[Samba] since i added second DC i have some trouble

J. Echter j.echter at echter-kuechen-elektro.de
Tue Jun 14 17:24:23 UTC 2016


On 14.06.2016 at 19:16, Rowland penny wrote:
> On 14/06/16 17:38, J. Echter wrote:
>> Hi,
>>
>> I provisioned a domain and all went well, until I added the second DC....
>>
>> for example:
>>
>> the new DC2 tells me:
>>
>> getfacl /usr/local/samba/var/locks/sysvol
>>
>> # file: usr/local/samba/var/locks/sysvol
>> # owner: root
>> # group: BUILTIN\134administrators
>> user::rwx
>> user:root:rwx
>> user:BUILTIN\134administrators:rwx
>> user:BUILTIN\134users:r-x
>> user:ELEMAY\134guest:rwx
>> user:ELEMAY\134domain\040guests:r-x
>> group::rwx
>> group:BUILTIN\134administrators:rwx
>> group:BUILTIN\134users:r-x
>> group:ELEMAY\134guest:rwx
>> group:ELEMAY\134domain\040guests:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:BUILTIN\134administrators:rwx
>> default:user:BUILTIN\134users:r-x
>> default:user:ELEMAY\134guest:rwx
>> default:user:ELEMAY\134domain\040guests:r-x
>> default:group::---
>> default:group:BUILTIN\134administrators:rwx
>> default:group:BUILTIN\134users:r-x
>> default:group:ELEMAY\134guest:rwx
>> default:group:ELEMAY\134domain\040guests:r-x
>> default:mask::rwx
>> default:other::---
>>
>>
>> the old DC1 tells me:
>>
>> # file: usr/local/samba/var/locks/sysvol
>> # owner: root
>> # group: BUILTIN\134administrators
>> user::rwx
>> user:root:rwx
>> user:BUILTIN\134administrators:rwx
>> user:BUILTIN\134server\040operators:r-x
>> user:3000002:rwx
>> user:3000003:r-x
>> group::rwx
>> group:BUILTIN\134administrators:rwx
>> group:BUILTIN\134server\040operators:r-x
>> group:3000002:rwx
>> group:3000003:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:BUILTIN\134administrators:rwx
>> default:user:BUILTIN\134server\040operators:r-x
>> default:user:3000002:rwx
>> default:user:3000003:r-x
>> default:group::---
>> default:group:BUILTIN\134administrators:rwx
>> default:group:BUILTIN\134server\040operators:r-x
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:mask::rwx
>> default:other::---
>>
>> smb.conf is identical:
>>
>> DC2:
>>
>> testparm
>> Load smb config files from /usr/local/samba/etc/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Loaded services file OK.
>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>
>> Press enter to see a dump of your service definitions
>>
>> # Global parameters
>> [global]
>>          realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
>>          workgroup = ELEMAY
>>          dns forwarder = 192.168.0.1
>>          passdb backend = samba_dsdb
>>          server role = active directory domain controller
>>          winbind enum groups = Yes
>>          winbind enum users = Yes
>>          winbind nss info = rfc2307
>>          rpc_server:tcpip = no
>>          rpc_daemon:spoolssd = embedded
>>          rpc_server:spoolss = embedded
>>          rpc_server:winreg = embedded
>>          rpc_server:ntsvcs = embedded
>>          rpc_server:eventlog = embedded
>>          rpc_server:srvsvc = embedded
>>          rpc_server:svcctl = embedded
>>          rpc_server:default = external
>>          winbindd:use external pipes = true
>>          idmap config elemay:range = 10000-99999
>>          idmap config elemay:schema_mode = rfc2307
>>          idmap config elemay:backend = ad
>>          idmap config *:range = 2000-9999
>>          idmap_ldb:use rfc2307 = yes
>>          idmap config * : backend = tdb
>>          map archive = No
>>          map readonly = no
>>          store dos attributes = Yes
>>          vfs objects = dfs_samba4 acl_xattr
>>
>>
>> [netlogon]
>>          path = /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
>>          read only = No
>>
>>
>> [sysvol]
>>          path = /usr/local/samba/var/locks/sysvol
>>          read only = No
>>
>>
>> DC1:
>>
>> testparm
>> Load smb config files from /usr/local/samba/etc/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Processing section "[Profiles]"
>> Loaded services file OK.
>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>
>> Press enter to see a dump of your service definitions
>>
>> # Global parameters
>> [global]
>>          realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
>>          workgroup = ELEMAY
>>          dns forwarder = 192.168.0.1
>>          passdb backend = samba_dsdb
>>          server role = active directory domain controller
>>          winbind enum groups = Yes
>>          winbind enum users = Yes
>>          winbind nss info = rfc2307
>>          rpc_server:tcpip = no
>>          rpc_daemon:spoolssd = embedded
>>          rpc_server:spoolss = embedded
>>          rpc_server:winreg = embedded
>>          rpc_server:ntsvcs = embedded
>>          rpc_server:eventlog = embedded
>>          rpc_server:srvsvc = embedded
>>          rpc_server:svcctl = embedded
>>          rpc_server:default = external
>>          winbindd:use external pipes = true
>>          idmap config elemay:range = 10000-99999
>>          idmap config elemay:schema_mode = rfc2307
>>          idmap config elemay:backend = ad
>>          idmap config *:range = 2000-9999
>>          idmap_ldb:use rfc2307 = yes
>>          idmap config * : backend = tdb
>>          map archive = No
>>          map readonly = no
>>          store dos attributes = Yes
>>          vfs objects = dfs_samba4 acl_xattr
>>
>>
>> [netlogon]
>>          path = /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
>>          read only = No
>>
>>
>> [sysvol]
>>          path = /usr/local/samba/var/locks/sysvol
>>          read only = No
>>
>>
>> [Profiles]
>>          path = /srv/samba/Profiles/
>>          csc policy = disable
>>          profile acls = Yes
>>          create mask = 0600
>>          directory mask = 0700
>>          read only = No
>>
>> getent passwd:
>>
>> works on both and shows me domain users, for example:
>>
>> dc2:
>>
>> ELEMAY\guest:*:3000002:100::/home/ELEMAY/guest:/bin/false
>>
>>
>> dc1:
>>
>> ELEMAY\guest:*:3000011:100::/home/ELEMAY/guest:/bin/false
>>
>> But, as you see, it has different numbers.
>>
>>
>>
>> What went wrong here?
>>
>>
>> Thanks
>>
>> Juergen
>>
> 
> Nothing, you just seem to be running into the same problem that a couple
> of others have: idmap.ldb can be, and usually is, different between DCs.
> 
> That makes three users this week and it is only Tuesday :-D
> 
> You can copy idmap.ldb from the first DC to any others; you would then
> need to run 'samba-tool ntacl sysvolreset' on the other DCs and then
> keep the idmap.ldb files in sync.
> 
> Rowland
> 
> 

Hi,

I recognized that some other people may have the same situation :) But I
already posted...

So my problem was that I can't add GPO rules to my computers/users;
Windows (gpupdate) told me that gpt.ini couldn't be read on one of the
servers.

I checked everything I know, and that is not much, and came to the
conclusion that the problem must be the wrong ACLs on my sysvol.

I have set up an rsync sysvol replication from DC1 -> DC2.

I read here that sharing files is a 'no go', but I do share files on
DC1: my profiles. I will move them to a NAS later on...

Does the above problem cause the issue i mentioned?

Or am I going about this the totally wrong way?

I would appreciate some enlightenment :D

Any information you need I will provide happily :)

Thanks.
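As an added example (not from this thread or the Samba project): a small Python check that parses getfacl output from two DCs, flags ACL entries whose qualifier is a bare xidNumber (the unresolved 3000002/3000003 entries above, the sign that idmap.ldb on the reading DC differs from the DC that wrote the ACL) and reports how the sysvol ACL drifted between DC1 and DC2. The embedded listings are constructed, abridged copies of the two getfacl outputs quoted above.

```python
import re
# Constructed sample: abridged copies of the two getfacl listings quoted in the
# thread (the "default:" entries parse the same way and are omitted for space).
DC2_SYSVOL_ACL = """\
# file: usr/local/samba/var/locks/sysvol
user::rwx
user:root:rwx
user:BUILTIN\\134administrators:rwx
user:BUILTIN\\134users:r-x
user:ELEMAY\\134guest:rwx
user:ELEMAY\\134domain\\040guests:r-x
"""

DC1_SYSVOL_ACL = """\
# file: usr/local/samba/var/locks/sysvol
user::rwx
user:root:rwx
user:BUILTIN\\134administrators:rwx
user:BUILTIN\\134server\\040operators:r-x
user:3000002:rwx
user:3000003:r-x
"""

def _unescape(name):
    # getfacl writes special bytes as octal escapes: \134 is '\', \040 is ' '.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Map (tag, qualifier) -> perms for every non-comment getfacl entry."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        *tag, qualifier, perms = line.split(":")  # tag keeps a 'default:' prefix
        entries[(":".join(tag), _unescape(qualifier))] = perms
    return entries

def unmapped_ids(entries):
    """Bare numeric qualifiers: xidNumbers winbind could not resolve to a name,
    the symptom of idmap.ldb differing from the DC that wrote the ACL."""
    return {q for (_tag, q) in entries if q.isdigit()}

def acl_drift(reference, other):
    """Entries that differ between a reference DC and another DC."""
    missing = sorted(k for k in reference if k not in other)
    extra = sorted(k for k in other if k not in reference)
    changed = sorted(k for k in reference if k in other and reference[k] != other[k])
    return {"missing": missing, "extra": extra, "changed": changed}
```

Feed it `getfacl` output captured on each DC after copying idmap.ldb and running `samba-tool ntacl sysvolreset`; an empty drift result and no unmapped ids mean the two DCs agree on the sysvol ACL.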