[Samba] sysvolcheck on fresh samba 4.7 DCs
Andrew Bartlett
abartlet at samba.org
Thu Oct 26 09:56:29 UTC 2017
On Thu, 2017-10-26 at 11:38 +0200, mj via samba wrote:
> Hi,
>
> I joined a new samba-4.7 DC to our AD, replicated everything over, then
> turned off the old DCs, seized fsmo roles, and added two extra 4.7 DCs.
>
> Everything above succeeded without warnings, and everything seems to be
> running very well finally, except for the sysvolcheck / sysvolreset.
>
> We're on xfs, and the File System Support checks on the samba wiki page
> all pass, although at the time of the domain join, I had not yet
> installed acl / xattr / attr. Not sure if these are required at join
> time, but anyway, no warning was given during the join.
Yes, that is required at build and run time.
> I added those packages later, after discovering that "getfacl
> /var/lib/samba/sysvol" displayed no extended ACLs at all.
>
> Next I tried samba-tool ntacl sysvolcheck:
>
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > ldb_wrap open of idmap.ldb
> > ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
> > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> > return self.run(*args, **kwargs)
> > File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
> > lp)
> > File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
> > direct_db_access)
> > File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1659, in check_gpos_acl
> > direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
> > File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 81, in getntacl
> > xattr.XATTR_NTACL_NAME)
>
> Thinking I had to perhaps do sysvolreset first, but:
>
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > ldb_wrap open of idmap.ldb
> > lp_load_ex: refreshing parameters
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > load_module_absolute_path: Module '/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
> > lp_load_ex: refreshing parameters
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > ldb_wrap open of idmap.ldb
> > ldb_wrap open of idmap.ldb
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > unpack_nt_owners: owner sid mapped to uid 0
> > unpack_nt_owners: group sid mapped to gid 3000000
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > unpack_nt_owners: owner sid mapped to uid 0
> > unpack_nt_owners: group sid mapped to gid 3000000
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > unpack_nt_owners: owner sid mapped to uid 0
> > unpack_nt_owners: group sid mapped to gid 3000000
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > Initialising custom vfs hooks from [dfs_samba4]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
> > ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
> > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> > return self.run(*args, **kwargs)
> > File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
> > lp, use_ntvfs=use_ntvfs)
> > File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
> > set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
> > File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
> > use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
> > File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
> > smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
> > open: error=2 (No such file or directory)
>
> The idmap.ldb was NOT copied from the old DCs, but I kept the new
> default one instead; since all three DCs are new, this would be ok?
That should be fine.
> This happens on all three new DCs, debian stretch, very basic smb.conf
> as generated by the samba-tool domain join:
>
> > # Global parameters
> > [global]
> > netbios name = DC6
> > realm = SAMBA.COMPANY.COM
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > workgroup = WRKGRP
> > server role = active directory domain controller
> >
> > log level = 3
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/samba.company.com/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
>
> Could anyone tell me where to look for the problem, here?
I don't see any reference to TDB-based xattrs being used, but I suspect
things are not happy here. Check the build got extended attribute
support (I'm pretty sure it whines at you however) and re-join.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
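The two symptoms in the thread (getfacl showing no ACLs on sysvol, and the sysvolcheck traceback dying on a getxattr of xattr.XATTR_NTACL_NAME) both come down to whether the sysvol filesystem stores extended attributes and whether Samba has actually written its NT ACL attribute there. The following is an added, stand-alone check, not code from the thread or from Samba: it probes a user.* xattr round-trip on the sysvol mount and then walks the tree reporting which paths carry the security.NTACL attribute that vfs_acl_xattr stores the security descriptor in. It assumes Linux (os.setxattr and friends), that it is run as root on the DC, and uses a hypothetical probe attribute name and a constructed sample tree for offline runs. It only tells you the attribute is present or absent; samba-tool ntacl sysvolcheck is still what validates the ACL contents against the directory.

```python
import errno
import os
import shutil
import tempfile

# Name of the extended attribute in which Samba's vfs_acl_xattr module stores the
# NT security descriptor (the attribute ntacls.py reads via xattr.XATTR_NTACL_NAME).
NTACL_XATTR = "security.NTACL"
# Hypothetical user-namespace attribute used only for the write/read probe.
PROBE_XATTR = "user.sysvol-xattr-probe"

_UNSUPPORTED = {errno.ENOTSUP, getattr(errno, "EOPNOTSUPP", errno.ENOTSUP)}


def classify_xattr_error(err):
    """Map the errno an xattr syscall raised to a diagnosis the DC admin can act on."""
    if err in _UNSUPPORTED:
        return "unsupported"    # filesystem or mount does not provide xattrs at all
    if err == errno.ENODATA:
        return "missing"        # xattrs work, but no NT ACL has been stored on this path
    if err == errno.ENOENT:
        return "absent-path"
    if err in (errno.EACCES, errno.EPERM):
        return "denied"         # security.* attributes need root to read/write
    return "other:%d" % err


def probe_user_xattr(directory):
    """Write, read back and remove a user.* xattr on a scratch file under `directory`."""
    try:
        fd, path = tempfile.mkstemp(prefix=".xattr-probe-", dir=directory)
    except OSError as e:
        return classify_xattr_error(e.errno)
    os.close(fd)
    try:
        os.setxattr(path, PROBE_XATTR, b"1")           # Linux-only call
        roundtrip = os.getxattr(path, PROBE_XATTR) == b"1"
        os.removexattr(path, PROBE_XATTR)
    except OSError as e:
        return classify_xattr_error(e.errno)
    finally:
        os.unlink(path)
    return "ok" if roundtrip else "other:mismatch"


def check_ntacl_tree(root):
    """Walk a sysvol tree; record per directory and file whether the NT ACL xattr is present."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                descriptor = os.getxattr(path, NTACL_XATTR)
            except OSError as e:
                results[path] = classify_xattr_error(e.errno)
            else:
                results[path] = "ok" if descriptor else "missing"
    return results


def summarize(results):
    """Count paths per status, collapsing 'other:<errno>' into 'other'."""
    counts = {}
    for status in results.values():
        key = status.split(":", 1)[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


def make_sample_tree():
    """Constructed stand-in for a sysvol tree (not a real GPO), so the checks run offline."""
    root = tempfile.mkdtemp(prefix="sysvol-sample-")
    gpo = os.path.join(root, "Policies", "sample-gpo")
    os.makedirs(os.path.join(gpo, "Machine"))
    with open(os.path.join(gpo, "GPT.INI"), "w") as f:
        f.write("[General]\nVersion=1\n")
    return root


def remove_sample_tree(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    import sys
    sysvol = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/samba/sysvol"
    print("user xattr probe on %s: %s" % (sysvol, probe_user_xattr(sysvol)))
    results = check_ntacl_tree(sysvol)
    print("NTACL status: %s" % summarize(results))
    for path, status in sorted(results.items()):
        if status != "ok":
            print("  %-12s %s" % (status, path))
```

Read the output in two steps: "unsupported" from the probe means the mount itself lacks xattr support and no amount of sysvolreset will help, which matches the advice above to fix the build/mount and re-join; "missing" across the tree with an "ok" probe means xattrs work but the ACLs were never written, which is the state sysvolreset is meant to repair.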