[Samba] since i added second DC i have some trouble
J. Echter
j.echter at echter-kuechen-elektro.de
Tue Jun 14 17:24:23 UTC 2016
On 14.06.2016 at 19:16, Rowland penny wrote:
> On 14/06/16 17:38, J. Echter wrote:
>> Hi,
>>
>> I provisioned a domain and all went well, until I added the second DC....
>>
>> for example:
>>
>> the new DC2 tells me:
>>
>> getfacl /usr/local/samba/var/locks/sysvol
>>
>> # file: usr/local/samba/var/locks/sysvol
>> # owner: root
>> # group: BUILTIN\134administrators
>> user::rwx
>> user:root:rwx
>> user:BUILTIN\134administrators:rwx
>> user:BUILTIN\134users:r-x
>> user:ELEMAY\134guest:rwx
>> user:ELEMAY\134domain\040guests:r-x
>> group::rwx
>> group:BUILTIN\134administrators:rwx
>> group:BUILTIN\134users:r-x
>> group:ELEMAY\134guest:rwx
>> group:ELEMAY\134domain\040guests:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:BUILTIN\134administrators:rwx
>> default:user:BUILTIN\134users:r-x
>> default:user:ELEMAY\134guest:rwx
>> default:user:ELEMAY\134domain\040guests:r-x
>> default:group::---
>> default:group:BUILTIN\134administrators:rwx
>> default:group:BUILTIN\134users:r-x
>> default:group:ELEMAY\134guest:rwx
>> default:group:ELEMAY\134domain\040guests:r-x
>> default:mask::rwx
>> default:other::---
>>
>>
>> the old DC1 tells me:
>>
>> # file: usr/local/samba/var/locks/sysvol
>> # owner: root
>> # group: BUILTIN\134administrators
>> user::rwx
>> user:root:rwx
>> user:BUILTIN\134administrators:rwx
>> user:BUILTIN\134server\040operators:r-x
>> user:3000002:rwx
>> user:3000003:r-x
>> group::rwx
>> group:BUILTIN\134administrators:rwx
>> group:BUILTIN\134server\040operators:r-x
>> group:3000002:rwx
>> group:3000003:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:BUILTIN\134administrators:rwx
>> default:user:BUILTIN\134server\040operators:r-x
>> default:user:3000002:rwx
>> default:user:3000003:r-x
>> default:group::---
>> default:group:BUILTIN\134administrators:rwx
>> default:group:BUILTIN\134server\040operators:r-x
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:mask::rwx
>> default:other::---
>>
>> smb.conf is identical:
>>
>> DC2:
>>
>> testparm
>> Load smb config files from /usr/local/samba/etc/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Loaded services file OK.
>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>
>> Press enter to see a dump of your service definitions
>>
>> # Global parameters
>> [global]
>> realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
>> workgroup = ELEMAY
>> dns forwarder = 192.168.0.1
>> passdb backend = samba_dsdb
>> server role = active directory domain controller
>> winbind enum groups = Yes
>> winbind enum users = Yes
>> winbind nss info = rfc2307
>> rpc_server:tcpip = no
>> rpc_daemon:spoolssd = embedded
>> rpc_server:spoolss = embedded
>> rpc_server:winreg = embedded
>> rpc_server:ntsvcs = embedded
>> rpc_server:eventlog = embedded
>> rpc_server:srvsvc = embedded
>> rpc_server:svcctl = embedded
>> rpc_server:default = external
>> winbindd:use external pipes = true
>> idmap config elemay:range = 10000-99999
>> idmap config elemay:schema_mode = rfc2307
>> idmap config elemay:backend = ad
>> idmap config *:range = 2000-9999
>> idmap_ldb:use rfc2307 = yes
>> idmap config * : backend = tdb
>> map archive = No
>> map readonly = no
>> store dos attributes = Yes
>> vfs objects = dfs_samba4 acl_xattr
>>
>>
>> [netlogon]
>> path =
>> /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
>>
>> read only = No
>>
>>
>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>>
>>
>> DC1:
>>
>> testparm
>> Load smb config files from /usr/local/samba/etc/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Processing section "[Profiles]"
>> Loaded services file OK.
>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>
>> Press enter to see a dump of your service definitions
>>
>> # Global parameters
>> [global]
>> realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
>> workgroup = ELEMAY
>> dns forwarder = 192.168.0.1
>> passdb backend = samba_dsdb
>> server role = active directory domain controller
>> winbind enum groups = Yes
>> winbind enum users = Yes
>> winbind nss info = rfc2307
>> rpc_server:tcpip = no
>> rpc_daemon:spoolssd = embedded
>> rpc_server:spoolss = embedded
>> rpc_server:winreg = embedded
>> rpc_server:ntsvcs = embedded
>> rpc_server:eventlog = embedded
>> rpc_server:srvsvc = embedded
>> rpc_server:svcctl = embedded
>> rpc_server:default = external
>> winbindd:use external pipes = true
>> idmap config elemay:range = 10000-99999
>> idmap config elemay:schema_mode = rfc2307
>> idmap config elemay:backend = ad
>> idmap config *:range = 2000-9999
>> idmap_ldb:use rfc2307 = yes
>> idmap config * : backend = tdb
>> map archive = No
>> map readonly = no
>> store dos attributes = Yes
>> vfs objects = dfs_samba4 acl_xattr
>>
>>
>> [netlogon]
>> path =
>> /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
>>
>> read only = No
>>
>>
>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>>
>>
>> [Profiles]
>> path = /srv/samba/Profiles/
>> csc policy = disable
>> profile acls = Yes
>> create mask = 0600
>> directory mask = 0700
>> read only = No
>>
>> getent passwd:
>>
>> works on both and shows me domain users, for example:
>>
>> dc2:
>>
>> ELEMAY\guest:*:3000002:100::/home/ELEMAY/guest:/bin/false
>>
>>
>> dc1:
>>
>> ELEMAY\guest:*:3000011:100::/home/ELEMAY/guest:/bin/false
>>
>> but, as you see, it has different numbers.
>>
>>
>>
>> what went wrong here?
>>
>>
>> thanks
>>
>> juergen
>>
>
> Nothing, you just seem to be running into the same problem that a couple
> of others have: idmap.ldb can be, and usually is, different between DCs.
>
> That makes three users this week and it is only Tuesday :-D
>
> You can copy idmap.ldb from the first DC to any others, you would then
> need to run 'samba-tool ntacl sysvolreset' on the other DCs and then
> keep the idmap.ldb files in sync.
>
> Rowland
>
>
Hi,
I recognized that some other people may have the same situation :) But I
already posted...
So my problem was that I can't add GPO rules to my computers/users;
Windows (gpupdate) told me that gpt.ini couldn't be read on one of the
servers.
I checked everything I know, and that is not much, and came to the
conclusion that the problem must be the wrong ACLs on my sysvol.
I have set up an rsync sysvol replication from DC1 -> DC2.
I read here that sharing files is a 'no go', but I do share files on
DC1. My profiles. I will move them to a NAS later on...
Does the above problem cause the issue I mentioned?
Or am I following the totally wrong way?
I would appreciate some enlightenment :D
Any information you need I will provide happily :)
Thanks.
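An added check, not part of this thread or of Samba, that parses getfacl dumps like the two quoted above and flags what they show: qualifiers that are bare xids the local idmap.ldb no longer resolves to a name, and principals named on one DC but not the other. The sample dumps are abridged from the thread's getfacl output; the function names and temp files are the script's own.

```shell
#!/bin/sh
# Added example, not from the thread: scan getfacl dumps of sysvol from two DCs
# for the symptoms shown above: a bare number as qualifier (user:3000002:rwx)
# is an xid this DC's idmap.ldb no longer maps to a name, and a principal named
# on one DC only means the two idmap.ldb files have diverged.
LC_ALL=C; export LC_ALL
# Numeric (unresolved) qualifiers of user/group entries, deduplicated.
unresolved_xids() {
    awk -F: '/^#/ || NF < 3 { next }
             { q = ($1 == "default") ? $3 : $2
               if (q ~ /^[0-9]+$/) print q }' | sort -u
}
# Named principals of user/group entries, sorted for comm(1).
named_principals() {
    awk -F: '/^#/ || NF < 3 { next }
             { q = ($1 == "default") ? $3 : $2
               if (q != "" && q !~ /^[0-9]+$/) print q }' | sort -u
}
# Principals named in dump file $1 but absent from dump file $2.
missing_from() {
    a=$(mktemp); b=$(mktemp)
    named_principals < "$1" > "$a"
    named_principals < "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}
# Sample dumps, abridged from the getfacl output quoted in the thread.
DC1_FILE=$(mktemp); DC2_FILE=$(mktemp)
printf '%s\n' '# file: usr/local/samba/var/locks/sysvol
user::rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
group:3000003:r-x
default:user:3000002:rwx
mask::rwx' > "$DC1_FILE"
printf '%s\n' '# file: usr/local/samba/var/locks/sysvol
user::rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134users:r-x
user:ELEMAY\134guest:rwx
group:ELEMAY\134domain\040guests:r-x
default:user:ELEMAY\134guest:rwx
mask::rwx' > "$DC2_FILE"
echo "DC1 unresolved xids:"; unresolved_xids < "$DC1_FILE"
echo "named on DC2 but not on DC1:"; missing_from "$DC2_FILE" "$DC1_FILE"
echo "named on DC1 but not on DC2:"; missing_from "$DC1_FILE" "$DC2_FILE"
```

Run it against real dumps by replacing the two sample files with `getfacl /usr/local/samba/var/locks/sysvol` captured on each DC; any line under "unresolved xids" on a DC is an entry that DC cannot map back to a SID, which is what `samba-tool ntacl sysvolreset` rewrites after idmap.ldb has been made identical.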