Samba 4.3.11 Unable to migrate shares from AD to file server with net rpc
Srikar Somineni
srikars at vedams.com
Wed May 31 21:20:15 UTC 2017
Hi All,
I am trying to migrate shares from a Win2k12 R2 AD
server (SJCLAB2.LOCAL) to an Ubuntu 16.04 samba fileserver present in the same
domain. Samba version is 4.3.11-Ubuntu.
Before migrating shares I was able to successfully join the fileserver to
Active Directory.
Below is my samba server configuration.
#======================= Global Settings =======================
[global]
workgroup = SJCLAB2
security = ADS
realm = SJCLAB2.LOCAL
wins server = SJCLAB2.LOCAL
password server = SJCLAB2.LOCAL
server string = %h server (Samba, Ubuntu)
domain master = no
local master = no
preferred master = no
printcap name = /etc/printcap
load printers = no
dns proxy = no
interfaces = 127.0.0.0/8 ens4
bind interfaces only = yes
log file = /var/log/samba/log.%m
log level = 10
max log size = 1000
panic action = /usr/share/samba/panic-action %d
server role = member server
passdb backend = tdbsam
map untrusted to domain = Yes
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
############ Misc ############
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
idmap config *:backend = tdb
idmap config *:range = 10000-20000
winbind enum users = yes
winbind enum groups = yes
# This way users log in with username instead of username@example.org
winbind use default domain = yes
# Inherit groups in groups
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = true
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = no
[sjc_demouser2] --------------------> Share present on AD and created on file server
browseable = yes
users=@SJCLAB2/administrator
force unknown acl user = yes
writable = yes
create mask = 0700
directory mask = 0770
acl group control = yes
acl check permissions = True
nt acl support = yes
force directory security mode = 770
inherit permissions = yes
inherit acls = yes
inherit owner = no
map acl inherit = yes
path = /home/sjc_demouser2
dos filemode = yes
vfs objects = acl_xattr
After joining I tried to migrate shares on my AD to fileserver using "net
rpc" while preserving acls with the below command.
#net rpc share migrate shares sjc_demouser2 -U administrator -S sjclab2.local --destination=localhost --acls -v -d=10
After running the above command I got the error "WERR_ACCESS_DENIED".
Below is the snippet of debug message that got generated.
rpc_api_pipe: host localhost
signed SMB2 message
rpc_read_send: data_to_read: 20
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0024 (36)
auth_length : 0x0000 (0)
call_id : 0x00000008 (8)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x0000000c (12)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=12
[0000] 1C 00 02 00 00 00 00 00 05 00 00 00 ........ ....
Got pdu len 36, data_len 12
rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
rpc_api_pipe: host localhost returned 12 bytes.
srvsvc_NetShareAdd: struct srvsvc_NetShareAdd
out: struct srvsvc_NetShareAdd
parm_error : *
parm_error : 0x00000000 (0)
result : WERR_ACCESS_DENIED
cannot add share: WERR_ACCESS_DENIED
signed SMB2 message
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
signed SMB2 message
return code = -1
Freeing parametrics:
Later I tried "net rpc share migrate files"
#net rpc share migrate files sjc_demouser2 -U administrator -S sjclab2.local destination=localhost --acls -v -d=10
Observed that I was able to migrate files from my AD share to fileserver
share but when directories are migrated, I got the error
"NT_STATUS_REVISION_MISMATCH"
Below is the snippet of debug message that got generated.
signed SMB2 message
signed SMB2 message
signed SMB2 message
signed SMB2 message
signed SMB2 message
got mask: \*, name: tst
got dir: tst
opening dir \tst on originating server
signed SMB2 message
creating dir \tst on the destination server
signed SMB2 message
signed SMB2 message
cannot check for directory \tst: NT_STATUS_REVISION_MISMATCH
signed SMB2 message
signed SMB2 message
listing \* failed with error: NT_STATUS_REVISION_MISMATCH
could not handle files for share: sjc_demouser2
rpc command function failed! (NT_STATUS_REVISION_MISMATCH)
signed SMB2 message
return code = -1
Freeing parametrics:
Can someone please tell me why I was unable to migrate shares using net rpc
and got error "WERR_ACCESS_DENIED"?
Also please tell me why I got an error "NT_STATUS_REVISION_MISMATCH" when
"net rpc share migrate files" command was run on share containing
directories?
Please excuse me for the lengthy text. Thanks in advance.
Regards,
S.Srikar.
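Added example (not part of the original post and not Samba code): a small triage script that decodes the 12-byte stub_and_verifier blob from the first excerpt and cross-checks it against the result Samba printed, confirming that the access-denied code is carried in the reply returned by host localhost to srvsvc_NetShareAdd. The NDR layout (pointer referent, parm_error, WERROR) is inferred from the fields shown in the log; the function names and the WERR_NAMES table are hypothetical.

```python
import re
import struct

# Lines copied from the two debug excerpts quoted in the post above.
SAMPLE_LOG = r"""drep: ARRAY(4)
[0] : 0x10 (16)
stub_and_verifier : DATA_BLOB length=12
[0000] 1C 00 02 00 00 00 00 00 05 00 00 00 ........ ....
srvsvc_NetShareAdd: struct srvsvc_NetShareAdd
result : WERR_ACCESS_DENIED
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
rpc command function failed! (NT_STATUS_REVISION_MISMATCH)
"""

# Partial map of Win32 error codes to WERR_* names (only what this example needs).
WERR_NAMES = {0: "WERR_OK", 5: "WERR_ACCESS_DENIED"}

def hexdump_bytes(line, length):
    """Bytes of one dump line like '[0000] 1C 00 ... ....' (blobs of up to 16 bytes)."""
    return bytes(int(tok, 16) for tok in line.split()[1:1 + length])

def decode_netshareadd_reply(stub, drep0=0x10):
    """Decode the reply stub: unique pointer to uint32 parm_error, then WERROR."""
    order = "<" if (drep0 >> 4) == 1 else ">"   # drep[0] high nibble: 1 = little-endian
    (referent,) = struct.unpack_from(order + "I", stub, 0)
    offset, parm_error = 4, None
    if referent:                                # non-NULL pointer: its value follows
        (parm_error,) = struct.unpack_from(order + "I", stub, offset)
        offset += 4
    (code,) = struct.unpack_from(order + "I", stub, offset)
    if offset + 4 != len(stub):
        raise ValueError("unexpected trailing bytes in stub")
    return {"parm_error": parm_error, "werror": code,
            "name": WERR_NAMES.get(code, "0x%08x" % code)}

def triage(log):
    """List failed RPC commands and decode the stub preceding a NetShareAdd dump."""
    m = re.search(r"drep: ARRAY\(4\)\s*\n\s*\[0\]\s*:\s*0x([0-9a-fA-F]+)", log)
    drep0 = int(m.group(1), 16) if m else 0x10
    report = {"failed": re.findall(r"rpc command function failed! \((\w+)\)", log),
              "logged": re.findall(r"result\s*:\s*(WERR_\w+)", log), "decoded": []}
    stub, lines = None, log.splitlines()
    for i, line in enumerate(lines):
        m = re.search(r"stub_and_verifier\s*:\s*DATA_BLOB length=(\d+)", line)
        if m and i + 1 < len(lines):
            stub = hexdump_bytes(lines[i + 1], int(m.group(1)))
        elif stub and line.strip().startswith("srvsvc_NetShareAdd:"):
            report["decoded"].append(decode_netshareadd_reply(stub, drep0))
            stub = None
    return report
```

Calling `triage()` on a full `-d=10` capture gives the list of failed commands alongside the decoded reply, so a mismatch between the wire value and the logged `result` line would be visible.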