[Samba] RPC, DCOM, 1745 and Other Errors

Taylor, Jonn jonnt at taylortelephone.com
Mon Sep 29 12:18:26 MDT 2014


On 09/29/2014 12:28 PM, Chan Min Wai wrote:
> Hi Taylor,
>
> Well I've my win2k8 DC partially removed.
> What I hate most is that samba will fill up the win2k8 DC was not
> found in both the syslog and also the samba log.
>
> Other than that...
>
> I think it works well.
>
> Is there any other issue I'm not aware of?

Yes, it is possible to corrupt your domain. The problem is that the
dcpromo does not remove the metadata for that DC. Currently none of the
domain tools can remove it, so all your DCs will continue to try and
replicate to it. In my testing I found that the domain gets corrupted
after a few weeks.

There was a post on the dev list a week or so ago about this. I think
this is a huge BUG and needs to get fixed before they release 4.2.

>
> Thank You.
>
> On Tue, Sep 30, 2014 at 12:07 AM, Taylor, Jonn
> <jonnt at taylortelephone.com> wrote:
>
>     On 09/29/2014 10:01 AM, Chan Min Wai wrote:
>     > Dear Thomas,
>     >
>     > You are on the right path.
>     > However there are limitations that you should know.
>     >
>     > 1. We cannot add/remove shared drives via RPC yet. (Unless I
>     > missed something; do correct me if I'm wrong, I'll be happy if that
>     > runs.)
>     >
>     > Adding and removing shares on Samba requires changes to smb.conf.
>     >
>     > You can look at the guide below on how to add them in.
>     >
>     >
>     > 2. Disk share access control on domain computers.
>     > Have a look at this guide.
>     > You will need this additional access:
>     >
>     > SeDiskOperatorPrivilege
>     >
>     >
>     https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>     >
>     > Hope this info helps, and may the source be with you.
>     >
>     >
>     > As for your upgrade path.
>     > You should try this, since a Samba DC is not compatible with 2003.
>     >
>     > 1. Upgrade both your Windows to 2008 no R2 trial.
>     > 2. Promoting the whole DC to 2008.
>     > 3. Join samba DC, work on the symbol replication from Windows to
>     > Linux.
>     > 4. Transfer FSMO
>     > 5. Demote your 2 DCs or make them your member server/file server.
>     The only problem with this is that you cannot demote the 2 DCs once
>     you join a samba 4 AD server to your domain. This is a BUG that has been
>     a real problem for a long time. I did this same thing a year ago with
>     our domain and had to rebuild it from scratch.
>
>
>     > 6 done.
>     >
>     >
>     >
>     > Regards,
>     > Chan Min Wai
>     >
>     >> Thomas Mulkey <tmulkey at incentafcu.org> wrote on 29 Sep 2014 9:32 PM:
>     >>
>     >> I am evaluating Samba 4 as a replacement for our existing
>     >> Windows 2003 servers, as the cost to license 2008 and CALs is not
>     >> going to be in my company's budget.  Bear with me, as I have some
>     >> basic experience with Linux and know a few things, I am by no
>     >> means a fully trained Linux or Samba Jedi.
>     >>
>     >> My test environment goal is to have two Active Directory Domain
>     >> Controllers and one Member Server with File Shares all running on
>     >> Samba
>     >>
>     >> So far I have set up one AD Domain Controller (AD1).  I
>     >> downloaded and compiled the latest source code doing the git
>     >> mirror thing, and am running Samba 4.2.0prel-GIT-043585F on
>     >> CentOS 6.5.  I used this HOWTO to configure the AD DC:
>     >> http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
>     >>
>     >> This process all went smoothly, and I was able to join my Windows
>     >> 7 test machines to the domain and log in successfully and use the
>     >> RSAT tools successfully.
>     >>
>     >> I then set up the File server and made it a member server and
>     >> joined it successfully to the domain, using these instructions
>     >> here:  https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>     >>
>     >> This went as expected
>     >>
>     >> I then set up my test share on the file server using the
>     >> directions here:
>     >> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>     >>
>     >> I actually partitioned/formatted a second disk with ext4 and
>     >> put it in /etc/fstab with the user_xattr,acl support
>     >>
>     >> When I then go to remotely manage the share via a Win7
>     >> workstation and I go to computer manager and open the test file
>     >> server (FS1) at first it looks good.  I then click on the "System
>     >> Tools" section to expand it and I get "Event Viewer cannot connect
>     >> to the computer FS1: The error reported is the RPC Server is
>     >> unavailable".  I click OK on the error and it then says again it is
>     >> connecting to FS1 and expands the section where I can see the
>     >> Shared Folders.  As soon as I expand shared folders and click on
>     >> shared I get the following "You do not have permissions to see the
>     >> list of shares for Windows clients" and it will not let me see the
>     >> shares.
>     >>
>     >> I then decided to make a share right on the Domain Controller
>     >> itself, to see if it was something on the file server or something
>     >> on the workstation.  When I go to computer management and connect
>     >> to the DC (AD1) it connects, but when I expand System Tools, I get
>     >> the following error "The Procedure Number is out of Range(1745)".
>     >> However after clicking "OK" on this error I am able to see and
>     >> manage the Share and permissions as expected
>     >>
>     >> I have been scouring the net for 2 days to try to find an
>     >> answer and I am at a standstill as to what to do next to fix or
>     >> further troubleshoot the issue.  Any help or ideas would be
>     >> greatly appreciated.
>     >>
>     >> Here is the smb.conf on my Domain Controller
>     >>
>     >> #Global parameters
>     >> [global]
>     >>        workgroup = INCENTA
>     >>        realm = INCENTA.LOCAL
>     >>        netbios name = AD1
>     >>        server role = active directory domain controller
>     >>        dns forwarder = 8.8.8.8
>     >>        vfs objects = acl_xattr
>     >>        map acl inherit = Yes
>     >>        store dos attributes = Yes
>     >>
>     >> [netlogon]
>     >>        path = /usr/local/samba/var/locks/sysvol/incenta.local/scripts
>     >>        read only = No
>     >>
>     >> [sysvol]
>     >>        path = /usr/local/samba/var/locks/sysvol
>     >>        read only = No
>     >>
>     >> [Demo]
>     >> path = /DATA/Demo
>     >> read only = no
>     >>
>     >>
>     >>
>     >> Here is the smb.conf on my file server
>     >>
>     >> [global]
>     >>
>     >>   netbios name = FS1
>     >>   workgroup = INCENTA
>     >>   security = ADS
>     >>   realm = INCENTA.LOCAL
>     >>   encrypt passwords = yes
>     >>
>     >>   idmap config *:backend = tdb
>     >>   idmap config *:range = 70001=80000
>     >>   idmap config INCENTA:backend = ad
>     >>   idmap config INCENTA:schema_mode = rfc2307
>     >>   idmap config INCENTA:range = 500-40000
>     >>
>     >>   winbind nss info = rfc2307
>     >>   winbind trusted domains only = no
>     >>   winbind use default domain = yes
>     >>   winbind enum users = yes
>     >>   winbind enum groups = yes
>     >>
>     >>   vfs objects = acl_xattr
>     >>   map acl inherit = Yes
>     >>   store dos attributes = Yes
>     >>
>     >>
>     >> [Demo]
>     >> path = /DATA/Demo
>     >> read only = no
>     >>
>     >> --
>     >> To unsubscribe from this list go to the following URL and read the
>     >> instructions:  https://lists.samba.org/mailman/options/samba
>
>
>
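
The reply above says the remaining DCs keep trying to replicate to a demoted DC whose metadata was not removed. As an added example (not part of the original thread and not Samba's own code), this Python script scans text laid out like `samba-tool drs showrepl` output and reports replication partners with many consecutive failures; the sample text, the host names `DC2` and `OLDWIN2K8`, the domain and the threshold are constructed assumptions.

```python
import re

# Constructed sample modelled on the layout of `samba-tool drs showrepl`
# output; host names, GUIDs, dates and error text are made up for illustration.
SAMPLE_SHOWREPL = """\
==== INBOUND NEIGHBORS ====

DC=example,DC=local
\tDefault-First-Site-Name\\DC2 via RPC
\t\tDSA object GUID: 00000000-0000-0000-0000-000000000002
\t\tLast attempt @ Mon Sep 29 12:00:01 2014 MDT was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Mon Sep 29 12:00:01 2014 MDT

DC=example,DC=local
\tDefault-First-Site-Name\\OLDWIN2K8 via RPC
\t\tDSA object GUID: 00000000-0000-0000-0000-000000000003
\t\tLast attempt @ Mon Sep 29 12:00:02 2014 MDT failed, result 2 (WERR_BADFILE)
\t\t412 consecutive failure(s).
\t\tLast success @ Mon Sep  1 08:15:44 2014 MDT
"""

# "<site>\<dc> via RPC" opens a neighbour entry; the failure counter follows it.
NEIGHBOUR = re.compile(r"^\s+(?P<site>[^\\\s]+)\\(?P<dc>\S+) via RPC$")
FAILURES = re.compile(r"^\s+(?P<n>\d+) consecutive failure\(s\)\.$")


def failing_partners(text, threshold=10):
    """Return {dc_name: consecutive failures} for partners at or over threshold."""
    result, current = {}, None
    for line in text.splitlines():
        m = NEIGHBOUR.match(line)
        if m:
            current = m.group("dc")
            continue
        m = FAILURES.match(line)
        if m and current is not None:
            n = int(m.group("n"))
            if n >= threshold:
                # A DC can appear once per naming context; keep the worst count.
                result[current] = max(n, result.get(current, 0))
            current = None
    return result


if __name__ == "__main__":
    for dc, n in sorted(failing_partners(SAMPLE_SHOWREPL).items()):
        print(f"{dc}: {n} consecutive replication failures; check for stale DC metadata")
```
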


