[Samba] sysvolcheck on fresh samba 4.7 DCs

Andrew Bartlett abartlet at samba.org
Thu Oct 26 09:56:29 UTC 2017 

On Thu, 2017-10-26 at 11:38 +0200, mj via samba wrote:
> Hi,
> 
> I joined a new samba-4.7 DC to our AD, replicated everything over, then 
> turned off the old DCs, seized fsmo roles, and added two extra 4.7 DCs.
> 
> Everything above succeeded without warnings, and everything seems to be 
> running very well finally, except for the sysvolcheck / sysvolreset.
> 
> We're on xfs, and the File System Support checks on the samba wiki page 
> all pass, although at the time of the domain join, I had not yet 
> installed acl / xattr / attr. Not sure if these are required at join 
> time, but anyway, no warning was given during the join.

Yes, that is required at build and run time. 

> I added those packages later, after discovering that "getfacl 
> /var/lib/samba/sysvol" displayed no extended ACLs at all.
> 
> Next I tried samba-tool ntacl sysvolcheck:
> 
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > ldb_wrap open of idmap.ldb
> > ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
> >     lp)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
> >     direct_db_access)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1659, in check_gpos_acl
> >     direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 81, in getntacl
> >     xattr.XATTR_NTACL_NAME)
> 
> Thinking I had to perhaps do sysvolreset first, but:
> 
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > ldb_wrap open of idmap.ldb
> > lp_load_ex: refreshing parameters
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > load_module_absolute_path: Module '/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
> > lp_load_ex: refreshing parameters
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > ldb_wrap open of idmap.ldb
> > ldb_wrap open of idmap.ldb
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > unpack_nt_owners: owner sid mapped to uid 0
> > unpack_nt_owners: group sid mapped to gid 3000000
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > unpack_nt_owners: owner sid mapped to uid 0
> > unpack_nt_owners: group sid mapped to gid 3000000
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > unpack_nt_owners: owner sid mapped to uid 0
> > unpack_nt_owners: group sid mapped to gid 3000000
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
> >     lp, use_ntvfs=use_ntvfs)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
> >     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
> >     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
> >     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
> > open: error=2 (No such file or directory)
> 
> The idmap.ldb was NOT copied from the old DCs, but I kept the new 
> default one instead, since all three DCs are new, this would be ok..?

That should be fine. 

> This happens on all three new DCs, debian stretch, very basic smb.conf 
> as generated by the samba-tool domain join:
> 
> > # Global parameters
> > [global]
> > 	netbios name = DC6
> > 	realm = SAMBA.COMPANY.COM
> > 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > 	workgroup = WRKGRP
> > 	server role = active directory domain controller
> > 
> > 	log level = 3
> > 
> > [netlogon]
> > 	path = /var/lib/samba/sysvol/samba.company.com/scripts
> > 	read only = No
> > 
> > [sysvol]
> > 	path = /var/lib/samba/sysvol
> > 	read only = No
> 
> Could anyone tell me where to look for the problem, here?

I don't see any reference to TDB-based xattrs being used, but I suspect
things are not happy here.  Check the build got extended attribute
support (I'm pretty sure it whines at you however) and re-join. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list