[Samba] [SAMBA] Problems with joining a second DC to AD

Stephan Mattecka ste-fun_s at gmx.de
Tue May 26 05:51:18 MDT 2015


> Sent: Tuesday, 26 May 2015 at 13:31
> From: "Rowland Penny" <rowlandpenny at googlemail.com>
> To: "Stephan Mattecka" <ste-fun_s at gmx.de>
> Cc: samba at lists.samba.org
> Subject: Re: Aw: Re: [Samba] [SAMBA] Problems with joining a second DC to AD
>
> On 26/05/15 10:42, Stephan Mattecka wrote:
> > Sent: Thursday, 21 May 2015 at 19:06
> > From: "Rowland Penny" <rowlandpenny at googlemail.com>
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] [SAMBA] Problems with joining a second DC to AD
> > On 21/05/15 17:41, Stephan Mattecka wrote:
> >> Hi Rowland and Louis,
> >>
> >> I did try both of your suggestions, but nothing changed on DC2. I did check all the DNS-settings (resolv.conf and hosts), so that I don't think that this is the reason for the error-messages.
> >>
> >> I did set the loglevel to 5 and will try to find the differences between both machines. These are just virtual machines to test the building of an AD-Domain before using it in real life.
> >>
> >> Regards
> >> Stephan
> >>
> >>
> >>
> >>
> >> Sent: Thursday, 21 May 2015 at 10:39
> >> From: "L.P.H. van Belle" <belle at bazuin.nl>
> >> To: "samba at lists.samba.org" <samba at lists.samba.org>
> >> Subject: Re: [Samba] [SAMBA] Problems with joining a second DC to AD
> >> Hai,
> >>
> >> I hope your domain is not .lan ( reserved name for mDNS )
> >> can be used, but can give problems.
> >>
> >> in smb.conf
> >> change :
> >> interfaces = lo, eth0
> >> to
> >> interfaces = lo, IP_of_eth0
> >>
> >> and make sure your /etc/hosts and /etc/resolv.conf on DC2 are correct.
> >> make sure you have in /etc/resolv.conf on DC2.
> >> search example.lan
> >> nameserver IP_OF_DC1
> >>
> >>
> >>
> >> and try again.
> >>
> >> Greetz,
> >>
> >> Louis
> >>
> >>
> >>
> >>> -----Original message-----
> >>> From: ste-fun_s at gmx.de [mailto:samba-bounces at lists.samba.org]
> >>> On behalf of Stephan Mattecka
> >>> Sent: Thursday 21 May 2015 9:18
> >>> To: samba at lists.samba.org
> >>> Subject: [Samba] [SAMBA] Problems with joining a second DC to AD
> >>>
> >>> Hello,
> >>>
> >>> I try to setup an AD-Domain with the help of Sernet-Samba
> >>> packages. Currently I'm using Scientific Linux (SL) 6.6 and
> >>> Sernet-Samba 4.1.17 packages. I tried the procedure two times
> >>> with fresh minimal SL installations.
> >>>
> >>> I could successfully install an AD-Domain-Controller.
> >>> Now I tried to add a second DC to this AD-Domain and followed
> >>> carefully the instructions at the samba wiki.
> >>> I could also join the second DC to my domain, but when I try to run
> >>>
> >>> samba-tool ntacl sysvolreset
> >>>
> >>> on the 2nd DC I get the following error messages:
> >>>
> >>>
> >>> open: error=2 (No such file or directory)
> >>> ERROR(runtime): uncaught exception - (-1073741823,
> >>> 'Undetermined error')
> >>> File
> >>> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
> >>> line 175, in _run
> >>> return self.run(*args, **kwargs)
> >>> File
> >>> "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py",
> >>> line 218, in run
> >>> lp, use_ntvfs=use_ntvfs)
> >>> File
> >>> "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py
> >>> ", line 1612, in setsysvolacl
> >>> set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn,
> >>> samdb, lp, use_ntvfs, passdb=s4_passdb)
> >>> File
> >>> "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py
> >>> ", line 1505, in set_gpos_acl
> >>> use_ntvfs=use_ntvfs, skip_invalid_chown=True,
> >>> passdb=passdb, service=SYSVOL_SERVICE)
> >>> File "/usr/lib64/python2.6/site-packages/samba/ntacls.py",
> >>> line 154, in setntacl
> >>> smbd.set_nt_acl(file, security.SECINFO_OWNER |
> >>> security.SECINFO_GROUP | security.SECINFO_DACL |
> >>> security.SECINFO_SACL, sd, service=service)
> >>>
> >>> My smb.conf on DC1:
> >>>
> >>>
> >>> # Global parameters
> >>> [global]
> >>> workgroup = EXAMPLE
> >>> realm = EXAMPLE.LAN
> >>> netbios name = DC1
> >>> interfaces = lo, eth0
> >>> bind interfaces only = Yes
> >>> server role = active directory domain controller
> >>> idmap_ldb:use rfc2307 = yes
> >>> [netlogon]
> >>> path = /var/lib/samba/sysvol/pentracor.lan/scripts
> >>> read only = No
> >>> [sysvol]
> >>> path = /var/lib/samba/sysvol
> >>> read only = No
> >>>
> >>> smb.conf on DC2:
> >>>
> >>>
> >>> # Global parameters
> >>> [global]
> >>> workgroup = EXAMPLE
> >>> realm = example.lan
> >>> netbios name = DC2
> >>> interfaces = lo, eth1
> >>> bind interfaces only = Yes
> >>> server role = active directory domain controller
> >>> [netlogon]
> >>> path = /var/lib/samba/sysvol/example.lan/scripts
> >>> read only = No
> >>> [sysvol]
> >>> path = /var/lib/samba/sysvol
> >>> read only = No
> >>>
> >>> I did turn off iptables and SELinux on both machines for
> >>> testing purposes. The folder /var/lib/samba/sysvol exists on
> >>> DC2. On DC1 I can run the sysvolreset command without any problems.
> >>>
> >>> Hopefully someone has an idea what might be wrong here.
> >>>
> >>> Regards
> >>> Stephan Mattecka
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions: https://lists.samba.org/mailman/options/samba
> >>>
> >> OK, try commenting out the interfaces lines, restart samba on both
> >> machines and see how you go on.
> >> I do not know if you are trying in anyway to sync sysvol between the 2
> >> DCs, if you are this could give you a problem, as idmap.ldb is different
> >> between the DCs, the workaround is to copy idmap.ldb from the first DC
> >> to the second and run sysvolreset, but this is where we came in :-D
> >>
> >> Can you post the command you used to provision the first DC and the
> >> command you used to join the second DC to the first.
> >>
> >> Rowland
> > Hello Rowland,
> >
> > I did comment out the interfaces lines but nothing changed for the sysvolcheck on dc2.
> > I also get an error message for ntacl sysvolcheck. The loglevel 5 output is the following (for sysvolcheck in this case, I deleted some lines about loglevels being 5):
> >
> > INFO: Current debug levels:
> >    all: 5
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > pm_process() returned Yes
> > schema_fsmo_init: we are master[no] updates allowed[no]
> > schema_fsmo_init: we are master[no] updates allowed[no]
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> > Processing section "[global]"
> > doing parameter workgroup = EXAMPLE
> > doing parameter realm = example.lan
> > doing parameter netbios name = DC2
> > doing parameter server role = active directory domain controller
> > doing parameter log level = 5
> > INFO: Current debug levels:
> >    all: 5
> > doing parameter idmap_ldb:use rfc2307 = yes
> > Processing section "[netlogon]"
> > doing parameter path = /var/lib/samba/sysvol/example.lan/scripts
> > doing parameter read only = No
> > Processing section "[sysvol]"
> > doing parameter path = /var/lib/samba/sysvol
> > doing parameter read only = No
> > pm_process() returned Yes
> > Attempting to register passdb backend smbpasswd
> > Successfully added passdb backend 'smbpasswd'
> > Attempting to register passdb backend tdbsam
> > Successfully added passdb backend 'tdbsam'
> > Attempting to register passdb backend wbc_sam
> > Successfully added passdb backend 'wbc_sam'
> > Attempting to register passdb backend samba_dsdb
> > Successfully added passdb backend 'samba_dsdb'
> > Attempting to register passdb backend samba4
> > Successfully added passdb backend 'samba4'
> > Attempting to register passdb backend ldapsam
> > Successfully added passdb backend 'ldapsam'
> > Attempting to register passdb backend NDS_ldapsam
> > Successfully added passdb backend 'NDS_ldapsam'
> > Attempting to register passdb backend IPA_ldapsam
> > Successfully added passdb backend 'IPA_ldapsam'
> > Attempting to find a passdb backend to match samba_dsdb:tdb:///var/lib/samba/private/sam.ldb (samba_dsdb)
> > Found pdb backend samba_dsdb
> > ldb_wrap open of idmap.ldb
> > pdb backend samba_dsdb:tdb:///var/lib/samba/private/sam.ldb has a valid init
> > ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
> >    File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
> >      return self.run(*args, **kwargs)
> >    File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 249, in run
> >      lp)
> >    File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
> >      direct_db_access)
> >    File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
> >      domainsid, direct_db_access)
> >    File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
> >      fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
> >    File "/usr/lib64/python2.6/site-packages/samba/ntacls.py", line 73, in getntacl
> >      xattr.XATTR_NTACL_NAME)
> >
> > For provisioning and joining I followed strictly the HowTos on the samba Wiki. I used the following commands:
> >
> > samba-tool domain provision --use-rfc2307 --interactive --option="interfaces=lo eth0" --option="bind interfaces only=yes" (provisioning on DC1)
> >
> > samba-tool domain join example.lan DC -Uadministrator --realm=example.lan --dns-backend=SAMBA_INTERNAL --option="interfaces=lo eth0" --option="bind interfaces only=yes" (joining DC2)
> >
> > I just came to the problem because I wanted to sync the sysvol between the two DCs. But then I got this error-message on DC2.
> > My first thought was that something was wrong with the imported file, so I started the procedure again, to see if I get the same error-message without importing the data from DC1.
> >
> > Regards
> > Stephan
> 
> Strange, it seems to be saying that you do not have a sysvol directory.
> 
> What does 'ls -la /var/lib/samba/sysvol/' show ?
> 
> and 'getfacl /var/lib/samba/sysvol'
> 
> Rowland
> 
> 

[root at dc2 ~]# ls -alh /var/lib/samba/sysvol/
total 20K
drwxrwx---+  3 root 3000000 4.0K May 26 10:37 .
drwxr-xr-x. 10 root root    4.0K May 20 15:28 ..
drwxrwx---+  4 root 3000000 4.0K May 21 14:51 example.lan

[root at dc2 ~]# getfacl /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

I did even try copying the Policies folder from DC1 to DC2 because I thought this might be the missing folder, but this also does not help.

Stephan
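The getfacl output above shows only numeric qualifiers (3000000 to 3000003) on the sysvol tree: these are xidNumbers that Samba allocates in idmap.ldb, and, as Rowland notes earlier in the thread, each DC allocates them independently, so the same number can stand for a different SID on DC1 and DC2. The following script is an added illustration of that point and is not code from the thread or from the Samba project. It parses getfacl output of the form pasted above, lists the unresolved xids, and compares them against two constructed xidNumber-to-SID tables that stand in for the idmap.ldb contents of the two DCs (the SID assignments are invented for the example; only the well-known SID values themselves are real).

```python
"""Check a sysvol POSIX ACL for xids that mean different SIDs on two Samba AD DCs.

Added example, not part of the mailing-list thread or of Samba itself.
"""
import re

# Constructed sample: the getfacl output pasted in the thread, header line included.
GETFACL_DC2 = """\
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
"""

# Constructed stand-ins for the xidNumber -> objectSid records in each DC's idmap.ldb.
# The SIDs are well-known ones (Administrators, Authenticated Users, SYSTEM,
# Enterprise Domain Controllers); which xid each got on which DC is invented.
IDMAP_DC1 = {3000000: "S-1-5-32-544", 3000001: "S-1-5-11",
             3000002: "S-1-5-18", 3000003: "S-1-5-9"}
IDMAP_DC2 = {3000000: "S-1-5-32-544", 3000001: "S-1-5-18",
             3000002: "S-1-5-11", 3000003: "S-1-5-9"}

# One getfacl entry: [default:]tag:qualifier:perms
ENTRY_RE = re.compile(
    r"^(?P<dflt>default:)?(?P<tag>user|group|mask|other):(?P<qual>[^:]*):(?P<perms>[rwx-]{3})$"
)


def parse_getfacl(text):
    """Return a list of ACL entries parsed from getfacl output.

    Comment lines (# file/owner/group) and getfacl's own notices are skipped;
    any other unrecognised line raises, so silent misparsing cannot hide an entry.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("getfacl:"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("unrecognised getfacl line: %r" % line)
        entries.append({
            "default": bool(m.group("dflt")),
            "tag": m.group("tag"),
            "qualifier": m.group("qual"),
            "perms": m.group("perms"),
        })
    return entries


def unresolved_xids(entries):
    """Named user/group qualifiers that are purely numeric were not resolved by NSS.

    On a Samba AD DC these are idmap.ldb xidNumbers, i.e. per-DC allocations.
    """
    return sorted({int(e["qualifier"]) for e in entries
                   if e["tag"] in ("user", "group") and e["qualifier"].isdigit()})


def acl_sid_divergence(entries, idmap_a, idmap_b):
    """Return (xid, sid_on_a, sid_on_b) for every xid in the ACL that maps to a
    different SID on the two DCs. A non-empty result means the POSIX ACL cannot be
    copied verbatim between them; sysvolreset must rebuild it on the target DC."""
    diverged = []
    for xid in unresolved_xids(entries):
        sid_a, sid_b = idmap_a.get(xid), idmap_b.get(xid)
        if sid_a != sid_b:
            diverged.append((xid, sid_a, sid_b))
    return diverged


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_DC2)
    print("entries:", len(acl), "unresolved xids:", unresolved_xids(acl))
    for xid, a, b in acl_sid_divergence(acl, IDMAP_DC1, IDMAP_DC2):
        print("xid %d is %s on DC1 but %s on DC2" % (xid, a, b))
```

Run it with real data by replacing GETFACL_DC2 with the output of `getfacl /var/lib/samba/sysvol` and the two dictionaries with xidNumber/objectSid pairs exported from each DC's idmap.ldb; every xid the script reports is a principal that would receive the wrong rights if the ACL were synced file-for-file rather than regenerated with `samba-tool ntacl sysvolreset`.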

