[Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs

Stephen stephen at ogdenradar.com
Tue Mar 26 11:07:55 UTC 2019

Hi Rowland!

No, I haven't synced my SysVol yet. I was following the official 
tutorial here, 
This tutorial appears to suggest that idmap.ldb files should be 
synchronised first prior to setting up any rsync SysVol synchronisation.


On 26/03/2019 10:59, Rowland Penny via samba wrote:
> On Tue, 26 Mar 2019 10:49:38 +0000
> Stephen via samba <samba at lists.samba.org> wrote:
>> Hi everyone, I have two AD DCs that I am experimenting with,
>> hostnames ad1 and ad2 respectively. I am using Raspberry Pi hardware,
>> and accordingly I am using Samba 4.5.16-Debian on Raspbian Linux.
>> I have already had some success so far setting up a second AD DC,
>> ad2, and joining this to my existing Active Directory domain SAMDOM.
>> I have already verified that I can create new user accounts on both
>> ad1 and ad2, and have confirmed that these are replicated on the
>> other DC server as would be expected. So far so good!
>> The next stage in setting up my secondary backup DC is ensuring
>> SysVol replication across both DCs via rsync, to make sure Group
>> Policy objects replicate correctly. As a preliminary step to
>> achieving this, I am first attempting to manually synchronise the
>> idmap.ldb files on both my DCs to unify the group and user IDs. This
>> step is suggested in the official samba tutorial here:
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>> (within the section 'Built-in User & Group ID Mappings').
>> I am currently achieving the replication of the idmap.ldb file suggested by
>> the tutorial by executing the following bash script snippet on
>> my ad2 server:
>> IDMAP_PATH=/var/lib/samba/private/idmap.ldb
>> ssh -t pi@$IP_ADDRESS_AD1 "sudo tdbbackup -s .bak $IDMAP_PATH; sudo chown pi $IDMAP_PATH.bak; scp $IDMAP_PATH.bak pi@$IP_ADDRESS_AD2:/home/pi/idmap.ldb.bak && rm $IDMAP_PATH.bak;"
>> sudo mv ~/idmap.ldb.bak /var/lib/samba/private/idmap.ldb
>> sudo chown root /var/lib/samba/private/idmap.ldb
>> sudo samba-tool ntacl sysvolreset
>> pi@ad2:~ $ sudo samba-tool ntacl sysvolreset
>> open: error=2 (No such file or directory)
>> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
>>     lp, use_ntvfs=use_ntvfs)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
>>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
>>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
>>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
>> Can anyone suggest a solution? I have included my smb.conf for ad2
>> below for additional scrutiny.
> I will ask you the same question that I asked someone a few days ago,
> have you synced Sysvol to the new DC ?
> Rowland
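
Added example (not from the thread or from the Samba project): a pre-flight script for the second DC that checks the two things the exchange above turns on before `samba-tool ntacl sysvolreset` is run: that the idmap.ldb put in place is byte-identical to the copy taken on the first DC, and that a Sysvol tree with at least one GPO folder is present. The paths and the domain name are assumptions taken from the Debian layout quoted in the thread; the functions take them as arguments.

```shell
#!/bin/sh
# Pre-flight checks for a second Samba AD DC (example code, not the
# thread's script). Paths below are assumptions based on the Debian
# locations quoted in the thread; pass your own as arguments.

# Returns 0 when the idmap.ldb now in place is byte-identical to the
# tdbbackup copy brought over from the first DC, i.e. the user and
# group ID mappings really are unified on both DCs.
idmap_matches_backup() {
    idmap="$1"   # e.g. /var/lib/samba/private/idmap.ldb
    backup="$2"  # e.g. /home/pi/idmap.ldb.bak copied from ad1
    [ -f "$idmap" ] && [ -f "$backup" ] || return 1
    cmp -s "$idmap" "$backup"
}

# Returns 0 when the Sysvol tree for the domain has been synced: the
# Policies directory must exist and hold at least one GPO folder.
# The traceback in the thread dies inside set_gpos_acl on an open()
# of a path that is not there, which is what an unsynced Sysvol gives.
sysvol_is_synced() {
    sysvol="$1"      # e.g. /var/lib/samba/sysvol
    dnsdomain="$2"   # e.g. samdom.example.com (constructed)
    policies="$sysvol/$dnsdomain/Policies"
    [ -d "$policies" ] || return 1
    for entry in "$policies"/*; do
        # an unexpanded glob means the directory is empty
        [ -e "$entry" ] && return 0
    done
    return 1
}

# Runs both checks and says which one failed, so the operator knows
# whether to redo the idmap copy or to rsync Sysvol from the first DC.
preflight() {
    if ! idmap_matches_backup "$1" "$2"; then
        echo "idmap.ldb differs from the copy taken on the first DC" >&2
        return 1
    fi
    if ! sysvol_is_synced "$3" "$4"; then
        echo "Sysvol not synced yet: rsync it before running sysvolreset" >&2
        return 2
    fi
    echo "preflight ok: safe to run 'samba-tool ntacl sysvolreset'"
    return 0
}
```

Run it as `preflight /var/lib/samba/private/idmap.ldb /home/pi/idmap.ldb.bak /var/lib/samba/sysvol samdom.example.com` before the last step of the script in the thread.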
