[Samba] sysvolcheck on fresh samba 4.7 DCs

mj lists at merit.unu.edu
Thu Oct 26 09:38:19 UTC 2017


Hi,

I joined a new samba-4.7 DC to our AD, replicated everything over, then 
turned off the old DCs, seized fsmo roles, and added two extra 4.7 DCs.

Everything above succeeded without warnings, and everything seems to be 
running very well finally, except for the sysvolcheck / sysvolreset.

We're on xfs, and the File System Support checks on the samba wiki page 
all pass, although at the time of the domain join, I had not yet 
installed acl / xattr / attr. Not sure if these are required at join 
time, but anyway, no warning was given during the join.

I added those packages later, after discovering that "getfacl 
/var/lib/samba/sysvol" displayed no extended ACLs at all.

Next I tried samba-tool ntacl sysvolcheck:

> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> ldb_wrap open of idmap.ldb
> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1659, in check_gpos_acl
>     direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 81, in getntacl
>     xattr.XATTR_NTACL_NAME)

I thought I perhaps had to do sysvolreset first, but:

> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> ldb_wrap open of idmap.ldb
> lp_load_ex: refreshing parameters
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [acl_xattr]
> load_module_absolute_path: Module '/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded
> Initialising custom vfs hooks from [dfs_samba4]
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [acl_xattr]
> Initialising custom vfs hooks from [dfs_samba4]
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
> lp_load_ex: refreshing parameters
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> ldb_wrap open of idmap.ldb
> ldb_wrap open of idmap.ldb
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [acl_xattr]
> Initialising custom vfs hooks from [dfs_samba4]
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> unpack_nt_owners: owner sid mapped to uid 0
> unpack_nt_owners: group sid mapped to gid 3000000
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [acl_xattr]
> Initialising custom vfs hooks from [dfs_samba4]
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> unpack_nt_owners: owner sid mapped to uid 0
> unpack_nt_owners: group sid mapped to gid 3000000
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [acl_xattr]
> Initialising custom vfs hooks from [dfs_samba4]
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> unpack_nt_owners: owner sid mapped to uid 0
> unpack_nt_owners: group sid mapped to gid 3000000
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [acl_xattr]
> Initialising custom vfs hooks from [dfs_samba4]
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
>     lp, use_ntvfs=use_ntvfs)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
> open: error=2 (No such file or directory)

The idmap.ldb was NOT copied from the old DCs; I kept the new default one 
instead. Since all three DCs are new, would this be OK?

This happens on all three new DCs (Debian stretch), with a very basic 
smb.conf as generated by samba-tool domain join:

> # Global parameters
> [global]
> 	netbios name = DC6
> 	realm = SAMBA.COMPANY.COM
> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> 	workgroup = WRKGRP
> 	server role = active directory domain controller
> 
> 	log level = 3
> 
> [netlogon]
> 	path = /var/lib/samba/sysvol/samba.company.com/scripts
> 	read only = No
> 
> [sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = No

Could anyone tell me where to look for the problem, here?

MJ
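The traceback above dies in samba.ntacls.getntacl while reading xattr.XATTR_NTACL_NAME, so the first thing to establish on a DC like this is which entries under the sysvol tree actually carry that extended attribute, and whether a failed read means the attribute was never written, the path is gone, or the filesystem refuses xattrs altogether. The script below is an added diagnostic and is not code from the post or from Samba: it walks a sysvol path with os.walk, reads the two attribute names Samba uses (security.NTACL for the NT ACL, user.DOSATTRIB for DOS attribute bits) with the standard-library os.getxattr, and sorts the errno of each failure into a status word. The demo tree it builds (samba.company.com/Policies/Example-GPO/GPT.INI and scripts) is constructed with hypothetical names purely so the scan can be run and tested offline; run it as root against /var/lib/samba/sysvol on the real DC.

```python
#!/usr/bin/env python3
"""Report which entries under a Samba sysvol tree carry the NT ACL xattr.

Added diagnostic example; not code from the mailing-list post or from Samba.
It reads the same extended attributes Samba's acl_xattr VFS module stores,
using only the standard library, and tells ENODATA (attribute never written)
apart from ENOENT (path gone) and ENOTSUP (filesystem without xattr support).
"""
import errno
import os
import shutil
import sys
import tempfile
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

NTACL_XATTR = "security.NTACL"      # samba.xattr.XATTR_NTACL_NAME
DOSATTRIB_XATTR = "user.DOSATTRIB"  # DOS attribute bits stored by smbd

Getter = Callable[[str, str], bytes]  # (path, attribute name) -> raw value

# errno values that mean "this filesystem/mount cannot do xattrs at all"
_UNSUPPORTED = {getattr(errno, n) for n in ("ENOTSUP", "EOPNOTSUPP") if hasattr(errno, n)}


@dataclass
class XattrStatus:
    path: str
    ntacl: str      # present | missing | unsupported | no-file | denied | error:<n>
    dosattrib: str


def classify_error(err: OSError) -> str:
    """Turn the errno raised by getxattr() into a one-word diagnosis."""
    if err.errno == errno.ENODATA:
        return "missing"        # file exists but nobody wrote the attribute
    if err.errno in _UNSUPPORTED:
        return "unsupported"    # mounted without xattr support, or unsupported fs
    if err.errno == errno.ENOENT:
        return "no-file"        # path vanished or dangling symlink
    if err.errno in (errno.EACCES, errno.EPERM):
        return "denied"         # run as root: security.* on sysvol needs it
    return f"error:{err.errno}"


def probe(path: str, name: str, getter: Optional[Getter] = None) -> str:
    """Read one xattr and return its status word."""
    if getter is None:
        getter = getattr(os, "getxattr", None)  # os.getxattr exists on Linux only
        if getter is None:
            return "unsupported"
    try:
        getter(path, name)
        return "present"
    except OSError as err:
        return classify_error(err)


def scan_sysvol(root: str, getter: Optional[Getter] = None) -> List[XattrStatus]:
    """Probe the root and every directory and file below it (sysvolcheck's scope)."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames) + sorted(filenames):
            paths.append(os.path.join(dirpath, name))
    return [XattrStatus(p, probe(p, NTACL_XATTR, getter),
                        probe(p, DOSATTRIB_XATTR, getter)) for p in paths]


def summarize(statuses: List[XattrStatus]) -> Dict[str, int]:
    """Count entries per NTACL status, e.g. {'missing': 6}."""
    return dict(Counter(s.ntacl for s in statuses))


def make_fake_getter(attrs: Dict[str, bytes]) -> Getter:
    """Fake getxattr for offline testing: attribute names in `attrs` exist on
    every path; anything else raises ENODATA like an xattr-capable fs would."""
    def getter(path: str, name: str) -> bytes:
        if name in attrs:
            return attrs[name]
        raise OSError(errno.ENODATA, "No data available")
    return getter


def demo(getter: Optional[Getter] = None) -> Dict[str, int]:
    """Build a constructed, sysvol-shaped tree (hypothetical names) in a temp
    dir, scan it and return the NTACL summary. Six entries: root, realm dir,
    Policies, one GPO dir, its GPT.INI and the scripts dir."""
    root = tempfile.mkdtemp(prefix="sysvol-demo-")
    try:
        gpo = os.path.join(root, "samba.company.com", "Policies", "Example-GPO")
        os.makedirs(gpo)
        os.makedirs(os.path.join(root, "samba.company.com", "scripts"))
        with open(os.path.join(gpo, "GPT.INI"), "w") as fh:
            fh.write("[General]\nVersion=0\n")
        return summarize(scan_sysvol(root, getter))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    sysvol = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/samba/sysvol"
    results = scan_sysvol(sysvol)
    for s in results:
        if s.ntacl != "present":
            print(f"{s.ntacl:11} ntacl  {s.dosattrib:11} dosattrib  {s.path}")
    print("summary:", summarize(results))
```

A tree where every entry reports "missing" means the files exist but were never given an NT ACL, which is what a sysvolreset is meant to repair; "unsupported" points at the mount rather than at Samba; "no-file" matches the errno 2 in the traceback above and means the path being checked no longer exists under the sysvol root.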
