[Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs

Rowland Penny rpenny at samba.org
Tue Mar 26 10:59:32 UTC 2019

On Tue, 26 Mar 2019 10:49:38 +0000
Stephen via samba <samba at lists.samba.org> wrote:

> Hi everyone, I have two AD DCs that I am experimenting with,
> hostnames ad1 and ad2 respectively. I am using Raspberry Pi hardware,
> and accordingly I am using Samba 4.5.16-Debian on Raspbian Linux.
> I have already had some success so far setting up a second AD DC,
> ad2, and joining this to my existing Active Directory domain SAMDOM.
> I have already verified that I can create new user accounts on both
> ad1 and ad2, and have confirmed that these are replicated on the
> other DC server as would be expected. So far so good!
> The next stage in setting up my secondary backup DC is ensuring
> SysVol replication across both DCs via rsync, to make sure Group
> Policy objects replicate correctly. As a preliminary step to
> achieving this, I am first attempting to manually synchronise the
> idmap.ldb files on both my DCs to unify the group and user IDs. This
> step is suggested in the official samba tutorial here: 
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory 
> (within the section 'Built-in User & Group ID Mappings').
> I am currently achieving replication of the idmap.ldb file suggested by
> the tutorial by executing the following bash script snippet on my ad2
> server:
>
> IDMAP_PATH=/var/lib/samba/private/idmap.ldb
> ssh -t pi@$IP_ADDRESS_AD1 "sudo tdbbackup -s .bak $IDMAP_PATH; \
>     sudo chown pi $IDMAP_PATH.bak; \
>     scp $IDMAP_PATH.bak pi@$IP_ADDRESS_AD2:/home/pi/idmap.ldb.bak && rm $IDMAP_PATH.bak;"
> sudo mv ~/idmap.ldb.bak /var/lib/samba/private/idmap.ldb
> sudo chown root /var/lib/samba/private/idmap.ldb
> sudo samba-tool ntacl sysvolreset
>
> pi at ad2:~ $ sudo samba-tool ntacl sysvolreset
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
>     lp, use_ntvfs=use_ntvfs)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
>
> Can anyone suggest a solution? I have included my smb.conf for ad2
> below for additional scrutiny.

I will ask you the same question that I asked someone a few days ago:
have you synced Sysvol to the new DC?
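
The thread above copies idmap.ldb from one DC to the other so that both DCs map the same SIDs to the same Unix IDs before Sysvol is synchronised. A practitioner will want to verify that the copy actually took, since a mismatched or missing mapping means files in Sysvol end up owned by a different UID/GID on each DC. The script below is an added example, not part of the samba list thread or of the Samba project: it parses the LDIF that `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber type` prints on each DC (the attribute names are the ones idmap.ldb really uses; the two dumps embedded here are constructed samples, not real output from ad1 or ad2) and reports every SID whose xidNumber or type differs or that exists on only one DC, plus any xidNumber that two SIDs share on a single DC.

```python
"""Compare the SID -> xidNumber mappings of two Samba AD DCs.

Added example, not from the samba mailing list thread or the Samba project.
Input is the LDIF printed on each DC by:
    ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' \
        objectSid xidNumber type
The two dumps below are constructed samples for illustration only.
"""
import re
from typing import Dict, List, Tuple

IdMap = Dict[str, Tuple[int, str]]  # objectSid -> (xidNumber, type)

# Constructed sample: what "ad1" might report.
AD1_DUMP = """\
# record 1
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001

# record 3
dn: CN=S-1-5-21-1-2-3-1107
objectSid: S-1-5-21-1-2-3-1107
type: ID_TYPE_UID
xidNumber: 3000005

# returned 3 records
"""

# Constructed sample: what "ad2" might report after an incomplete sync.
# S-1-5-32-545 got a different xidNumber, S-...-1107 is missing and
# S-...-1108 exists only here.
AD2_DUMP = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN=S-1-5-21-1-2-3-1108
objectSid: S-1-5-21-1-2-3-1108
type: ID_TYPE_UID
xidNumber: 3000005
"""


def parse_idmap_ldif(text: str) -> IdMap:
    """Parse ldbsearch LDIF output from idmap.ldb into {sid: (xid, type)}.

    Records are separated by blank lines, '#' lines are ldbsearch comments,
    and a line beginning with a single space continues the previous
    attribute (LDIF folding). The attributes we need are plain strings in
    this output, so base64 ("::") values are not handled.
    """
    mapping: IdMap = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, str] = {}
        last_key = None
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            if line.startswith(" ") and last_key:  # folded continuation
                attrs[last_key] += line[1:]
                continue
            key, sep, value = line.partition(":")
            if not sep:
                continue
            last_key = key.strip()
            attrs[last_key] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = (int(attrs["xidNumber"]),
                                           attrs.get("type", "?"))
    return mapping


def compare_idmaps(a: IdMap, b: IdMap) -> Dict[str, list]:
    """SIDs that map differently on the two DCs, or exist on one DC only."""
    both = sorted(a.keys() & b.keys())
    return {
        "mismatch": [(sid, a[sid], b[sid]) for sid in both if a[sid] != b[sid]],
        "only_a": sorted(a.keys() - b.keys()),
        "only_b": sorted(b.keys() - a.keys()),
    }


def xid_collisions(m: IdMap) -> Dict[int, List[str]]:
    """xidNumbers that more than one SID maps to on a single DC."""
    seen: Dict[int, List[str]] = {}
    for sid, (xid, _type) in m.items():
        seen.setdefault(xid, []).append(sid)
    return {xid: sorted(sids) for xid, sids in seen.items() if len(sids) > 1}


def in_sync(a: IdMap, b: IdMap) -> bool:
    """True only when every SID maps identically on both DCs."""
    r = compare_idmaps(a, b)
    return not (r["mismatch"] or r["only_a"] or r["only_b"])


if __name__ == "__main__":
    ad1, ad2 = parse_idmap_ldif(AD1_DUMP), parse_idmap_ldif(AD2_DUMP)
    report = compare_idmaps(ad1, ad2)
    for sid, m1, m2 in report["mismatch"]:
        print(f"MISMATCH {sid}: ad1={m1} ad2={m2}")
    for sid in report["only_a"]:
        print(f"ONLY ON ad1: {sid} -> {ad1[sid]}")
    for sid in report["only_b"]:
        print(f"ONLY ON ad2: {sid} -> {ad2[sid]}")
    print("idmap in sync" if in_sync(ad1, ad2) else "idmap NOT in sync")
```

Run the `ldbsearch` command on each DC, save the two outputs, and feed them to `parse_idmap_ldif`; an empty mismatch report on both directions is the precondition for `rsync`-ing Sysvol and running `samba-tool ntacl sysvolreset` on the second DC, since sysvolreset rewrites ownership using exactly these mappings.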

