On 25.09.2018 at 11:35, Rowland Penny via samba wrote:
> On Tue, 25 Sep 2018 11:18:03 +0200
> Daniel Jordan via samba <samba at lists.samba.org> wrote:
>
>> On 24.09.2018 at 19:33, Andrew Bartlett via samba wrote:
>>> On Mon, 2018-09-24 at 13:51 +0200, Daniel Jordan via samba wrote:
>>>> Hello list,
>>>>
>>>> I'm getting a weird error message regarding our file server when I run
>>>> dbcheck on my dc01 running Samba v4.7.9. The error only occurs on dc01,
>>>> dc02 is fine, the file server also works fine but I want to clean the
>>>> database before doing the upgrade to version 4.9
>>>>
>>>> dc01:~# samba-tool dbcheck --cross-ncs
>>>> Checking 4503 objects
>>>> SID S-1-5-21-3258148492-1502286889-3538134041-1601 for CN=FS01,OU=Server,DC=xx,DC=xx,DC=xx conflicts with our current RID set in CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
>>>> Please use --fix to fix these errors
>>>> Checked 4503 objects (1 errors)
>>>>
>>>> Has any of you seen an error like this before and knows if it's safe to
>>>> remove the entry? Don't want to remove the fileserver from my ad, as
>>>> some of my users probably won't be ok with that ;)
>>>>
>>>> Thanks in advance!
>>> I'm more interested in how you created that file server, because it
>>> should be really hard to make Samba break this way, unless we got
>>> the dbcheck rule wrong.
>>>
>>> As to what --fix does, it doesn't delete the file server, it just
>>> advances the RID set to ensure you don't get a duplicate SID later
>>> in the domain's life.
>>>
>>> Andrew Bartlett
>>> --
>>> Andrew Bartlett                       http://samba.org/~abartlet/
>>> Authentication Developer, Samba Team  http://samba.org
>>> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>>
>> Hello Andrew,
>>
>> thanks for your answer.
>>
>> We're using the sernet samba packages and beside this issue the
>> installation is running very stable.
>> After joining the file server
> Yes, but how did you join the fileserver ?
> Can we see your smb.conf from the fileserver ?
>
> Rowland

Here's the global config part

fs01:~# net conf list
[global]
        workgroup = xx
        realm = xx.xx.xx
        security = ADS
        winbind use default domain = yes
        winbind refresh tickets = yes
        idmap config * : range = 10000 - 19999
        idmap config AD : backend = rid
        idmap config AD : range = 1000000 - 1999999
        inherit acls = yes
        store dos attributes = yes
        vfs objects = acl_xattr
        interfaces = 192.168.x.x
        bind interfaces only = yes

Daniel

--
Kind regards
Daniel Jordan
IT-Administration
GFD GmbH
Flugplatz Hohn
24806 Hohn
Tel.: + 49 (0) 4335 9202 58
Fax: + 49 (0) 4335 9202 15
d.jordan at gfd.de
www.gfd.de
Registered office: Hohn
Commercial register: Kiel HRB 908 RD
Management: Stefan Müller

On Tue, 25 Sep 2018 12:08:00 +0200
Daniel Jordan <d.jordan at gfd.de> wrote:

> Here's the global config part
>
> fs01:~# net conf list
> [global]
>         workgroup = xx
>         realm = xx.xx.xx
>         security = ADS
>         winbind use default domain = yes
>         winbind refresh tickets = yes
>         idmap config * : range = 10000 - 19999
>         idmap config AD : backend = rid
>         idmap config AD : range = 1000000 - 1999999
>         inherit acls = yes
>         store dos attributes = yes
>         vfs objects = acl_xattr
>         interfaces = 192.168.x.x
>         bind interfaces only = yes
>
> Daniel

There doesn't seem to be anything wrong there, I take it you joined
with something like 'net ads join -U Administrator' ?

Rowland

On 25.09.2018 at 12:37, Rowland Penny via samba wrote:
> There doesn't seem to be anything wrong there, I take it you joined
> with something like 'net ads join -U Administrator' ?
>
> Rowland

Sorry, forgot that. I followed the guide in Stefan Kania's Samba 4 book
and used the "net ads join" command.

Daniel
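
The conflict dbcheck reports in this thread, and the repair Andrew Bartlett describes (the RID set advances, the file server object stays), as a simplified model added here; it is not Samba's dbcheck code and not part of any list message. The pool bounds, the starting `next_rid` and the reading of `next_rid` as the last RID handed out are constructed assumptions; the domain SID and DN come from the dbcheck output.

```python
from dataclasses import dataclass

# Domain SID and DN are taken from the dbcheck output quoted in the thread.
DOMAIN_SID = "S-1-5-21-3258148492-1502286889-3538134041"
FS01_DN = "CN=FS01,OU=Server,DC=xx,DC=xx,DC=xx"


def decode_pool(value):
    """Split a 64-bit RID pool value into (low, high); low is the low 32 bits."""
    return value & 0xFFFFFFFF, value >> 32


@dataclass
class RidSet:
    previous_pool: int  # models rIDPreviousAllocationPool, the pool in use
    next_rid: int       # models rIDNextRID; assumed to be the last RID handed out


def find_conflicts(rid_set, sid_index):
    """Return (sid, dn) for objects whose RID the allocator has yet to hand out."""
    _, high = decode_pool(rid_set.previous_pool)
    conflicts = []
    for rid in range(rid_set.next_rid + 1, high + 1):
        sid = f"{DOMAIN_SID}-{rid}"
        if sid in sid_index:
            conflicts.append((sid, sid_index[sid]))
    return conflicts


def advance_past_conflicts(rid_set, sid_index):
    """Model of the repair: only next_rid moves; sid_index is left untouched."""
    conflicts = find_conflicts(rid_set, sid_index)
    if conflicts:
        rid_set.next_rid = max(int(sid.rsplit("-", 1)[1]) for sid, _ in conflicts)
    return rid_set.next_rid + 1  # first RID a later allocation would use


# Constructed sample state: pool 1600-2099, RID 1600 was the last one handed out.
SAMPLE_POOL = (2099 << 32) | 1600
SAMPLE_INDEX = {f"{DOMAIN_SID}-1601": FS01_DN}

if __name__ == "__main__":
    rid_set = RidSet(previous_pool=SAMPLE_POOL, next_rid=1600)
    for sid, dn in find_conflicts(rid_set, SAMPLE_INDEX):
        print(f"SID {sid} for {dn} conflicts with the current RID set")
    print("next RID after repair:", advance_past_conflicts(rid_set, SAMPLE_INDEX))
    print("file server entry kept:", FS01_DN in SAMPLE_INDEX.values())
```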