[Samba] sysvol acl's broken beyond repair

Rowland Penny rowlandpenny241155 at gmail.com
Sun Oct 4 11:20:53 UTC 2015


On 04/10/15 12:00, Krutskikh Ivan wrote:
> ok, I've investigated the problem more closely. First of all, I didn't
> mention that I have 2 domain controllers: dc(initial) and bdc (backup).
> Rsync command
>
> /usr/bin/rsync -XAavz --delete-after dc:/usr/local/samba/var/locks/sysvol/*
> /usr/local/samba/var/locks/sysvol/
>
> fires every 5 minutes on bdc.
>
> However, if I try to gpupdate from bdc I get the above error. Gpupdating
> from dc works fine. The strangest thing is that when I try resetting sysvol
> on bdc I get
>
> root at bdc:/lib/systemd/system# samba-tool ntacl sysvolreset
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Module 'acl_xattr' loaded
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service Unknown Service (snum == -1)
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service Unknown Service (snum == -1)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service sysvol
>
> And more repeating lines about xattrs and idmap. I think this is due to
> some misconfiguration on bdc.
>
> 2015-10-03 18:46 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>
>> On 03/10/15 16:20, Krutskikh Ivan wrote:
>>
>>> Hm, can I fix it manually? Maybe sysvolcheck stumbles on the first error
>>> and misses something more severe later on.
>>>
>>> 2015-10-03 12:09 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>>>
>>>
>> You need to look further, I don't think your DC is broken, I think
>> sysvolcheck is broken. Try raising the log level on the DC to 10 and see if
>> anything pops up in the logs, also check the logs on the connecting PCs,
>> this may be a windows error.
>>
>>
>> Rowland
>>
>>

OK, first things first: you do not have a DC and a BDC, you have two DCs.
All DCs are equal apart from the FSMO roles.

Next, the DCs are not equal if they are Samba DCs :-)
They should be, but they aren't, because idmap.ldb is different on the
two DCs.

Have a look here:
https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory#GID_mappings_of_built-in_groups

Rowland
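The point Rowland makes is that the numeric uid/gid values rsync -A carries across in the POSIX ACLs and ownership of the sysvol tree only mean the same thing on both DCs if idmap.ldb maps each SID to the same xidNumber on both. The following script is an added example, not part of this thread or of Samba itself: it parses mapping records exported from two DCs and reports every SID whose numeric id differs, and shows which SID a given numeric id resolves to under each DC's mapping. The record shape assumes output in the style of `ldbsearch -H /usr/local/samba/private/idmap.ldb` (path and output layout are assumptions to be checked against your install); the SIDs and xidNumber values are constructed for the example.

```python
"""Detect SID -> xidNumber disagreements between two Samba DCs' idmap.ldb."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records in the shape of LDIF output from
# `ldbsearch -H /usr/local/samba/private/idmap.ldb` (an assumption about
# the tool's output; the values below are made up, not from the thread).
DC1_IDMAP = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN=S-1-5-21-1111-2222-3333-512
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_BOTH
xidNumber: 3000002
"""

# Same SIDs on the second DC, but the two built-in groups were allocated in
# the opposite order, so 3000000 and 3000001 swap meaning between the hosts.
DC2_IDMAP = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-512
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_BOTH
xidNumber: 3000002
"""


def parse_idmap(text: str) -> Dict[str, int]:
    """Return {objectSid: xidNumber} for every blank-line separated record."""
    mapping: Dict[str, int] = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, str] = {}
        for line in record.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs[key.strip()] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping


def compare_idmaps(a: Dict[str, int], b: Dict[str, int]) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """List (sid, xid_on_a, xid_on_b) for SIDs mapped differently or missing on one side."""
    problems = []
    for sid in sorted(set(a) | set(b)):
        xa, xb = a.get(sid), b.get(sid)
        if xa != xb:
            problems.append((sid, xa, xb))
    return problems


def resolve_xid(mapping: Dict[str, int], xid: int) -> Optional[str]:
    """Which SID does a numeric uid/gid (as seen on a synced file) stand for here?"""
    for sid, number in mapping.items():
        if number == xid:
            return sid
    return None


if __name__ == "__main__":
    dc1, dc2 = parse_idmap(DC1_IDMAP), parse_idmap(DC2_IDMAP)
    for sid, xa, xb in compare_idmaps(dc1, dc2):
        print(f"MISMATCH {sid}: dc1={xa} dc2={xb}")
    # A file rsynced from dc1 owned by gid 3000000 was meant for this SID...
    print("gid 3000000 on dc1 ->", resolve_xid(dc1, 3000000))
    # ...but on dc2 the same number belongs to a different group.
    print("gid 3000000 on dc2 ->", resolve_xid(dc2, 3000000))
```

Run the two ldbsearch exports through `parse_idmap` and any line from `compare_idmaps` means the rsync'd ownership and POSIX ACLs are being reinterpreted on the receiving DC; an empty list is what you want before trusting a sysvol sync.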