[Samba] ADC 4.7.0 KCC replication failing with PDC 4.6.8

Kukreja H.Kukreja h.kukreja at ium.edu.na
Fri Oct 27 16:24:50 UTC 2017


I do have GPO directories under sysvol, which I have copied using rsync to
the new DC, and when I run the samba-tool ntacl sysvolreset command it fails
on the new DC.

I am not sure what to call the main DC; that's why I used PDC.

I have removed the unnecessary lines from smb.conf

Please let me know what I have to do now. I want to migrate the old DC
running on Ubuntu 12.04 to the new DC on Ubuntu 16.04.


Thanks

Harsh
Sent from my iPhone

On 27 Oct 2017, at 5:06 PM, Rowland Penny via samba <samba at lists.samba.org>
wrote:

On Fri, 27 Oct 2017 16:28:40 +0200
Harsh Kukreja via samba <samba at lists.samba.org> wrote:

Hi

I have created a new DC on Ubuntu 16.04 with the latest sernet
samba 4.7.0 package. After joining it to the PDC running the 4.6.8 package I
backed up the idmap.ldb file and copied it to the new DC. When I run the
samba-tool ntacl sysvolreset command on the new DC to replicate GID
mappings it fails with the below error:

open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)


Have you any GPOs other than the default ones?

Also on the PDC the INBOUND KCC is failing from the new DC:

You do not have a PDC, you have a DC.

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=iumnet,DC=edu,DC=na
       Default-First-Site-Name\IUMSVRPDC via RPC
               DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
               Last attempt @ Fri Oct 27 16:03:15 2017 WAST failed, result 1225 (WERR_CONNECTION_REFUSED)
               28 consecutive failure(s).
               Last success @ NTTIME(0)
Here is the smb.conf from both servers:

*PDC*

Did I mention you do not have a PDC? :-)

# Global parameters
[global]
       workgroup = IUMNET
       realm = IUMNET.EDU.NA
       netbios name = IUMDCDP01
       server role = active directory domain controller
       dns forwarder = 172.16.10.254
       domain master = yes
       preferred master = yes
       server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
       password server = 172.16.10.5
       allow dns updates = nonsecure and secure
#       lanman auth = Yes
#       client lanman auth = Yes
       ntlm auth = yes
       client use spnego = no
       client ldap sasl wrapping = sign
#       ldap ssl ads = yes
#       ldap ssl = start tls
       ldap server require strong auth = no
#       wins server = iumnet.edu.na
#       wins support = Yes
       time server = Yes
       template shell = /bin/bash
       template homedir = /home/%U
       idmap config * : backend = tdb
       idmap config *:range = 50000-1000000
       full_audit:prefix = %u|%I|%m|%S
       full_audit:failure = connect
       full_audit:success = connect disconnect


*ADC new DC*

# Global parameters
[global]
       netbios name = IUMSVRPDC
       realm = IUMNET.EDU.NA
       workgroup = IUMNET
       server role = active directory domain controller
       dns forwarder = 172.16.10.254
       server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap

You should remove the above line, you definitely do not need it.

       allow dns updates = nonsecure and secure
       ntlm auth = yes
       ldap server require strong auth = no
       time server = Yes
       template shell = /bin/bash
       template homedir = /home/%U
       idmap config * : backend = tdb
       idmap config *:range = 50000-1000000


Remove the above two lines, they have no place on a DC.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
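An added pre-check, not part of this thread or of Samba itself: the traceback above shows sysvolreset failing inside set_gpos_acl with "open: error=2", i.e. while setting the ACL on a GPO directory that does not exist on disk. This script lists the {GUID} of every GPO that samba-tool gpo listall reports and flags those with no matching directory under SYSVOL, so a policy that was not copied over shows up before sysvolreset trips on it. The SYSVOL path and the sample listing are assumed/constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): compare the GPOs the directory
# knows about with the {GUID} directories present under SYSVOL.
# Assumed layout: /var/lib/samba/sysvol/<realm>/Policies/{GUID}

# Print the {GUID} of each GPO from `samba-tool gpo listall` output on stdin
# (lines of the form "GPO          : {GUID}").
gpo_guids_from_listall() {
    sed -n 's/^GPO[[:space:]]*:[[:space:]]*\({[^}]*}\).*/\1/p'
}

# Usage: missing_gpo_dirs <listall-output-file> <policies-dir>
# Prints the GUID of every GPO that has no directory under <policies-dir>.
# Names are matched exactly; Linux directory names are case-sensitive.
missing_gpo_dirs() {
    gpo_guids_from_listall < "$1" | while read -r guid; do
        [ -d "$2/$guid" ] || printf '%s\n' "$guid"
    done
}

# Self-contained demo on constructed data: two GPOs in the listing, only the
# Default Domain Policy directory present. Prints the missing GUID.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}"
    cat > "$tmp/listall.txt" <<'EOF'
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
GPO          : {0A1B2C3D-0000-4000-8000-000000000001}
display name : Copied Policy (constructed sample)
EOF
    missing_gpo_dirs "$tmp/listall.txt" "$tmp/Policies"
    rm -rf "$tmp"
}

# Real use on the new DC (realm from the thread):
#   samba-tool gpo listall > /tmp/gpos.txt
#   missing_gpo_dirs /tmp/gpos.txt /var/lib/samba/sysvol/iumnet.edu.na/Policies
```

Any GUID it prints must be copied into SYSVOL (or the GPO removed from the directory) before sysvolreset can succeed.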

