Dirk Laurenz
2020-May-04 21:18 UTC
[Samba] Access Denied to Netlogon Share on secondary DC
Hello Andrew,

I use the rsync script from the wiki....

crontab -l

*/5 * * * * rsync -XAavz --delete-after --password-file=/etc/samba/rsync-sysvol.secret rsync://sysvol-replication@dc01.samba.laurenz.ws/SysVol /var/lib/samba/sysvol/

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Andrew Bartlett via samba
Sent: Monday, 4 May 2020 23:10
To: Dirk Laurenz <samba at laurenz.ws>; samba at lists.samba.org
Subject: Re: [Samba] Access Denied to Netlogon Share on secondary DC

On Mon, 2020-05-04 at 22:24 +0200, Dirk Laurenz via samba wrote:
> Hello $list,
>
> I can't access the netlogon share on the second dc. I got this error:
>
> Mai 04 22:13:53 dc02 smbd[3321]: [2020/05/04 22:13:53.035964, 0] ../../source3/smbd/uid.c:448(change_to_user_internal)
> Mai 04 22:13:53 dc02 smbd[3321]: change_to_user_internal: chdir_current_service() failed!
>
> I checked the rights which are identical on both nodes. Accessing as admin works but not as user.
>
> I'm a little bit lost..

How are you synchronising the netlogon share?

You need to ensure the NT ACLs are reset on the new DC, see 'samba-tool ntacl sysvolreset', particularly if the idmap is not the same on both.

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba
Rowland penny
2020-May-05 07:26 UTC
[Samba] Access Denied to Netlogon Share on secondary DC
On 04/05/2020 22:18, Dirk Laurenz via samba wrote:
> Hello Andrew,
>
> I use the rsync script from the wiki....
>
> crontab -l
>
> */5 * * * * rsync -XAavz --delete-after --password-file=/etc/samba/rsync-sysvol.secret rsync://sysvol-replication@dc01.samba.laurenz.ws/SysVol /var/lib/samba/sysvol/

Yes, but do you sync idmap.ldb from the first DC to the second DC?

Without doing this, you can and probably will have different IDs on each DC.

Rowland
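The ID divergence described in the reply above can be checked directly by comparing the SID-to-xidNumber mappings of both DCs. This is an added example, not part of the original thread and not Samba's own tooling: it parses LDIF as printed by `ldbsearch -H /var/lib/samba/private/idmap.ldb` on each DC and lists the SIDs that disagree. The sample LDIF is constructed, and keying on `cn` values that start with `S-1-` is an assumption about the record layout.

```python
# Constructed sample exports (not from the thread), shaped like the LDIF that
# `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints on each DC.
DC01_LDIF = """\
dn: CN=CONFIG
cn: CONFIG
xidNumber: 3000011

dn: CN=S-1-5-32-544
cn: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-11
cn: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
"""
# Constructed DC02 export: the same SID was allocated a different local ID.
DC02_LDIF = DC01_LDIF.replace("xidNumber: 3000003", "xidNumber: 3000005")


def parse_idmap_ldif(text):
    """Return {sid: (type, xidNumber)} for every SID record in the LDIF."""
    mappings = {}
    for record in text.split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip ldbsearch comment lines and blanks
            key, value = line.split(": ", 1)
            attrs[key] = value.strip()
        # Assumption: SID records carry cn=<SID>; CN=CONFIG is allocator state.
        if attrs.get("cn", "").startswith("S-1-") and "xidNumber" in attrs:
            mappings[attrs["cn"]] = (attrs.get("type", "?"), int(attrs["xidNumber"]))
    return mappings


def diff_idmap(primary, secondary):
    """Return (sid, primary_entry, secondary_entry) wherever the DCs disagree."""
    sids = sorted(set(primary) | set(secondary))
    return [(s, primary.get(s), secondary.get(s))
            for s in sids if primary.get(s) != secondary.get(s)]


if __name__ == "__main__":
    for sid, a, b in diff_idmap(parse_idmap_ldif(DC01_LDIF), parse_idmap_ldif(DC02_LDIF)):
        print(f"{sid}: dc01={a} dc02={b}")
```

An empty result means both DCs map every SID to the same ID; a `None` on one side means the SID is missing from that DC's idmap.ldb.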
Dirk Laurenz
2020-May-05 09:48 UTC
[Samba] Access Denied to Netlogon Share on secondary DC
No change....

scp /var/lib/samba/private/idmap.ldb dc02:/var/lib/samba/private/idmap.ldb

still access denied

root@dc02:~# smbclient //localhost/netlogon -Udirk -c 'ls'
Enter SAMBA\dirk's password:
NT_STATUS_ACCESS_DENIED listing \*

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland penny via samba
Sent: Tuesday, 5 May 2020 09:26
To: samba at lists.samba.org
Subject: Re: [Samba] Access Denied to Netlogon Share on secondary DC

On 04/05/2020 22:18, Dirk Laurenz via samba wrote:
> Hello Andrew,
>
> I use the rsync script from the wiki....
>
> crontab -l
>
> */5 * * * * rsync -XAavz --delete-after --password-file=/etc/samba/rsync-sysvol.secret rsync://sysvol-replication@dc01.samba.laurenz.ws/SysVol /var/lib/samba/sysvol/

Yes, but do you sync idmap.ldb from the first DC to the second DC?

Without doing this, you can and probably will have different IDs on each DC.

Rowland