[Samba] Sysvol "incorrect parameter" on some new DCs

Adam Tauno Williams awilliam at whitemice.org
Tue Aug 12 12:22:41 MDT 2014


On Tue, 2014-08-12 at 18:04 +0200, steve wrote: 
> On Tue, 2014-08-12 at 10:51 -0400, Adam Tauno Williams wrote:
> > On Tue, 2014-08-12 at 10:02 -0400, Adam Tauno Williams wrote: 
> > > I have a site with a working Samba4 AD domain with a single DC.  It
> > > works.
> > > I've added three new DCs to the domain [using the SerNet packages for
> > > 4.0.21].  The intention is to then demote the old, original Samba4 DC.
> > > But problems exist for netlogon/sysvol.  One of the new DCs - the second
> > > one added - works, clients can access netlogon & sysvol.
> > > However the other two DCs have ACL errors on their sysvol & netlogon
> > > volumes.
> > > ~> smbclient -U XXXXX -W XXXXXX \\\\DC4.example.com\\netlogon
> > > Enter XXXXXX password: 
> > > Domain=[BACKBONE] OS=[Unix] Server=[Samba 4.0.21-SerNet-RedHat-7.el6]
> > > smb: \> ls
> > > NT_STATUS_INVALID_ACL listing \*
> > > Windows 7 clients see a "The parameter is incorrect" message.
> > > All three servers have sysvol contents that were rsync'd from the
> > > original DC in the same manner.
> > > On a DC where the sysvol does *not* work, the ntacl check seems to
> > > complete without errors.
> > > [root@HOST ~]# samba-tool ntacl sysvolreset
> > > Please note that POSIX permissions have NOT been changed, only the
> > > stored NT ACL
> > So if I do a sysvolreset immediately following the rsync now the client
> > appears to be able to connect - but I have to do that reset every time
> > sysvol is updated.
> This is because the pseudo gids for the builtin groups in sysvol are not
> consistent between DCs. Copy the builtin db from the first DC to the
> other DCs. 

Ok, I found some comments on the interwebz that pointed to an idmap
thing... but none were terribly precise.

So as a step in adding a new DC I should
  (1) join the server with the DC role
  (2) copy the idmap.ldb from an existing DC
  (3) replicate sysvol via rsync
  (4) start the Samba AD

???

> You should do this before starting samba on the DCs you have
> added. I don't know where sernet puts it, but on a source build it's
> called idmap.ldb. You must take the whole domain down to nothing

/var/lib/samba/private/idmap.ldb

By which you mean: stop all the DCs?

> and run sysvolreset before restarting.
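As an added example (not part of the original thread, and not a Samba project script), the following helper performs the sequence the reply describes on the NEW DC, in the order it prescribes: stop Samba, take idmap.ldb from an existing DC, rsync sysvol, reset and check the stored NT ACLs, start Samba. It also shows how to read the local xidNumber that idmap.ldb assigns to a BUILTIN SID, which is the value that must agree across DCs for the sysvol ACLs to be valid everywhere. The paths, the root ssh/rsync access between DCs, the SerNet/RHEL service name "sernet-samba-ad" and the "net cache flush" step (taken from the Samba wiki's join procedure) are my assumptions; the defaults can be overridden through the environment, and DRY_RUN=1 (the default) only prints the plan.

```shell
#!/bin/sh
# Added example, not from the original thread: bring a freshly joined,
# not yet started Samba AD DC in line with an existing DC so that the
# SID->xid mappings (and therefore the sysvol NT ACLs) agree.
# Assumptions (mine, not the poster's): root ssh/rsync access between the
# DCs, the SerNet/RHEL paths and service name below. Override via env.
# DRY_RUN=1 (default) prints each command instead of running it.

PRIVATE_DIR="${PRIVATE_DIR:-/var/lib/samba/private}"
SYSVOL_DIR="${SYSVOL_DIR:-/var/lib/samba/sysvol}"
SAMBA_SERVICE="${SAMBA_SERVICE:-sernet-samba-ad}"
DRY_RUN="${DRY_RUN:-1}"

# Print a command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Show the local xidNumber that idmap.ldb assigns to a well-known BUILTIN
# SID (S-1-5-32-544 is BUILTIN\Administrators). Run on every DC and compare:
# if the numbers differ, the stored sysvol ACLs cannot be consistent.
show_builtin_xid() {
    sid="${1:-S-1-5-32-544}"
    run ldbsearch -H "$PRIVATE_DIR/idmap.ldb" "(objectSid=$sid)" xidNumber
}

# Sync this DC from the existing DC given as the first argument.
sync_dc_from() {
    src="$1"
    [ -n "$src" ] || { echo "usage: sync_dc_from <existing-dc>" >&2; return 2; }

    # 1. Samba must not be running while idmap.ldb and sysvol are replaced.
    run service "$SAMBA_SERVICE" stop

    # 2. Keep the locally generated idmap.ldb as a fallback, then take the
    #    existing DC's copy so the BUILTIN group mappings agree.
    run cp -p "$PRIVATE_DIR/idmap.ldb" "$PRIVATE_DIR/idmap.ldb.bak"
    run rsync -a "root@$src:$PRIVATE_DIR/idmap.ldb" "$PRIVATE_DIR/idmap.ldb"

    # 3. Drop cached SID->xid mappings built from the old idmap.ldb
    #    (step recommended by the Samba wiki after replacing idmap.ldb).
    run net cache flush

    # 4. Replicate sysvol; --delete keeps the tree identical to the source.
    #    The trailing slashes matter to rsync.
    run rsync -a --delete "root@$src:$SYSVOL_DIR/" "$SYSVOL_DIR/"

    # 5. Rewrite the stored NT ACLs using the now-shared mappings and
    #    verify them before bringing the DC back up.
    run samba-tool ntacl sysvolreset
    run samba-tool ntacl sysvolcheck

    # 6. Start Samba again.
    run service "$SAMBA_SERVICE" start
}

# Only act when invoked as a script with the source DC as argument.
if [ $# -ge 1 ]; then
    sync_dc_from "$1"
fi
```

Run it as `DRY_RUN=1 sh sync-dc.sh dc1.example.com` first to review the plan, then with DRY_RUN=0 on the new DC. The reply above also says the whole domain should be down before the reset; this script only stops the DC it runs on, so stop the other DCs by hand if you follow that advice literally.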