[Samba] sysvol acl's broken beyond repair

Krutskikh Ivan stein.hak at gmail.com
Sun Oct 4 11:38:12 UTC 2015


Weird, I've just transferred the idmap.ldb file from dc to bdc and tried
sysvolreset. The same issue once again.

2015-10-04 14:20 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 04/10/15 12:00, Krutskikh Ivan wrote:
>
>> ok, I've investigated the problem more closely. First of all, I didn't
>> mention that I have 2 domain controllers: dc(initial) and bdc (backup).
>> Rsync command
>>
>> /usr/bin/rsync -XAavz --delete-after
>> dc:/usr/local/samba/var/locks/sysvol/*
>> /usr/local/samba/var/locks/sysvol/
>>
>> fires every 5 minutes on bdc.
>>
>> However, if I try to gpupdate from bdc I get the above error. Gpupdating
>> from dc works fine. The strangest thing is that when I try resetting sysvol
>> on bdc I get
>>
>> root at bdc:/lib/systemd/system# samba-tool ntacl sysvolreset
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Module 'acl_xattr' loaded
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
>> 'force unknown acl user = true' for service Unknown Service (snum == -1)
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
>> 'force unknown acl user = true' for service Unknown Service (snum == -1)
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
>> 'force unknown acl user = true' for service sysvol
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
>> 'force unknown acl user = true' for service sysvol
>>
>> And more repeating lines about xattrs and idmap. I think this is due to
>> some misconfiguration on bdc.
>>
>> 2015-10-03 18:46 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>>
>>> On 03/10/15 16:20, Krutskikh Ivan wrote:
>>>
>>>> Hm, can I fix it manually? Maybe sysvolcheck stumbles on the first error
>>>> and misses something more severe later on.
>>>>
>>>> 2015-10-03 12:09 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>>>>
>>>>> You need to look further, I don't think your DC is broken, I think
>>>>> sysvolcheck is broken. Try raising the log level on the DC to 10 and see
>>>>> if anything pops up in the logs, also check the logs on the connecting
>>>>> PCs, this may be a Windows error.
>>>>>
>>>>> Rowland
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
> Ok, first things first, you do not have a DC and a BDC, you have two DCs.
> All DCs are equal apart from the FSMO roles.
>
> Next, the DCs are not equal if they are Samba DCs :-)
> They should be, but they aren't because idmap.ldb is different on the two
> DCs.
>
> Have a look here:
>
> https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory#GID_mappings_of_built-in_groups
>
>
> Rowland
>

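A cross-DC consistency check in the spirit of the wiki section Rowland links above, added here as an example (not code from the thread or from the Samba project): it parses two ldbsearch exports of idmap.ldb, one taken on each DC, and lists every SID whose xidNumber differs, i.e. the groups that map to different POSIX IDs on the two DCs. It assumes unfolded LDIF output; the sample records are constructed.

```shell
# Added example (not from the thread): compare the SID -> xidNumber mappings in
# two idmap.ldb exports taken on each DC, e.g. with
#   ldbsearch -H /usr/local/samba/private/idmap.ldb > dc1.ldif
# and list every SID that maps to a different POSIX ID on the two DCs.
export LC_ALL=C   # byte-order collation so sort and join agree

# Emit sorted "SID xidNumber" pairs from one LDIF export (unfolded lines assumed).
idmap_pairs() {
    awk '
        /^objectSid: / { sid = $2 }
        /^xidNumber: / { xid = $2 }
        /^$/ && sid != "" { print sid, xid; sid = ""; xid = "" }
        END { if (sid != "") print sid, xid }
    ' "$1" | sort -k1,1
}

# Print "SID xid_in_first xid_in_second" for each SID whose mapping differs or
# exists on only one side ("-" marks the side where it is missing).
idmap_diff() {
    pa=$(mktemp); pb=$(mktemp)
    idmap_pairs "$1" > "$pa"
    idmap_pairs "$2" > "$pb"
    join -a1 -a2 -e - -o 0,1.2,2.2 "$pa" "$pb" | awk '$2 != $3'
    rm -f "$pa" "$pb"
}

# Constructed sample exports, trimmed to the two attributes the check reads:
# Administrators (-544) agrees, Users (-545) got a different dynamic ID on the
# second DC, and each side has one mapping the other lacks.
demo() {
    dc1=$(mktemp); dc2=$(mktemp)
    printf '%s\n' 'objectSid: S-1-5-32-544' 'xidNumber: 3000000' '' \
        'objectSid: S-1-5-32-545' 'xidNumber: 3000001' '' \
        'objectSid: S-1-5-21-111-222-333-512' 'xidNumber: 3000002' > "$dc1"
    printf '%s\n' 'objectSid: S-1-5-32-544' 'xidNumber: 3000000' '' \
        'objectSid: S-1-5-32-545' 'xidNumber: 3000003' '' \
        'objectSid: S-1-5-32-548' 'xidNumber: 3000004' > "$dc2"
    idmap_diff "$dc1" "$dc2"
    rm -f "$dc1" "$dc2"
}

demo
```

An empty result means both DCs agree on every mapping; any line printed names a SID whose ACL entries will resolve to a different owner or group on the two DCs.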
