[Samba] [SAMBA] Problems with joining a second DC to AD

Rowland Penny rowlandpenny at googlemail.com
Tue May 26 05:31:29 MDT 2015


On 26/05/15 10:42, Stephan Mattecka wrote:
> Sent: Thursday, 21 May 2015 at 19:06
> From: "Rowland Penny" <rowlandpenny at googlemail.com>
> To: samba at lists.samba.org
> Subject: Re: [Samba] [SAMBA] Problems with joining a second DC to AD
> On 21/05/15 17:41, Stephan Mattecka wrote:
>> Hi Rowland and Louis,
>>
>> I tried both of your suggestions, but nothing changed on DC2. I checked all the DNS settings (resolv.conf and hosts), so I don't think that this is the reason for the error messages.
>>
>> I set the log level to 5 and will try to find the differences between the two machines. These are just virtual machines to test building an AD domain before using it in real life.
>>
>> Regards
>> Stephan
>>
>>
>>
>>
>> Sent: Thursday, 21 May 2015 at 10:39
>> From: "L.P.H. van Belle" <belle at bazuin.nl>
>> To: "samba at lists.samba.org" <samba at lists.samba.org>
>> Subject: Re: [Samba] [SAMBA] Problems with joining a second DC to AD
>> Hai,
>>
>> I hope your domain is not .lan (reserved name for mDNS);
>> it can be used, but can give problems.
>>
>> in smb.conf
>> change :
>> interfaces = lo, eth0
>> to
>> interfaces = lo, IP_of_eth0
>>
>> and make sure your /etc/hosts and /etc/resolv.conf on DC2 are correct.
>> Make sure you have the following in /etc/resolv.conf on DC2:
>> search example.lan
>> nameserver IP_OF_DC1
>>
>>
>>
>> and try again.
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>> -----Original message-----
>>> From: ste-fun_s at gmx.de [mailto:samba-bounces at lists.samba.org]
>>> On behalf of Stephan Mattecka
>>> Sent: Thursday, 21 May 2015 9:18
>>> To: samba at lists.samba.org
>>> Subject: [Samba] [SAMBA] Problems with joining a second DC to AD
>>>
>>> Hello,
>>>
>>> I am trying to set up an AD domain with the help of the Sernet-Samba
>>> packages. Currently I'm using Scientific Linux (SL) 6.6 and
>>> Sernet-Samba 4.1.17 packages. I tried the procedure twice
>>> with fresh minimal SL installations.
>>>
>>> I could successfully install an AD domain controller.
>>> Now I tried to add a second DC to this AD domain and carefully
>>> followed the instructions on the Samba wiki.
>>> I could also join the second DC to my domain, but when I try to run
>>>
>>> samba-tool ntacl sysvolreset
>>>
>>> on the 2nd DC I get the following error messages:
>>>
>>>
>>> open: error=2 (No such file or directory)
>>> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 218, in run
>>>     lp, use_ntvfs=use_ntvfs)
>>>   File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1612, in setsysvolacl
>>>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>>>   File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1505, in set_gpos_acl
>>>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>>>   File "/usr/lib64/python2.6/site-packages/samba/ntacls.py", line 154, in setntacl
>>>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
>>>
>>> My smb.conf on DC1:
>>>
>>>
>>> # Global parameters
>>> [global]
>>> workgroup = EXAMPLE
>>> realm = EXAMPLE.LAN
>>> netbios name = DC1
>>> interfaces = lo, eth0
>>> bind interfaces only = Yes
>>> server role = active directory domain controller
>>> idmap_ldb:use rfc2307 = yes
>>> [netlogon]
>>> path = /var/lib/samba/sysvol/pentracor.lan/scripts
>>> read only = No
>>> [sysvol]
>>> path = /var/lib/samba/sysvol
>>> read only = No
>>>
>>> smb.conf on DC2:
>>>
>>>
>>> # Global parameters
>>> [global]
>>> workgroup = EXAMPLE
>>> realm = example.lan
>>> netbios name = DC2
>>> interfaces = lo, eth1
>>> bind interfaces only = Yes
>>> server role = active directory domain controller
>>> [netlogon]
>>> path = /var/lib/samba/sysvol/example.lan/scripts
>>> read only = No
>>> [sysvol]
>>> path = /var/lib/samba/sysvol
>>> read only = No
>>>
>>> I turned off iptables and SELinux on both machines for
>>> testing purposes. The folder /var/lib/samba/sysvol exists on
>>> DC2. On DC1 I can run the sysvolreset command without any problems.
>>>
>>> Hopefully someone has an idea what might be wrong here.
>>>
>>> Regards
>>> Stephan Mattecka
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>> OK, try commenting out the interfaces lines, restart samba on both
>> machines and see how you go on.
>> I do not know if you are trying in any way to sync sysvol between the 2
>> DCs; if you are, this could give you a problem, as idmap.ldb is different
>> between the DCs. The workaround is to copy idmap.ldb from the first DC
>> to the second and run sysvolreset, but this is where we came in :-D
>>
>> Can you post the command you used to provision the first DC and the
>> command you used to join the second DC to the first.
>>
>> Rowland
> Hello Rowland,
>
> I commented out the interfaces lines, but nothing changed for sysvolcheck on DC2.
> I also get an error message for ntacl sysvolcheck. The log level 5 output is the following (for sysvolcheck in this case; I deleted some lines about log levels being 5):
>
> INFO: Current debug levels:
>    all: 5
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> pm_process() returned Yes
> schema_fsmo_init: we are master[no] updates allowed[no]
> schema_fsmo_init: we are master[no] updates allowed[no]
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Processing section "[global]"
> doing parameter workgroup = EXAMPLE
> doing parameter realm = example.lan
> doing parameter netbios name = DC2
> doing parameter server role = active directory domain controller
> doing parameter log level = 5
> INFO: Current debug levels:
>    all: 5
> doing parameter idmap_ldb:use rfc2307 = yes
> Processing section "[netlogon]"
> doing parameter path = /var/lib/samba/sysvol/example.lan/scripts
> doing parameter read only = No
> Processing section "[sysvol]"
> doing parameter path = /var/lib/samba/sysvol
> doing parameter read only = No
> pm_process() returned Yes
> Attempting to register passdb backend smbpasswd
> Successfully added passdb backend 'smbpasswd'
> Attempting to register passdb backend tdbsam
> Successfully added passdb backend 'tdbsam'
> Attempting to register passdb backend wbc_sam
> Successfully added passdb backend 'wbc_sam'
> Attempting to register passdb backend samba_dsdb
> Successfully added passdb backend 'samba_dsdb'
> Attempting to register passdb backend samba4
> Successfully added passdb backend 'samba4'
> Attempting to register passdb backend ldapsam
> Successfully added passdb backend 'ldapsam'
> Attempting to register passdb backend NDS_ldapsam
> Successfully added passdb backend 'NDS_ldapsam'
> Attempting to register passdb backend IPA_ldapsam
> Successfully added passdb backend 'IPA_ldapsam'
> Attempting to find a passdb backend to match samba_dsdb:tdb:///var/lib/samba/private/sam.ldb (samba_dsdb)
> Found pdb backend samba_dsdb
> ldb_wrap open of idmap.ldb
> pdb backend samba_dsdb:tdb:///var/lib/samba/private/sam.ldb has a valid init
> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 249, in run
>      lp)
>    File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
>      direct_db_access)
>    File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
>      domainsid, direct_db_access)
>    File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
>      fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>    File "/usr/lib64/python2.6/site-packages/samba/ntacls.py", line 73, in getntacl
>      xattr.XATTR_NTACL_NAME)
>
> For provisioning and joining I strictly followed the HowTos on the Samba wiki. I used the following commands:
>
> samba-tool domain provision --use-rfc2307 --interactive --option="interfaces=lo eth0" --option="bind interfaces only=yes" (provisioning on DC1)
>
> samba-tool domain join example.lan DC -Uadministrator --realm=example.lan --dns-backend=SAMBA_INTERNAL --option="interfaces=lo eth0" --option="bind interfaces only=yes" (joining DC2)
>
> I only came across the problem because I wanted to sync the sysvol between the two DCs. That is when I got this error message on DC2.
> My first thought was that something was wrong with the imported files, so I started the procedure again to see if I get the same error message without importing the data from DC1.
>
> Regards
> Stephan

Strange, it seems to be saying that you do not have a sysvol directory.

What does 'ls -la /var/lib/samba/sysvol/' show ?

and 'getfacl /var/lib/samba/sysvol'

Rowland
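The thread converges on three things to verify on DC2 before `samba-tool ntacl sysvolreset` or `sysvolcheck` can work: the smb.conf is well-formed (the posted DC2 config has an unterminated section header), the `[netlogon]` path matches the realm under the `[sysvol]` path, and the sysvol tree the ntacl code opens (sysvol/<realm>/Policies and sysvol/<realm>/scripts) actually exists on a filesystem that can store the xattr-backed NT ACLs. The script below is an added example, not part of the original thread and not Samba's own code: its smb.conf reader is a minimal stand-in for Samba's parser, the sample config is DC2's as posted, the expected directory layout is an assumption based on what provision/join creates, and the sysvol tree it checks is constructed in a temporary directory for the demo.

```python
"""Pre-flight check of sysvol on a joined Samba AD DC, run before
`samba-tool ntacl sysvolreset` / `sysvolcheck`.  Added example, not Samba
code: the smb.conf reader is a minimal stand-in for Samba's parser and the
expected sysvol layout (sysvol/<realm>/{Policies,scripts}) is an assumption
matching what provision/join creates."""
import errno
import os
import tempfile

# Constructed sample: DC2's smb.conf from the thread, section header
# completed; {sysvol} is filled in at run time with a temp directory.
DC2_CONF = """\
# Global parameters
[global]
        workgroup = EXAMPLE
        realm = example.lan
        netbios name = DC2
        server role = active directory domain controller
[netlogon]
        path = {sysvol}/example.lan/scripts
        read only = No
[sysvol]
        path = {sysvol}
        read only = No
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {key: value}}.  Samba treats
    parameter names case-insensitively and ignores embedded spaces, so keys
    are normalised to lowercase with spaces removed.  An unterminated
    "[name" header is rejected rather than silently merged into the
    previous section."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            if not line.endswith("]"):
                raise ValueError("unterminated section header: %r" % line)
            section = line[1:-1].strip().lower()
            conf[section] = {}
            continue
        if "=" not in line or section is None:
            raise ValueError("unexpected line: %r" % line)
        key, value = line.split("=", 1)
        conf[section][key.strip().lower().replace(" ", "")] = value.strip()
    return conf


def parse_error(text):
    """Return the parser's error message for `text`, or None if it parses."""
    try:
        parse_smb_conf(text)
        return None
    except ValueError as e:
        return str(e)


def xattr_supported(directory):
    """True if user.* xattrs can be written under `directory`, False if the
    filesystem reports ENOTSUP, None if the probe could not run.  sysvolreset
    stores security.NTACL, which needs root; the user namespace rides on the
    same filesystem xattr support, so it is a usable unprivileged probe."""
    if not hasattr(os, "setxattr"):          # non-Linux Python builds
        return None
    try:
        fd, probe = tempfile.mkstemp(dir=directory)
    except OSError:
        return None
    os.close(fd)
    try:
        os.setxattr(probe, "user.sysvolcheck", b"1")
        return True
    except OSError as e:
        unsupported = {getattr(errno, n, None) for n in ("ENOTSUP", "EOPNOTSUPP")}
        return False if e.errno in unsupported else None
    finally:
        os.unlink(probe)


def check_sysvol(conf):
    """Return a list of findings (empty means nothing obviously wrong)."""
    findings = []
    realm = conf.get("global", {}).get("realm", "").lower()
    if not realm:
        return ["[global] has no realm"]
    sysvol = conf.get("sysvol", {}).get("path")
    if not sysvol:
        return ["[sysvol] share has no path"]
    # netlogon must point at <sysvol>/<realm>/scripts, realm lowercased
    expected = os.path.join(sysvol, realm, "scripts")
    netlogon = conf.get("netlogon", {}).get("path")
    if netlogon != expected:
        findings.append("[netlogon] path %r != expected %r" % (netlogon, expected))
    # directories that provision/join create and the ntacl code opens
    for rel in ("", realm, os.path.join(realm, "Policies"), os.path.join(realm, "scripts")):
        path = os.path.join(sysvol, rel)
        if not os.path.isdir(path):
            findings.append("missing directory: %s" % path)
    if os.path.isdir(sysvol) and xattr_supported(sysvol) is False:
        findings.append("filesystem under %s has no xattr support; NT ACLs cannot be stored" % sysvol)
    return findings


def run_demo(root=None):
    """Check an empty sysvol root (as on a DC whose tree never got created),
    then create the expected tree and check again.  Returns (before, after)."""
    root = root or tempfile.mkdtemp(prefix="sysvol-")
    conf = parse_smb_conf(DC2_CONF.format(sysvol=root))
    before = check_sysvol(conf)
    for rel in ("example.lan/Policies", "example.lan/scripts"):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    after = check_sysvol(conf)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("empty sysvol root:", *before, sep="\n  ")
    print("after creating the tree:", *(after or ["no findings"]), sep="\n  ")
```

Run it on the real DC with `DC2_CONF` replaced by the contents of `/etc/samba/smb.conf` and the root checks will tell you whether the `open: error=2` from `set_nt_acl` is a missing path or a filesystem that cannot hold the `security.NTACL` xattr. It does not cover the idmap.ldb mismatch Rowland mentions: that only shows up once sysvol is copied between DCs, and the fix he gives (copy idmap.ldb from DC1, then `sysvolreset`) is an operational step, not something this check can detect from the tree alone.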


