[Samba] windows sysvol share

Rowland Penny rowlandpenny at googlemail.com
Wed Mar 18 10:29:23 MDT 2015


On 18/03/15 15:03, Adriana Moga wrote:
> Sorry, I have omitted to post the config file.
>
> # cat /usr/local/samba/etc/smb.conf
> [global]
>         workgroup = myDomain
>         realm = myDomain.local
>         netbios name = DCLINUX
>         server role = active directory domain controller
>
>         dsdb:schema update allowed = yes
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/rcs-rds.local/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
> I have joined samba as a Domain Controller in a windows domain. 
> Directory replication has no problems, "samba-tool drs showrepl" shows 
> connections with other DC. Just from time to time "samba-tool drs 
> showrepl" gives a "NT_STATUS_IO_TIMEOUT". I don't know why.
>
>  # /usr/local/samba/bin/samba-tool drs options
> Current DSA options: IS_GC
>
> Replication of the Sysvol isn't implemented, so I manually mounted the 
> share.
>
> Clients connections:
> # /usr/local/samba/bin/net status sessions
> PID     Username      Group Machine
> -------------------------------------------------------------------
>   12440   3000351       3000023    ...198.200 (ipv4:..198.200:61735)
>   12415   3001838       users         ...227.68 (ipv4:...227.68:2647)
>   12320   3000376       users         ...197.38 (ipv4:...197.38:64120)
>   11746   3001173       3000023     ...14.46 (ipv4:...14.46:57925)
>
> thanks!
>
> On Wed, Mar 18, 2015 at 4:45 PM, Rowland Penny 
> <rowlandpenny at googlemail.com> wrote:
>
>     On 18/03/15 14:40, Adriana Moga wrote:
>>     Of course, the sysvol is located on a windows controller from the
>>     forest.
>>
>>     mount -t cifs -o username=domain_admin_user
>>     //windowsDC.myDomain.local/SYSVOL /mnt/smb/sysvol
>>
>>     and copied the files with -R --preserve to
>>     /usr/local/samba/var/locks/sysvol/
>>
>>     Below logs are provided from /usr/local/samba/var/log.smbd file.
>>
>>     regards,
>>
>>     On Wed, Mar 18, 2015 at 3:36 PM, Rowland Penny
>>     <rowlandpenny at googlemail.com> wrote:
>>
>>         On 18/03/15 13:17, Adriana Moga wrote:
>>
>>             Hello,
>>
>>             I have manually mounted the SYSVOL share, sync it with
>>             samba and run
>>             samba-tool ntacl sysvolreset.
>>
>>
>>         What do you mean 'manually mounted the SYSVOL share' ? how
>>         did you do this ?
>>
>>             But I'm not sure if all windows policies are acceptable
>>             by samba because of
>>             errors logs:
>>
>>             [2015/03/18 09:30:52.197934, 0]
>>             ../source3/smbd/oplock.c:338(oplock_timeout_handler)
>>                Oplock break failed for file myDomain.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Registry.pol -- replying anyway
>>
>>             [2015/03/18 10:50:01.905964, 0]
>>             ../source3/smbd/oplock.c:338(oplock_timeout_handler)
>>                Oplock break failed for file myDomain.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf -- replying anyway
>>                STATUS=daemon 'smbd' finished starting up and ready to serve connections
>>                Oplock break failed for file rcs-rds.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Registry.pol -- replying anyway
>>
>>
>>         What log is this from?
>>
>>         Can you post your smb.conf
>>
>>         Rowland
>>
>>
>>
>>             What troubles could give these errors?
>>
>>             Samba version 4.1.15 - Debian 7.8 (3.2.0-4-amd64 #1 SMP
>>             Debian 3.2.65-1
>>             x86_64 GNU/Linux) is joined as a domain controller to an
>>             existing windows
>>             domain.
>>             Windows domain controllers (2003 R2, 2012R2) own FSMO roles.
>>
>>             smbstatus:
>>
>>             Locked files:
>>             Pid          Uid     DenyMode   Access    R/W     Oplock           SharePath                            Name                                                                          Time
>>             --------------------------------------------------------------------------------------------------
>>             9881         3001393 DENY_NONE  0x20089   RDONLY  EXCLUSIVE+BATCH  /usr/local/samba/var/locks/sysvol   myDomain/Policies/{8F6D6798-D5A0-4BED-9548-88E45918ADA0}/GPT.INI             Wed Mar 18 14:00:41 2015
>>
>>             4928         3001476 DENY_WRITE 0x120089  RDONLY  NONE             /usr/local/samba/var/locks/sysvol   myDomain/Policies/{7AAC2031-1B06-487B-9520-603666A7F00D}/User/Registry.pol
>>
>>             Also, I don't know what is wrong with sysvolcheck.
>>
>>             # /usr/local/samba/bin/samba-tool ntacl sysvolcheck
>>             ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
>>               File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>                 return self.run(*args, **kwargs)
>>               File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
>>                 lp)
>>               File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
>>                 direct_db_access)
>>               File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
>>                 domainsid, direct_db_access)
>>               File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
>>                 fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>>               File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 73, in getntacl
>>                 xattr.XATTR_NTACL_NAME
>>
>>
>>             Thanks,
>>
>>
>>         -- 
>>         To unsubscribe from this list go to the following URL and
>>         read the
>>         instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>
>     This raises more questions than it answers:
>
>     Why are you doing this?
>     Why do you expect it to work?
>     Have you joined the samba4 machine to the domain as a secondary DC?
>
>     And lastly (and for the second time of asking) can you post your
>     smb.conf from the samba4 machine.
>
>     Rowland
>
>

OK, I understand a bit better now: you are mounting sysvol from the 
windows server, copying it to the correct position and then trying to 
reset the ACLs with samba-tool. I am not sure this is going to work and, 
as I don't have a windows server, I cannot try it.

What I have found is this post on the samba mailing list: 
https://lists.samba.org/archive/samba/2013-April/173003.html

The script shown is a bit basic, but should work. The main problem, as far 
as I can see, is what happens if it doesn't work: you could lose 
everything in sysvol on the samba4 DC.

If you are interested, I have re-written it with much more error 
checking and you are welcome to a copy, but note, I cannot test it and 
you will use it at your own risk.

Rowland
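The procedure discussed in this thread (mount the Windows DC's SYSVOL share, copy it into the Samba DC's sysvol directory, then run `samba-tool ntacl sysvolreset`) can be scripted so that a failed mount or a half-finished copy never replaces the live tree. The script below is an added example written for this archive page; it is neither the script from the linked 2013 post nor Rowland's rewrite, and the Samba project does not ship it. The host name, mount point and Samba prefix are taken from the thread; the credentials file path, the use of rsync, and the `.staging` / `.prev` directory names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the script from the thread or from the Samba project):
# mirror SYSVOL from a Windows DC onto a Samba AD DC without ever leaving the
# live sysvol tree half-copied. The Windows DC host, mount point and Samba
# prefix follow the thread; credentials file, rsync and the *.staging/*.prev
# directory names are assumptions of this example.

WINDOWS_DC="${WINDOWS_DC:-windowsDC.myDomain.local}"
REALM="${REALM:-myDomain.local}"                 # sysvol/<realm>/Policies must exist on the share
SYSVOL_MNT="${SYSVOL_MNT:-/mnt/smb/sysvol}"
SAMBA_SYSVOL="${SAMBA_SYSVOL:-/usr/local/samba/var/locks/sysvol}"
SAMBA_TOOL="${SAMBA_TOOL:-/usr/local/samba/bin/samba-tool}"
CRED_FILE="${CRED_FILE:-/root/.sysvol-cred}"    # assumed: username=/password=/domain= lines, mode 0600
MOUNT_CMD="${MOUNT_CMD:-mount}"                  # overridable so the logic can be exercised without root
UMOUNT_CMD="${UMOUNT_CMD:-umount}"
RSYNC_CMD="${RSYNC_CMD:-rsync}"

log() { printf '%s sysvol-sync: %s\n' "$(date '+%F %T')" "$*" >&2; }

# The domain admin password lives in the credentials file, so refuse to run
# if anyone but the owner can read it.
check_creds() {
    [ -f "$CRED_FILE" ] || { log "credentials file $CRED_FILE missing"; return 1; }
    mode=$(stat -c '%a' "$CRED_FILE" 2>/dev/null || stat -f '%Lp' "$CRED_FILE")
    case "$mode" in
        600|400) return 0 ;;
        *) log "credentials file $CRED_FILE is mode $mode, want 600"; return 1 ;;
    esac
}

sysvol_sync() {
    check_creds || return 1
    [ -d "$SAMBA_SYSVOL" ] || { log "$SAMBA_SYSVOL is not a directory"; return 1; }
    mkdir -p "$SYSVOL_MNT" || return 1
    staging="$SAMBA_SYSVOL.staging"
    backup="$SAMBA_SYSVOL.prev"

    "$MOUNT_CMD" -t cifs -o "credentials=$CRED_FILE,ro" "//$WINDOWS_DC/SYSVOL" "$SYSVOL_MNT" \
        || { log "mount of //$WINDOWS_DC/SYSVOL failed; live sysvol untouched"; return 1; }

    # An empty or wrong mount mirrored with --delete would wipe every GPO, so
    # insist on the Policies tree before copying anything.
    if [ ! -d "$SYSVOL_MNT/$REALM/Policies" ]; then
        log "no $REALM/Policies under $SYSVOL_MNT; refusing to sync"
        "$UMOUNT_CMD" "$SYSVOL_MNT"
        return 1
    fi

    # Copy into a staging tree first; a partial copy never reaches the live path.
    mkdir -p "$staging" || { "$UMOUNT_CMD" "$SYSVOL_MNT"; return 1; }
    if ! "$RSYNC_CMD" -a --delete "$SYSVOL_MNT/" "$staging/"; then
        log "rsync failed; live sysvol untouched"
        "$UMOUNT_CMD" "$SYSVOL_MNT"
        return 1
    fi
    "$UMOUNT_CMD" "$SYSVOL_MNT" || log "warning: umount of $SYSVOL_MNT failed"

    # Swap the trees with two renames and keep the old one for rollback.
    rm -rf "$backup"
    mv "$SAMBA_SYSVOL" "$backup" || { log "could not move live sysvol aside"; return 1; }
    mv "$staging" "$SAMBA_SYSVOL" \
        || { log "swap failed; restoring $backup"; mv "$backup" "$SAMBA_SYSVOL"; return 1; }

    # Files copied from CIFS carry no Samba NT ACLs; re-apply the ones a DC needs.
    "$SAMBA_TOOL" ntacl sysvolreset \
        || { log "sysvolreset failed; previous tree kept at $backup"; return 1; }
    log "sysvol mirrored from //$WINDOWS_DC/SYSVOL"
    return 0
}

# Run the sync only when invoked as "sysvol-sync.sh run"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then
    sysvol_sync || exit 1
fi
```

Every external command is a variable so the refusal paths (unreadable credentials, failed mount, a share without a Policies tree, failed copy) can be exercised with stand-ins before the script is trusted with a real sysvol; the previous tree survives in `sysvol.prev` after each successful run so a bad copy can be rolled back with a single `mv`.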

