Stephen
2019-Mar-26 10:49 UTC
[Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
Hi everyone, I have two AD DCs that I am experimenting with, hostnames ad1 and ad2 respectively. I am using Raspberry Pi hardware, and accordingly I am using Samba 4.5.16-Debian on Raspbian Linux. I have already had some success so far setting up a second AD DC, ad2, and joining this to my existing Active Directory domain SAMDOM. I have already verified that I can create new user accounts on both ad1 and ad2, and have confirmed that these are replicated on the other DC server as would be expected. So far so good! The next stage in setting up my secondary backup DC is ensuring SysVol replication across both DCs via rsync, to make sure Group Policy objects replicate correctly. As a preliminary step to achieving this, I am first attempting to manually synchronise the idmap.ldb files on both my DCs to unify the group and user IDs. This step is suggested in the official samba tutorial here: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory (within the section 'Built-in User & Group ID Mappings'). I am currently achieving replication of idmap.ldb file suggested by the tutorial by executing the following bash script snippet below on my ad2 server: IDMAP_PATH=/var/lib/samba/private/idmap.ldb ssh -t pi@$IP_ADDRESS_AD1 "sudo tdbbackup -s .bak $IDMAP_PATH; sudo chown pi $IDMAP_PATH.bak; scp $IDMAP_PATH.bak pi@$IP_ADDRESS_AD2:/home/pi/idmap.ldb.bak && rm $IDMAP_PATH.bak;" sudo mv ~/idmap.ldb.bak /var/lib/samba/private/idmap.ldb sudo chown root /var/lib/samba/private/idmap.ldb sudo samba-tool ntacl sysvolreset As far as I can tell this is correctly replicating the steps in the described tutorial. To demonstrate that idmap.ldb is updated on ad2 I include the output of ls command below. Hopefully this demonstrates to everyone here that idmap.ldb has updated as expected. Please verify that the permissions are set correctly and that the date is changed to reflect the file modification. pi at ad2:~ $ ls -al /var/lib/samba/private total 10124 drwxr-xr-x 7 root root 4096 Mar 26 10:35 . drwxr-xr-x 8 root root 4096 Mar 26 10:09 .. -rw------- 1 root root 2069 Mar 25 16:43 dns_update_cache -rw-r--r-- 1 root root 3663 Mar 25 16:42 dns_update_list -rw------- 1 root root 1286144 Mar 25 16:42 hklm.ldb -rw------- 1 root pi 61440 Mar 26 09:57 idmap.ldb -rw-r--r-- 1 root root 99 Mar 25 16:42 krb5.conf srwxrwxrwx 1 root root 0 Mar 26 10:09 ldapi drwxr-x--- 2 root root 4096 Mar 26 10:09 ldap_priv drwx------ 2 root root 4096 Mar 26 10:34 msg.sock -r--r--r-- 1 root root 300 Mar 25 16:43 named.conf.update -rw------- 1 root root 696 Mar 26 10:09 netlogon_creds_cli.tdb -rw------- 1 root root 421888 Mar 25 16:42 passdb.tdb -rw------- 1 root root 1286144 Mar 25 16:42 privilege.ldb -rw------- 1 root root 4247552 Mar 25 16:43 sam.ldb drwx------ 2 root root 4096 Mar 25 16:43 sam.ldb.d -rw------- 1 root root 696 Mar 26 10:08 schannel_store.tdb -rw------- 1 root root 1182 Mar 25 16:43 secrets.keytab -rw------- 1 root root 1286144 Mar 25 16:43 secrets.ldb -rw------- 1 root root 430080 Mar 25 16:43 secrets.tdb -rw------- 1 root root 1286144 Mar 25 16:42 share.ldb drwxr-xr-x 2 root root 4096 Mar 25 16:43 smbd.tmp -rw-r--r-- 1 root root 955 Mar 25 16:42 spn_update_list drwx------ 2 root root 4096 Mar 25 16:44 tls The problem I am having occurs when I attempt to perform the final sysvolreset step suggested in the tutorial and included in my script snippet previously. When I try this I get an unexpected error which I have no idea how to fix. pi at ad2:~ $ sudo samba-tool ntacl sysvolreset open: error=2 (No such file or directory) ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error') File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run return self.run(*args, **kwargs) File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run lp, use_ntvfs=use_ntvfs) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE) File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service) Can anyone suggest a solution? I have included my smb.conf for ad2 below for additional scrutiny. pi at ad2:~ $ cat /etc/samba/smb.conf # Global parameters [global] netbios name = AD2 realm = SAMDOM.EXAMPLE.COM workgroup = SAMDOM dns forwarder = 88.215.63.255 88.215.61.255 8.8.8.8 server role = active directory domain controller idmap_ldb:use rfc2307 = yes [netlogon] path = /var/lib/samba/sysvol/samdom.example.com/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No Kind Regards Stephen Ellwood
