[Samba] Warning messages when provisioning an ADDC
Thomas Geppert
t.geppert at t-online.de
Fri Feb 5 14:45:13 UTC 2021
Thank you guys for looking at this.
On 05/02/2021 11:39, Rowland penny via samba wrote:
> However these numbers are appearing during a provision and surely at
> this point all the ID numbers are in the '3000000' range, so where are
> the '30000' numbers coming from ?
Sorry, I didn't tell the whole story. To fit the uids and gids into the default mapping range of an unprivileged container I also had to set
    lowerBound: 30000
    upperBound: 65533
in idmap_init.ldif.
I didn't want to enlarge the allowed mapping range for the Linux container because I won't have that many uids and gids.
On 05/02/2021 11:06, Ralph Boehme via samba wrote:
> the module does a getgrgid() call on those ids and apparently nsswitch doesn't know about those ids. Do you have winbind in nsswitch.conf?
> Fwiw, I have no idea if that is sensible on an AD DC... :)
>
> Having said that, when the mapping fails the full NT ACL will not be stored correctly, so this likely means your AD DC setup is screwed. What does samba-tool ntacl sysvolcheck/sysvolreset have to say on this?
"samba-tool ntacl sysvolcheck" did throw an exception:
ERROR(<class 'TypeError'>): uncaught exception - (61, 'No data available')
  File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/ntacl.py", line 446, in run
    lp)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py", line 1885, in checksysvolacl
    fsacl = getntacl(lp, dir_path, session_info, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/ntacls.py", line 121, in getntacl
    xattr.XATTR_NTACL_NAME)
and "samba-tool ntacl sysvolreset" issued the same "Unknown gid" warnings as the provisioning script.
However, after adding winbind to the passwd and group entries in /etc/nsswitch.conf, the sysvolreset completes without any messages, but the sysvolcheck is still not happy and throws the exception.
The error message seems to indicate that it's expecting to find an NTACL where there is none. Any idea why?
-----------
Thomas
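
Added example, not part of the original post and not Samba's own code: a small Python diagnostic for the two symptoms discussed in this message. It reports which paths under a tree have no security.NTACL xattr (the errno 61 case) and which gids NSS cannot resolve. The function names, the injectable getxattr/lookup parameters and the ten-gid sample slice are assumptions made for illustration.

```python
import errno
import grp
import os

NTACL_XATTR = "security.NTACL"  # the name behind samba's xattr.XATTR_NTACL_NAME

def ntacl_state(path, getxattr=os.getxattr):
    """Classify the result of reading the NT ACL xattr on `path`."""
    try:
        getxattr(path, NTACL_XATTR)
        return "present"
    except OSError as exc:
        if exc.errno == errno.ENODATA:      # errno 61, 'No data available'
            return "missing"
        if exc.errno == errno.ENOTSUP:      # filesystem has no xattr support
            return "xattr-unsupported"
        if exc.errno in (errno.EPERM, errno.EACCES):
            return "denied"
        raise

def unresolved_gids(gids, lookup=grp.getgrgid):
    """Return the gids that NSS (passwd/group sources in nsswitch.conf) cannot resolve."""
    missing = []
    for gid in gids:
        try:
            lookup(gid)
        except KeyError:                    # getgrgid() raises KeyError for unknown gids
            missing.append(gid)
    return missing

def scan_tree(root, getxattr=os.getxattr):
    """Map `root` and every directory and file below it to its NT ACL state."""
    report = {root: ntacl_state(root, getxattr)}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            report[full] = ntacl_state(full, getxattr)
    return report

if __name__ == "__main__":
    import sys
    root = sys.argv[1]                      # path to the sysvol directory (supplied by the user)
    for path, state in sorted(scan_tree(root).items()):
        if state != "present":
            print(f"{state:18} {path}")
    # Constructed sample: the first ten gids from the lowerBound given in the post
    print("unresolved gids:", unresolved_gids(range(30000, 30010)))
```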