[Samba] sysvolcheck on fresh samba 4.7 DCs
L.P.H. van Belle
belle at bazuin.nl
Thu Oct 26 09:53:57 UTC 2017
Run this check up:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
And just run it as a test.
Also change lines 202, 204, 214 and 215: just put a # in front of them.
So you make sure nothing is applied with this test.
Run it on both servers and compare the output file default-rights-sysvol.acl
If you have differences, a diff of the 2 files should show it to you.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj via samba
> Sent: Thursday 26 October 2017 11:38
> To: samba at lists.samba.org
> Subject: [Samba] sysvolcheck on fresh samba 4.7 DCs
>
> Hi,
>
> I joined a new samba-4.7 DC to our AD, replicated everything over, then
> turned off the old DCs, seized fsmo roles, and added two extra 4.7 DCs.
>
> Everything above succeeded without warnings, and everything seems to be
> running very well finally, except for the sysvolcheck / sysvolreset.
>
> We're on xfs, and the File System Support checks on the samba wiki page
> all pass, although at the time of the domain join, I had not yet
> installed acl / xattr / attr. Not sure if these are required at join
> time, but anyway, no warning was given during the join.
>
> I added those packages later, after discovering that "getfacl
> /var/lib/samba/sysvol" displayed no extended ACLs at all.
>
> Next I tried samba-tool ntacl sysvolcheck:
>
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > ldb_wrap open of idmap.ldb
> > ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
> >     lp)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
> >     direct_db_access)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1659, in check_gpos_acl
> >     direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 81, in getntacl
> >     xattr.XATTR_NTACL_NAME)
>
> Thinking I had to perhaps do sysvolreset first, but:
>
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > ldb_wrap open of idmap.ldb
> > lp_load_ex: refreshing parameters
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > load_module_absolute_path: Module '/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
> > lp_load_ex: refreshing parameters
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > ldb_wrap open of idmap.ldb
> > ldb_wrap open of idmap.ldb
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > unpack_nt_owners: owner sid mapped to uid 0
> > unpack_nt_owners: group sid mapped to gid 3000000
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > unpack_nt_owners: owner sid mapped to uid 0
> > unpack_nt_owners: group sid mapped to gid 3000000
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > unpack_nt_owners: owner sid mapped to uid 0
> > unpack_nt_owners: group sid mapped to gid 3000000
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
> >     lp, use_ntvfs=use_ntvfs)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
> >     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
> >     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
> >     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
> > open: error=2 (No such file or directory)
>
> The idmap.ldb was NOT copied from the old DCs, but I kept the new
> default one instead, since all three DCs are new, this would be ok..?
>
> This happens on all three new DCs, debian stretch, very basic smb.conf
> as generated by the samba-tool domain join:
>
> > # Global parameters
> > [global]
> > netbios name = DC6
> > realm = SAMBA.COMPANY.COM
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > workgroup = WRKGRP
> > server role = active directory domain controller
> >
> > log level = 3
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/samba.company.com/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
>
> Could anyone tell me where to look for the problem, here?
>
> MJ
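
The comparison suggested in the reply at the top of this thread (dump the sysvol rights on each DC, then diff the two files), as an added example that is not part of the thread or of the linked script. It assumes both files are in `getfacl -R` text format; the function names and sample dumps are constructed for illustration. Unlike a line diff it ignores entry order and lists paths that exist on only one DC separately.

```python
# Added example: compare two `getfacl -R` style dumps taken on different DCs.
# The dump format is an assumption; all sample data below is constructed.

def parse_getfacl(text):
    """Return {path: {"owner": str, "group": str, "acl": set_of_entries}}."""
    records, path = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            records[path] = {"owner": None, "group": None, "acl": set()}
        elif not line or path is None:
            path = None                  # blank line ends a record
        elif line.startswith(("# owner: ", "# group: ")):
            key, value = line[2:].split(": ", 1)
            records[path][key] = value
        elif not line.startswith("#"):
            # keep the ACL entry, drop a trailing "#effective:..." annotation
            records[path]["acl"].add(line.split("#", 1)[0].strip())
    return records

def compare_dumps(a_text, b_text):
    """Report paths present on one DC only, and per-path owner/group/ACL drift."""
    a, b = parse_getfacl(a_text), parse_getfacl(b_text)
    report = {"only_a": sorted(set(a) - set(b)),
              "only_b": sorted(set(b) - set(a)), "changed": {}}
    for path in sorted(set(a) & set(b)):
        diffs = {k: (a[path][k], b[path][k]) for k in ("owner", "group")
                 if a[path][k] != b[path][k]}
        if a[path]["acl"] != b[path]["acl"]:
            diffs["acl"] = {"only_a": sorted(a[path]["acl"] - b[path]["acl"]),
                            "only_b": sorted(b[path]["acl"] - a[path]["acl"])}
        if diffs:
            report["changed"][path] = diffs
    return report

# Constructed sample dumps (not taken from the thread).
DUMP_A = ("# file: var/lib/samba/sysvol\n# owner: root\n# group: 3000000\n"
          "user::rwx\ngroup::rwx\ngroup:3000000:rwx\nmask::rwx\nother::---\n\n"
          "# file: var/lib/samba/sysvol/samba.company.com/scripts\n"
          "# owner: root\n# group: 3000000\nuser::rwx\nother::---\n")
DUMP_B = ("# file: var/lib/samba/sysvol\n# owner: root\n# group: root\n"
          "user::rwx\ngroup::r-x\nother::---\n")

if __name__ == "__main__":
    import json
    print(json.dumps(compare_dumps(DUMP_A, DUMP_B), indent=2))
```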