[Samba] sysvolcheck on fresh samba 4.7 DCs

L.P.H. van Belle belle at bazuin.nl
Thu Oct 26 09:53:57 UTC 2017


Run this check:

https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh 

And just run it as a test.
Also change lines 202, 204, 214 and 215: just put a # in front of each.
That way you make sure nothing is applied with this test.

Run it on both servers and compare the output file default-rights-sysvol.acl.
If you have differences, a diff of the 2 files should show them to you.



Greetz, 

Louis

 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj via samba
> Sent: Thursday 26 October 2017 11:38
> To: samba at lists.samba.org
> Subject: [Samba] sysvolcheck on fresh samba 4.7 DCs
> 
> Hi,
> 
> I joined a new samba-4.7 DC to our AD, replicated everything over, then
> turned off the old DCs, seized fsmo roles, and added two extra 4.7 DCs.
> 
> Everything above succeeded without warnings, and everything seems to be
> running very well finally, except for the sysvolcheck / sysvolreset.
> 
> We're on xfs, and the File System Support checks on the samba wiki page
> all pass, although at the time of the domain join, I had not yet
> installed acl / xattr / attr. Not sure if these are required at join
> time, but anyway, no warning was given during the join.
> 
> I added those packages later, after discovering that "getfacl 
> /var/lib/samba/sysvol" displayed no extended ACLs at all.
> 
> Next I tried samba-tool ntacl sysvolcheck:
> 
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > ldb_wrap open of idmap.ldb
> > ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
> >     lp)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
> >     direct_db_access)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1659, in check_gpos_acl
> >     direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 81, in getntacl
> >     xattr.XATTR_NTACL_NAME)
> 
> Thinking I had to perhaps do sysvolreset first, but:
> 
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > ldb_wrap open of idmap.ldb
> > lp_load_ex: refreshing parameters
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > load_module_absolute_path: Module '/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
> > lp_load_ex: refreshing parameters
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > ldb_wrap open of idmap.ldb
> > ldb_wrap open of idmap.ldb
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > unpack_nt_owners: owner sid mapped to uid 0
> > unpack_nt_owners: group sid mapped to gid 3000000
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > unpack_nt_owners: owner sid mapped to uid 0
> > unpack_nt_owners: group sid mapped to gid 3000000
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > unpack_nt_owners: owner sid mapped to uid 0
> > unpack_nt_owners: group sid mapped to gid 3000000
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
> >     lp, use_ntvfs=use_ntvfs)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
> >     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
> >     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
> >     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
> > open: error=2 (No such file or directory)
> 
> The idmap.ldb was NOT copied from the old DCs, but I kept the new 
> default one instead, since all three DCs are new, this would be ok..?
> 
> This happens on all three new DCs, debian stretch, very basic smb.conf
> as generated by the samba-tool domain join:
> 
> > # Global parameters
> > [global]
> > 	netbios name = DC6
> > 	realm = SAMBA.COMPANY.COM
> > 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > 	workgroup = WRKGRP
> > 	server role = active directory domain controller
> > 
> > 	log level = 3
> > 
> > [netlogon]
> > 	path = /var/lib/samba/sysvol/samba.company.com/scripts
> > 	read only = No
> > 
> > [sysvol]
> > 	path = /var/lib/samba/sysvol
> > 	read only = No
> 
> Could anyone tell me where to look for the problem, here?
> 
> MJ
> 
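
The comparison step from the reply above (run the check on both servers, then compare the two default-rights-sysvol.acl files), as an added example that is not part of the original post or of the linked script. It assumes the file holds `getfacl -R` style blocks; the function names `normalize` and `acl_diff` and the sample dumps are constructed for illustration. Unlike a plain `diff`, it reports per path and ignores the order of entries.

```shell
# Added example: compare two ACL dumps path by path instead of line by line.
# Assumes getfacl -R style blocks: "# file: PATH", comment/ACL lines, blank line.
normalize() {   # prints one line per path: PATH<TAB>sorted,comma-joined entries
  awk '
    function flush(   i, j, t, s) {
      if (path == "") return
      for (i = 2; i <= n; i++) {           # insertion sort: entry order is irrelevant
        t = e[i]
        for (j = i - 1; j >= 1 && e[j] > t; j--) e[j + 1] = e[j]
        e[j + 1] = t
      }
      for (i = 1; i <= n; i++) s = s (i > 1 ? "," : "") e[i]
      print path "\t" s
      path = ""; n = 0
    }
    /^# file: / { flush(); path = substr($0, 9); next }
    /^[ \t]*$/  { flush(); next }
    path != ""  { e[++n] = $0 }            # owner/group comments and ACL entries
    END         { flush() }
  ' "$1"
}

acl_diff() {    # usage: acl_diff DC_A.acl DC_B.acl ; prints nothing when equal
  local a b
  a=$(mktemp) && b=$(mktemp) || return 2
  normalize "$1" > "$a"; normalize "$2" > "$b"
  awk -F'\t' '
    FILENAME == ARGV[1] { A[$1] = $2; next }
    { seen[$1] = 1
      if (!($1 in A))       print "ONLY_B\t" $1
      else if (A[$1] != $2) print "DIFF\t" $1 "\tA=" A[$1] "\tB=" $2 }
    END { for (p in A) if (!(p in seen)) print "ONLY_A\t" p }
  ' "$a" "$b" | sort
  rm -f "$a" "$b"
}

# Constructed sample dumps (not real output) standing in for the two servers' files.
demo() {
  local d; d=$(mktemp -d)
  printf '%s\n' '# file: var/lib/samba/sysvol' '# owner: root' '# group: 3000000' \
    'user::rwx' 'group::rwx' 'group:3000001:r-x' 'other::---' '' \
    '# file: var/lib/samba/sysvol/samba.company.com/scripts' '# owner: root' \
    '# group: 3000000' 'user::rwx' 'group::rwx' 'other::---' > "$d/dc-a.acl"
  printf '%s\n' '# file: var/lib/samba/sysvol' '# owner: root' '# group: 3000000' \
    'user::rwx' 'group:3000001:r-x' 'group::rwx' 'other::---' '' \
    '# file: var/lib/samba/sysvol/samba.company.com/scripts' '# owner: root' \
    '# group: 3000002' 'user::rwx' 'group::rwx' 'other::---' > "$d/dc-b.acl"
  acl_diff "$d/dc-a.acl" "$d/dc-b.acl"
  rm -rf "$d"
}
demo
```

In the sample, the reordered entries on the sysvol root are treated as equal and only the scripts directory, whose owning group differs, is reported.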
