[Samba] Joined a second DC, some glitches...

Marco Gaiarin gaio at sv.lnf.it
Thu Oct 26 10:41:11 UTC 2017


I've set up my second DC, following the samba wiki, without major
trouble.

Only three notes:

a) I've followed the suggestion to move idmap.ldb from the first DC to
 the second (Rowland! Clap me! I've not said 'primary' and
'secondary'! ;-).

After that, as suggested by the wiki, I've done a 'samba-tool ntacl
sysvolreset' but:

 root@vdcpp1:~# samba-tool ntacl sysvolreset
 open: error=2 (No such file or directory)
 ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

Googling around, it seems that even root cannot handle wrong ACLs (and they
are wrong, because I've just changed the xID).

I've simply copied (via rsync) the sysvol from the first DC and after
that 'samba-tool ntacl sysvolreset' worked as expected.

I suppose this has to be added to the wiki...


b) After configuring the second DC, and on the second DC only, I'm getting in the logs:

 Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.069206,  0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
 Oct 26 11:15:22 vdcpp1 samba[1257]:   /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
 Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.090246,  0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
 Oct 26 11:15:22 vdcpp1 samba[1257]:   /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
 Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.111456,  0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
 Oct 26 11:15:22 vdcpp1 samba[1257]:   /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
 Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.133550,  0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
 Oct 26 11:15:22 vdcpp1 samba[1257]:   /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
 Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.153213,  0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
 Oct 26 11:15:22 vdcpp1 samba[1257]:   ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 26

But I've not enabled DDNS! Or at least I've not configured it on either the
first or the second DC... Why?


c) Why, on the first DC, does the /etc/samba/smb.conf created by 'samba-tool domain
provision' have:
	idmap_ldb:use rfc2307 = yes

while the second, created with 'samba-tool domain join', does not? Do I
have to add it?


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
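
An added example, not part of the original post and not Samba code: a small check for the smb.conf difference described in point (c), comparing the [global] sections of a provisioned DC and a joined DC. The sample configs, realm, host names and function names are constructed for illustration.

```python
import re

# Constructed samples modelled on the post: the provisioned DC carries the
# idmap_ldb line, the joined DC does not. Names and realm are placeholders.
DC1_CONF = """\
# Global parameters
[global]
	netbios name = DC1
	realm = EXAMPLE.LAN
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes
"""
DC2_CONF = """\
[global]
	NetBIOS Name = DC2
	realm = EXAMPLE.LAN
	Server Role = active directory domain controller
"""
PER_HOST = {"netbiosname"}  # parameters expected to differ between DCs


def parse_smb_conf(text):
    """Return {section: {normalised_parameter: value}} for smb.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def drift(conf_a, conf_b, section="global"):
    """List (parameter, value_in_a, value_in_b) where the configs disagree."""
    a = parse_smb_conf(conf_a).get(section, {})
    b = parse_smb_conf(conf_b).get(section, {})
    keys = sorted((a.keys() | b.keys()) - PER_HOST)
    return [(k, a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)]


if __name__ == "__main__":
    for key, first, second in drift(DC1_CONF, DC2_CONF):
        print(f"{key}: first DC={first!r}, second DC={second!r}")
```

Parameter names are reported in normalised form (lower case, whitespace removed), so `idmap_ldb:use rfc2307` appears as `idmap_ldb:userfc2307`.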


