[Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs

Stephen stephen at ogdenradar.com
Tue Mar 26 10:49:38 UTC 2019 

Hi everyone, I have two AD DCs that I am experimenting with, hostnames 
ad1 and ad2 respectively. I am using Raspberry Pi hardware, and 
accordingly I am using Samba 4.5.16-Debian on Raspbian Linux.
I have already had some success so far setting up a second AD DC, ad2, 
and joining this to my existing Active Directory domain SAMDOM. I have 
already verified that I can create new user accounts on both ad1 and 
ad2, and have confirmed that these are replicated on the other DC server 
as would be expected. So far so good!

The next stage in setting up my secondary backup DC is ensuring SysVol 
replication across both DCs via rsync, to make sure Group Policy objects 
replicate correctly. As a preliminary step to achieving this, I am first 
attempting to manually synchronise the idmap.ldb files on both my DCs to 
unify the group and user IDs. This step is suggested in the official 
samba tutorial here: 
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory 
(within the section 'Built-in User & Group ID Mappings').

I am currently achieving replication of idmap.ldb file suggested by the 
tutorial by executing the following bash script snippet below on my ad2 
server:

IDMAP_PATH=/var/lib/samba/private/idmap.ldb
ssh -t pi@$IP_ADDRESS_AD1 "sudo tdbbackup -s .bak $IDMAP_PATH; sudo 
chown pi $IDMAP_PATH.bak; scp $IDMAP_PATH.bak 
pi@$IP_ADDRESS_AD2:/home/pi/idmap.ldb.bak && rm $IDMAP_PATH.bak;"
sudo mv ~/idmap.ldb.bak /var/lib/samba/private/idmap.ldb
sudo chown root /var/lib/samba/private/idmap.ldb
sudo samba-tool ntacl sysvolreset

As far as I can tell this is correctly replicating the steps in the 
described tutorial. To demonstrate that idmap.ldb is updated on ad2 I 
include the output of ls command below. Hopefully this demonstrates to 
everyone here that idmap.ldb has updated as expected. Please verify that 
the permissions are set correctly and that the date is changed to 
reflect the file modification.

pi at ad2:~ $ ls -al /var/lib/samba/private
total 10124
drwxr-xr-x 7 root root    4096 Mar 26 10:35 .
drwxr-xr-x 8 root root    4096 Mar 26 10:09 ..
-rw------- 1 root root    2069 Mar 25 16:43 dns_update_cache
-rw-r--r-- 1 root root    3663 Mar 25 16:42 dns_update_list
-rw------- 1 root root 1286144 Mar 25 16:42 hklm.ldb
-rw------- 1 root pi     61440 Mar 26 09:57 idmap.ldb
-rw-r--r-- 1 root root      99 Mar 25 16:42 krb5.conf
srwxrwxrwx 1 root root       0 Mar 26 10:09 ldapi
drwxr-x--- 2 root root    4096 Mar 26 10:09 ldap_priv
drwx------ 2 root root    4096 Mar 26 10:34 msg.sock
-r--r--r-- 1 root root     300 Mar 25 16:43 named.conf.update
-rw------- 1 root root     696 Mar 26 10:09 netlogon_creds_cli.tdb
-rw------- 1 root root  421888 Mar 25 16:42 passdb.tdb
-rw------- 1 root root 1286144 Mar 25 16:42 privilege.ldb
-rw------- 1 root root 4247552 Mar 25 16:43 sam.ldb
drwx------ 2 root root    4096 Mar 25 16:43 sam.ldb.d
-rw------- 1 root root     696 Mar 26 10:08 schannel_store.tdb
-rw------- 1 root root    1182 Mar 25 16:43 secrets.keytab
-rw------- 1 root root 1286144 Mar 25 16:43 secrets.ldb
-rw------- 1 root root  430080 Mar 25 16:43 secrets.tdb
-rw------- 1 root root 1286144 Mar 25 16:42 share.ldb
drwxr-xr-x 2 root root    4096 Mar 25 16:43 smbd.tmp
-rw-r--r-- 1 root root     955 Mar 25 16:42 spn_update_list
drwx------ 2 root root    4096 Mar 25 16:44 tls

The problem I am having occurs when I attempt to perform the final 
sysvolreset step suggested in the tutorial and included in my script 
snippet previously. When I try this I get an unexpected error which I 
have no idea how to fix.

pi at ad2:~ $ sudo samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 
239, in run
     lp, use_ntvfs=use_ntvfs)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
line 1609, in setsysvolacl
     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, 
use_ntvfs, passdb=s4_passdb)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
line 1502, in set_gpos_acl
     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, 
service=SYSVOL_SERVICE)
   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in 
setntacl
     smbd.set_nt_acl(file, security.SECINFO_OWNER | 
security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, 
sd, service=service)

Can anyone suggest a solution? I have included my smb.conf for ad2 below 
for additional scrutiny.

pi at ad2:~ $ cat /etc/samba/smb.conf
# Global parameters
[global]
         netbios name = AD2
         realm = SAMDOM.EXAMPLE.COM
         workgroup = SAMDOM
         dns forwarder = 88.215.63.255 88.215.61.255 8.8.8.8
         server role = active directory domain controller
         idmap_ldb:use rfc2307  = yes

[netlogon]
         path = /var/lib/samba/sysvol/samdom.example.com/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No

Kind Regards
Stephen Ellwood

More information about the samba mailing list