On 22/07/2019 16:12, Adam Weremczuk via samba wrote:
> Following deeper analysis I have found some permission differences in
> sysvol policies files, e.g.:
>
> WORKING:
>
> # file: samba/sysvol/company.co.uk/Policies/{274B7BA8-3DBA-43A6-8AC2-D45B5E4054FF}/GPT.INI
> # owner: 3000000
> # group: Domain\040Users
> user::rwx
> group::---
> group:Domain\040Users:---
> group:3000000:rwx
> group:3000002:rwx
> group:3000003:r-x
> group:3000006:rwx
> group:3000008:rwx
> group:3000010:r-x
> mask::rwx
> other::---
>
> RESTORED:
>
> # file: samba/sysvol/company.co.uk/Policies/{274B7BA8-3DBA-43A6-8AC2-D45B5E4054FF}/GPT.INI
> # owner: 3000000
> # group: Domain\040Users
> user::rwx
> group::rwx
> other::---
>
> Would it be enough to justify the error below and cause a complete DNS
> failure?

I wouldn't have thought so.

> Adam
>
> On 22/07/19 15:28, Adam Weremczuk via samba wrote:
>> Hi Rowland,
>>
>> I've decided to roll back samba on DC1 to the state from a couple of
>> weeks ago, before I started all this mess...
>>
>> Since the email subject change :)
>>
>> Stopped bind9 and sernet-samba-ad and copied /var/lib/samba aside.
>>
>> Restored samba folder from backup, started sernet-samba-ad but bind9
>> fails to start:
>>
>> Jul 22 14:39:39 dc1 named[27846]: generating session key for dynamic DNS
>> Jul 22 14:39:39 dc1 named[27846]: sizing zone task pool based on 5 zones
>> Jul 22 14:39:39 dc1 named[27846]: Loading 'AD DNS Zone' using driver dlopen
>> Jul 22 14:39:39 dc1 named[27846]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb

Does /var/lib/samba/private/dns/sam.ldb exist, or is it (like mine now)
/var/lib/samba/bind-dns/dns/sam.ldb ?

Rowland
On 22/07/19 16:54, Rowland penny via samba wrote:
> On 22/07/2019 16:12, Adam Weremczuk via samba wrote:
>> Following deeper analysis I have found some permission differences in
>> sysvol policies files.
>>
>> Would it be enough to justify the error below and cause a complete
>> DNS failure?
> I wouldn't have thought so.

It's not just policy files, it's everything under sysvol inclusive, 98
directories and 25 files in total.

I don't have any better ideas but to try to manually re-craft permissions
on the restored samba folder to match the original.

>>>
>>> Jul 22 14:39:39 dc1 named[27846]: generating session key for dynamic DNS
>>> Jul 22 14:39:39 dc1 named[27846]: sizing zone task pool based on 5 zones
>>> Jul 22 14:39:39 dc1 named[27846]: Loading 'AD DNS Zone' using driver dlopen
>>> Jul 22 14:39:39 dc1 named[27846]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
>
> Does /var/lib/samba/private/dns/sam.ldb exist, or is it (like mine
> now) /var/lib/samba/bind-dns/dns/sam.ldb ?
>
> Rowland

On mine /var/lib/samba/bind-dns doesn't exist.

I have 2 copies of sam.ldb:

dc1:/var/lib# stat samba/private/dns/sam.ldb
  File: `samba/private/dns/sam.ldb'
  Size: 3018752         Blocks: 5896       IO Block: 4096   regular file
Device: fe02h/65026d    Inode: 1714945     Links: 1
Access: (0660/-rw-rw----)  Uid: (    0/    root)   Gid: (  107/    bind)
Access: 2019-07-22 14:45:36.885766349 +0100
Modify: 2013-08-10 21:43:05.729185228 +0100
Change: 2019-07-22 14:45:21.725526719 +0100
 Birth: -

dc1:/var/lib# stat samba/private/sam.ldb
  File: `samba/private/sam.ldb'
  Size: 4251648         Blocks: 8304       IO Block: 4096   regular file
Device: fe02h/65026d    Inode: 1714969     Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-07-22 14:45:43.565871938 +0100
Modify: 2013-08-10 21:43:06.017189683 +0100
Change: 2019-07-22 14:45:21.829528365 +0100
 Birth: -

Needless to say my main concern now is lack of a working restore / disaster
recovery mechanism :(
> Jul 22 14:39:39 dc1 named[27846]: samba_dlz: Failed to connect to
> /var/lib/samba/private/dns/sam.ldb

The good news is I believe I've found the problem:

RUNNING:

# file: samba/private
# owner: root
# group: root
user::rwx
group::r-x
group:bind:r-x
mask::r-x
other::---

RESTORE:

# file: samba/private
# owner: root
# group: root
user::rwx
group::r-x
other::---

The bad news is everything under sysvol has the same problem.

So I have over a hundred permission discrepancies to manually reconcile
before I can attempt another roll back :(

And, moving forward, I need to modify Bacula backup parameters.
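The diagnosis above is that the restore kept the base mode bits but dropped the extended POSIX ACL entries, so named (running as the bind user) can no longer traverse samba/private to reach private/dns/sam.ldb. Rather than reconciling a hundred-plus entries by hand, the usual approach is to dump the ACLs of the working tree with `getfacl -R`, diff that dump against the restored tree, and reapply it with `setfacl --restore`. The script below is an added example written for this thread; it is not code from the original posts, from Samba or from Bacula. Its acl_dump/acl_restore wrappers call the real getfacl(1)/setfacl(1) and are not run by the demo; the two sample dumps inside demo_lost_entries() are constructed from the samba/private entries quoted above (the sam.ldb mode is taken from the stat output) and are not real backup data.

```shell
#!/bin/sh
# Added example (not from the thread): find which POSIX ACL entries a restore
# dropped by comparing `getfacl -R` dumps of the working and the restored tree,
# then reapply the working dump with `setfacl --restore`.
# The sample dumps built in demo_lost_entries() are constructed from the
# samba/private entries quoted in the thread; they are not real backup data.
set -eu

# Dump the ACLs of tree $2 relative to base directory $1, so the dump can be
# restored from the same cwd later.  Take this on the working DC, e.g.:
#   acl_dump /var/lib samba > /root/samba.acl
acl_dump() {
    (cd "$1" && getfacl -R "$2")
}

# Reapply a dump produced by acl_dump from the same base directory, e.g.:
#   acl_restore /var/lib /root/samba.acl
acl_restore() {
    (cd "$1" && setfacl --restore="$2")
}

# Flatten a getfacl dump into sorted "path<TAB>entry" lines so two dumps can
# be compared with comm(1).  "# owner:"/"# group:" comments and the blank
# separators are dropped; each "# file:" line sets the path for the entries
# that follow it.
flatten_acl() {
    awk '
        /^# file: / { path = substr($0, 9); next }
        /^#/ || /^$/ { next }
        { print path "\t" $0 }
    ' "$1" | LC_ALL=C sort
}

# Print every "path<TAB>entry" present in dump $1 (working) but missing from
# dump $2 (restored).  Empty output means the restore kept every ACL entry.
acl_missing() {
    a=$(mktemp); b=$(mktemp)
    flatten_acl "$1" > "$a"
    flatten_acl "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Demo on constructed dumps: the working tree carries the extra group:bind:r-x
# entry on samba/private (and therefore a mask entry); the restored tree has
# only the base 0750 root:root mode, which is what stops the bind user from
# opening samba/private/dns/sam.ldb even though that file itself is 0660 root:bind.
demo_lost_entries() {
    w=$(mktemp); r=$(mktemp)
    cat > "$w" <<'EOF'
# file: samba/private
# owner: root
# group: root
user::rwx
group::r-x
group:bind:r-x
mask::r-x
other::---

# file: samba/private/dns/sam.ldb
# owner: root
# group: bind
user::rw-
group::rw-
other::---
EOF
    cat > "$r" <<'EOF'
# file: samba/private
# owner: root
# group: root
user::rwx
group::r-x
other::---

# file: samba/private/dns/sam.ldb
# owner: root
# group: bind
user::rw-
group::rw-
other::---
EOF
    acl_missing "$w" "$r"
    rm -f "$w" "$r"
}

echo "ACL entries lost by the restore (path, entry):"
demo_lost_entries
```

Run the dump from the same base directory you will restore from (the example uses /var/lib), because getfacl without -p strips the leading slash and setfacl --restore interprets the paths relative to the cwd. For the sysvol part, Samba's own `samba-tool ntacl sysvolreset` regenerates the expected ACLs on sysvol, while the samba/private entry has to come from a dump of the working DC. On the backup side, Bacula only preserves POSIX ACLs and extended attributes when the FileSet's Options block has `aclsupport = yes` and `xattrsupport = yes`; the sysvol NT ACLs that Samba stores in the security.NTACL xattr need the second of those as well. Those two directives are from Bacula's FileSet documentation and are not exercised by the script.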