Hello Rowland and thank you for your reply!
Yes, I have synced idmap.ldb from the DC holding the FSMO role (DC1). Output
from the "history" command on DC3:
288 rsync -av -e ssh root@DC1:/usr/local/samba/private/idmap.ldb.bak /usr/local/samba/private/
289 mv /usr/local/samba/private/idmap.ldb.bak /usr/local/samba/private/idmap.ldb
290 net cache flush
303 samba-tool ntacl sysvolreset
When comparing the permissions of the /usr/local/samba/var/locks/sysvol folders
on DC1 and DC3 I noticed the following.
The sysvol folder itself has identical permissions on both DCs:
DC1:
drwxrwx---+ 3 root 3000000 4096 Feb 4 2015 sysvol
DC3:
drwxrwx---+ 3 root 3000000 38 Feb 4 2015 sysvol
But the subfolder, named as the domain, has the following permissions (real
domain name is of course other than samdom.example.com):
DC1:
drwxrwx---+ 4 root 3000000 4096 Feb 4 2015 samdom.example.com
DC3:
drwxrwx--- 4 root 3000000 37 Feb 4 2015 samdom.example.com
I.e. the trailing "+" is missing on DC3.
Same again with next subfolders:
DC1:
drwxrwx---+ 27 root 3000000 4096 Mar 18 14:26 Policies
drwxrwx---+ 2 root 3000000 4096 Jul 9 2015 scripts
DC3:
drwxrwx--- 27 root 3000000 4096 Mar 18 14:26 Policies
drwxrwx--- 2 root 3000000 23 Jul 9 2015 scripts
Could this be the problem?
Kind regards,
Carlos
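As an added example (not from the thread or from Samba), a small POSIX shell check that compares two "ls -l" listings of the same sysvol directory and reports entries whose ACL marker "+" differs between the two DCs; the sample listings embedded below are constructed from the Policies and scripts lines quoted above.

```shell
#!/bin/sh
# Compare two `ls -l` listings of the same sysvol directory (here DC1 and DC3)
# and report entries where the ACL marker "+" in the mode field differs.
# A "+" after the mode bits means the entry carries a POSIX ACL; sysvol
# depends on those ACLs, so "+" on one DC but not the other is worth a look.

# Constructed sample listings, copied from the DC1/DC3 output in the thread.
DC1_LISTING='drwxrwx---+ 27 root 3000000 4096 Mar 18 14:26 Policies
drwxrwx---+ 2 root 3000000 4096 Jul 9 2015 scripts'
DC3_LISTING='drwxrwx--- 27 root 3000000 4096 Mar 18 14:26 Policies
drwxrwx--- 2 root 3000000 23 Jul 9 2015 scripts'

# has_acl LISTING NAME -> prints "yes" if NAME's mode field ends in "+",
# "no" otherwise (the file name is always the last field of an ls -l line).
has_acl() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $NF == name {
            print (substr($1, length($1), 1) == "+") ? "yes" : "no"
            exit
        }'
}

# acl_mismatches LISTING_A LISTING_B -> prints, one per line, the names from
# LISTING_A whose ACL marker differs from the same name in LISTING_B.
acl_mismatches() {
    printf '%s\n' "$1" | awk '{ print $NF }' | while read -r name; do
        a=$(has_acl "$1" "$name")
        b=$(has_acl "$2" "$name")
        [ "$a" = "$b" ] || printf '%s\n' "$name"
    done
}

# Stand-alone run: list the entries that disagree between DC1 and DC3.
acl_mismatches "$DC1_LISTING" "$DC3_LISTING"
```

On real DCs, capture the listings with "ls -l /usr/local/samba/var/locks/sysvol/<domain>" on each host and pass them to acl_mismatches. Keep in mind that rsync only carries POSIX ACLs with -A (and extended attributes with -X), so an rsync run without those flags is the first thing to check when the "+" is missing on the receiving side.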
From: Rowland Penny via samba <samba@lists.samba.org>
Sent: 18 March 2022 22:25
To: samba@lists.samba.org
Cc: Rowland Penny <rpenny@samba.org>
Subject: Re: [Samba] sysvol permission errors on newly joined DC
On Fri, 2022-03-18 at 21:10 +0000, Carlos Gardel via samba
wrote:
> Good evening list,
>
> I host a small samba AD domain with three DCs (DC1, DC2 and DC3).
>
> DC1 and DC2 are running on CentOS 6 with samba 4.9.8, so quite old.
>
> Beginning of January this year I set up a new DC (DC3) on CentOS 8
> with samba 4.15.3 which I joined to the existing domain (following
> the guide at
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> ). Domain join etc went fine and replication has been working without
> problems. Sysvol is syncing from DC1 (rsync).
Have you synced idmap.ldb from the DC holding the PDC_Emulator FSMO
role to the other DCs?
Rowland