Sina Owolabi
2017-Nov-13 23:12 UTC
[Samba] Setting up Second Samba DC samba-tool ntacl sysvolreset fails
Hi Rowland
I removed the winbind lines, and added the 'idmap_ldb:use rfc2307 yes'
line to the second DC, and
rebooted the servers, but the error does not go away.
First DC:
[global]
dns forwarder = 8.8.8.8
netbios name = TESTBOX
realm = SAMDOM.TESTING.COM
server role = active directory domain controller
workgroup = SAMDOM
idmap_ldb:use rfc2307 = yes
log file = /var/log/samba/%m.log
log level = 3
tls enabled = yes
template shell = /bin/bash
template homedir = /share/%U
[netlogon]
path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
Second DC:
[global]
netbios name = TESTDC2
realm = SAMDOM.TESTING.COM
server role = active directory domain controller
workgroup = SAMDOM
idmap_ldb:use rfc2307 = yes
tls enabled = yes
template shell = /bin/bash
template homedir = /share/%U
[netlogon]
path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[root at testdc2 private]# samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
On Mon, Nov 13, 2017 at 10:43 AM, Rowland Penny <rpenny at samba.org>
wrote:
> On Mon, 13 Nov 2017 09:59:23 +0100
> Sina Owolabi via samba <samba at lists.samba.org> wrote:
>
>> Hi List!
>>
>> I am working my way through getting familiar with samba and I have two
>> domain controllers now with an additional samba file server.
>> The servers are CentOS 7.4.1708;
>> the domain controllers are built from source with samba-4.7.1;
>> and the file server, installed winbind, smb and nmb from CentOS
>> repos.
>>
>> My problem is after bringing up the second domain controller and
>> successfully joining it to the domain, as the wiki directs I tried to
>> run samba-tool ntacl sysvolreset and this fails.
>>
>> [root at testdc2 private]# samba-tool ntacl sysvolreset
>> open: error=2 (No such file or directory)
>> ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed}
>> The requested operation was unsuccessful.')
>>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
>>     lp, use_ntvfs=use_ntvfs)
>>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
>>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
>>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
>>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
>>
>> Please what am I doing wrong?
>
> Have you added any other GPO's to your first DC ?
> If so, you need to 'sync' them to the second DC.
>
>>
>>
>> "Primary" DC config file:
>>
>> # Global parameters
>> [global]
>> dns forwarder = 8.8.8.8
>> netbios name = TESTBOX
>> realm = SAMDOM.TESTING.COM
>> server role = active directory domain controller
>> workgroup = SAMDOM
>> idmap_ldb:use rfc2307 = yes
>> log file = /var/log/samba/%m.log
>> log level = 3
>> tls enabled = yes
>> winbind enum groups = Yes
>> winbind enum users = Yes
>
> You should remove the two lines above, you do not need them.
>
>>
>> template shell = /bin/bash
>> template homedir = /share/%U
>>
>> [netlogon]
>> path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
>> read only = No
>>
>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>>
>> New DC config file:
>> # Global parameters
>> [global]
>> netbios name = TESTDC2
>> realm = SAMDOM.TESTING.COM
>> server role = active directory domain controller
>> workgroup = SAMDOM
>
> You need to add 'idmap_ldb:use rfc2307 = yes'
>
> Rowland
Rowland Penny
2017-Nov-14 09:44 UTC
[Samba] Setting up Second Samba DC samba-tool ntacl sysvolreset fails
On Tue, 14 Nov 2017 00:12:11 +0100 Sina Owolabi <notify.sina at gmail.com> wrote:
> Hi Rowland
>
> I removed the winbind lines, and added the 'idmap_ldb:use rfc2307
> yes' line to the second DC, and
> rebooted the servers, but the error does not go away.
>
The error you are getting is usually caused by adding GPOs to the first DC and then NOT copying them to the second DC before running 'sysvolreset'. The GPOs are also stored in AD; 'sysvolreset' reads AD to find where the GPOs are supposed to be, but if it cannot find any, it errors out.

Rowland
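The failure mode Rowland describes can be checked for before running sysvolreset: list the GPOs that AD knows about and confirm each one's Policies directory actually exists under this DC's sysvol. The script below is an added example written for this page; it is not Samba code and not something posted in the thread. It assumes that 'samba-tool gpo listall' prints one "label : value" block per GPO containing a "GPO" line and a "path" line (the sample output embedded in it is constructed in that layout, using the two well-known default GPO GUIDs, and is not captured from a real DC), and it uses the sysvol path from the smb.conf files above.

```python
"""Pre-flight check for 'samba-tool ntacl sysvolreset' on a newly joined DC.

sysvolreset reads the GPO objects in AD and sets NT ACLs on each GPO's
directory under sysvol. A GPO that exists in AD but has no directory on
this DC's sysvol (sysvol not yet synced from the first DC) makes
smbd.set_nt_acl fail with "open: error=2 (No such file or directory)".
This script lists the GPOs AD knows about and reports which directories
are missing locally, so sysvol can be synced before sysvolreset is run.

Assumption: 'samba-tool gpo listall' prints one "label : value" block per
GPO with at least a "GPO" and a "path" line. SAMPLE_LISTALL below is
constructed in that layout; it is not captured output.
"""
import os
import re
import subprocess
import tempfile
from typing import Dict, List

# Local sysvol path as configured in the smb.conf files in this thread.
SYSVOL_PATH = "/usr/local/samba/var/locks/sysvol"

# Constructed sample of 'samba-tool gpo listall' output. The two GUIDs are
# the well-known Default Domain Policy and Default Domain Controllers Policy.
SAMPLE_LISTALL = r"""
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\samdom.testing.com\sysvol\samdom.testing.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=testing,DC=com
version      : 0
flags        : NONE

GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path         : \\samdom.testing.com\sysvol\samdom.testing.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=testing,DC=com
version      : 0
flags        : NONE
"""


def parse_listall(text: str) -> Dict[str, str]:
    """Return {gpo_guid: unc_path} from 'samba-tool gpo listall' output."""
    gpos: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank separator line between GPO blocks
        key, value = key.strip().lower(), value.strip()
        if key == "gpo":
            current = value
            gpos[current] = ""
        elif key == "path" and current is not None:
            gpos[current] = value
    return gpos


def unc_to_local(unc_path: str, sysvol_path: str = SYSVOL_PATH) -> str:
    r"""Map \\<server>\sysvol\<realm>\Policies\{GUID} onto the local sysvol tree."""
    m = re.match(r"^\\\\[^\\]+\\sysvol\\(.+)$", unc_path, re.IGNORECASE)
    if not m:
        raise ValueError(f"unexpected GPO path in AD: {unc_path!r}")
    return os.path.join(sysvol_path, *m.group(1).split("\\"))


def missing_gpo_dirs(listall_output: str, sysvol_path: str = SYSVOL_PATH) -> List[str]:
    """GUIDs of GPOs recorded in AD whose directory is absent from local sysvol."""
    missing = []
    for guid, unc in sorted(parse_listall(listall_output).items()):
        if not unc or not os.path.isdir(unc_to_local(unc, sysvol_path)):
            missing.append(guid)
    return missing


def demo() -> List[str]:
    """Simulate a second DC whose sysvol only received the Default Domain Policy."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "samdom.testing.com", "Policies",
                                 "{31B2F340-016D-11D2-945F-00C04FB984F9}"))
        return missing_gpo_dirs(SAMPLE_LISTALL, tmp)


def check_live_dc(sysvol_path: str = SYSVOL_PATH) -> List[str]:
    """Run the real 'samba-tool gpo listall' on this DC and check its sysvol."""
    out = subprocess.run(["samba-tool", "gpo", "listall"],
                         check=True, capture_output=True, text=True).stdout
    return missing_gpo_dirs(out, sysvol_path)


if __name__ == "__main__":
    missing = check_live_dc()
    if missing:
        print("GPOs in AD with no directory under sysvol on this DC;"
              " sync sysvol from the first DC before running sysvolreset:")
        for guid in missing:
            print("  ", guid)
    else:
        print("every GPO in AD has a sysvol directory here; sysvolreset can run")
```

Run it as root on the new DC. If it lists any GUIDs, copy the sysvol tree from the first DC (the Samba wiki's rsync-based SysVol replication workaround is the usual way), re-run the check, and only then run 'samba-tool ntacl sysvolreset'. The demo() function reproduces the thread's situation with a temporary sysvol that holds only the Default Domain Policy, so the Default Domain Controllers Policy is reported missing.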
Marco Gaiarin
2017-Nov-14 10:10 UTC
[Samba] Setting up Second Samba DC samba-tool ntacl sysvolreset fails
Hello! Rowland Penny via samba wrote:
> The error you are getting is usually caused by adding GPOs to the first
> DC and then NOT copying them to the second DC before running
> 'sysvolreset'. The GPOs are also stored in AD, 'sysvolreset' reads AD
> to find where the GPOs are supposed to be, but if it cannot find any,
> it errors out.
As far as I've understood, you also have to copy the idmap to the new DC to have perfectly matching xIDs:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_Groups_GID_Mappings

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)