[Samba] Replication problem when adding new DC member

Mon Mar 25 14:28:52 UTC 2019

Hi all,

So we have a single AD-DC master, and I'm trying to join a fresh new DC 
(DOMAIN-ad.DOMAIN.intranet, 192.168.0.11) to the master 
(ad.DOMAIN.intranet, 192.168.0.17), and I'm using the HOWTO here: 
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory 
and I've hit a problem in the section "Built-in User & Group ID 
Mappings" - when doing the following after copying over the idmap.ldb 
manually (note, ntacls.py was modified to output the file the script is 
trying to open):

samba-tool ntacl sysvolreset

I get:

root at DOMAIN-ad:/var/lib/samba/private# samba-tool ntacl sysvolreset
 >>>>>>>>>>> /var/lib/samba/sysvol
 >>>>>>>>>>> /var/lib/samba/sysvol/DOMAIN.intranet/scripts
 >>>>>>>>>>> /var/lib/samba/sysvol/DOMAIN.intranet
 >>>>>>>>>>> /var/lib/samba/sysvol/DOMAIN.intranet/Policies
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 
239, in run
     lp, use_ntvfs=use_ntvfs)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
line 1609, in setsysvolacl
     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, 
use_ntvfs, passdb=s4_passdb)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
line 1502, in set_gpos_acl
     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, 
service=SYSVOL_SERVICE)
   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 163, in 
setntacl
     smbd.set_nt_acl(file, security.SECINFO_OWNER | 
security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, 
sd, service=service)

So I try to check the replication status but as the samba service isn't 
currently running (as per HOWTO) it unsurprisingly fails:

root at DOMAIN-ad:/var/lib/samba/sysvol/DOMAIN.intranet# samba-tool drs 
showrepl
Failed to connect host 192.168.0.11 on port 135 - 
NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.0.11 (DOMAIN-ad.DOMAIN.intranet) on port 
135 - NT_STATUS_CONNECTION_REFUSED.
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to 
DOMAIN-ad.DOMAIN.intranet failed - drsException: DRS connection to 
DOMAIN-ad.DOMAIN.intranet failed: (-1073741258, 'The connection was 
refused')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 41, 
in drsuapi_connect
     (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = 
drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, 
in drsuapi_connect
     raise drsException("DRS connection to %s failed: %s" % (server, e))

How do I fix this issue please?  Both servers are running the exact same 
version of Debian 9, Samba updated to version 4.5.16-Debian.

Many thanks for your time!

With kind regards - Piers