[Samba] Error running samba-tool dbtool --reset-well-known-acls

Achim Gottinger achim at ag-web.biz
Fri Aug 2 10:08:30 MDT 2013


On 28.07.2013 16:14, Achim Gottinger wrote:
> Hi,
>
> I updated my two Samba DCs from 4.0.3 to SerNet 4.0.7. Both servers 
> run Debian wheezy and the AD was created at the beginning of the year 
> with a classic upgrade to version 4.0.0.
> Recent release notes do not provide information about required upgrade 
> tasks, so I ran
> samba-tool dbcheck --reset-well-known-acls. On the first DC it found a 
> few errors about missing members in computer groups which were fixable 
> with samba-tool dbcheck --reset-well-known-acls --fix.
> On my second DC however one issue remains.
>
> >samba-tool dbcheck --reset-well-known-acls
> Checking 336 objects
> Not fixing nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain 
> Controllers,DC=domain,DC=local
> Please use --fix to fix these errors
> Checked 336 objects (1 errors)
>
> >samba-tool dbcheck --reset-well-known-acls --fix
> Checking 336 objects
> Fix nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain 
> Controllers,DC=domain,DC=local? [y/N/all/none] y
> Failed to fix attribute nTSecurityDescriptor : (65, 
> "objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on 
> entry 'CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local' 
> wasn't specified!")
> Checked 336 objects (1 errors)
>
>
> This is the global section of my smb.conf on DC1. Only netbios name 
> and dns forwarder are different on DC2.
>
>
> # Global parameters
> [global]
> workgroup = DOMAIN
> realm = domain.local
> netbios name = DC1
> server role = active directory domain controller
> dns forwarder = 192.168.200.200
> idmap_ldb:use rfc2307 = yes
> log level = 1
> strict allocate = yes
> acl:read=false
> template shell = /bin/bash
> wins support = Yes
> deadtime = 10
> socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 TCP_KEEPINTVL=10 TCP_KEEPCNT=5
> ea support = yes
> store dos attributes = yes
> map readonly = no
> map archive = no
> map system = no
> map hidden = no
>
> I connected to both DCs with ADSI and checked rIDNextRID
>
> DC1:
> CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local => 6247
> CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local => 0
>
> DC2:
> CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local => not 
> defined (German: Nicht Festgelegt)
> CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local => 6714
>
> Unfortunately I was not able to change that attribute from undefined 
> to 0 on DC2. I want to avoid editing ldb files by guess, so I'd 
> appreciate suggestions.
>
> Thanks in advance
> achim
Hi again,
So far this error does not seem to cause any trouble in the domain. DC1 
is my RID master.
When I try to move the RID role to DC2 I get the following error:

samba-tool fsmo seize --role=rid
Attempting transfer...
FSMO transfer of 'rid' role successful
ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify 
message must have elements/attributes!

Afterwards the role is assigned to DC2 in samba-tool fsmo show.
I get the same error when I try to move the role back to DC1.

Does anyone have a clue what is going wrong here?

Thanks in advance,
Achim




