samba - Jul 2018 - sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'

So there's no error on my side: I have no idmap lines in my smb.conf and 
since I can't add any I should live with the error/warning, right?

Is this error related to sysvolreset taking forever to run?
What about Louis/your script here 
https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh ?
I know it's safer but... is it also faster? :)

Thanks again
Claudio

---
# cat /etc/samba/smb.conf
[global]
   bind interfaces only = Yes
   interfaces = lo eth_lan
   netbios name = SRVSAMBA2
   realm = SAMDOM.LOCAL
   server role = active directory domain controller
   server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
winbindd, ntp_signd, kcc, dnsupdate
   workgroup = SAMDOM
   ldap server require strong auth = no
   client ldap sasl wrapping = plain
   log level = 2 vfs:1
   log file = /var/log/samba/log.samba
   max log size = 10000

[netlogon]
   path = /var/lib/samba/sysvol/samdom.local/scripts
   read only = No

[sysvol]
   path = /var/lib/samba/sysvol
   read only = No
---

Il 23/07/2018 17:27, Rowland Penny via samba ha scritto:
> On Mon, 23 Jul 2018 17:17:07 +0200
> "Ing. Claudio Nicora" <claudio.nicora at gmail.com> wrote:
>
>> I've added a "print" in file
>> "/usr/lib/python2.7/dist-packages/samba/ntacls.py" just
before the
>> line raising the error to log the (missing) file causing the error.
>> I've found I had an orphaned GPO: it was shown in RSAT but
didn't
>> have any file in sysvol folder on both DCs.
>> Just removed it from AD (it was only a test GPO) and the error
>> disappeared.
>>
>> I've posted my smb.conf in a reply to Louis Van Belle, hope you can
>> see what's causing the lot of "idmap range not specified for
domain
>> '*'" lines.
>>
> That's easy, it is a bug introduced at 4.6.0 (I think that was the
> version). You cannot do anything to stop them on a DC. People were
> not setting 'idmap config' correctly, so the error message was
added.
> The only problem is, you cannot use the 'idmap config' lines on a
DC,
> so you get the error message every time smb.conf is checked.
>
> Rowland
>   
>

On Mon, 23 Jul 2018 17:40:18 +0200
"Ing. Claudio Nicora" <claudio.nicora at gmail.com> wrote:
> So there's no error on my side: I have no idmap lines in my smb.conf
> and since I can't add any I should live with the error/warning, right?
> 
> Is this error related to sysvolreset taking forever to run?
> What about Louis/your script here 
> https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh ?
> I know it's safer but... is it also faster? :)
> 
> Thanks again
> Claudio
> 
> ---
> # cat /etc/samba/smb.conf
> [global]
>    bind interfaces only = Yes
>    interfaces = lo eth_lan
>    netbios name = SRVSAMBA2
>    realm = SAMDOM.LOCAL
>    server role = active directory domain controller
>    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
> winbindd, ntp_signd, kcc, dnsupdate
>    workgroup = SAMDOM
>    ldap server require strong auth = no
>    client ldap sasl wrapping = plain
>    log level = 2 vfs:1
>    log file = /var/log/samba/log.samba
>    max log size = 10000
> 
> [netlogon]
>    path = /var/lib/samba/sysvol/samdom.local/scripts
>    read only = No
> 
> [sysvol]
>    path = /var/lib/samba/sysvol
>    read only = No
> ---
> 
You have a line missing:

 	idmap_ldb:use rfc2307  = yes

Not 100% sure if it will help, but it should be there.

Rowland

> You have a line missing:
>   	idmap_ldb:use rfc2307  = yes
>
> Not 100% sure if it will help, but it should be there.
>
> Rowland
My current AD comes from a Win2000 --> Win2008R2 upgraded domain; the 
(now) first Samba AD was added as secondary DC to the existing Windows 
domain, then promoted to primary once Windows server was demoted.
Finally a new secondary Samba DC was added to the domain.

AFAIK rfc2307 usage is optional; if not using it then idmap.ldb manual 
sync is needed...
Am I wrong?

Claudio