[Samba] Setting up Second Samba DC samba-tool ntacl sysvolreset fails

Sina Owolabi notify.sina at gmail.com
Mon Nov 13 23:12:11 UTC 2017 

Hi Rowland

I removed the winbind lines, and added the 'idmap_ldb:use rfc2307 =
yes' line to the second DC, and
rebooted the servers,  but the error does not go away.

First DC:
[global]
        dns forwarder = 8.8.8.8
        netbios name = TESTBOX
        realm = SAMDOM.TESTING.COM
        server role = active directory domain controller
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes
        log file = /var/log/samba/%m.log
        log level = 3
        tls enabled = yes

        template shell = /bin/bash
        template homedir = /share/%U

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

Second DC:
[global]
        netbios name = TESTDC2
        realm = SAMDOM.TESTING.COM
        server role = active directory domain controller
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes
        tls enabled = yes

        template shell = /bin/bash
        template homedir = /share/%U


[netlogon]
        path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[root at testdc2 private]# samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed}
The requested operation was unsuccessful.')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/ntacls.py",
line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER |
security.SECINFO_GROUP | security.SECINFO_DACL |
security.SECINFO_SACL, sd, service=service)

On Mon, Nov 13, 2017 at 10:43 AM, Rowland Penny <rpenny at samba.org> wrote:
> On Mon, 13 Nov 2017 09:59:23 +0100
> Sina Owolabi via samba <samba at lists.samba.org> wrote:
>
>> Hi List!
>>
>> I am working my way through getting familiar with samba and I have two
>> domain controllers now with an additional samba file server.
>> The servers are CentOS 7.4.1708;
>>  the domain controllers are built from source with samba-4.7.1;
>>  and the file server, installed winbind, smb and nmb from CentOS
>> repos.
>>
>> My problem is after bringing up the second domain controller and
>> successfully joining it to the domain, as the wiki directs I tried to
>> run samba-tool ntacl sysvolreset and this fails.
>>
>> [root at testdc2 private]# samba-tool ntacl sysvolreset
>> open: error=2 (No such file or directory)
>> ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed}
>> The requested operation was unsuccessful.')
>>   File
>> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
>> line 176, in _run return self.run(*args, **kwargs)
>>   File
>> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
>> line 239, in run lp, use_ntvfs=use_ntvfs)
>>   File
>> "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
>> line 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid,
>> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>>   File
>> "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
>> line 1502, in set_gpos_acl use_ntvfs=use_ntvfs,
>> skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>>   File
>> "/usr/local/samba/lib64/python2.7/site-packages/samba/ntacls.py",
>> line 162, in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER |
>> security.SECINFO_GROUP | security.SECINFO_DACL |
>> security.SECINFO_SACL, sd, service=service)
>>
>> Please what am I doing wrong?
>
> Have you added any other GPO's to your first DC ?
> If so, you need to 'sync' them to the second DC.
>
>>
>>
>> "Primary" DC config file:
>>
>> # Global parameters
>> [global]
>>         dns forwarder = 8.8.8.8
>>         netbios name = TESTBOX
>>         realm = SAMDOM.TESTING.COM
>>         server role = active directory domain controller
>>         workgroup = SAMDOM
>>         idmap_ldb:use rfc2307 = yes
>>         log file = /var/log/samba/%m.log
>>         log level = 3
>>         tls enabled = yes
>>         winbind enum groups = Yes
>>         winbind enum users = Yes
>
> You should remove the two lines above, you do not need them.
>
>>
>>         template shell = /bin/bash
>>         template homedir = /share/%U
>>
>> [netlogon]
>>         path
>> = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts read
>> only = No
>>
>> [sysvol]
>>         path = /usr/local/samba/var/locks/sysvol
>>         read only = No
>>
>> New DC config file:
>> # Global parameters
>> [global]
>>         netbios name = TESTDC2
>>         realm = SAMDOM.TESTING.COM
>>         server role = active directory domain controller
>>         workgroup = SAMDOM
>
> You need to add 'idmap_ldb:use rfc2307 = yes'
>
> Rowland

More information about the samba mailing list