Rowland Penny
2019-Mar-26 10:59 UTC
[Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
On Tue, 26 Mar 2019 10:49:38 +0000 Stephen via samba <samba at lists.samba.org> wrote:> Hi everyone, I have two AD DCs that I am experimenting with, > hostnames ad1 and ad2 respectively. I am using Raspberry Pi hardware, > and accordingly I am using Samba 4.5.16-Debian on Raspbian Linux. > I have already had some success so far setting up a second AD DC, > ad2, and joining this to my existing Active Directory domain SAMDOM. > I have already verified that I can create new user accounts on both > ad1 and ad2, and have confirmed that these are replicated on the > other DC server as would be expected. So far so good! > > The next stage in setting up my secondary backup DC is ensuring > SysVol replication across both DCs via rsync, to make sure Group > Policy objects replicate correctly. As a preliminary step to > achieving this, I am first attempting to manually synchronise the > idmap.ldb files on both my DCs to unify the group and user IDs. This > step is suggested in the official samba tutorial here: > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory > (within the section 'Built-in User & Group ID Mappings'). > > I am currently achieving replication of idmap.ldb file suggested by > the tutorial by executing the following bash script snippet below on > my ad2 server: > > IDMAP_PATH=/var/lib/samba/private/idmap.ldb > ssh -t pi@$IP_ADDRESS_AD1 "sudo tdbbackup -s .bak $IDMAP_PATH; sudo > chown pi $IDMAP_PATH.bak; scp $IDMAP_PATH.bak > pi@$IP_ADDRESS_AD2:/home/pi/idmap.ldb.bak && rm $IDMAP_PATH.bak;" > sudo mv ~/idmap.ldb.bak /var/lib/samba/private/idmap.ldb > sudo chown root /var/lib/samba/private/idmap.ldb > sudo samba-tool ntacl sysvolreset > > > > pi at ad2:~ $ sudo samba-tool ntacl sysvolreset > open: error=2 (No such file or directory) > ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined > error') File > "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line > 176, in _run return self.run(*args, **kwargs) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", > line 239, in run > lp, use_ntvfs=use_ntvfs) > File > "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line > 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid, > domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) > File > "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line > 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True, > passdb=passdb, service=SYSVOL_SERVICE) > File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, > in setntacl > smbd.set_nt_acl(file, security.SECINFO_OWNER | > security.SECINFO_GROUP | security.SECINFO_DACL | > security.SECINFO_SACL, sd, service=service) > > Can anyone suggest a solution? I have included my smb.conf for ad2 > below for additional scrutiny. >I will ask you the same question that I asked someone a few days ago, have you synced Sysvol to the new DC ? Rowland
Stephen
2019-Mar-26 11:00 UTC
[Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
Oops, I think my eyes glazed over. I am pretty sure that idmap.ldb should be owned by root and in group root. This is easily fixed, though pi at ad2:/var/lib/samba/private $ sudo chown root:root /var/lib/samba/private/idmap.ldb Another ls command then confirms the updated privileges. pi at ad2:/var/lib/samba/private $ ls -al total 10124 drwxr-xr-x 7 root root 4096 Mar 26 10:55 . drwxr-xr-x 8 root root 4096 Mar 26 10:09 .. -rw------- 1 root root 2069 Mar 25 16:43 dns_update_cache -rw-r--r-- 1 root root 3663 Mar 25 16:42 dns_update_list -rw------- 1 root root 1286144 Mar 25 16:42 hklm.ldb -rw------- 1 root root 61440 Mar 26 09:57 idmap.ldb -rw-r--r-- 1 root root 99 Mar 25 16:42 krb5.conf srwxrwxrwx 1 root root 0 Mar 26 10:09 ldapi drwxr-x--- 2 root root 4096 Mar 26 10:09 ldap_priv drwx------ 2 root root 4096 Mar 26 10:54 msg.sock -r--r--r-- 1 root root 300 Mar 25 16:43 named.conf.update -rw------- 1 root root 696 Mar 26 10:09 netlogon_creds_cli.tdb -rw------- 1 root root 421888 Mar 25 16:42 passdb.tdb -rw------- 1 root root 1286144 Mar 25 16:42 privilege.ldb -rw------- 1 root root 4247552 Mar 25 16:43 sam.ldb drwx------ 2 root root 4096 Mar 25 16:43 sam.ldb.d -rw------- 1 root root 696 Mar 26 10:08 schannel_store.tdb -rw------- 1 root root 1182 Mar 25 16:43 secrets.keytab -rw------- 1 root root 1286144 Mar 25 16:43 secrets.ldb -rw------- 1 root root 430080 Mar 25 16:43 