[Samba] smb.conf different between first DC and replica DC

Brian Candler b.candler at pobox.com
Mon Dec 12 21:50:16 UTC 2016 

Rowland Penny wrote:
>>> Now, I think it's worked OK. However I see there are two lines in
>>> smb.conf on the first server which aren't in the second server:
>>>
>>>       idmap_ldb:use rfc2307 = yes
>>>       xattr_tdb:file = /usr/local/samba/var/locks/xattr.tdb
>>>
>>> Should I add these to the second machine?
>> In theory yes, but the presence of the second line shows you are not
>> using the system ACLs, you are using a tdb file. You may have to run
>> the provision again;-)
I think I know what happened - I had forgotten to delete smb.conf before 
re-running the provisioning step. (Previously I had provisioned in an 
unprivileged lxd container, and that was why Samba was trying to use the 
xattr_tdb file)

Andrew Bartlett wrote:
> There is no need to re-run provision.  Just take out that line and run
> the 'samba-tool ntacl sysvolreset' command (assuming no shares other
> than [sysvol] and [netlogon] are used).
That's really helpful, thank you. All looks good now.

Aside: I had to rsync the sysvol over first, otherwise I got an exception:

root at wrn-dc2:~# samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
line 176, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
line 239, in run
     lp, use_ntvfs=use_ntvfs)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
line 1609, in setsysvolacl
     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, 
use_ntvfs, passdb=s4_passdb)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
line 1502, in set_gpos_acl
     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, 
service=SYSVOL_SERVICE)
   File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", 
line 162, in setntacl
     smbd.set_nt_acl(file, security.SECINFO_OWNER | 
security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, 
sd, service=service)

Using strace showed it was trying to access 
/usr/local/samba/var/locks/sysvol/ad.example.net/Policies/ which didn't 
exist yet.

Cheers,

Brian.

More information about the samba mailing list