[Samba] Unable_to_migrate_shares_from_AD_to_file_server

Srikar Somineni srikars at vedams.com
Wed May 31 16:02:32 UTC 2017


Hi All,
        I am trying to migrate shares from my Win2k12 R2 AD
server (SJCLAB2.LOCAL) to an Ubuntu 16.04 Samba fileserver present in the same
domain. Samba version is 4.3.11-Ubuntu.
Before migrating shares I was able to successfully join the fileserver to
Active Directory.

Below is my samba server configuration.
#======================= Global Settings =======================

[global]


   workgroup = SJCLAB2
   security = ADS
   realm = SJCLAB2.LOCAL
   wins server = SJCLAB2.LOCAL
   password server = SJCLAB2.LOCAL
   server string = %h server (Samba, Ubuntu)
   domain master = no
   local master = no
   preferred master = no
   printcap name = /etc/printcap
   load printers = no
   dns proxy = no
   interfaces = 127.0.0.0/8 ens4
   bind interfaces only = yes
   log file = /var/log/samba/log.%m
   log level = 10
   max log size = 1000
   panic action = /usr/share/samba/panic-action %d
   server role = member server
   passdb backend = tdbsam
   map untrusted to domain = Yes
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user

############ Misc ############
   template shell = /bin/bash
   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = yes
   restrict anonymous = 2
    idmap config *:backend = tdb
    idmap config *:range = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    # This way users log in with username instead of username at example.org
    winbind use default domain = yes
    # Inherit groups in groups
    winbind nested groups = yes
    winbind refresh tickets = yes
    winbind offline logon = true

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = no

[sjc_demouser2]    --------------------> Share present on AD and created on file server
  browseable = yes
  users=@SJCLAB2/administrator
  force unknown acl user = yes
  writable = yes
  create mask = 0700
  directory mask = 0770
  acl group control = yes
  acl check permissions = True
  nt acl support = yes
  force directory security mode = 770
  inherit permissions = yes
  inherit acls = yes
  inherit owner = no
  map acl inherit = yes
  path = /home/sjc_demouser2
  dos filemode = yes
  vfs objects = acl_xattr


After joining I tried to migrate shares on my AD to fileserver using "net
rpc" while preserving acls with the below command.

#net rpc share migrate shares sjc_demouser2 -U administrator -S sjclab2.local --destination=localhost --acls -v -d=10

After running the above command I got the error "WERR_ACCESS_DENIED".
Below is the snippet of debug message that got generated.
rpc_api_pipe: host localhost
signed SMB2 message
rpc_read_send: data_to_read: 20
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_RESPONSE (2)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST
               1: DCERPC_PFC_FLAG_LAST
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0024 (36)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000008 (8)
        u                        : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint               : 0x0000000c (12)
            context_id               : 0x0000 (0)
            cancel_count             : 0x00 (0)
            _pad                     : DATA_BLOB length=1
[0000] 00                                                 .
            stub_and_verifier        : DATA_BLOB length=12
[0000] 1C 00 02 00 00 00 00 00   05 00 00 00               ........ ....
Got pdu len 36, data_len 12
rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
rpc_api_pipe: host localhost returned 12 bytes.
     srvsvc_NetShareAdd: struct srvsvc_NetShareAdd
        out: struct srvsvc_NetShareAdd
            parm_error               : *
                parm_error               : 0x00000000 (0)
            result                   : WERR_ACCESS_DENIED
cannot add share: WERR_ACCESS_DENIED
signed SMB2 message
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
signed SMB2 message
return code = -1
Freeing parametrics:

Later I tried "net rpc share migrate files"
#net rpc share migrate files sjc_demouser2 -U administrator -S sjclab2.local destination=localhost --acls -v -d=10
Observed that I was able to migrate files from my AD share to fileserver
share but when directories are migrated, I got the error
"NT_STATUS_REVISION_MISMATCH".
Below is the snippet of debug message that got generated.

signed SMB2 message
signed SMB2 message
signed SMB2 message
signed SMB2 message
signed SMB2 message
got mask: \*, name: tst
got dir: tst
opening dir \tst on originating server
signed SMB2 message
creating dir \tst on the destination server
signed SMB2 message
signed SMB2 message
cannot check for directory \tst: NT_STATUS_REVISION_MISMATCH
signed SMB2 message
signed SMB2 message
listing \* failed with error: NT_STATUS_REVISION_MISMATCH
could not handle files for share: sjc_demouser2
rpc command function failed! (NT_STATUS_REVISION_MISMATCH)
signed SMB2 message
return code = -1
Freeing parametrics:

Can someone please tell me why I was unable to migrate shares using net rpc
and got the error "WERR_ACCESS_DENIED"?
Also please tell me why I got the error "NT_STATUS_REVISION_MISMATCH" when
the migrate files command was run on a share containing directories?

Please excuse me for the lengthy text. Thanks in advance.

Regards,
S.Srikar.
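
The 12-byte stub_and_verifier blob in the first debug trace can be decoded by hand to confirm what the destination server returned. The following is an added example, not part of the original post or of Samba's code: the function names are hypothetical, and the reply layout (unique pointer to parm_error, then the WERROR result) follows the srvsvc interface definition for NetShareAdd.

```python
import re
import struct

# Constructed input: the stub hex-dump line copied from the debug output above.
STUB_DUMP = "[0000] 1C 00 02 00 00 00 00 00   05 00 00 00               ........ ...."

# Only the two Win32 error codes relevant here; not a full WERROR table.
WERR_NAMES = {0x00000000: "WERR_OK", 0x00000005: "WERR_ACCESS_DENIED"}


def parse_dump(text):
    """Turn Samba hex-dump lines ('[offset] HH HH ...  ascii') into bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*\[[0-9A-Fa-f]{4}\]\s+(.*)", line)
        if not m:
            continue
        # At most 16 bytes per line; stop at the first token that is not a
        # hex pair, which is where the ASCII column starts.
        for tok in m.group(1).split()[:16]:
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def decode_netshareadd_reply(stub, drep0=0x10):
    """Decode the NDR reply stub of srvsvc_NetShareAdd."""
    endian = "<" if drep0 & 0x10 else ">"  # drep[0] = 0x10 means little-endian
    if len(stub) < 8:
        raise ValueError("stub too short: %d bytes" % len(stub))
    (referent,) = struct.unpack_from(endian + "I", stub, 0)
    off, parm_error = 4, None
    if referent != 0:  # a NULL unique pointer carries no value on the wire
        (parm_error,) = struct.unpack_from(endian + "I", stub, off)
        off += 4
    if len(stub) != off + 4:
        raise ValueError("unexpected stub length %d" % len(stub))
    (result,) = struct.unpack_from(endian + "I", stub, off)
    return {"referent_id": referent, "parm_error": parm_error,
            "result": result,
            "result_name": WERR_NAMES.get(result, "0x%08x" % result)}


if __name__ == "__main__":
    print(decode_netshareadd_reply(parse_dump(STUB_DUMP)))
```

The trailing 05 00 00 00 is the Win32 error code 5, which matches the "result : WERR_ACCESS_DENIED" line that the net tool printed for the same reply.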

