Enabling s3fs on samba4 DC

Andrew Bartlett abartlet at samba.org
Tue Aug 28 02:23:39 MDT 2012


On Tue, 2012-08-28 at 10:16 +0200, Daniele Dario wrote:
> Hi Andrew,
> 
> On Tue, 2012-08-28 at 15:21 +1000, Andrew Bartlett wrote:
> > On Mon, 2012-08-27 at 10:35 +0200, Daniele Dario wrote:
> > > Hi samba team,
> > > it's been a long time since my last question and I've seen a lot of
> > > progress during this time so I'll say "great job guys".
> > > 
> > > In my installation I have 2 s4 DCs (at the moment DC1 is Version
> > > 4.0.0beta3-GIT-d1aeb2d and DC2 is Version 4.0.0beta3-GIT-c983ea8) both
> > > are using bind 9.9 + samba_dlz for DNS and they are running without
> > > problems since my last update to beta3 (again great job guys).
> > > 
> > > I'm planning to move network shares from a s3 fileserver which is joined
> > > to the domain to DC2 and I'd use s3fs (to reduce HW) but I've heard that
> > > there are some things to do when changing from NTVFS to s3fs (both DCs
> > > are using NTVFS) so can someone please point me to the right way to
> > > proceed?
> > 
> > 
> > 
> > > Is it better to upgrade to the latest beta release before migrating from
> > > NTVFS to S3FS?
> > 
> > Please either wait for beta7 (very soon) or use GIT master.  I've
> > finally fixed a lot of issues here. 
> > 
> > It won't really matter, but you can do it in stages if you like.
> > 
> > > When upgrading to the latest release I would run samba-tool dbcheck
> > > --cross-ncs --fix on the installation I've upgraded before starting
> > > samba, am I right?
> > 
> > Yes.
> > 
> > If you only have a sysvol share, then running:
> > 
> > samba-tool ntacl sysvolreset
> > 
> > after configuring it back to the default file server (s3fs) will set the
> > POSIX ACLs you need.
> > 
> > > This should check and fix dbs in the DC I've upgraded, so shall I check
> > > something before restarting samba to avoid replication problems with the
> > > other DC?
> > 
> > Honestly, I don't think we changed anything that this will matter for
> > since beta3, so don't worry too much.
> > 
> > > I would start upgrading the "secondary" DC and once it is again ok and
> > > running I would do the same on the "primary", am I right?
> > 
> > That should be OK.
> > 
> > Andrew Bartlett
> > 
> 
> I upgraded the secondary DC to the latest git (Version 4.0.0beta7-GIT-b05d28e)
> and this is the response of dbcheck:
> 
> [root at kdc02:~/samba4/samba-master]# samba-tool dbcheck --cross-ncs --fix
> Checking 4207 objects
> ERROR: parent object not found for CN=NTDS Settings
> \0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02
> \0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> Move object CN=NTDS Settings
> \0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02
> \0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local into LostAndFound? [y/N/all/none] y
> Failed to rename object CN=NTDS Settings
> \0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02
> \0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local into lostAndFound at CN=NTDS Settings\0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=LostAndFoundConfig,CN=Configuration,DC=saitelitalia,DC=local : (32, 'objectclass: Cannot rename CN=NTDS Settings\\0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02\\0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local, entry does not exist!')
> Fix isDeleted originating_change_time on 'CN=Deleted
> Objects,CN=Configuration,DC=saitelitalia,DC=local' [y/N/all/none] y
> Fix isDeleted originating_change_time on 'CN=Deleted
> Objects,DC=DomainDnsZones,DC=saitelitalia,DC=local' [y/N/all/none] y
> Fix isDeleted originating_change_time on 'CN=Deleted
> Objects,DC=ForestDnsZones,DC=saitelitalia,DC=local' [y/N/all/none] y
> Fix isDeleted originating_change_time on 'CN=Deleted
> Objects,DC=saitelitalia,DC=local' [y/N/all/none] y
> Checked 4207 objects (5 errors)
> 
> Retrying 
> 
> [root at kdc02:~/samba4/samba-master]# samba-tool dbcheck --cross-ncs --fix
> Checking 4207 objects
> ERROR: parent object not found for CN=NTDS Settings
> \0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02
> \0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> Move object CN=NTDS Settings
> \0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02
> \0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local into LostAndFound? [y/N/all/none] y
> Failed to rename object CN=NTDS Settings
> \0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02
> \0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local into lostAndFound at CN=NTDS Settings\0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=LostAndFoundConfig,CN=Configuration,DC=saitelitalia,DC=local : (32, 'objectclass: Cannot rename CN=NTDS Settings\\0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02\\0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local, entry does not exist!')
> Checked 4207 objects (1 errors)

That is an interesting case.  Each deleted object should be a child of
'cn=deleted objects' directly I think.  Clearly we need to add a rule
that puts it there, rather than tries to put it in lostAndFound. 

> This seems to be a non-blocking error because I restarted samba4 on the
> secondary DC and all seems to be ok.

Yeah, we need to improve the tool, but it won't harm anything as far as
I know. 

> Now I will run samba-tool ntacl sysvolreset, but this should be done with
> samba stopped, am I right?

This can run on-line. 

> Before restarting the service I have to enable s3fs and disable ntvfs,
> don't I?

Yes, you should remove:

server services = +smb -s3fs
dcerpc endpoint servers = +winreg +srvsvc

from your smb.conf before you run 'samba-tool ntacl sysvolreset' and before you restart samba.

(See also the --use-ntvfs and --use-s3fs options to samba-tool ntacl sysvolreset)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
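
A pre-flight check for the step described in the reply above, added here as an example (it is not part of the original message or of Samba's own code): it reports whether smb.conf still carries the two NTVFS override lines that have to be removed before running 'samba-tool ntacl sysvolreset' and restarting samba. The function name ntvfs_overrides and the sample smb.conf are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check before `samba-tool ntacl sysvolreset` on a DC moving from
# NTVFS to s3fs. Function name and sample file are constructed for this example.

# ntvfs_overrides FILE
# Prints every active [global] line that still overrides the default file
# server. Returns 0 when none are left, 1 when at least one is found.
ntvfs_overrides() {
    awk '
        /^[ \t]*[#;]/ { next }                      # commented-out settings do not count
        /^[ \t]*\[/ {                               # section header
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]")
            next
        }
        in_global {
            key = tolower($0); sub(/=.*/, "", key)  # parameter name, case-insensitive
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            val = $0; sub(/^[^=]*=/, "", val)
            val = " " val " "                       # pad so tokens match at the edges
            if (key == "server services" &&
                (val ~ /[ \t,]-s3fs[ \t,]/ || val ~ /[ \t,][+]smb[ \t,]/)) { print; found = 1 }
            if (key == "dcerpc endpoint servers" &&
                (val ~ /[+]winreg/ || val ~ /[+]srvsvc/)) { print; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample: a DC whose smb.conf still has both override lines.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
    workgroup = EXAMPLE
    server services = +smb -s3fs
    dcerpc endpoint servers = +winreg +srvsvc
[sysvol]
    read only = No
EOF
if ntvfs_overrides "$sample"; then
    echo "no NTVFS overrides left: run sysvolreset, then restart samba"
else
    echo "remove the lines printed above from smb.conf first"
fi
rm -f "$sample"
```

Run against the real smb.conf, a non-zero exit status means the override lines are still active and sysvolreset would not yet be setting ACLs for the s3fs file server.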


