[Samba] windows sysvol share

Adriana Moga adriana.gologaneanu at gmail.com
Thu Mar 19 02:03:43 MDT 2015


Thanks Rowland, maybe I will test the script in the lab. The samba server is
in production already.
What Andreas proposed, "oplocks = no" and "level2 oplocks = no", solved the
problem.

Many thanks!

On Wed, Mar 18, 2015 at 6:29 PM, Rowland Penny <rowlandpenny at googlemail.com>
wrote:

>  On 18/03/15 15:03, Adriana Moga wrote:
>
>   Sorry, I have omitted to post the config file.
>
> # cat /usr/local/samba/etc/smb.conf
> [global]
>         workgroup = myDomain
>         realm = myDomain.local
>         netbios name = DCLINUX
>         server role = active directory domain controller
>
>         dsdb:schema update allowed = yes
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/rcs-rds.local/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
>  I have joined samba as a Domain Controller in a windows domain. Directory
> replication has no problems, "samba-tool drs showrepl" shows connections
> with other DC. Just from time to time "samba-tool show repl" gives a
> "NT_STATUS_IO_TIMEOUT". I don't know why.
>
>  # /usr/local/samba/bin/samba-tool drs options
> Current DSA options: IS_GC
>
>  Replication of the Sysvol isn't implemented, so I manually mounted the
> share.
>
>  Clients connections:
>    # /usr/local/samba/bin/net status sessions
> PID     Username      Group         Machine
> -------------------------------------------------------------------
>   12440   3000351       3000023    ...198.200 (ipv4:..198.200:61735)
>   12415   3001838       users         ...227.68 (ipv4:...227.68:2647)
>   12320   3000376       users         ...197.38 (ipv4:...197.38:64120)
>   11746   3001173       3000023     ...14.46 (ipv4:...14.46:57925)
>
>  thanks!
>
> On Wed, Mar 18, 2015 at 4:45 PM, Rowland Penny <
> rowlandpenny at googlemail.com> wrote:
>
>>   On 18/03/15 14:40, Adriana Moga wrote:
>>
>>   Of course, the sysvol is located on a windows controller from the
>> forest.
>>
>> mount -t cifs -o username=domain_admin_user
>> //windowsDC.myDomain.local/SYSVOL /mnt/smb/sysvol
>>
>> and copied the files with -R --preserve to
>> /usr/local/samba/var/locks/sysvol/
>>
>>  Below logs are provided from /usr/local/samba/var/log.smbd file.
>>
>>  regards,
>>
>>    On Wed, Mar 18, 2015 at 3:36 PM, Rowland Penny <
>> rowlandpenny at googlemail.com> wrote:
>>
>>> On 18/03/15 13:17, Adriana Moga wrote:
>>>
>>>> Hello,
>>>>
>>>> I have manually mounted the SYSVOL share, synced it with samba and ran
>>>> samba-tool ntacl sysvolreset.
>>>>
>>>
>>>  What do you mean 'manually mounted the SYSVOL share' ? how did you do
>>> this ?
>>>
>>>  But I'm not sure if all windows policies are acceptable by samba
>>>> because of
>>>> errors logs:
>>>>
>>>> 2015/03/18 09:30:52.197934,  0]
>>>> ../source3/smbd/oplock.c:338(oplock_timeout_handler)
>>>>    Oplock break failed for file
>>>>
>>>> myDomain.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Registry.pol
>>>> -- replying anyway
>>>>
>>>> [2015/03/18 10:50:01.905964,  0]
>>>> ../source3/smbd/oplock.c:338(oplock_timeout_handler)
>>>>    Oplock break failed for file
>>>>
>>>> myDomain.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows
>>>> NT/SecEdit/GptTmpl.inf -- replying anyway
>>>>    STATUS=daemon 'smbd' finished starting up and ready to serve
>>>> connectionsOplock break failed for file
>>>>
>>>> rcs-rds.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Registry.pol
>>>> -- replying anyway
>>>>
>>>
>>>  What log is this from?
>>>
>>> Can you post your smb.conf
>>>
>>> Rowland
>>>
>>>
>>>
>>>> What troubles could give these errors?
>>>>
>>>> Samba version 4.1.15 - Debian 7.8 (3.2.0-4-amd64 #1 SMP Debian 3.2.65-1
>>>> x86_64 GNU/Linux) is joined as a domain controller to an existing
>>>> windows
>>>> domain.
>>>> Windows domain controllers (2003 R2, 2012R2) own FSMO roles.
>>>>
>>>> smbstatus:
>>>>
>>>> Locked files:
>>>> Pid          Uid        DenyMode   Access      R/W        Oplock
>>>> SharePath   Name   Time
>>>>
>>>> --------------------------------------------------------------------------------------------------
>>>> 9881         3001393    DENY_NONE  0x20089     RDONLY
>>>>  EXCLUSIVE+BATCH
>>>> /usr/local/samba/var/locks/sysvol
>>>> myDomain/Policies/{8F6D6798-D5A0-4BED-9548-88E45918ADA0}/GPT.INI   Wed
>>>> Mar
>>>> 18 14:00:41 2015
>>>>
>>>> 4928         3001476    DENY_WRITE 0x120089    RDONLY     NONE
>>>> /usr/local/samba/var/locks/sysvol
>>>>
>>>> myDomain/Policies/{7AAC2031-1B06-487B-9520-603666A7F00D}/User/Registry.pol
>>>>
>>>> Also, I don't know what is wrong with sysvolcheck.
>>>>
>>>> # /usr/local/samba/bin/samba-tool ntacl sysvolcheck
>>>> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such
>>>> file or directory')
>>>>    File
>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>>> line 175, in _run
>>>>      return self.run(*args, **kwargs)
>>>>    File
>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
>>>> line
>>>> 249, in run
>>>>      lp)
>>>>    File
>>>>
>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>>>> line 1726, in checksysvolacl
>>>>      direct_db_access)
>>>>    File
>>>>
>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>>>> line 1677, in check_gpos_acl
>>>>      domainsid, direct_db_access)
>>>>    File
>>>>
>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>>>> line 1621, in check_dir_acl
>>>>      fsacl = getntacl(lp, path, direct_db_access=direct_db_access,
>>>> service=SYSVOL_SERVICE)
>>>>    File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py",
>>>> line
>>>> 73, in getntacl
>>>>      xattr.XATTR_NTACL_NAME
>>>>
>>>>
>>>> Thanks,
>>>>
>>>
>>>
>>
>>
>>  This raises more questions than what it answers:
>>
>> Why are you doing this?
>> Why do you expect it to work?
>> Have you joined the samba4 machine to the domain as a secondary DC?
>>
>> And lastly (and for the second time of asking) can you post your smb.conf
>> from the samba4 machine.
>>
>> Rowland
>>
>
>
> OK, I understand a bit better now, you are mounting sysvol from the
> windows server, copying it to the correct position and then trying to reset
> the ACLs with samba-tool, I am not sure this is going to work and as I
> don't have a windows server, I cannot try it.
>
> What I have found is this post on the samba mailing list:
> https://lists.samba.org/archive/samba/2013-April/173003.html
>
> The script shown is a bit basic, but should work, main problem as far as I
> can see, what if it doesn't work, you could lose everything in sysvol on
> the samba4 DC.
>
> If you are interested, I have re-written it with much more error checking
> and you are welcome to a copy, but note, I cannot test it and you will use
> it at your own risk.
>
> Rowland
>
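
One way to check log.smbd for the oplock timeouts quoted in this thread, for instance before and after setting "oplocks = no" and "level2 oplocks = no". This is an added example, not part of the original thread and not Samba code; the sample log is constructed, example.test is a placeholder domain, and the function names are hypothetical.

```python
import re
from collections import Counter

# Start of a Samba log entry: "[YYYY/MM/DD HH:MM:SS.usec,  level] source:line(function)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*\d+\]")
# Message text as quoted in the thread; the path may contain spaces ("Windows NT").
OPLOCK_FAIL = re.compile(r"Oplock break failed for file (.+?) -- replying anyway")

# Constructed sample in the log.smbd layout shown in the thread (not real data).
SAMPLE_LOG = """
[2015/03/18 09:30:52.197934,  0] ../source3/smbd/oplock.c:338(oplock_timeout_handler)
  Oplock break failed for file example.test/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Registry.pol -- replying anyway
[2015/03/18 10:50:01.905964,  0] ../source3/smbd/oplock.c:338(oplock_timeout_handler)
  Oplock break failed for file example.test/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows
  NT/SecEdit/GptTmpl.inf -- replying anyway
[2015/03/18 11:02:10.000001,  3] ../source3/smbd/example.c:1(constructed_entry)
  unrelated entry
[2015/03/18 11:15:00.123456,  0] ../source3/smbd/oplock.c:338(oplock_timeout_handler)
  Oplock break failed for file example.test/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Registry.pol -- replying anyway
"""


def oplock_break_failures(log_text):
    """Return (timestamp, path) for every oplock break timeout in the log."""
    events, ts, body = [], None, []

    def flush():
        if ts is None:
            return
        # Join continuation lines so a message wrapped over two lines still matches.
        for m in OPLOCK_FAIL.finditer(" ".join(body)):
            events.append((ts, m.group(1)))

    for line in log_text.splitlines():
        line = line.strip()
        header = HEADER.match(line)
        if header:
            flush()                      # close the previous entry
            ts, body = header.group(1), []
        elif line:
            body.append(line)
    flush()                              # close the last entry
    return events


def failures_by_file(log_text):
    """Count oplock break timeouts per file, to see which GPO files are affected."""
    return Counter(path for _, path in oplock_break_failures(log_text))
```

A count that drops to zero for new timestamps after the smb.conf change shows the timeouts have stopped.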