secrets.tdb -rw------- 1 root root 1286144 Mar 25 16:42 share.ldb drwxr-xr-x 2 root root 4096 Mar 25 16:43 smbd.tmp -rw-r--r-- 1 root root 955 Mar 25 16:42 spn_update_list drwx------ 2 root root 4096 Mar 25 16:44 tls Sadly even with this change, I still see the originally described issue, ie pi at ad2:/var/lib/samba/private $ sudo systemctl restart samba-ad-dc pi at ad2:/var/lib/samba/private $ sudo samba-tool ntacl sysvolreset open: error=2 (No such file or directory) ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error') File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run return self.run(*args, **kwargs) File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run lp, use_ntvfs=use_ntvfs) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE) File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service) If anyone knows what might be causing this I would appreciate the heads-up. Thanks in Advance Stephen Ellwood
L.P.H. van Belle
2019-Mar-26 11:07 UTC
[Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
Please run this on both your DC's, it answers Rowlands question. ls -al $(samba -b | grep STATEDIR | awk {' print $NF '})/sysvol Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Stephen via samba > Verzonden: dinsdag 26 maart 2019 12:00 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Problem achieving manual > synchronisation of idmap.ldb and the associated User and > Group ID mappings between two Samba 4 AD DCs > > Oops, I think my eyes glazed over. I am pretty sure that idmap.ldb > should be owned by root and in group root. This is easily > fixed, though > > pi at ad2:/var/lib/samba/private $ sudo chown root:root > /var/lib/samba/private/idmap.ldb > > Another ls command then confirms the updated privileges. > > pi at ad2:/var/lib/samba/private $ ls -al > total 10124 > drwxr-xr-x 7 root root 4096 Mar 26 10:55 . > drwxr-xr-x 8 root root 4096 Mar 26 10:09 .. > -rw------- 1 root root 2069 Mar 25 16:43 dns_update_cache > -rw-r--r-- 1 root root 3663 Mar 25 16:42 dns_update_list > -rw------- 1 root root 1286144 Mar 25 16:42 hklm.ldb > -rw------- 1 root root 61440 Mar 26 09:57 idmap.ldb > -rw-r--r-- 1 root root 99 Mar 25 16:42 krb5.conf > srwxrwxrwx 1 root root 0 Mar 26 10:09 ldapi > drwxr-x--- 2 root root 4096 Mar 26 10:09 ldap_priv > drwx------ 2 root root 4096 Mar 26 10:54 msg.sock > -r--r--r-- 1 root root 300 Mar 25 16:43 named.conf.update > -rw------- 1 root root 696 Mar 26 10:09 netlogon_creds_cli.tdb > -rw------- 1 root root 421888 Mar 25 16:42 passdb.tdb > -rw------- 1 root root 1286144 Mar 25 16:42 privilege.ldb > -rw------- 1 root root 4247552 Mar 25 16:43 sam.ldb > drwx------ 2 root root 4096 Mar 25 16:43 sam.ldb.d > -rw------- 1 root root 696 Mar 26 10:08 schannel_store.tdb > -rw------- 1 root root 1182 Mar 25 16:43 secrets.keytab > -rw------- 1 root root 1286144 Mar 25 16:43 secrets.ldb > -rw------- 1 root root 430080 Mar 25 16:43 secrets.tdb > -rw------- 1 root root 1286144 Mar 25 16:42 share.ldb > drwxr-xr-x 2 root root 4096 Mar 25 16:43 smbd.tmp > -rw-r--r-- 1 root root 955 Mar 25 16:42 spn_update_list > drwx------ 2 root root 4096 Mar 25 16:44 tls > > Sadly even with this change, I still see the originally > described issue, ie > > pi at ad2:/var/lib/samba/private $ sudo systemctl restart samba-ad-dc > pi at ad2:/var/lib/samba/private $ sudo samba-tool ntacl sysvolreset > open: error=2 (No such file or directory) > ERROR(runtime): uncaught exception - (-1073741823, > 'Undetermined error') > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", > line 176, in _run > return self.run(*args, **kwargs) > File > "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line > 239, in run > lp, use_ntvfs=use_ntvfs) > File > "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", > line 1609, in setsysvolacl > set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, > use_ntvfs, passdb=s4_passdb) > File > "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", > line 1502, in set_gpos_acl > use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, > service=SYSVOL_SERVICE) > File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", > line 162, in > setntacl > smbd.set_nt_acl(file, security.SECINFO_OWNER | > security.SECINFO_GROUP | security.SECINFO_DACL | > security.SECINFO_SACL, > sd, service=service) > > If anyone knows what might be causing this I would appreciate > the heads-up. > > Thanks in Advance > Stephen Ellwood > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Stephen
