[Samba] [SAMBA] Problems with joining a second DC to AD

Rowland Penny rowlandpenny at googlemail.com
Tue May 26 06:44:55 MDT 2015


On 26/05/15 12:51, Stephan Mattecka wrote:
>> Sent: Tuesday, 26 May 2015 at 13:31
>> From: "Rowland Penny" <rowlandpenny at googlemail.com>
>> To: "Stephan Mattecka" <ste-fun_s at gmx.de>
>> Cc: samba at lists.samba.org
>> Subject: Re: Aw: Re: [Samba] [SAMBA] Problems with joining a second DC to AD
>>
>> On 26/05/15 10:42, Stephan Mattecka wrote:
>>> Sent: Thursday, 21 May 2015 at 19:06
>>> From: "Rowland Penny" <rowlandpenny at googlemail.com>
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] [SAMBA] Problems with joining a second DC to AD
>>> On 21/05/15 17:41, Stephan Mattecka wrote:
>>>> Hi Rowland and Louis,
>>>>
>>>> I did try both of your suggestions, but nothing changed on DC2. I did check all the DNS settings (resolv.conf and hosts), so I don't think that this is the reason for the error messages.
>>>>
>>>> I did set the loglevel to 5 and will try to find the differences between both machines. These are just virtual machines to test the building of an AD domain before using it in real life.
>>>>
>>>> Regards
>>>> Stephan
>>>>
>>>>
>>>>
>>>>
>>>> Sent: Thursday, 21 May 2015 at 10:39
>>>> From: "L.P.H. van Belle" <belle at bazuin.nl>
>>>> To: "samba at lists.samba.org" <samba at lists.samba.org>
>>>> Subject: Re: [Samba] [SAMBA] Problems with joining a second DC to AD
>>>> Hai,
>>>>
>>>> I hope your domain is not .lan (reserved name for mDNS);
>>>> it can be used, but can give problems.
>>>>
>>>> in smb.conf
>>>> change :
>>>> interfaces = lo, eth0
>>>> to
>>>> interfaces = lo, IP_of_eth0
>>>>
>>>> and make sure your /etc/hosts and /etc/resolv.conf on DC2 are correct.
>>>> make sure you have in /etc/resolv.conf on DC2.
>>>> search example.lan
>>>> nameserver IP_OF_DC1
>>>>
>>>>
>>>>
>>>> and try again.
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: ste-fun_s at gmx.de [mailto:samba-bounces at lists.samba.org]
>>>>> On behalf of Stephan Mattecka
>>>>> Sent: Thursday 21 May 2015 9:18
>>>>> To: samba at lists.samba.org
>>>>> Subject: [Samba] [SAMBA] Problems with joining a second DC to AD
>>>>>
>>>>> Hello,
>>>>>
>>>>> I am trying to set up an AD domain with the help of Sernet-Samba
>>>>> packages. Currently I'm using Scientific Linux (SL) 6.6 and
>>>>> Sernet-Samba 4.1.17 packages. I tried the procedure two times
>>>>> with fresh minimal SL installations.
>>>>>
>>>>> I could successfully install an AD domain controller.
>>>>> Now I tried to add a second DC to this AD domain and carefully
>>>>> followed the instructions at the samba wiki.
>>>>> I could also join the second DC to my domain, but when I try to run
>>>>>
>>>>> samba-tool ntacl sysvolreset
>>>>>
>>>>> on the 2nd DC I get the following error messages:
>>>>>
>>>>>
>>>>> open: error=2 (No such file or directory)
>>>>> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>>>>> File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>> return self.run(*args, **kwargs)
>>>>> File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 218, in run
>>>>> lp, use_ntvfs=use_ntvfs)
>>>>> File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1612, in setsysvolacl
>>>>> set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>>>>> File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1505, in set_gpos_acl
>>>>> use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>>>>> File "/usr/lib64/python2.6/site-packages/samba/ntacls.py", line 154, in setntacl
>>>>> smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
>>>>>
>>>>> My smb.conf on DC1:
>>>>>
>>>>>
>>>>> # Global parameters
>>>>> [global]
>>>>> workgroup = EXAMPLE
>>>>> realm = EXAMPLE.LAN
>>>>> netbios name = DC1
>>>>> interfaces = lo, eth0
>>>>> bind interfaces only = Yes
>>>>> server role = active directory domain controller
>>>>> idmap_ldb:use rfc2307 = yes
>>>>> [netlogon]
>>>>> path = /var/lib/samba/sysvol/pentracor.lan/scripts
>>>>> read only = No
>>>>> [sysvol]
>>>>> path = /var/lib/samba/sysvol
>>>>> read only = No
>>>>>
>>>>> smb.conf on DC2:
>>>>>
>>>>>
>>>>> # Global parameters
>>>>> [global]
>>>>> workgroup = EXAMPLE
>>>>> realm = example.lan
>>>>> netbios name = DC2
>>>>> interfaces = lo, eth1
>>>>> bind interfaces only = Yes
>>>>> server role = active directory domain controller
>>>>> [netlogon]
>>>>> path = /var/lib/samba/sysvol/example.lan/scripts
>>>>> read only = No
>>>>> [sysvol]
>>>>> path = /var/lib/samba/sysvol
>>>>> read only = No
>>>>>
>>>>> I did turn off iptables and SELinux on both machines for
>>>>> testing purposes. The folder /var/lib/samba/sysvol exists on
>>>>> DC2. On DC1 I can run the sysvolreset command without any problems.
>>>>>
>>>>> Hopefully someone has an idea what might be wrong here.
>>>>>
>>>>> Regards
>>>>> Stephan Mattecka
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>
>>>> OK, try commenting out the interfaces lines, restart samba on both
>>>> machines and see how you go on.
>>>> I do not know if you are trying in any way to sync sysvol between the 2
>>>> DCs; if you are, this could give you a problem, as idmap.ldb is different
>>>> between the DCs. The workaround is to copy idmap.ldb from the first DC
>>>> to the second and run sysvolreset, but this is where we came in :-D
>>>>
>>>> Can you post the command you used to provision the first DC and the
>>>> command you used to join the second DC to the first?
>>>>
>>>> Rowland
>>> Hello Rowland,
>>>
>>> I did comment out the interfaces lines, but nothing changed for the sysvolcheck on dc2.
>>> I also get an error message for ntacl sysvolcheck. The loglevel 5 output is the following (for sysvolcheck in this case, I deleted some lines about loglevels being 5):
>>>
>>> INFO: Current debug levels:
>>>     all: 5
>>> Processing section "[netlogon]"
>>> Processing section "[sysvol]"
>>> pm_process() returned Yes
>>> schema_fsmo_init: we are master[no] updates allowed[no]
>>> schema_fsmo_init: we are master[no] updates allowed[no]
>>> lp_load_ex: refreshing parameters
>>> Initialising global parameters
>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>>> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
>>> Processing section "[global]"
>>> doing parameter workgroup = EXAMPLE
>>> doing parameter realm = example.lan
>>> doing parameter netbios name = DC2
>>> doing parameter server role = active directory domain controller
>>> doing parameter log level = 5
>>> INFO: Current debug levels:
>>>     all: 5
>>> doing parameter idmap_ldb:use rfc2307 = yes
>>> Processing section "[netlogon]"
>>> doing parameter path = /var/lib/samba/sysvol/example.lan/scripts
>>> doing parameter read only = No
>>> Processing section "[sysvol]"
>>> doing parameter path = /var/lib/samba/sysvol
>>> doing parameter read only = No
>>> pm_process() returned Yes
>>> Attempting to register passdb backend smbpasswd
>>> Successfully added passdb backend 'smbpasswd'
>>> Attempting to register passdb backend tdbsam
>>> Successfully added passdb backend 'tdbsam'
>>> Attempting to register passdb backend wbc_sam
>>> Successfully added passdb backend 'wbc_sam'
>>> Attempting to register passdb backend samba_dsdb
>>> Successfully added passdb backend 'samba_dsdb'
>>> Attempting to register passdb backend samba4
>>> Successfully added passdb backend 'samba4'
>>> Attempting to register passdb backend ldapsam
>>> Successfully added passdb backend 'ldapsam'
>>> Attempting to register passdb backend NDS_ldapsam
>>> Successfully added passdb backend 'NDS_ldapsam'
>>> Attempting to register passdb backend IPA_ldapsam
>>> Successfully added passdb backend 'IPA_ldapsam'
>>> Attempting to find a passdb backend to match samba_dsdb:tdb:///var/lib/samba/private/sam.ldb (samba_dsdb)
>>> Found pdb backend samba_dsdb
>>> ldb_wrap open of idmap.ldb
>>> pdb backend samba_dsdb:tdb:///var/lib/samba/private/sam.ldb has a valid init
>>> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
>>>     File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>       return self.run(*args, **kwargs)
>>>     File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 249, in run
>>>       lp)
>>>     File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
>>>       direct_db_access)
>>>     File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
>>>       domainsid, direct_db_access)
>>>     File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
>>>       fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>>>     File "/usr/lib64/python2.6/site-packages/samba/ntacls.py", line 73, in getntacl
>>>       xattr.XATTR_NTACL_NAME)
>>>
>>> For provisioning and joining I strictly followed the HowTos on the samba Wiki. I used the following commands:
>>>
>>> samba-tool domain provision --use-rfc2307 --interactive --option="interfaces=lo eth0" --option="bind interfaces only=yes" (provisioning on DC1)
>>>
>>> samba-tool domain join example.lan DC -Uadministrator --realm=example.lan --dns-backend=SAMBA_INTERNAL --option="interfaces=lo eth0" --option="bind interfaces only=yes" (joining DC2)
>>>
>>> I just came to the problem because I wanted to sync the sysvol between the two DCs. But then I got this error-message on DC2.
>>> My first thought was that something was wrong with the imported file, so I started the procedure again, to see if I get the same error-message without importing the data from DC1.
>>>
>>> Regards
>>> Stephan
>> Strange, it seems to be saying that you do not have a sysvol directory.
>>
>> What does 'ls -la /var/lib/samba/sysvol/' show ?
>>
>> and 'getfacl /var/lib/samba/sysvol'
>>
>> Rowland
>>
>>
> [root at dc2 ~]# ls -alh /var/lib/samba/sysvol/
> total 20K
> drwxrwx---+  3 root 3000000 4.0K May 26 10:37 .
> drwxr-xr-x. 10 root root    4.0K May 20 15:28 ..
> drwxrwx---+  4 root 3000000 4.0K May 21 14:51 example.lan
>
> [root at dc2 ~]# getfacl /var/lib/samba/sysvol
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> I did even try copying the Policies folder from DC1 to DC2 because I thought this might be the missing folder, but this also does not help.
>
> Stephan

OK, the above results look ok to me, so I had a look on a test setup I 
have up and running and on the second DC (running sernet-samba 4.2.1) I 
found this:

root at testdc2:~# ls -la /var/lib/samba/sysvol/
total 12
drwxr-xr-x  3 root root 4096 May 12 14:40 .
drwxr-xr-x 10 root root 4096 May 26 09:55 ..
drwxr-xr-x  3 root root 4096 May 12 14:40 sambadom.example.com
root at testdc2:~# getfacl /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

It doesn't seem to have any ACLs

So I tried to check them:

root at testdc2:~# samba-tool ntacl sysvolcheck
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (61, 'No data available')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
     lp)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1721, in checksysvolacl
     fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 73, in getntacl
     xattr.XATTR_NTACL_NAME)

Hmm, that doesn't look good, tried to reset them (or in this case set them):

root at testdc2:~# samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 218, in run
     lp, use_ntvfs=use_ntvfs)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1616, in setsysvolacl
     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1509, in set_gpos_acl
     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 154, in setntacl
     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

Well that doesn't appear to have worked, tried restarting samba, checked 
smb.conf etc, but when I looked at the dir again, I found this:

root at testdc2:~# ls -la /var/lib/samba/sysvol/
total 20
drwxrwx---+  3 root 3000000 4096 May 26 13:20 .
drwxr-xr-x  10 root root    4096 May 26 13:20 ..
drwxrwx---+  3 root 3000000 4096 May 12 14:40 sambadom.example.com
root at testdc2:~# getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000007:r-x
user:3000008:rwx
user:3000009:r-x
group::rwx
group:3000000:rwx
group:3000007:r-x
group:3000008:rwx
group:3000009:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000007:r-x
default:user:3000008:rwx
default:user:3000009:r-x
default:group::---
default:group:3000000:rwx
default:group:3000007:r-x
default:group:3000008:rwx
default:group:3000009:r-x
default:mask::rwx
default:other::---

What! It now has ACLs, tried to check them again:

root at testdc2:~# samba-tool ntacl sysvolcheck
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
     lp)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
     direct_db_access)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1666, in check_gpos_acl
     direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 73, in getntacl
     xattr.XATTR_NTACL_NAME)

I am now beginning to think this is a samba-tool problem and there isn't 
anything actually wrong with sysvol.

Rowland
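The sysvolcheck tracebacks in this thread all end in a getxattr() call on the NT ACL attribute, but with different errno values: 61 ('No data available') when the path exists without the attribute, and 2 ('No such file or directory') when a path is missing. The following check is an added example, not code from the thread or from Samba: it reads the same xattr (security.NTACL, the value of Samba's XATTR_NTACL_NAME) for every entry under a sysvol tree and reports which of those states each entry is in, instead of stopping at the first exception as samba-tool does. It assumes Linux, a filesystem with xattr support, and, on a real DC, running as root.

```python
import errno
import os

# Extended attribute in which Samba stores the NT security descriptor
# of a path (samba-tool reads it as xattr.XATTR_NTACL_NAME).
NTACL_XATTR = "security.NTACL"


def ntacl_status(path, name=NTACL_XATTR):
    """Classify what reading the NT ACL xattr on `path` reports.

    Returns "present", "no-ntacl" (errno 61, 'No data available': the
    path exists but carries no NT ACL), "no-path" (errno 2, 'No such
    file or directory'), "unsupported" (no xattr support on this
    filesystem or Python build) or "denied" (no permission to read it).
    """
    if not hasattr(os, "getxattr"):  # os.getxattr exists on Linux only
        return "unsupported"
    try:
        os.getxattr(path, name, follow_symlinks=False)
    except OSError as e:
        if e.errno == errno.ENODATA:
            return "no-ntacl"
        if e.errno == errno.ENOENT:
            return "no-path"
        if e.errno in (getattr(errno, "ENOTSUP", None), errno.EOPNOTSUPP):
            return "unsupported"
        if e.errno in (errno.EACCES, errno.EPERM):
            return "denied"
        raise
    return "present"


def scan_sysvol(sysvol):
    """Walk a sysvol tree and map each entry (relative path) to its status.

    A whole-tree view shows whether only some entries lack the NT ACL
    (e.g. a Policies folder copied in from another DC) or all of them.
    """
    if not os.path.isdir(sysvol):
        return {".": "no-path"}
    results = {}
    for dirpath, _dirnames, filenames in os.walk(sysvol):
        entries = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for entry in entries:
            results[os.path.relpath(entry, sysvol)] = ntacl_status(entry)
    return results


if __name__ == "__main__":
    for rel, status in sorted(scan_sysvol("/var/lib/samba/sysvol").items()):
        print("%-12s %s" % (status, rel))
```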


