS IP and not 127.0.0.1 in /etc/hosts, and make sure /etc/resolv.conf points at your domain controllers' DNS. DC2 should point to DC1 as its first DNS server (and vice versa, once DC2 is working properly).
mathias dufresne
2015-Oct-13 14:48 UTC
[Samba] Second DC doesn't recognize users/groups on getent
Yep, I understood reading Sketch's mail, my bad, I replied too quickly while doing something else...

2015-10-13 16:27 GMT+02:00 Guilherme Boing <kolt+samba at frag.com.br>:

> Yup, compiled it myself and did not change the path.
> The query to the ldb returned the same thing on both DC1 and DC2.
>
> DNS and /etc/hosts are also fine, DC1 dns points to DC2 and DC2 to DC1.
> Everything seems to be completely fine...
>
> I was looking into this issue because I was doing the sysvol replication and noticed that the sysvol path had a '300000' as the group owner on DC2, where on DC1 30000 translates to 'BUILTIN\administrators'.
>
> DC1:
> drwxrwx---+ 3 root BUILTIN\administrators 31 Ago 24 08:01 sysvol
>
> DC2:
> drwxrwx---+ 3 root 3000000 31 Aug 24 08:02 sysvol
>
> (SELinux is disabled btw)
>
> Not sure if this is going to break anything or not.
>
> @mathias,
>
> I didn't forget to join, otherwise the DC wouldn't work. The DC2 *seems* to be working just fine.
> showrepl doesn't pop up any error and it is listed as a Domain Controller on ADUC.
>
> On Tue, Oct 13, 2015 at 11:10 AM, Sketch <smblist at rednsx.org> wrote:
>
>> On Tue, 13 Oct 2015, Guilherme Boing wrote:
>>
>>> I should also mention that Samba 4.3.0 was installed from tarball, I compiled it myself.
>>>
>>> DC2 does not have the /var/lib/samba/private/sam.ldb file. Also it did not return any result on DC1.
>>>
>>> I wonder why DC1 has the /var/lib/samba/private/sam.ldb file and DC2 does not.
>>
>> If you compiled it yourself and didn't change the path, the default path for the private dir is /usr/local/samba/private. Most distributions/packagers use /var/lib/samba/private instead.
>>
>> The only other thing beyond what's already been suggested to check that I can think of is to make sure /etc/hosts and /etc/resolv.conf are set up properly. Make sure your hostname points to your DNS IP and not 127.0.0.1 in /etc/hosts, and make sure /etc/resolv.conf points at your domain controllers' DNS. DC2 should point to DC1 as its first DNS server (and vice versa, once DC2 is working properly).
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Oct-13 15:10 UTC
[Samba] Second DC doesn't recognize users/groups on getent
On 13/10/15 15:48, mathias dufresne wrote:

> Yep, I understood reading Sketch's mail, my bad, I replied too quickly while doing something else...
>
> 2015-10-13 16:27 GMT+02:00 Guilherme Boing <kolt+samba at frag.com.br>:
>
>> Yup, compiled it myself and did not change the path.
>> The query to the ldb returned the same thing on both DC1 and DC2.
>>
>> DNS and /etc/hosts are also fine, DC1 dns points to DC2 and DC2 to DC1.
>> Everything seems to be completely fine...
>>
>> I was looking into this issue because I was doing the sysvol replication and noticed that the sysvol path had a '300000' as the group owner on DC2, where on DC1 30000 translates to 'BUILTIN\administrators'.
>>
>> DC1:
>> drwxrwx---+ 3 root BUILTIN\administrators 31 Ago 24 08:01 sysvol
>>
>> DC2:
>> drwxrwx---+ 3 root 3000000 31 Aug 24 08:02 sysvol
>>
>> (SELinux is disabled btw)
>>
>> Not sure if this is going to break anything or not.
>>
>> @mathias,
>>
>> I didn't forget to join, otherwise the DC wouldn't work. The DC2 *seems* to be working just fine.
>> showrepl doesn't pop up any error and it is listed as a Domain Controller on ADUC.
>>
>> On Tue, Oct 13, 2015 at 11:10 AM, Sketch <smblist at rednsx.org> wrote:
>>
>>> On Tue, 13 Oct 2015, Guilherme Boing wrote:
>>>
>>>> I should also mention that Samba 4.3.0 was installed from tarball, I compiled it myself.
>>>>
>>>> DC2 does not have the /var/lib/samba/private/sam.ldb file. Also it did not return any result on DC1.
>>>>
>>>> I wonder why DC1 has the /var/lib/samba/private/sam.ldb file and DC2 does not.
>>>
>>> If you compiled it yourself and didn't change the path, the default path for the private dir is /usr/local/samba/private. Most distributions/packagers use /var/lib/samba/private instead.
>>>
>>> The only other thing beyond what's already been suggested to check that I can think of is to make sure /etc/hosts and /etc/resolv.conf are set up properly. Make sure your hostname points to your DNS IP and not 127.0.0.1 in /etc/hosts, and make sure /etc/resolv.conf points at your domain controllers' DNS. DC2 should point to DC1 as its first DNS server (and vice versa, once DC2 is working properly).

OK, so you compiled samba yourself, this means that (unless you told configure otherwise) everything ends up in /usr/local/samba, that's why your path to sam.ldb is different to mine.

Anyway, if you have the same info in AD on both DCs (as you should) and you are getting different results on each DC, then this is very probably not going to be a Samba problem. You need to compare the setup on the DCs to see where, if anywhere, they differ.

Rowland
On Tue, 13 Oct 2015, Guilherme Boing wrote:

> I was looking into this issue because I was doing the sysvol replication and noticed that the sysvol path had a '300000' as the group owner on DC2, where on DC1 30000 translates to 'BUILTIN\administrators'.
>
> DC1:
> drwxrwx---+ 3 root BUILTIN\administrators 31 Ago 24 08:01 sysvol
>
> DC2:
> drwxrwx---+ 3 root 3000000 31 Aug 24 08:02 sysvol
>
> (SELinux is disabled btw)
>
> Not sure if this is going to break anything or not.

I'm not sure if it will actually break anything, I believe it will just cause spurious warnings in group policy editor (this was the only ill effect I actually observed). It's because the built-in group IDs are not synchronized between DCs. The wiki describes how to manually copy them from one DC to any others to fix this problem: https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory#GID_mappings_of_built-in_groups
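One way to confirm the unsynchronized built-in group IDs described in the reply above, as an added example that is not part of this thread or of Samba itself: dump the sidMap records of idmap.ldb on each DC with ldbsearch and compare the xidNumber each DC assigned to the same SID. The /usr/local/samba/private path assumes a self-compiled Samba as in this thread, the two LDIF dumps are constructed, and the text form of objectSid in ldbsearch output is assumed.

```python
"""Compare idmap.ldb SID -> xidNumber mappings dumped from two Samba AD DCs.
Added example, not from the thread. Input is what ldbsearch prints on each DC with
  ldbsearch -H /usr/local/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber
(private dir of a self-compiled Samba). Both dumps below are constructed."""
import re

# Constructed DC1 dump: BUILTIN\Administrators (S-1-5-32-544) got xid 3000000.
DC1_DUMP = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000000

dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
xidNumber: 3000001
"""

# Constructed DC2 dump: xids allocated in another order, so gid 3000000 is a different group.
DC2_DUMP = """\
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
xidNumber: 3000000

dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000001

dn: CN=S-1-5-32-549
objectSid: S-1-5-32-549
xidNumber: 3000002
"""

def parse_idmap(ldif):
    """Return {objectSid: xidNumber}; records are blank-line separated, '#' lines ignored."""
    mapping = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in record.splitlines():
            if ":" in line and not line.startswith("#"):
                key, value = line.split(":", 1)
                attrs[key.strip()] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def diff_idmaps(dc1, dc2):
    """Return (mismatched, only_dc1, only_dc2); non-empty means the DCs disagree on an id."""
    common = dc1.keys() & dc2.keys()
    mismatched = {s: (dc1[s], dc2[s]) for s in sorted(common) if dc1[s] != dc2[s]}
    return mismatched, sorted(dc1.keys() - common), sorted(dc2.keys() - common)
```

Every SID reported as mismatched is one whose numeric owner on disk (sysvol included) resolves to a different name on each DC, which is exactly what the bare gid in the ls output above shows; the wiki procedure linked in the reply copies those mappings from the first DC so both agree.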