Carlos Gardel
2022-Jan-06 18:02 UTC
[Samba] samba-tool ntacl sysvolreset error on newly joined DC
Hello!

I am running an active directory domain with two samba DCs (DC1 and DC2).

The existing DCs, working perfectly, are running on CentOS 6 with samba 4.9.8. Due to CentOS 6 being EOL for quite some time I now want to join a new DC (DC3) to the domain.

I have set up a new DC, running CentOS 8/stream with samba 4.15.3 (compiled from source), following the tutorial at https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory.

Everything has worked perfectly until the section "Built-in User & Group ID Mappings" where you are supposed to "reset the Sysvol folder's file system access Control lists on the new DC" by running:

# samba-tool ntacl sysvolreset

On running this command I get the following error output:

[root@dc3 ~]# samba-tool ntacl sysvolreset
set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/ntacl.py", line 415, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py", line 1754, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py", line 1631, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/ntacls.py", line 230, in setntacl
    service=service, session_info=session_info)
[root@dc3 ~]#

After changing samba log level to 4 the output is as follows (I have changed the actual domain name and IPs):

[root@dc3 ~]# samba-tool ntacl sysvolreset
Processing section "[sysvol]"
Processing section "[netlogon]"
pm_process() returned Yes
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
doing parameter dns forwarder = 192.168.100.1
doing parameter netbios name = DC3
doing parameter realm = DOMAIN.SAMDOM.COM
doing parameter server role = active directory domain controller
doing parameter workgroup = DOMAIN
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter log level = 4
Processing section "[sysvol]"
doing parameter path = /usr/local/samba/var/locks/sysvol
doing parameter read only = No
Processing section "[netlogon]"
doing parameter path = /usr/local/samba/var/locks/sysvol/domain.samdom.com/scripts
doing parameter read only = No
pm_process() returned Yes
ldb_wrap open of idmap.ldb
lp_load_ex: refreshing parameters
Processing section "[global]"
doing parameter dns forwarder = 192.168.100.1
doing parameter netbios name = DC3
doing parameter realm = DOMAIN.SAMDOM.COM
doing parameter server role = active directory domain controller
doing parameter workgroup = DOMAIN
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter log level = 4
Processing section "[sysvol]"
doing parameter path = /usr/local/samba/var/locks/sysvol
doing parameter read only = No
Processing section "[netlogon]"
doing parameter path = /usr/local/samba/var/locks/sysvol/domain.samdom.com/scripts
doing parameter read only = No
pm_process() returned Yes
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
load_module_absolute_path: Module '/usr/local/samba/lib/vfs/acl_xattr.so' loaded
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
vfs_ChDir to /root
vfs_ChDir to /usr/local/samba/var/locks/sysvol
vfs_ChDir to /root
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
lp_load_ex: refreshing parameters
Processing section "[global]"
doing parameter dns forwarder = 192.168.100.1
doing parameter netbios name = DC3
doing parameter realm = DOMAIN.SAMDOM.COM
doing parameter server role = active directory domain controller
doing parameter workgroup = DOMAIN
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter log level = 4
Processing section "[sysvol]"
doing parameter path = /usr/local/samba/var/locks/sysvol
doing parameter read only = No
Processing section "[netlogon]"
doing parameter path = /usr/local/samba/var/locks/sysvol/domain.samdom.com/scripts
doing parameter read only = No
pm_process() returned Yes
ldb_wrap open of idmap.ldb
ldb_wrap open of idmap.ldb
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 3000000
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 3000000
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 3000000
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/ntacl.py", line 415, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py", line 1754, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py", line 1631, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/ntacls.py", line 230, in setntacl
    service=service, session_info=session_info)
[root@dc3 ~]#

From the output above I cannot understand what is wrong. I have tried searching for the error on Google but have found nothing.

I would very much appreciate any help on how to proceed!

Kind regards,
Carl
Rowland Penny
2022-Jan-06 18:16 UTC
[Samba] samba-tool ntacl sysvolreset error on newly joined DC
On Thu, 2022-01-06 at 18:02 +0000, Carlos Gardel via samba wrote:
> Hello!
>
> I am running an active directory domain with two samba DCs (DC1 and
> DC2).
>
> The existing DCs, working perfectly, are running on CentOS 6 with
> samba 4.9.8. Due to CentOS 6 being EOL for quite some time I now
> want to join a new DC (DC3) to the domain.
>
> I have set up a new DC, running CentOS 8/stream with samba 4.15.3
> (compiled from source), following the tutorial at
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> .
> Everything has worked perfectly until the section "Built-in User &
> Group ID Mappings" where you are supposed to "reset the Sysvol
> folder's file system access Control lists on the new DC" by running:
> # samba-tool ntacl sysvolreset.
>
> On running this command I get the following error output:
>
> [root@dc3 ~]# samba-tool ntacl sysvolreset
> set_nt_acl_conn: init_files_struct failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> ERROR(runtime): uncaught exception - (3221225524, 'The object name is
> not found.')

Have you synced idmap.ldb and sysvol to the new DC?

See here:

https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)

Rowland
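
A quick check related to Rowland's question, as an added example that is not part of the thread: it assumes the failure in set_gpos_acl comes from a GPO that AD lists but whose folder is absent from the new DC's unsynced sysvol, and compares the GPO GUIDs (as listed by samba-tool gpo listall) against the folders under Policies. The listing text and the temporary sysvol tree are constructed samples, and the function names are hypothetical.

```python
import os
import re
import tempfile

# Constructed sample in the style of `samba-tool gpo listall` output; the two
# GUIDs are the well-known default domain and domain controllers policies.
SAMPLE_LISTALL = """\
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
"""

# A GUID in braces on a line that starts with "GPO".
GUID_RE = re.compile(r"^GPO\s*:\s*(\{[0-9A-Fa-f-]{36}\})\s*$", re.M)


def gpo_guids(listall_text):
    """Return the GPO GUIDs named in the listing, in order."""
    return GUID_RE.findall(listall_text)


def missing_gpo_dirs(sysvol, dnsdomain, guids):
    """Return the GUIDs with no folder under <sysvol>/<dnsdomain>/Policies."""
    policies = os.path.join(sysvol, dnsdomain, "Policies")
    return [g for g in guids if not os.path.isdir(os.path.join(policies, g))]


def demo():
    """Build a throwaway sysvol that holds only one of the two GPO folders."""
    guids = gpo_guids(SAMPLE_LISTALL)
    with tempfile.TemporaryDirectory() as sysvol:
        os.makedirs(os.path.join(sysvol, "domain.samdom.com", "Policies", guids[0]))
        partial = missing_gpo_dirs(sysvol, "domain.samdom.com", guids)
        # Assumption: a domain folder that was never copied looks like this.
        unsynced = missing_gpo_dirs(sysvol, "other.example", guids)
    return partial, unsynced


if __name__ == "__main__":
    partial, unsynced = demo()
    print("missing from partially synced sysvol:", partial)
    print("missing when the domain folder is absent:", unsynced)
```

On a real DC the sysvol argument would be the path from the [sysvol] share in smb.conf (/usr/local/samba/var/locks/sysvol in the log above).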