[Samba] ADC 4.7.0 KCC replication failing with PDC 4.6.8
Rowland Penny
rpenny at samba.org
Fri Oct 27 14:59:03 UTC 2017
On Fri, 27 Oct 2017 16:28:40 +0200
Harsh Kukreja via samba <samba at lists.samba.org> wrote:
> Hi
>
> I have created a new DC on the Ubuntu 16.04 with the latest sernet
> samba 4.7.0 package. After joining to the PDC running 4.6.8 package I
> backed up the idmap.ldb file and copied to the new DC. When I run the
> samba-tool ntacl sysvolreset command on the new DC to replicate GID
> Mappings it fails with the below error:
>
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
>     lp, use_ntvfs=use_ntvfs)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
Have you any GPOs other than the default ones ?
>
> Also on the PDC the INBOUND KCC is failing from the new DC:
You do not have a PDC, you have a DC.
> ==== INBOUND NEIGHBORS ====
>
> CN=Schema,CN=Configuration,DC=iumnet,DC=edu,DC=na
> Default-First-Site-Name\IUMSVRPDC via RPC
> DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
> Last attempt @ Fri Oct 27 16:03:15 2017 WAST failed,
> result 1225 (WERR_CONNECTION_REFUSED)
> 28 consecutive failure(s).
> Last success @ NTTIME(0)
> Here is the smb.conf from both the servers:
>
> *PDC*
Did I mention you do not have a PDC ? :-)
> # Global parameters
> [global]
> workgroup = IUMNET
> realm = IUMNET.EDU.NA
> netbios name = IUMDCDP01
> server role = active directory domain controller
> dns forwarder = 172.16.10.254
> domain master = yes
> preferred master = yes
> server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
> password server = 172.16.10.5
> allow dns updates = nonsecure and secure
> # lanman auth = Yes
> # client lanman auth = Yes
> ntlm auth = yes
> client use spnego = no
> client ldap sasl wrapping = sign
> # ldap ssl ads = yes
> # ldap ssl = start tls
> ldap server require strong auth = no
> # wins server = iumnet.edu.na
> # wins support = Yes
> time server = Yes
> template shell = /bin/bash
> template homedir = /home/%U
> idmap config * : backend = tdb
> idmap config *:range = 50000-1000000
> full_audit:prefix = %u|%I|%m|%S
> full_audit:failure = connect
> full_audit:success = connect disconnect
>
> *ADC new DC*
> # Global parameters
> [global]
> netbios name = IUMSVRPDC
> realm = IUMNET.EDU.NA
> workgroup = IUMNET
> server role = active directory domain controller
> dns forwarder = 172.16.10.254
> server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
You should remove the above line, you definitely do not need it.
> allow dns updates = nonsecure and secure
> ntlm auth = yes
> ldap server require strong auth = no
> time server = Yes
> template shell = /bin/bash
> template homedir = /home/%U
> idmap config * : backend = tdb
> idmap config *:range = 50000-1000000
Remove the above two lines, they have no place on a DC.
Rowland