On 23.03.22 at 12:17, Stefan G. Weichinger via samba wrote:
> On 23.03.22 at 11:57, Rowland Penny via samba wrote:
>
>>> What do I set idmap range to while NOT breaking the existing
>>> users/groups?
>>
>> Nothing, you do not need to add anything.
>
> great
>
>>> Will that help me to get correct ACL editing perms again?
>>
>> No, you seem to have another problem. Is this a DC that doesn't hold
>> the PDC_Emulator FSMO role ? If so, have you synced Sysvol and
>> idmap.ldb from the PDC_Emulator DC ?
>
> I found a thread around that ... and will check for that asap.
>
> Sure, I sync sysvol for years, and remember syncing idmap.ldb years ago.
> But I haven't touched that for a long time.

checked things:

2 DCs "backup" and "dc2" (don't ask ;-) ).

dc2 is the one with the PDC_Emulator FSMO role.

"backup" rsyncs sysvol from "dc2".

I rsynced dc2:/var/lib/samba/private/idmap.ldb over to "backup", and
restarted the samba-ad-dc.service

"samba-tool ntacl sysvolreset" on dc2 tells

idmap range not specified for domain '*'
idmap range not specified for domain '*'

(dozens of lines, then:)

ndr_pull_uint16: ndr_pull_error(Buffer Size Error): Pull bytes 2 (../../librpc/ndr/ndr_basic.c:136) at ../../librpc/ndr/ndr_basic.c:136
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL.
ERROR(runtime): uncaught exception - (3221225507, '{Buffer Too Small} The buffer is too small to contain the entry. No information has been written to the buffer.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 412, in run
    provision.setsysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1747, in setsysvolacl
    _setntacl(os.path.join(root, name))
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1736, in _setntacl
    return setntacl(
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 230, in setntacl
    smbd.set_nt_acl(

I assume I would have to fix the ACLs on "dc2" and rsync syncs the
corrected permissions over.

On 23.03.22 at 13:01, Stefan G. Weichinger via samba wrote:
> On 23.03.22 at 12:17, Stefan G. Weichinger via samba wrote:
>> On 23.03.22 at 11:57, Rowland Penny via samba wrote:
>>
>>>> What do I set idmap range to while NOT breaking the existing
>>>> users/groups?
>>>
>>> Nothing, you do not need to add anything.
>>
>> great
>>
>>>> Will that help me to get correct ACL editing perms again?
>>>
>>> No, you seem to have another problem. Is this a DC that doesn't hold
>>> the PDC_Emulator FSMO role ? If so, have you synced Sysvol and
>>> idmap.ldb from the PDC_Emulator DC ?
>>
>> I found a thread around that ... and will check for that asap.
>>
>> Sure, I sync sysvol for years, and remember syncing idmap.ldb years
>> ago. But I haven't touched that for a long time.
>
> checked things:
>
> 2 DCs "backup" and "dc2" (don't ask ;-) ).
>
> dc2 is the one with the PDC_Emulator FSMO role.
>
> "backup" rsyncs sysvol from "dc2".
>
> I rsynced dc2:/var/lib/samba/private/idmap.ldb over to "backup", and
> restarted the samba-ad-dc.service
>
>
> "samba-tool ntacl sysvolreset" on dc2 tells
>
>
>
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
>
> (dozens of lines, then:)
>
>
> ndr_pull_uint16: ndr_pull_error(Buffer Size Error): Pull bytes 2
> (../../librpc/ndr/ndr_basic.c:136) at ../../librpc/ndr/ndr_basic.c:136
> set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL.
> ERROR(runtime): uncaught exception - (3221225507, '{Buffer Too Small}
> The buffer is too small to contain the entry. No information has been
> written to the buffer.')
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
> 186, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
> 412, in run
>     provision.setsysvolacl(samdb, netlogon, sysvol,
>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
> line 1747, in setsysvolacl
>     _setntacl(os.path.join(root, name))
>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
> line 1736, in _setntacl
>     return setntacl(
>   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 230, in
> setntacl
>     smbd.set_nt_acl(
>
>
> I assume I would have to fix the ACLs on "dc2" and rsync syncs the
> corrected permissions over.

How can I proceed here? Did I miss anything obvious?

Editing GPOs worked before.

On 24.03.22 at 19:29, Stefan G. Weichinger via samba wrote:
>> I assume I would have to fix the ACLs on "dc2" and rsync syncs the
>> corrected permissions over.
>
> How can I proceed here? Did I miss anything obvious?
>
> Editing GPOs worked before.

*bump*