[Samba] DC2 denies access when saving through the Gro

Mirco MEGAS micromegas at mail333.com
Sat Nov 1 18:07:50 MDT 2014


> OK, make sure that the two idmap.ldb files match and then run 
> 'samba-tool ntacl sysvolreset' on both machines and see if this cured 
> this problem.

I did:

root at dc1:~$ service sernet-samba-ad stop
root at dc2:~$ service sernet-samba-ad stop
root at dc2:~$ mv /var/lib/samba/private/idmap.ldb /root/idmap.ldb.bak
root at dc1:~$ scp /var/lib/samba/private/idmap.ldb dc2:/var/lib/samba/private/

Then I ensured that /var/lib/samba/private/idmap.ldb is exactly the same on dc1 and dc2. Then...

root at dc1:~$ samba-tool ntacl sysvolreset
root at dc2:~$ samba-tool ntacl sysvolreset
root at dc1:~$ service sernet-samba-ad start
root at dc2:~$ service sernet-samba-ad start

to be sure again I execute the sysvolreset command...

root at dc1:~$ samba-tool ntacl sysvolreset
root at dc2:~$ samba-tool ntacl sysvolreset

but when I execute "samba-tool ntacl sysvolcheck" I still get the uncaught exception error on dc1 and dc2 :(

Hi again,

I followed https://wiki.samba.org/index.php/SysVol_Bidirectional_Replication#When_you_try_to_resync_the_folder and did a manual resync from dc1:/var/lib/samba/sysvol to dc2:/var/lib/samba/sysvol, so I had consistency again. The "samba-tool ntacl sysvolcheck" still fails with the uncaught exception error and I am not sure if this is a good sign. But independent of that, I think I know why I am running into the issue that I described in that thread:

When I add a new GPO on DC1, it has following owner and file mode:

drwxrwx---+  4  502     500 4,0K Nov  1 22:22 {1AC9641E-1234-47C7-8D8C-43A199220635}

The owner of this new Group Policy Object is 502. That is my domain user "foo", to which I have assigned the NIS/UNIX attribute uid=502. The group is 500, which is the gid=500 of my domain group "Domain Admins". After 5 minutes the sysvol-sync (unison+rsync) syncs that object successfully to DC2. When I do "ls -lh" on DC2 I get the same output. So far so good, everything works fine and as expected until now.

Now we do the reverse thing. I create a new GPO on DC2. The file mode on DC2 looks like that:

drwxrwx---+  3  502     500 4,0K Nov  1 22:29 {A783C43A-9DCA-434A-B28A-5E7D9C01EFD7}

As we see, the owner is still 502, which is equal to domain user "foo", and the group id is 500, which is "Domain Admins". After this object is synced to DC1, the object on DC1 though looks like that:

drwxr-x---+  3 root root    4,0K Nov  1 22:30 {A783C43A-9DCA-434A-B28A-5E7D9C01EFD7}

So here's the culprit ==> When the unison/rsync bidirectional sync is syncing objects from DC1 to DC2 all is OK, the same owner and file attributes are synced. But objects synced from DC2 to DC1 change their owner/group and also the file modes. But *WHY*? Is that a misconfiguration in the unison/rsync tutorial shown on https://wiki.samba.org/index.php/SysVol_Bidirectional_Replication ?

Mirco.

> We see, the owner still is "foo" with uid=500
> Do things work if you test as "Administrator" (root) ?
> achim

Unfortunately not... when I log in with "MYDOM\Administrator" on DC2 and create a new GPO it looks like that on DC2:

drwxrwx---+ 4 root     500 4,0K Nov  2 00:52 {562AB030-6351-42C1-9850-D5B12BF45570}

As soon as sysvol sync runs the directory on DC1 looks like that:

drwxr-x---+ 3 root root    4,0K Nov  2 00:55 {562AB030-6351-42C1-9850-D5B12BF45570}

At this step, I can't even edit the GPO on DC2 anymore, where it worked before the unison sync started. That means that after unison runs something is also written on the DC2 side, because DC2 won't allow me to edit the GPO anymore. At this step, the GPO already seems to be inaccessible.

The summary is:
----------------------
Whatever I create/modify on DC2 will be broken after the unison/bi-directional sync is run.
Whatever I add/modify on DC1 works 100% fine and lets me edit it either through DC1 or DC2.

==> GPOs created initially on DC2 will not be editable after unison has run, neither on DC1 nor on DC2.
==> GPOs created initially on DC1 will be editable after unison has run, on both DC1 and DC2.

This is not what one would expect, though; I expected to be able to edit/add objects on DC2 as well, but as I explained this is broken somehow.
Does any dev know more about that? I'm looking forward to hearing from you.

Mirco.
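A check for the drift Mirco describes above (502:500 / 770 on DC2 turning into root:root / 750 on DC1), as an added example that is not part of the thread: it compares owner, group and mode of every entry in two sysvol trees and reports what differs. It assumes GNU stat and that the remote sysvol has been mounted or copied to a local path (the hypothetical paths in the comments are placeholders).

```sh
#!/bin/sh
# Added example, not from the Samba wiki or this thread.
# Compare uid:gid:mode of every path under two sysvol trees, e.g. the local
# /var/lib/samba/sysvol and a copy pulled from the other DC with
#   rsync -a dc2:/var/lib/samba/sysvol/ /tmp/sysvol-dc2/   (hypothetical paths)
# Requires GNU stat (-c '%u:%g:%a'). Uses C collation so sort and join agree.
export LC_ALL=C

# Print "relative-path<TAB>uid:gid:mode" for every entry under $1, sorted.
sysvol_meta() {
    root=$1
    ( cd "$root" && find . -print | sort | while IFS= read -r p; do
        printf '%s\t%s\n' "$p" "$(stat -c '%u:%g:%a' "$p")"
    done )
}

# Report entries whose uid:gid:mode differ between tree $1 and tree $2.
# An entry present in only one tree is shown as MISSING on the other side.
# Returns 0 when both trees match, 1 when any drift was found.
sysvol_meta_diff() {
    left=$1; right=$2
    tab=$(printf '\t')
    tmp_l=$(mktemp); tmp_r=$(mktemp)
    sysvol_meta "$left"  > "$tmp_l"
    sysvol_meta "$right" > "$tmp_r"
    # Full outer join on the path column, then keep rows whose metadata differs.
    drift=$(join -t "$tab" -a 1 -a 2 -e MISSING -o 0,1.2,2.2 "$tmp_l" "$tmp_r" |
            awk -F "$tab" '$2 != $3 { print $1 "\t" $2 " -> " $3 }')
    rm -f "$tmp_l" "$tmp_r"
    if [ -n "$drift" ]; then
        printf '%s\n' "$drift"
        return 1
    fi
    return 0
}

# Usage: sysvol_meta_diff /var/lib/samba/sysvol /tmp/sysvol-dc2
```

Run it right after the unison/rsync cycle on each DC; a non-empty report on the DC1 side for a GPO created on DC2 reproduces the symptom without opening the Group Policy editor.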

