[Samba] Error running samba-tool dbtool --reset-well-known-acls

Achim Gottinger achim at ag-web.biz
Fri Aug 2 10:16:26 MDT 2013


On 02.08.2013 18:08, Achim Gottinger wrote:
> On 28.07.2013 16:14, Achim Gottinger wrote:
>> Hi,
>>
>> I updated my two Samba DCs from 4.0.3 to version 4.0.7. Both servers
>> run Debian wheezy and the AD was created at the beginning of the
>> year with a classic upgrade to version 4.0.0.
>> Recent release notes do not provide information about required
>> upgrade tasks. So I ran
>> samba-tool dbcheck --reset-well-known-acls. On the first DC it found
>> a few errors about missing members in computer groups which were
>> fixable with samba-tool dbcheck --reset-well-known-acls --fix.
>> On my second DC however one issue remains.
>>
>> >samba-tool dbcheck --reset-well-known-acls
>> Checking 336 objects
>> Not fixing nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain 
>> Controllers,DC=domain,DC=local
>> Please use --fix to fix these errors
>> Checked 336 objects (1 errors)
>>
>> >samba-tool dbcheck --reset-well-known-acls --fix
>> Checking 336 objects
>> Fix nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain 
>> Controllers,DC=domain,DC=local? [y/N/all/none] y
>> Failed to fix attribute nTSecurityDescriptor : (65, 
>> "objectclass_attrs: at least one mandatory attribute ('rIDNextRID') 
>> on entry 'CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local' 
>> wasn't specified!")
>> Checked 336 objects (1 errors)
>>
>>
>> This is the global section of my smb.conf on DC1. Only netbios name 
>> and dns forwarder are different on DC2.
>>
>>
>> # Global parameters
>> [global]
>> workgroup = DOMAIN
>> realm = domain.local
>> netbios name = DC1
>> server role = active directory domain controller
>> dns forwarder = 192.168.200.200
>> idmap_ldb:use rfc2307 = yes
>> log level = 1
>> strict allocate = yes
>> acl:read=false
>> template shell = /bin/bash
>> wins support = Yes
>> deadtime = 10
>> socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 
>> TCP_KEEPINTVL=10 TCP_KEEPCNT=5
>> ea support = yes
>> store dos attributes = yes
>> map readonly = no
>> map archive = no
>> map system = no
>> map hidden = no
>>
>> I connected to both DCs with ADSI and checked rIDNextRID
>>
>> DC1:
>> CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local => 6247
>> CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local => 0
>>
>> DC2:
>> CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local => not 
>> defined (German: Nicht Festgelegt)
>> CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local => 6714
>>
>> Unfortunately I was not able to change that attribute from undefined
>> to 0 on DC2. I want to avoid editing ldb files by guess so I'd
>> appreciate suggestions.
>>
>> Thanks in advance
>> achim
> Hi again,
> So far this error does not seem to cause any trouble in the domain.
> DC1 is my RID master.
> When I try to move the RID role to DC2 I get the following error:
>
> samba-tool fsmo seize --role=rid
> Attempting transfer...
> FSMO transfer of 'rid' role successful
> ERROR: Failed to initiate role seize of 'rid' role: objectclass: 
> modify message must have elements/attributes!
>
> Afterwards the role is assigned to DC2 in samba-tool fsmo show.
> I get the same error when I try to move the role back to DC1.
>
> Does anyone have a clue what is going wrong here?
>
> Thanks in advance,
> Achim
OK, seize was not a good choice. I tried
samba-tool fsmo transfer --role=rid instead, which works without errors,
but it does not fix the rIDNextRID issue.