2019-Mar-26 11:07 UTC
[Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
Hi Rowland! No, I haven't synced my SysVol yet. I was following the official tutorial here, https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory. This tutorial appears to suggest that idmap.ldb files should be synchronised first prior to setting up any rsync SysVol synchronisation. Thanks Stephen On 26/03/2019 10:59, Rowland Penny via samba wrote:> On Tue, 26 Mar 2019 10:49:38 +0000 > Stephen via samba <samba at lists.samba.org> wrote: > >> Hi everyone, I have two AD DCs that I am experimenting with, >> hostnames ad1 and ad2 respectively. I am using Raspberry Pi hardware, >> and accordingly I am using Samba 4.5.16-Debian on Raspbian Linux. >> I have already had some success so far setting up a second AD DC, >> ad2, and joining this to my existing Active Directory domain SAMDOM. >> I have already verified that I can create new user accounts on both >> ad1 and ad2, and have confirmed that these are replicated on the >> other DC server as would be expected. So far so good! >> >> The next stage in setting up my secondary backup DC is ensuring >> SysVol replication across both DCs via rsync, to make sure Group >> Policy objects replicate correctly. As a preliminary step to >> achieving this, I am first attempting to manually synchronise the >> idmap.ldb files on both my DCs to unify the group and user IDs. This >> step is suggested in the official samba tutorial here: >> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory >> (within the section 'Built-in User & Group ID Mappings'). >> >> I am currently achieving replication of idmap.ldb file suggested by >> the tutorial by executing the following bash script snippet below on >> my ad2 server: >> >> IDMAP_PATH=/var/lib/samba/private/idmap.ldb >> ssh -t pi@$IP_ADDRESS_AD1 "sudo tdbbackup -s .bak $IDMAP_PATH; sudo >> chown pi $IDMAP_PATH.bak; scp $IDMAP_PATH.bak >> pi@$IP_ADDRESS_AD2:/home/pi/idmap.ldb.bak && rm $IDMAP_PATH.bak;" >> sudo mv ~/idmap.ldb.bak /var/lib/samba/private/idmap.ldb >> sudo chown root /var/lib/samba/private/idmap.ldb >> sudo samba-tool ntacl sysvolreset >> >> >> >> pi at ad2:~ $ sudo samba-tool ntacl sysvolreset >> open: error=2 (No such file or directory) >> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined >> error') File >> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line >> 176, in _run return self.run(*args, **kwargs) >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", >> line 239, in run >> lp, use_ntvfs=use_ntvfs) >> File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line >> 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid, >> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) >> File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line >> 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True, >> passdb=passdb, service=SYSVOL_SERVICE) >> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, >> in setntacl >> smbd.set_nt_acl(file, security.SECINFO_OWNER | >> security.SECINFO_GROUP | security.SECINFO_DACL | >> security.SECINFO_SACL, sd, service=service) >> >> Can anyone suggest a solution? I have included my smb.conf for ad2 >> below for additional scrutiny. >> > I will ask you the same question that I asked someone a few days ago, > have you synced Sysvol to the new DC ? > > Rowland >
Stephen
2019-Mar-26 11:14 UTC
[Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
Cheers Louis, i just ran the diagnostic snippet you sent me: pi at ad1:/var/lib/samba/private $ sudo ls -al $(samba -b | grep STATEDIR | awk {' print $NF '})/sysvol total 20 drwxrwx---+ 3 root 3000000 4096 Mar 25 16:36 . drwxr-xr-x 8 root root 4096 Mar 25 17:31 .. drwxrwx---+ 4 root 3000000 4096 Mar 25 16:36 samdom.example.com pi at ad2:/var/lib/samba/private $ sudo ls -al $(samba -b | grep STATEDIR | awk {' print $NF '})/sysvol total 20 drwxrwx---+ 3 root 3000000 4096 Mar 26 10:55 . drwxr-xr-x 8 root root 4096 Mar 26 10:55 .. drwxrwx---+ 3 root 3000000 4096 Mar 25 16:42 samdom.example.com Im guessing the empty folders here suggests that I have not synced SysVol? Cheers Stephen
Reasonably Related Threads
- Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
- Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
- Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
- Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
- Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs