[Samba] Setting up Second Samba DC samba-tool ntacl sysvolreset fails

Rowland Penny rpenny at samba.org
Mon Nov 13 09:43:59 UTC 2017


On Mon, 13 Nov 2017 09:59:23 +0100
Sina Owolabi via samba <samba at lists.samba.org> wrote:

> Hi List!
> 
> I am working my way through getting familiar with samba and I have two
> domain controllers now with an additional samba file server.
> The servers are CentOS 7.4.1708;
>  the domain controllers are built from source with samba-4.7.1;
>  and the file server, installed winbind, smb and nmb from CentOS
> repos.
> 
> My problem is after bringing up the second domain controller and
> successfully joining it to the domain, as the wiki directs I tried to
> run samba-tool ntacl sysvolreset and this fails.
> 
> [root at testdc2 private]# samba-tool ntacl sysvolreset
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed}
> The requested operation was unsuccessful.')
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
> line 239, in run lp, use_ntvfs=use_ntvfs)
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid,
> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1502, in set_gpos_acl use_ntvfs=use_ntvfs,
> skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/ntacls.py",
> line 162, in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER |
> security.SECINFO_GROUP | security.SECINFO_DACL |
> security.SECINFO_SACL, sd, service=service)
> 
> Please what am I doing wrong?

Have you added any other GPOs to your first DC?
If so, you need to 'sync' them to the second DC.

> 
> 
> "Primary" DC config file:
> 
> # Global parameters
> [global]
>         dns forwarder = 8.8.8.8
>         netbios name = TESTBOX
>         realm = SAMDOM.TESTING.COM
>         server role = active directory domain controller
>         workgroup = SAMDOM
>         idmap_ldb:use rfc2307 = yes
>         log file = /var/log/samba/%m.log
>         log level = 3
>         tls enabled = yes
>         winbind enum groups = Yes
>         winbind enum users = Yes

You should remove the two lines above; you do not need them.

> 
>         template shell = /bin/bash
>         template homedir = /share/%U
> 
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
>         read only = No
> 
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
> 
> New DC config file:
> # Global parameters
> [global]
>         netbios name = TESTDC2
>         realm = SAMDOM.TESTING.COM
>         server role = active directory domain controller
>         workgroup = SAMDOM

You need to add 'idmap_ldb:use rfc2307 = yes'.

Rowland
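The failure quoted above ("open: error=2 (No such file or directory)" from smbd.set_nt_acl) is what sysvolreset produces when a GPO exists as an object in AD but has no matching directory under sysvol on the DC where the command runs, which is exactly the situation Rowland's reply points at: Samba replicates the directory, but not the sysvol file tree. The script below is an added example, not code from this thread or from the Samba project, that checks a DC's sysvol for missing GPO directories before running sysvolreset. It assumes the `samba-tool gpo listall` output format shown in the constructed sample (one `GPO : {GUID}` line per policy), the sysvol path and domain name from the configs in the thread, and that rsync's `-X`/`-A` flags are how you carry xattrs (where Samba stores NT ACLs) and POSIX ACLs across; the custom GPO GUID in the sample is constructed.

```shell
#!/bin/sh
# Added example: check a second DC's sysvol for GPO directories that exist in
# AD but not on disk, the condition that makes 'samba-tool ntacl sysvolreset'
# fail with "open: error=2 (No such file or directory)". Samba does not
# replicate sysvol, so a DC joined after GPOs were created on the first DC
# has only whatever it was given at join time.

# Pull the GPO GUIDs ({...}) out of 'samba-tool gpo listall' output on stdin.
# Assumes the "GPO          : {GUID}" line format; prints one GUID per line.
gpo_guids_from_listall() {
    sed -n 's/^GPO[[:space:]]*:[[:space:]]*\({[^}]*}\).*/\1/p'
}

# Read GUIDs from stdin and print those with no directory under $1
# (the .../sysvol/<domain>/Policies directory of this DC).
missing_gpo_dirs() {
    policies_dir=$1
    while IFS= read -r guid; do
        [ -n "$guid" ] || continue
        [ -d "$policies_dir/$guid" ] || printf '%s\n' "$guid"
    done
}

# Constructed sample of 'samba-tool gpo listall' output: the two default GPOs
# every AD domain has, plus one custom GPO created on the first DC. The custom
# GUID is made up for this example.
SAMPLE_LISTALL='GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\samdom.testing.com\sysvol\samdom.testing.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=testing,DC=com
version      : 0
flags        : NONE

GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path         : \\samdom.testing.com\sysvol\samdom.testing.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=testing,DC=com
version      : 0
flags        : NONE

GPO          : {DEADBEEF-0000-4000-8000-000000000001}
display name : Custom policy created on first DC (constructed)
path         : \\samdom.testing.com\sysvol\samdom.testing.com\Policies\{DEADBEEF-0000-4000-8000-000000000001}
dn           : CN={DEADBEEF-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=samdom,DC=testing,DC=com
version      : 1
flags        : NONE
'

# Build a constructed sysvol tree holding only the two default GPOs, as a
# freshly joined DC's does, and print the GUIDs that AD knows but the tree lacks.
demo_missing_on_new_dc() {
    tmp=$(mktemp -d)
    policies="$tmp/sysvol/samdom.testing.com/Policies"
    mkdir -p "$policies/{31B2F340-016D-11D2-945F-00C04FB984F9}" \
             "$policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}"
    printf '%s\n' "$SAMPLE_LISTALL" | gpo_guids_from_listall | missing_gpo_dirs "$policies"
    rm -rf "$tmp"
}

# On a real second DC (not run here; paths taken from the thread's smb.conf):
#   samba-tool gpo listall | gpo_guids_from_listall \
#     | missing_gpo_dirs /usr/local/samba/var/locks/sysvol/samdom.testing.com/Policies
# If anything is listed, copy sysvol from the first DC as root, keeping xattrs
# (-X, where Samba stores NT ACLs) and POSIX ACLs (-A), then reset the ACLs:
#   rsync -aXAv --delete-after root@testbox:/usr/local/samba/var/locks/sysvol/ \
#         /usr/local/samba/var/locks/sysvol/
#   samba-tool ntacl sysvolreset

demo_missing_on_new_dc
```

Running the block prints the one constructed GUID that is missing from the sample tree; on a real DC an empty result means sysvolreset has a directory for every GPO object it will try to open. The rsync direction matters: copy from the DC where GPOs are edited toward the others, and keep doing so (cron or a post-edit hook) because every GPO change on one DC recreates the same gap on the rest.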
