[Samba] Sysvol "incorrect parameter" on some new DC's

steve steve at steve-ss.com
Tue Aug 12 10:04:50 MDT 2014

On Tue, 2014-08-12 at 10:51 -0400, Adam Tauno Williams wrote:
> On Tue, 2014-08-12 at 10:02 -0400, Adam Tauno Williams wrote: 
> > I have a site with a working Samba4 AD domain with a single DC.  It
> > works.
> > I've added three new DCs to the domain [using the SerNet packages for
> > 4.0.21].  The intention is to then demote the old, original Samba4 DC.
> > But problems exist for netlogon/sysvol.  One of the new DCs - the second
> > one added - works, clients can access netlogon & sysvol.
> > However the other two DCs have ACL errors on their sysvol & netlogon
> > volumes.
> > ~> smbclient -U XXXXX -W XXXXXX \\\\DC4.example.com\\netlogon
> > Enter XXXXXX password: 
> > Domain=[BACKBONE] OS=[Unix] Server=[Samba 4.0.21-SerNet-RedHat-7.el6]
> > smb: \> ls
> > NT_STATUS_INVALID_ACL listing \*
> > Windows 7 clients see a "The parameter is incorrect" message.
> > All three servers have sysvol contents that were rsync'd from the
> > original DC in the same manner.
> > On a DC where the sysvol does *not* work, the ntacl check seems to
> > complete without errors.
> > [root at HOST ~]# samba-tool ntacl sysvolreset
> > Please note that POSIX permissions have NOT been changed, only the
> > stored NT ACL
> So if I do a sysvolreset immediately following the rsync now the client
> appears to be able to connect - but I have to do that reset every time
> sysvol is updated.

This is because the pseudo gids for the builtin groups in sysvol are not
consistent between DCs. Copy the builtin db from the first DC to the
other DCs. You should do this before starting samba on the DCs you have
added. I don't know where sernet puts it, but on a source build it's
called idmap.ldb. You must take the whole domain down to nothing and run
sysvolreset before restarting.
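As an added example of the sequence Steve describes (written for this edited copy, not code from the thread or from the Samba project), here is a POSIX shell script to be run on each newly added DC. It assumes a source-build layout (idmap.ldb under /usr/local/samba/private, sysvol under /usr/local/samba/var/locks/sysvol; packaged builds such as SerNet's put these elsewhere), that the original DC is dc1.example.com and reachable as root over ssh, and that samba has already been stopped on every DC in the domain; all of those are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: make a newly added DC use the
# first DC's builtin-group xid mappings before it ever serves sysvol.
# Assumptions (hypothetical, not given in the thread):
#   - source-build layout: idmap.ldb in /usr/local/samba/private, sysvol in
#     /usr/local/samba/var/locks/sysvol (packaged builds use other paths)
#   - the original DC is dc1.example.com and reachable as root over ssh
#   - the samba process has already been stopped on every DC in the domain
set -eu

FIRST_DC="${FIRST_DC:-dc1.example.com}"
PRIVATE_DIR="${PRIVATE_DIR:-/usr/local/samba/private}"
SYSVOL_DIR="${SYSVOL_DIR:-/usr/local/samba/var/locks/sysvol}"

# identical_files A B: succeed only if both exist and are byte-for-byte equal.
identical_files() {
    [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# xid_from_ldif: read ldbsearch LDIF output on stdin, print the xidNumber.
xid_from_ldif() {
    sed -n 's/^xidNumber: //p'
}

# builtin_xid SID [IDMAP]: the POSIX id idmap.ldb holds for a SID such as
# S-1-5-32-544 (BUILTIN\Administrators). Run it on every DC and compare:
# the numbers must agree, or the sysvol POSIX ACLs will not line up.
builtin_xid() {
    ldbsearch -H "${2:-$PRIVATE_DIR/idmap.ldb}" "(objectSid=$1)" xidNumber \
        | xid_from_ldif
}

# sync_idmap_from_first_dc: the steps from the reply above, on a new DC.
sync_idmap_from_first_dc() {
    if pgrep -x samba >/dev/null 2>&1; then
        echo "samba is still running on this DC; stop it first" >&2
        return 1
    fi
    local_db="$PRIVATE_DIR/idmap.ldb"
    backup="$local_db.bak.$(date +%s)"
    cp -p "$local_db" "$backup"                 # keep the locally allocated ids
    rsync -a "root@$FIRST_DC:$local_db" "$local_db"
    if identical_files "$backup" "$local_db"; then
        echo "idmap.ldb already matched the first DC"
    else
        echo "idmap.ldb replaced with the first DC's copy (old copy: $backup)"
    fi
    # Copy sysvol content the same way, then re-stamp the stored NT ACLs now
    # that the builtin SIDs map to the same gids as on the first DC.
    rsync -a "root@$FIRST_DC:$SYSVOL_DIR/" "$SYSVOL_DIR/"
    samba-tool ntacl sysvolreset
    samba-tool ntacl sysvolcheck
    echo "BUILTIN\\Administrators xid on this DC: $(builtin_xid S-1-5-32-544)"
}

# Only act when explicitly asked, so the file can also be sourced for its helpers.
if [ "${1:-}" = "--run" ]; then
    sync_idmap_from_first_dc
fi
```

Start samba on the DCs only after every one of them reports the same xid for S-1-5-32-544 and the other builtin groups; a DC started before its idmap.ldb was replaced will have allocated its own numbers and needs the reset repeated.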
