[Samba] [SAMBA] Problems with joining a second DC to AD

Rowland Penny rowlandpenny at googlemail.com
Thu May 21 02:36:29 MDT 2015


On 21/05/15 08:17, Stephan Mattecka wrote:
> Hello,
>   
> I try to setup an AD-Domain with the help of Sernet-Samba packages. Currently I'm using Scientific Linux (SL) 6.6 and Sernet-Samba 4.1.17 packages. I tried the procedure two times with fresh minimal SL installations.
>   
> I could successfully install a AD-Domain-Controller.
> Now I tried to add a second DC to this AD-Domain and followed carefully the instructions at the samba wiki.
> I could also join the second DC to my domain, but when I try to run
>   
> samba-tool ntacl sysvolreset
>   
> on the 2nd DC I get the following error messages:
>   
>
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 218, in run
>      lp, use_ntvfs=use_ntvfs)
>    File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1612, in setsysvolacl
>      set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>    File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1505, in set_gpos_acl
>      use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>    File "/usr/lib64/python2.6/site-packages/samba/ntacls.py", line 154, in setntacl
>      smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
>   
> My smb.conf on DC1:
>   
>
> # Global parameters
> [global]
>          workgroup = EXAMPLE
>          realm = EXAMPLE.LAN
>          netbios name = DC1
>          interfaces = lo, eth0
>          bind interfaces only = Yes
>          server role = active directory domain controller
>          idmap_ldb:use rfc2307 = yes
> [netlogon]
>          path = /var/lib/samba/sysvol/pentracor.lan/scripts
>          read only = No
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
>   
> smb.conf on DC2:
>   
>
> # Global parameters
> [global]
>          workgroup = EXAMPLE
>          realm = example.lan
>          netbios name = DC2
>          interfaces = lo, eth1
>          bind interfaces only = Yes
>          server role = active directory domain controller
> [netlogon]
>          path = /var/lib/samba/sysvol/example.lan/scripts
>          read only = No
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
>   
> I did turn off iptables and SELinux on both machines for testing purposes. The folder /var/lib/samba/sysvol exists on DC2. On DC1 I can run the sysvolreset command without any problems.
>   
> Hopefully someone has an idea what might be wrong here.
>   
> Regards
> Stephan Mattecka

It is probably the lack of this line in your second DC:

         idmap_ldb:use rfc2307 = yes

Why this line isn't added when you join a secondary DC I do not know.

Rowland
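As an added illustration of the check Rowland suggests (hypothetical helper script written for this page, not part of Samba or the original thread): it inspects the [global] section of an smb.conf for the `idmap_ldb:use rfc2307 = yes` line and emits a corrected copy when the line is absent. The two configs below are constructed, minimal versions of the DC1 and DC2 files quoted in the question.

```shell
# Hypothetical pre-check helper (not part of Samba): report whether the
# [global] section of an smb.conf carries "idmap_ldb:use rfc2307 = yes"
# and emit a copy with the line added when no such setting exists there.
# Both functions read the smb.conf text on stdin.
RFC2307_LINE='        idmap_ldb:use rfc2307 = yes'

# Exit 0 if the parameter is set to yes inside [global], 1 otherwise.
has_rfc2307_idmap() {
  awk '
    /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/) }
    in_global && tolower($0) ~ /^[ \t]*idmap_ldb:use[ \t]+rfc2307[ \t]*=[ \t]*yes[ \t]*$/ { found = 1 }
    END { if (found) exit 0; exit 1 }
  '
}

# Print the config, inserting the line right after [global] when the
# parameter is not set at all in that section (an explicit "no" is left alone).
add_rfc2307_idmap() {
  awk -v line="$RFC2307_LINE" '
    { buf[NR] = $0 }
    /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); if (in_global) gpos = NR }
    in_global && tolower($0) ~ /idmap_ldb:use[ \t]+rfc2307/ { found = 1 }
    END { for (i = 1; i <= NR; i++) { print buf[i]; if (i == gpos && !found) print line } }
  '
}

# Constructed minimal versions of the two configs in the thread.
DC1_CONF='[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.LAN
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
[sysvol]
        path = /var/lib/samba/sysvol'
DC2_CONF='[global]
        workgroup = EXAMPLE
        realm = example.lan
        server role = active directory domain controller
[sysvol]
        path = /var/lib/samba/sysvol'

for name in DC1_CONF DC2_CONF; do
  eval "conf=\$$name"
  if printf '%s\n' "$conf" | has_rfc2307_idmap; then
    echo "$name: idmap_ldb:use rfc2307 = yes is present in [global]"
  else
    echo "$name: line missing from [global]; corrected config follows"
    printf '%s\n' "$conf" | add_rfc2307_idmap
  fi
done
```

On a real DC, feed `/etc/samba/smb.conf` to `has_rfc2307_idmap` and review the output of `add_rfc2307_idmap` before replacing the file and restarting the service.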


