[Samba] ADC 4.7.0 KCC replication failing with PDC 4.6.8
Kukreja H.Kukreja
h.kukreja at ium.edu.na
Fri Oct 27 16:24:50 UTC 2017
I do have GPO directories under sysvol which I have copied using rsync to
the new DC, and when I run the samba-tool ntacl sysvolreset command it fails
on the new DC.
I am not sure what to call the main DC; that's why I use PDC.
I have removed the unnecessary lines from smb.conf.
Please let me know what I have to do now. I want to migrate the old DC
running on Ubuntu 12.04 to the new DC on Ubuntu 16.04.
Thanks
Harsh
On 27 Oct 2017, at 5:06 PM, Rowland Penny via samba <samba at lists.samba.org>
wrote:
On Fri, 27 Oct 2017 16:28:40 +0200
Harsh Kukreja via samba <samba at lists.samba.org> wrote:
Hi
I have created a new DC on the Ubuntu 16.04 with the latest sernet
samba 4.7.0 package. After joining to the PDC running 4.6.8 package I
backed up the idmap.ldb file and copied to the new DC. When I run the
samba-tool ntacl sysvolreset command on the new DC to replicate GID
Mappings it fails with the below error:
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
Have you any GPOs other than the default ones ?
Also on the PDC the INBOUND KCC is failing from the new DC:
You do not have a PDC, you have a DC.
==== INBOUND NEIGHBORS ====
CN=Schema,CN=Configuration,DC=iumnet,DC=edu,DC=na
Default-First-Site-Name\IUMSVRPDC via RPC
DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
Last attempt @ Fri Oct 27 16:03:15 2017 WAST failed,
result 1225 (WERR_CONNECTION_REFUSED)
28 consecutive failure(s).
Last success @ NTTIME(0)
Here is the smb.conf from both the servers:
*PDC*
Did I mention you do not have a PDC ? :-)
# Global parameters
[global]
workgroup = IUMNET
realm = IUMNET.EDU.NA
netbios name = IUMDCDP01
server role = active directory domain controller
dns forwarder = 172.16.10.254
domain master = yes
preferred master = yes
server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
password server = 172.16.10.5
allow dns updates = nonsecure and secure
# lanman auth = Yes
# client lanman auth = Yes
ntlm auth = yes
client use spnego = no
client ldap sasl wrapping = sign
# ldap ssl ads = yes
# ldap ssl = start tls
ldap server require strong auth = no
# wins server = iumnet.edu.na
# wins support = Yes
time server = Yes
template shell = /bin/bash
template homedir = /home/%U
idmap config * : backend = tdb
idmap config *:range = 50000-1000000
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:success = connect disconnect
*ADC new DC*
# Global parameters
[global]
netbios name = IUMSVRPDC
realm = IUMNET.EDU.NA
workgroup = IUMNET
server role = active directory domain controller
dns forwarder = 172.16.10.254
server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
You should remove the above line, you definitely do not need it.
allow dns updates = nonsecure and secure
ntlm auth = yes
ldap server require strong auth = no
time server = Yes
template shell = /bin/bash
template homedir = /home/%U
idmap config * : backend = tdb
idmap config *:range = 50000-1000000
Remove the above two lines, they have no place on a DC.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
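
A small check for the two points raised in the reply above (the "server services" line and the "idmap config *" lines in a DC's smb.conf), as an added example that is not part of the thread or of Samba. The function names are hypothetical and SAMPLE is constructed, cut down from the new DC's config quoted above.

```python
import re

DC_ROLE = "activedirectorydomaincontroller"

def norm(name):
    # smb.conf ignores case and whitespace inside parameter names, so
    # "idmap config * : backend" and "idmap config *:range" share a prefix.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return [(lineno, normalized_name, value)] for the [global] section."""
    out, section = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":        # skip blanks and comments
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)   # only the first '=' separates
            out.append((n, norm(key), value.strip()))
    return out

def lint_dc(text):
    """Flag the lines the reply says to remove; only applies to a DC."""
    params = parse_global(text)
    if not any(k == "serverrole" and norm(v) == DC_ROLE for _, k, v in params):
        return []
    findings = []
    for n, k, _ in params:
        if k == "serverservices":
            findings.append((n, "server services: not needed on a DC, remove"))
        elif k.startswith("idmapconfig*:"):
            findings.append((n, "idmap config *: has no place on a DC, remove"))
    return findings

# Constructed sample, cut down from the new DC's smb.conf in the thread.
SAMPLE = """[global]
netbios name = IUMSVRPDC
server role = active directory domain controller
server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
# idmap config * : backend = tdb
idmap config * : backend = tdb
idmap config *:range = 50000-1000000
"""

if __name__ == "__main__":
    for lineno, msg in lint_dc(SAMPLE):
        print("line %d: %s" % (lineno, msg))
```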