[Samba] Error running samba-tool dbtool --reset-well-known-acls

Achim Gottinger achim at ag-web.biz
Sun Jul 28 08:14:16 MDT 2013 

Hi,

I updated my two samba DC's from 4.0.3 to serner 4.0.7. Both servers run 
debian wheezy and the add was created at the beginning of the year with 
an classic upgrade to version 4.0.0.
Recent release notes do not provide information about required upgrade 
tasks. So i ran.
samba-tool dbcheck --reset-well-known-acls. On the first DC it found a 
few errors about missong members in computer groups whom where fixable 
with samba-tool dbcheck --reset-well-known-acls --fix.
On my second DC however one issue remains.

 >samba-tool dbcheck --reset-well-known-acls
Checking 336 objects
Not fixing nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain 
Controllers,DC=domain,DC=local
Please use --fix to fix these errors
Checked 336 objects (1 errors)

 >samba-tool dbcheck --reset-well-known-acls --fix
Checking 336 objects
Fix nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain 
Controllers,DC=domain,DC=local? [y/N/all/none] y
Failed to fix attribute nTSecurityDescriptor : (65, "objectclass_attrs: 
at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID 
Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local' wasn't specified!")
Checked 336 objects (1 errors)


This is the global section of my smb.conf on DC1. Only netbios name and 
dns forwarder are different on DC2.


# Global parameters
[global]
workgroup = DOMAIN
realm = domain.local
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.200.200
idmap_ldb:use rfc2307 = yes
log level = 1
strict allocate = yes
acl:read=false
template shell = /bin/bash
wins support = Yes
deadtime = 10
socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 
TCP_KEEPINTVL=10 TCP_KEEPCNT=5
ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no
map hidden = no

I connected to both DC's with ADSI and checked rIDNextRID

DC1:
CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local => 6247
CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local => 0

DC2:
CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local => not 
defined (german Nicht Festgelegt)
CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local => 6714

Unfortunately i was not able to change that attribute from undefined to 
0 on DC2. I want to avoid editing ldb files by guess so i'd appreciate 
suggestions.

Thanks in advance
achim~

More information about the samba mailing list