Hello,
Thanks for accepting me on the list, I hope to learn and contribute
according to my knowledge.
My main dc is samba 4.4.5 on centos 7.
I am installing a secondary dc with samba 4.7 and had the following problems:
main dc:
samba-tool ntacl sysvolreset:

    open: error=2 (No such file or directory)
    ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
      File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
        lp, use_ntvfs=use_ntvfs)
      File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1618, in setsysvolacl
        set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
      File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1523, in set_gpos_acl
        passdb=passdb)
      File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1486, in set_dir_acl
        setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
      File "/usr/local/samba/lib64/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
        smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

This error appears on both servers after copying the sysvol directory.
How could I repair the sysvol?
When trying to replicate the dns with bind, I get errors from zones
that apparently were poorly replicated from windows server.
Trying to delete them with samba tool I get errors that indicate dns
is not available.
How can I delete records directly from the samba database?
Best regards,
Santiago.
--
Santiago Londoño Mejía
Infrastructure Analyst
t. (574) 605 25 23 ext. 1232
m. (57) 3148332567
Medellín | Carrera 50 C #10 Sur 80
Bogotá | Medellín | Cali
www.pragma.com.co
--
This message is confidential. It may contain privileged information belonging
to PRAGMA S.A. and/or its clients, contractors, directors, employees and
advisers, and therefore must not be used or disclosed by anyone other than its
intended recipient. If you receive this message through error, mistake or
omission, please delete it and notify the sender.
Its retention, recording, use or disclosure for any purpose is prohibited.
This message has been scanned by antivirus programs. Nevertheless, PRAGMA S.A.
assumes no responsibility for any damage caused by the receipt and use of this
material; it is the recipient's responsibility to verify by their own means the
existence of viruses or other defects.
The opinions, conclusions and other information contained in this e-mail that
are not related to the official business of PRAGMA S.A. must be understood as
personal and are in no way endorsed by the Company.

On Tue, 14 Mar 2017 14:48:17 -0500 Santiago Londoño Mejía via samba <samba at lists.samba.org> wrote:

> Hello,
> Thanks for accepting me on the list, I hope to learn and contribute
> according to my knowledge.
>
> My main dc is samba 4.4.5 on centos 7.
> I am installing a secondary dc with samba 4.7 And had the following
> problems: main dc:
> samba-tool ntacl sysvolreset:
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined
> error') File

OK, your policies are in AD and stored in sysvol and I think a policy
is being searched for in sysvol and not being found.

> This error appears on both servers after copying the sysvol directory

How did you copy sysvol ?

> ¿How could repair the sysvol?

You could set up a new domain in a vm and then copy the missing (if
any) default policies.

> When trying to replicate the dns with bind, i get errors from zones
> that apparently were poorly replicated from windows server.

You are going to have to give us more info here, how is bind set up for
instance.

> Trying to delete them with samba tool I get errors that indicate dns
> is not available.

How are you trying to delete them.

> How can i delete records directly from the samba database?

Do not even try this.

Can you also post your smb.conf files

Rowland

> Best regards,
>
> Santiago.

Here we go again, I think it would be easier extracting teeth without
anaesthetic ;-)

> I copied the sysvol using rsync

How did you run rsync, what actual command did you use ??

> Another sysadmin has configured bind without using the integration
> with samba, this is the problem.

That is not what I asked and it sounds like Bind has been setup
incorrectly, it should be integrated with Samba, I suggest you post
your Bind conf files.

> I can not use the mmc plugin to manage the dns, must do it directly
> in the bind configuration files.

You should be able to use the mmc, probably got something to do with
your Bind setup.

> How could repair the dns database to use integration with bind?

I do not know, mostly because I do not know how you have set up Bind.

Can you please post your smb.conf

Rowland

Hello,
Sorry for the few details.
rsync:

    rsync -h -a -v /usr/local/samba/var/locks/sysvol/pragma.com.co/ root@server2:/usr/local/samba/var/locks/sysvol/pragma.com.co/

first dc smb.conf:

    [global]
        tls verify peer = no_check
        ldap server require strong auth = no
        netbios name = NEPTUNO
        realm = PRAGMA.COM.CO
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = PRAGMA
        server role = active directory domain controller
        # interfaces = en160 en160:0 lo
        wins support = Yes
        name resolve order = wins lmhosts hosts bcast

    [netlogon]
        path = /usr/local/samba/var/locks/sysvol/pragma.com.co/scripts
        read only = No

    [sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

    #[Users]
    # directory_mode: parameter = 0700
    # read only = no
    # path = /Users

named.conf:

    options {
        // tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
        listen-on port 53 { 127.0.0.1; any; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; any; };
        allow-update { localhost; any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        // dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        forwarders {
            8.8.8.8;
            8.8.4.4;
        };
    };

    logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "pragma.com.co" {
        type master;
        file "dynamic/pragma.com.co";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    //include "/usr/local/samba/private/named.conf";

Best regards,
Santiago.
Thank you very much for your help

2017-03-14 16:19 GMT-05:00, Rowland Penny via samba <samba at lists.samba.org>:
>
> Here we go again, I think it would be easier extracting teeth without
> anaesthetic ;-)
>
>> I copied the sysvol using rsync
>
> How did you run rsync, what actual command did you use ??
>
>> Another sysadmin has configured bind without using the integration
>> with samba, this is the problem.
>
> That is not what I asked and it sounds like Bind has been setup
> incorrectly, it should be integrated with Samba, I suggest you post
> your Bind conf files.
>
>> I can not use the mmc plugin to manage the dns, must do it directly
>> in the bind configuration files.
>
> You should be able to use the mmc, probably got something to do with
> your Bind setup.
>
>> How could repair the dns database to use integration with bind?
>
> I do not know, mostly because I do not know how you have set up Bind.
>
> Can you please post your smb.conf
>
> Rowland
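
Added example, not part of the thread and not Samba or BIND tooling: a small Python audit of the configuration posted above. It flags the two commented-out lines that Rowland's point about Bind integration turns on (tkey-gssapi-keytab and the Samba named.conf include), along with the permissive allow-update, the open recursion, and the relaxed TLS/LDAP options in smb.conf. The function names and the embedded excerpts are constructed for illustration, and the comment stripping is a simplification that assumes no "//" or "#" inside quoted strings.

```python
import re

# Constructed excerpts of the named.conf and smb.conf posted above (not the full files).
NAMED_CONF = '''options {
  // tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
  allow-query { localhost; any; };
  allow-update { localhost; any; };
  recursion yes;
};
//include "/usr/local/samba/private/named.conf";
'''
SMB_CONF = '''[global]
  tls verify peer = no_check
  ldap server require strong auth = no
'''

def strip_comments(text):
    """Remove /* */, // and # comments so disabled directives do not count."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def acl(name, conf):
    """Elements of an address-match list such as allow-update, or None if unset."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), conf)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def audit_named(text):
    conf, out = strip_comments(text), []
    if "any" in (acl("allow-update", conf) or []):
        out.append("allow-update any: unauthenticated dynamic updates accepted")
    # With allow-recursion and allow-query-cache unset, BIND inherits allow-query.
    inherited = acl("allow-recursion", conf) is None and acl("allow-query-cache", conf) is None
    if re.search(r"\brecursion\s+yes\s*;", conf) and inherited and "any" in (acl("allow-query", conf) or []):
        out.append("open resolver: recursion yes with allow-query any")
    if "tkey-gssapi-keytab" not in conf:
        out.append("tkey-gssapi-keytab unset: no Kerberos-signed updates")
    if not re.search(r'\binclude\s+"[^"]*/samba/[^"]*named\.conf"', conf):
        out.append("Samba named.conf not included: zones are not served from AD")
    return out

def audit_smb(text):
    # Both values relax Samba defaults: no TLS peer verification, unprotected LDAP binds.
    weak = {"tls verify peer": "no_check", "ldap server require strong auth": "no"}
    opts = dict(re.findall(r"^\s*([^#;=\[\n]+?)\s*=\s*(.*?)\s*$", text, flags=re.M))
    return ["%s = %s" % (k, v) for k, v in weak.items() if opts.get(k) == v]

if __name__ == "__main__":
    for finding in audit_named(NAMED_CONF) + audit_smb(SMB_CONF):
        print("WARN", finding)
```
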