[Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
Stephen
stephen at ogdenradar.com
Tue Mar 26 10:49:38 UTC 2019
Hi everyone, I have two AD DCs that I am experimenting with, hostnames
ad1 and ad2 respectively. I am using Raspberry Pi hardware, and
accordingly I am using Samba 4.5.16-Debian on Raspbian Linux.
I have already had some success so far setting up a second AD DC, ad2,
and joining this to my existing Active Directory domain SAMDOM. I have
already verified that I can create new user accounts on both ad1 and
ad2, and have confirmed that these are replicated on the other DC server
as would be expected. So far so good!
The next stage in setting up my secondary backup DC is ensuring SysVol
replication across both DCs via rsync, to make sure Group Policy objects
replicate correctly. As a preliminary step to achieving this, I am first
attempting to manually synchronise the idmap.ldb files on both my DCs to
unify the group and user IDs. This step is suggested in the official
samba tutorial here:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
(within the section 'Built-in User & Group ID Mappings').
I am currently achieving replication of the idmap.ldb file as suggested by the
tutorial by executing the following bash script snippet on my ad2 server:
# IP_ADDRESS_AD1 and IP_ADDRESS_AD2 are set before this snippet runs.
IDMAP_PATH=/var/lib/samba/private/idmap.ldb

# On ad1: take a consistent copy of idmap.ldb, hand the copy to pi so scp can
# read it, push it to ad2, then delete the copy. The delete needs sudo because
# /var/lib/samba/private itself is owned by root.
ssh -t pi@$IP_ADDRESS_AD1 "sudo tdbbackup -s .bak $IDMAP_PATH; \
    sudo chown pi $IDMAP_PATH.bak; \
    scp $IDMAP_PATH.bak pi@$IP_ADDRESS_AD2:/home/pi/idmap.ldb.bak && sudo rm $IDMAP_PATH.bak"

# On ad2: move the copy into place and give it back to root. Use root:root,
# not just root: mv keeps the group pi that the chown on ad1 left behind.
sudo mv ~/idmap.ldb.bak /var/lib/samba/private/idmap.ldb
sudo chown root:root /var/lib/samba/private/idmap.ldb
sudo samba-tool ntacl sysvolreset
As far as I can tell this is correctly replicating the steps in the
described tutorial. To demonstrate that idmap.ldb is updated on ad2 I
include the output of ls command below. Hopefully this demonstrates to
everyone here that idmap.ldb has updated as expected. Please verify that
the permissions are set correctly and that the date is changed to
reflect the file modification.
pi@ad2:~ $ ls -al /var/lib/samba/private
total 10124
drwxr-xr-x 7 root root 4096 Mar 26 10:35 .
drwxr-xr-x 8 root root 4096 Mar 26 10:09 ..
-rw------- 1 root root 2069 Mar 25 16:43 dns_update_cache
-rw-r--r-- 1 root root 3663 Mar 25 16:42 dns_update_list
-rw------- 1 root root 1286144 Mar 25 16:42 hklm.ldb
-rw------- 1 root pi 61440 Mar 26 09:57 idmap.ldb
-rw-r--r-- 1 root root 99 Mar 25 16:42 krb5.conf
srwxrwxrwx 1 root root 0 Mar 26 10:09 ldapi
drwxr-x--- 2 root root 4096 Mar 26 10:09 ldap_priv
drwx------ 2 root root 4096 Mar 26 10:34 msg.sock
-r--r--r-- 1 root root 300 Mar 25 16:43 named.conf.update
-rw------- 1 root root 696 Mar 26 10:09 netlogon_creds_cli.tdb
-rw------- 1 root root 421888 Mar 25 16:42 passdb.tdb
-rw------- 1 root root 1286144 Mar 25 16:42 privilege.ldb
-rw------- 1 root root 4247552 Mar 25 16:43 sam.ldb
drwx------ 2 root root 4096 Mar 25 16:43 sam.ldb.d
-rw------- 1 root root 696 Mar 26 10:08 schannel_store.tdb
-rw------- 1 root root 1182 Mar 25 16:43 secrets.keytab
-rw------- 1 root root 1286144 Mar 25 16:43 secrets.ldb
-rw------- 1 root root 430080 Mar 25 16:43 secrets.tdb
-rw------- 1 root root 1286144 Mar 25 16:42 share.ldb
drwxr-xr-x 2 root root 4096 Mar 25 16:43 smbd.tmp
-rw-r--r-- 1 root root 955 Mar 25 16:42 spn_update_list
drwx------ 2 root root 4096 Mar 25 16:44 tls
The problem I am having occurs when I attempt to perform the final
sysvolreset step suggested in the tutorial and included in my script
snippet previously. When I try this I get an unexpected error which I
have no idea how to fix.
pi@ad2:~ $ sudo samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
Can anyone suggest a solution? I have included my smb.conf for ad2 below
for additional scrutiny.
pi@ad2:~ $ cat /etc/samba/smb.conf
# Global parameters
[global]
	netbios name = AD2
	realm = SAMDOM.EXAMPLE.COM
	workgroup = SAMDOM
	dns forwarder = 88.215.63.255 88.215.61.255 8.8.8.8
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes

[netlogon]
	path = /var/lib/samba/sysvol/samdom.example.com/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No
Kind Regards
Stephen Ellwood
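Editor's note with an added example, not part of Stephen's post and not code from the Samba project or wiki. The traceback above ends in smbd.set_nt_acl, reached from set_gpos_acl, and the open that fails reports error=2 (ENOENT): sysvolreset walks the Group Policy objects stored in the directory and applies ACLs to their directories under sysvol, and that open fails when a policy directory it expects is not on disk. The script below pre-checks two things before sysvolreset is run on the second DC: that the copied idmap.ldb has the ownership and mode the other ldb files in the listing have (root:root, mode 600), and that every GPO referenced by a gPCFileSysPath value has a matching directory under the local sysvol. Assumptions not stated on the page: Debian-style paths under /var/lib/samba, GNU stat, and ldbsearch available on the DC; the UNC values used in the comments and tests are constructed. The on-disk check is case-sensitive, whereas SMB access to sysvol is not, so a mismatch in the domain component's case shows up here as "missing".

```bash
#!/bin/bash
# Added example (not from the original post): pre-flight checks to run on the
# second DC after copying idmap.ldb and before 'samba-tool ntacl sysvolreset'.
# Assumptions: Debian paths under /var/lib/samba, GNU stat, ldbsearch present.

# Verify a private Samba database file has the expected owner, group and mode.
# Defaults match the other ldb files in /var/lib/samba/private (root root 600).
# Prints a diagnostic to stderr and returns 1 on mismatch.
check_idmap_perms() {
    local path="$1" owner="${2:-root}" group="${3:-root}" mode="${4:-600}"
    local actual
    actual=$(stat -c '%U %G %a' "$path") || return 1
    if [ "$actual" != "$owner $group $mode" ]; then
        printf '%s: expected "%s", got "%s"\n' "$path" "$owner $group $mode" "$actual" >&2
        return 1
    fi
    return 0
}

# Translate a gPCFileSysPath UNC value, e.g.
#   \\samdom.example.com\sysvol\samdom.example.com\Policies\{GUID}
# into the local path under the given sysvol root. Pure string handling, so it
# works offline; the leading \\host\sysvol\ is matched case-insensitively.
gpo_unc_to_local() {
    local sysvol_root="$1" unc="$2" rel
    rel=$(printf '%s' "$unc" | tr '\\' '/' \
        | sed -E 's#^//[^/]+/[Ss][Yy][Ss][Vv][Oo][Ll]/##')
    printf '%s/%s\n' "$sysvol_root" "$rel"
}

# Read gPCFileSysPath values on stdin (one per line) and print the local path of
# every GPO whose policy directory is absent under the sysvol root.
# Returns 1 if at least one is missing, 0 if all are present.
missing_gpo_dirs() {
    local sysvol_root="$1" unc local_path rc=0
    while IFS= read -r unc; do
        [ -n "$unc" ] || continue
        local_path=$(gpo_unc_to_local "$sysvol_root" "$unc")
        if [ ! -d "$local_path" ]; then
            printf '%s\n' "$local_path"
            rc=1
        fi
    done
    return $rc
}

# Usage on a real DC (needs root for the private directory):
#   check_idmap_perms /var/lib/samba/private/idmap.ldb
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#       '(objectClass=groupPolicyContainer)' gPCFileSysPath \
#     | sed -n 's/^gPCFileSysPath: //p' \
#     | missing_gpo_dirs /var/lib/samba/sysvol
# Only when both return 0 is it worth running: samba-tool ntacl sysvolreset
```

The second check reads the GPO list straight out of sam.ldb on the DC being repaired, so it reports exactly the directories sysvolreset will try to open; a non-empty result means sysvol has not yet been brought over from the first DC, independent of whatever state idmap.ldb is in.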