[Samba] Joined a second DC, some glitches...

Rowland Penny rpenny at samba.org
Thu Oct 26 11:18:45 UTC 2017


On Thu, 26 Oct 2017 12:41:11 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> 
> I've set up my second DC, following the samba wiki, without major
> trouble.
> 
> Only three notes:
> 
> a) I've followed the suggestion to move idmap.ldb from the first DC to
>  the second (Rowland! Clap me! I've not said 'primary' and
> 'secondary'! ;-).
> 
> After that, as suggested by the wiki, I've done a 'samba-tool ntacl
> sysvolreset' but:
> 
>  root@vdcpp1:~# samba-tool ntacl sysvolreset
>  open: error=2 (No such file or directory)
>  ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
>      lp, use_ntvfs=use_ntvfs)
>    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
>      set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
>      use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>    File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
>      smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
> 
> Googling around, it seems that even root cannot handle wrong ACLs (and
> they are wrong, because I've just changed the xID).
> 
> I've simply copied (via rsync) the sysvol from the first DC and after
> that 'samba-tool ntacl sysvolreset' worked as expected.
> 
> I suppose this has to be added to the wiki...
> 
> 
> b) after configuring the second DC, and on the second DC only, I'm
> getting in the logs:
> 
>  Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.069206, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
>  Oct 26 11:15:22 vdcpp1 samba[1257]:   /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
>  Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.090246, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
>  Oct 26 11:15:22 vdcpp1 samba[1257]:   /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
>  Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.111456, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
>  Oct 26 11:15:22 vdcpp1 samba[1257]:   /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
>  Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.133550, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
>  Oct 26 11:15:22 vdcpp1 samba[1257]:   /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
>  Oct 26 11:15:22 vdcpp1 samba[1257]: [2017/10/26 11:15:22.153213, 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
>  Oct 26 11:15:22 vdcpp1 samba[1257]:   ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 26
> 
> but I've not enabled DDNS! Or at least I've not configured it both on
> first and on second DC... Why?

If you look carefully, it is '/usr/sbin/samba_dnsupdate' that is
logging and this is run at samba startup and then regularly.

If you run 'samba_dnsupdate --help' and amongst the output is
'--use-samba-tool', you can add
'dns update command = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool'
to smb.conf on the DC; this should fix this problem.

> 
> 
> c) why, on the first DC, does /etc/samba/smb.conf created by
> 'samba-tool domain provision' have:
> 	idmap_ldb:use rfc2307 = yes
> 
> while the second, created with 'samba-tool domain join', does not? Do
> I have to add it?

Good question. When you join a new DC, there doesn't seem to be a good
way to find out if the line is required, so it isn't added, so you need
to add it manually.

Rowland
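
One way to check a joined DC for the two smb.conf settings discussed in this thread, as an added example that is not part of the original messages. The function names, and saving the 'samba_dnsupdate --help' output to a file so the check runs offline, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a joined DC's smb.conf.

# global_param FILE NAME: print NAME's value from [global]; status 1 if unset.
# Keys are compared case-insensitively with runs of whitespace collapsed.
global_param() {
    awk -v want="$2" '
        function norm(s) {
            gsub(/[ \t]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s)
            return tolower(s)
        }
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/ {                           # section header
            sec = tolower($0); gsub(/[ \t]/, "", sec)
            in_global = (sec == "[global]"); next
        }
        in_global && (eq = index($0, "=")) {
            if (norm(substr($0, 1, eq - 1)) == norm(want)) {
                val = substr($0, eq + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                found = 1                       # keep the last occurrence
            }
        }
        END { if (found) print val; exit !found }
    ' "$1"
}

# audit_joined_dc FIRST_CONF JOINED_CONF HELP_FILE
# HELP_FILE holds saved output of "samba_dnsupdate --help" from the joined DC.
# Prints one line per missing setting; returns 0 when nothing is missing.
audit_joined_dc() {
    first=$1 joined=$2 helpfile=$3 rc=0
    opt='idmap_ldb:use rfc2307'
    # The join does not copy this line, so compare against the first DC.
    if want=$(global_param "$first" "$opt") &&
       [ "$(global_param "$joined" "$opt")" != "$want" ]; then
        echo "joined DC [global] is missing: $opt = $want"; rc=1
    fi
    # Only suggest --use-samba-tool when this samba_dnsupdate offers it.
    if grep -q -e '--use-samba-tool' "$helpfile"; then
        cmd=$(global_param "$joined" 'dns update command') || cmd=''
        case $cmd in
            *--use-samba-tool*) ;;
            *) echo "dns update command does not use --use-samba-tool"; rc=1 ;;
        esac
    fi
    return "$rc"
}
```

Copy the first DC's smb.conf to the joined DC (or the reverse) and call audit_joined_dc with both files and the saved help text; the function only reads the files and changes nothing.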


