Setting up Second Samba DC samba-tool ntacl sysvolreset fails


Setting up Second Samba DC samba-tool ntacl sysvolreset fails

Samba - General mailing list
Hi List!

I am working my way through getting familiar with samba and I have two
domain controllers now with an additional samba file server.
The servers are CentOS 7.4.1708;
 the domain controllers are built from source with samba-4.7.1;
 and on the file server I installed winbind, smb and nmb from the CentOS repos.

My problem is after bringing up the second domain controller and
successfully joining it to the domain, as the wiki directs I tried to
run samba-tool ntacl sysvolreset and this fails.

[root@testdc2 private]# samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed}
The requested operation was unsuccessful.')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/ntacls.py",
line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER |
security.SECINFO_GROUP | security.SECINFO_DACL |
security.SECINFO_SACL, sd, service=service)

Please, what am I doing wrong?


"Primary" DC config file:

# Global parameters
[global]
        dns forwarder = 8.8.8.8
        netbios name = TESTBOX
        realm = SAMDOM.TESTING.COM
        server role = active directory domain controller
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes
        log file = /var/log/samba/%m.log
        log level = 3
        tls enabled = yes
        winbind enum groups = Yes
        winbind enum users = Yes

        template shell = /bin/bash
        template homedir = /share/%U

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

New DC config file:
# Global parameters
[global]
        netbios name = TESTDC2
        realm = SAMDOM.TESTING.COM
        server role = active directory domain controller
        workgroup = SAMDOM

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

File server config file (thank you Roland!):
[global]
    workgroup = SAMDOM
    security = ADS
    realm = SAMDOM.TESTING.COM

    server string = Samba Server Version %v

    winbind use default domain = yes
    winbind expand groups = 4
    winbind refresh tickets = Yes

    idmap config *:backend = tdb
    idmap config *:range = 3000-9999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    template shell = /bin/bash

    template homedir = /share/%U

    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

    log file = /var/log/samba/log.%m
    max log size = 50
    username map = /etc/samba/user.map

[homes]
        comment = Home Directories
        browseable = no
        read only = no

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Setting up Second Samba DC samba-tool ntacl sysvolreset fails

Samba - General mailing list
On Mon, 13 Nov 2017 09:59:23 +0100
Sina Owolabi via samba <[hidden email]> wrote:

> Hi List!
>
> I am working my way through getting familiar with samba and I have two
> domain controllers now with an additional samba file server.
> The servers are CentOS 7.4.1708;
>  the domain controllers are built from source with samba-4.7.1;
>  and the file server, installed winbind, smb and nmb from CentOS
> repos.
>
> My problem is after bringing up the second domain controller and
> successfully joining it to the domain, as the wiki directs I tried to
> run samba-tool ntacl sysvolreset and this fails.
>
> [root@testdc2 private]# samba-tool ntacl sysvolreset
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed}
> The requested operation was unsuccessful.')
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
> line 239, in run lp, use_ntvfs=use_ntvfs)
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid,
> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1502, in set_gpos_acl use_ntvfs=use_ntvfs,
> skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/ntacls.py",
> line 162, in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER |
> security.SECINFO_GROUP | security.SECINFO_DACL |
> security.SECINFO_SACL, sd, service=service)
>
> Please what am I doing wrong?

Have you added any other GPOs to your first DC?
If so, you need to 'sync' them to the second DC.

>
>
> "Primary" DC config file:
>
> # Global parameters
> [global]
>         dns forwarder = 8.8.8.8
>         netbios name = TESTBOX
>         realm = SAMDOM.TESTING.COM
>         server role = active directory domain controller
>         workgroup = SAMDOM
>         idmap_ldb:use rfc2307 = yes
>         log file = /var/log/samba/%m.log
>         log level = 3
>         tls enabled = yes
>         winbind enum groups = Yes
>         winbind enum users = Yes

You should remove the two lines above, you do not need them.

>
>         template shell = /bin/bash
>         template homedir = /share/%U
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
> New DC config file:
> # Global parameters
> [global]
>         netbios name = TESTDC2
>         realm = SAMDOM.TESTING.COM
>         server role = active directory domain controller
>         workgroup = SAMDOM

You need to add 'idmap_ldb:use rfc2307 = yes'

Rowland


Re: Setting up Second Samba DC samba-tool ntacl sysvolreset fails

Samba - General mailing list
Hi Rowland

I removed the winbind lines, added the 'idmap_ldb:use rfc2307 = yes'
line to the second DC, and rebooted the servers, but the error does not go away.

First DC:
[global]
        dns forwarder = 8.8.8.8
        netbios name = TESTBOX
        realm = SAMDOM.TESTING.COM
        server role = active directory domain controller
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes
        log file = /var/log/samba/%m.log
        log level = 3
        tls enabled = yes

        template shell = /bin/bash
        template homedir = /share/%U

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

Second DC:
[global]
        netbios name = TESTDC2
        realm = SAMDOM.TESTING.COM
        server role = active directory domain controller
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes
        tls enabled = yes

        template shell = /bin/bash
        template homedir = /share/%U


[netlogon]
        path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[root@testdc2 private]# samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed}
The requested operation was unsuccessful.')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/ntacls.py",
line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER |
security.SECINFO_GROUP | security.SECINFO_DACL |
security.SECINFO_SACL, sd, service=service)


Re: Setting up Second Samba DC samba-tool ntacl sysvolreset fails

Samba - General mailing list
On Tue, 14 Nov 2017 00:12:11 +0100
Sina Owolabi <[hidden email]> wrote:

> Hi Rowland
>
> I removed the winbind lines, and added the 'idmap_ldb:use rfc2307 =
> yes' line to the second DC, and
> rebooted the servers,  but the error does not go away.
>

The error you are getting is usually caused by adding GPOs to the first
DC and then NOT copying them to the second DC before running
'sysvolreset'. The GPOs are also stored in AD, 'sysvolreset' reads AD
to find where the GPOs are supposed to be, but if it cannot find any,
it errors out.

Rowland



Re: Setting up Second Samba DC samba-tool ntacl sysvolreset fails

Samba - General mailing list
Greetings! On that day, Rowland Penny via samba wrote:

> The error you are getting is usually caused by adding GPOs to the first
> DC and then NOT copying them to the second DC before running
> 'sysvolreset'. The GPOs are also stored in AD, 'sysvolreset' reads AD
> to find where the GPOs are supposed to be, but if it cannot find any,
> it errors out.

As far as I have understood, you also have to copy the idmap to the new DC
to have perfectly matching xIDs:

        https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_Groups_GID_Mappings

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (tax code 00307430132, category ONLUS or HEALTH RESEARCH)


Re: Setting up Second Samba DC samba-tool ntacl sysvolreset fails

Samba - General mailing list
Thanks Rowland, Marco

I did an rsync --delete of the sysvol directory from the first to the
second DC and the errors disappeared.

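The failure mode Rowland describes and the fix Sina applied, as an added shell example (not code from the thread or from the Samba project): AD, which is already replicated to the new DC, lists the GPOs that exist, while 'samba-tool ntacl sysvolreset' walks the local SYSVOL and fails when a listed GPO has no directory there. The script checks for that mismatch before running sysvolreset and, if needed, pulls SYSVOL from the first DC. The SYSVOL path and domain name follow the smb.conf files posted above; the 'samba-tool gpo listall' output format, the first DC's hostname and the rsync flags are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project. Paths follow the
# smb.conf files in the thread; the 'samba-tool gpo listall' line format, the
# hostname passed to sync_sysvol_from and the rsync flags are assumptions.

# Read 'samba-tool gpo listall' output on stdin and print one GPO GUID per line.
# Assumed input line format:  "GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}"
gpo_guids() {
    sed -n 's/^GPO *: *\({[^}]*}\).*/\1/p'
}

# For each GUID read from stdin, check that $1 (the Policies directory) holds a
# matching directory. Prints every missing path; returns the number missing.
missing_gpo_dirs() {
    policies_dir=$1
    missing=0
    for guid in $(gpo_guids); do
        if [ ! -d "$policies_dir/$guid" ]; then
            echo "missing: $policies_dir/$guid"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# On a DC laid out like the ones in the thread: compare AD against local SYSVOL.
check_local_sysvol() {
    sysvol=/usr/local/samba/var/locks/sysvol
    samba-tool gpo listall | missing_gpo_dirs "$sysvol/samdom.testing.com/Policies"
}

# Pull SYSVOL from the first DC ($1, hostname assumed) and then reset the NT ACLs.
# -A/-X carry POSIX ACLs and xattrs across; --delete mirrors removals, as the
# poster did. Run this only when check_local_sysvol reported missing GPOs.
sync_sysvol_from() {
    first_dc=$1
    rsync -aAX --delete "root@$first_dc:/usr/local/samba/var/locks/sysvol/" \
        /usr/local/samba/var/locks/sysvol/ &&
    samba-tool ntacl sysvolreset
}

# Stand-alone demo on constructed data: AD lists two GPOs, SYSVOL has only one.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}"
    printf '%s\n' \
        'GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}' \
        'display name : Default Domain Policy' \
        'GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}' \
        'display name : Default Domain Controllers Policy' |
        missing_gpo_dirs "$tmp/Policies"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "demo: $? GPO(s) missing from SYSVOL"
```

On the new DC, run check_local_sysvol first; a non-zero return with one or more "missing:" lines is the condition that makes sysvolreset abort, and sync_sysvol_from is the fix for it. Marco's point still stands separately: copying SYSVOL fixes the missing directories, but matching xIDs on the new DC also need the idmap copied as the wiki describes.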