[Samba] sysvol permission errors on newly joined DC

Carlos Gardel carlosito2021 at outlook.com
Fri Mar 18 21:10:04 UTC 2022


Good evening list,

I host a small samba AD domain with three DCs (DC1, DC2 and DC3).

DC1 and DC2 are running on CentOS 6 with samba 4.9.8, so quite old.

At the beginning of January this year I set up a new DC (DC3) on CentOS 8 with samba 4.15.3, which I joined to the existing domain (following the guide at https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory). Domain join etc. went fine and replication has been working without problems. Sysvol is syncing from DC1 (rsync).

When going through the logs on the new DC3 (/var/log/messages) the other day I noticed the following entries, which seem to have been showing up for quite some time (the following are just a few examples):

Mar 18 15:22:14 dc3 smbd[1141366]: [2022/03/18 15:22:14.540124,  0] ../../source3/smbd/service.c:171(chdir_current_service)
Mar 18 15:22:14 dc3 smbd[1141366]:  chdir_current_service: vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission denied. Current token: uid=30500, gid=20513, 8 groups: 20513 3000016 3000021 3000012 3000013 3000003 3000008 3000015
Mar 18 15:22:25 dc3 smbd[1141366]: [2022/03/18 15:22:25.184581,  0] ../../source3/smbd/service.c:171(chdir_current_service)
Mar 18 15:22:25 dc3 smbd[1141366]:  chdir_current_service: vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission denied. Current token: uid=30500, gid=20513, 8 groups: 20513 3000016 3000021 3000012 3000013 3000003 3000008 3000015
Mar 18 15:24:34 dc3 smbd[1141394]: [2022/03/18 15:24:34.431021,  0] ../../source3/smbd/service.c:171(chdir_current_service)

Mar 18 16:34:24 dc3 smbd[1142706]: [2022/03/18 16:34:24.254799,  0] ../../source3/smbd/service.c:171(chdir_current_service)
Mar 18 16:34:24 dc3 smbd[1142706]:  chdir_current_service: vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission denied. Current token: uid=30521, gid=20513, 6 groups: 20513 3000012 3000013 3000003 3000008 3000015
Mar 18 16:34:34 dc3 smbd[1142706]: [2022/03/18 16:34:34.934111,  0] ../../source3/smbd/service.c:171(chdir_current_service)
Mar 18 16:34:34 dc3 smbd[1142706]:  chdir_current_service: vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission denied. Current token: uid=30521, gid=20513, 6 groups: 20513 3000012 3000013 3000003 3000008 3000015

Mar 18 20:44:47 dc3 smbd[1147430]: [2022/03/18 20:44:47.046280,  0] ../../source3/smbd/service.c:171(chdir_current_service)
Mar 18 20:44:47 dc3 smbd[1147430]:  chdir_current_service: vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission denied. Current token: uid=30506, gid=20513, 8 groups: 20513 3000021 3000016 3000012 3000013 3000003 3000008 3000015
Mar 18 20:44:57 dc3 smbd[1147430]: [2022/03/18 20:44:57.668028,  0] ../../source3/smbd/service.c:171(chdir_current_service)
Mar 18 20:44:57 dc3 smbd[1147430]:  chdir_current_service: vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission denied. Current token: uid=30506, gid=20513, 8 groups: 20513 3000021 3000016 3000012 3000013 3000003 3000008 3000015

The UIDs and GID (20513) in the lines above are for various domain users and the "domain users" group.

Following the thread at https://lists.samba.org/archive/samba/2020-October/232743.html I have checked that the permissions of the sysvol directory are identical for DC1 (FSMO role holder) and the new DC3. I have also tried running samba-tool ntacl sysvolreset on DC3, which did not help (since the above log entries kept showing up).

If anyone could provide some thoughts on this I would be very grateful.

Kind regards,
Carlos
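
Added example, not part of the original post: a small parser for the chdir_current_service entries quoted above that counts denials per UID and reports the group IDs common to every denied token, which is the set to compare against the ACL on the sysvol path (for example as shown by getfacl). The function names are illustrative; the sample lines are copied from the log excerpt in the post.

```python
import re
from collections import defaultdict

# Message body format as it appears in the smbd log lines quoted in the post.
DENIED = re.compile(
    r"chdir_current_service: vfs_ChDir\((?P<path>[^)]+)\) failed: "
    r"(?P<err>[^.]+)\. Current token: uid=(?P<uid>\d+), gid=(?P<gid>\d+), "
    r"(?P<n>\d+) groups: (?P<groups>[\d ]+)"
)

def parse_denials(lines):
    """Yield one dict per chdir_current_service failure found in syslog lines."""
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue  # header-only lines (service.c:171) carry no token
        groups = [int(g) for g in m["groups"].split()]
        if len(groups) != int(m["n"]):
            continue  # truncated entry: fewer group IDs than announced
        yield {"path": m["path"], "error": m["err"], "uid": int(m["uid"]),
               "gid": int(m["gid"]), "groups": frozenset(groups)}

def summarize(lines):
    """Return (denials per uid, sorted group IDs shared by every denied token)."""
    per_uid = defaultdict(int)
    common = None
    for d in parse_denials(lines):
        per_uid[d["uid"]] += 1
        common = d["groups"] if common is None else common & d["groups"]
    return dict(per_uid), sorted(common or ())

# Sample input: entries copied from the log excerpt in the post.
SAMPLE = [
    "Mar 18 15:22:14 dc3 smbd[1141366]: [2022/03/18 15:22:14.540124,  0] ../../source3/smbd/service.c:171(chdir_current_service)",
    "Mar 18 15:22:14 dc3 smbd[1141366]:  chdir_current_service: vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission denied. Current token: uid=30500, gid=20513, 8 groups: 20513 3000016 3000021 3000012 3000013 3000003 3000008 3000015",
    "Mar 18 15:22:25 dc3 smbd[1141366]:  chdir_current_service: vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission denied. Current token: uid=30500, gid=20513, 8 groups: 20513 3000016 3000021 3000012 3000013 3000003 3000008 3000015",
    "Mar 18 16:34:24 dc3 smbd[1142706]:  chdir_current_service: vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission denied. Current token: uid=30521, gid=20513, 6 groups: 20513 3000012 3000013 3000003 3000008 3000015",
    "Mar 18 20:44:47 dc3 smbd[1147430]:  chdir_current_service: vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission denied. Current token: uid=30506, gid=20513, 8 groups: 20513 3000021 3000016 3000012 3000013 3000003 3000008 3000015",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
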





