[Samba] Sysvol "incorrect parameter" on some new DC's

Ryan Ashley ryana at reachtechfp.com
Tue Aug 12 13:20:08 MDT 2014

I would place a script to do the following on my secondary DCs and run 
it with cron every fifteen minutes or so. Actually, I did this at one 
location and it worked fine!

 1. Stop samba4 service
 2. Copy over idmap.ldb
 3. Copy over the sysvol
 4. Start the samba4 service

Now you have the same idmap and sysvol on the secondary DCs.

On 08/12/2014 02:22 PM, Adam Tauno Williams wrote:
> On Tue, 2014-08-12 at 18:04 +0200, steve wrote:
>> On Tue, 2014-08-12 at 10:51 -0400, Adam Tauno Williams wrote:
>>> On Tue, 2014-08-12 at 10:02 -0400, Adam Tauno Williams wrote:
>>>> I have a site with a working Samba4 AD domain with a single DC.  It
>>>> works.
>>>> I've added three new DCs to the domain [using the SerNet packages for
>>>> 4.0.21].  The intention is to then demote the old, original Samba4 DC.
>>>> But problems exist for netlogon/sysvol.  One of the new DCs - the second
>>>> one added - works, clients can access netlogon & sysvol.
>>>> However the other two DCs have ACL errors on their sysvol & netlogon
>>>> volumes.
>>>> ~> smbclient -U XXXXX -W XXXXXX \\\\DC4.example.com\\netlogon
>>>> Enter XXXXXX password:
>>>> Domain=[BACKBONE] OS=[Unix] Server=[Samba 4.0.21-SerNet-RedHat-7.el6]
>>>> smb: \> ls
>>>> NT_STATUS_INVALID_ACL listing \*
>>>> Windows 7 clients see a "The parameter is incorrect" message.
>>>> All three servers have sysvol contents that were rsync'd from the
>>>> original DC in the same manner.
>>>> On a DC where the sysvol does *not* work, the ntacl check seems to
>>>> complete without errors.
>>>> [root at HOST ~]# samba-tool ntacl sysvolreset
>>>> Please note that POSIX permissions have NOT been changed, only the
>>>> stored NT ACL
>>> So if I do a sysvolreset immediately following the rsync now the client
>>> appears to be able to connect - but I have to do that reset every time
>>> sysvol is updated.
>> This is because the pseudo gids for the builtin groups in sysvol are not
>> consistent between DCs. Copy the builtin db from the first DC to the
>> other DCs.
> Ok, I found some comments on the interwebz that pointed to an idmap
> thing... but none were terribly precise.
> So as a step in adding a new DC I should
>    (1) join the server with the DC role
>    (2) copy the idmap.ldb from an existing DC
>    (3) replicate sysvol via rsync
>    (4) start the Samba AD
> ???
>> You should do this before starting samba on the DCs you have
>> added. I don't know where sernet puts it, but on a source build it's
>> called idmap.ldb. You must take the whole domain down to nothing
> /var/lib/samba/private/idmap.ldb
> By which you mean: stop all the DCs?
>> and run sysvolreset before restarting.
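The cron-driven sync Ryan describes (stop samba4, copy idmap.ldb, copy sysvol, start samba4), as an added example that is not code from the thread or from the Samba project. The primary DC name dc1.example.com, the /var/lib/samba paths, the `service samba4` commands and the script name are assumptions; adjust them to where your packages put things. The service commands and rsync options are read from variables so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): Ryan's four-step sync as shell functions,
# so the order is explicit and the copy refuses to run when the source
# idmap.ldb is missing. Hostname, paths and service names are assumptions.
set -eu

PRIMARY="${PRIMARY:-dc1.example.com}"          # assumed name of the DC to copy from
PRIVATE="${PRIVATE:-/var/lib/samba/private}"   # directory holding idmap.ldb (source-build layout)
SYSVOL="${SYSVOL:-/var/lib/samba/sysvol}"      # local sysvol path
STOP_CMD="${STOP_CMD:-service samba4 stop}"    # injected so the functions can be tested unprivileged
START_CMD="${START_CMD:-service samba4 start}"
# -A/-X carry POSIX ACLs and xattrs, which matters if the stored NT ACLs live in
# filesystem xattrs; --delete removes files that vanished on the primary.
RSYNC_OPTS="${RSYNC_OPTS:--aAX --delete}"

# is_remote PATH: true for rsync-style host:path sources.
is_remote() { case $1 in *:*) return 0 ;; *) return 1 ;; esac; }

# copy_idmap SRC DST: replace DST with SRC, keeping a timestamped backup of the
# old file so a bad copy can be rolled back.
copy_idmap() {
    src=$1; dst=$2
    if ! is_remote "$src" && [ ! -s "$src" ]; then
        echo "refusing to copy: $src missing or empty" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dst")"
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.bak.$(date +%Y%m%d%H%M%S)"
    fi
    if command -v rsync >/dev/null 2>&1; then
        rsync -a "$src" "$dst"
    else
        if is_remote "$src"; then echo "rsync is required for remote source $src" >&2; return 1; fi
        cp -p "$src" "$dst"
    fi
}

# sync_sysvol SRC DST: mirror SRC into DST so DST matches the primary exactly.
sync_sysvol() {
    src=$1; dst=$2
    if ! is_remote "$src" && [ ! -d "$src" ]; then
        echo "refusing to sync: $src is not a directory" >&2
        return 1
    fi
    if [ -z "$dst" ] || [ "$dst" = / ]; then echo "refusing to mirror into $dst" >&2; return 1; fi
    mkdir -p "$dst"
    if command -v rsync >/dev/null 2>&1; then
        # RSYNC_OPTS is meant to word-split
        rsync $RSYNC_OPTS "$src/" "$dst/"
    else
        if is_remote "$src"; then echo "rsync is required for remote source $src" >&2; return 1; fi
        rm -rf "$dst"; mkdir -p "$dst"; cp -a "$src/." "$dst/"
    fi
}

# sync_from_primary IDMAP_SRC SYSVOL_SRC: the four steps in Ryan's order. Samba
# is stopped first so it is not holding idmap.ldb open while the file is
# replaced, and started last so clients never see a half-copied sysvol.
sync_from_primary() {
    $STOP_CMD
    copy_idmap "$1" "$PRIVATE/idmap.ldb"
    sync_sysvol "$2" "$SYSVOL"
    $START_CMD
}

# From cron every fifteen minutes, as Ryan suggests (root ssh key to the
# primary assumed; script name is an assumption):
#   */15 * * * * SAMBA_SYNC_RUN=1 /usr/local/sbin/samba-sync-from-primary
if [ "${SAMBA_SYNC_RUN:-0}" = 1 ]; then
    sync_from_primary "root@$PRIMARY:$PRIVATE/idmap.ldb" "root@$PRIMARY:$SYSVOL"
fi
```

Run it once by hand with `SAMBA_SYNC_RUN=1` before handing it to cron, and keep the `.bak` copies of idmap.ldb around until the secondary has served sysvol cleanly; the rest of the thread's alternative, `samba-tool ntacl sysvolreset` after each rsync, is what this sync is meant to make unnecessary.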
