[Samba] Joining a new Samba AD DC

Rowland Penny rpenny at samba.org
Fri Jul 28 07:40:52 UTC 2023



On 27/07/2023 23:03, Mark Foley via samba wrote:
> On Tue Jul 25 15:34:15 2023 Rowland Penny <rpenny at samba.org> wrote:
> 
>> On 25/07/2023 20:09, Mark Foley via samba wrote:
>>
>>> One of the recommended solutions was using rsync, similar to what I theorized.
>>> I'll try that and post back.
> 
> [deleted]
> 
> OK, I did the rsync method for SysVol replication. It appears to have worked and
> copied the ACLs as well.
> 
> I then ran the sysvolreset. It took longer, but still gave some errors, though
> not as many:
> 
> # samba-tool ntacl sysvolreset
> set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
>    File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 186, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib64/python3.9/site-packages/samba/netcmd/ntacl.py", line 412, in run
>      provision.setsysvolacl(samdb, netlogon, sysvol,
>    File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1754, in setsysvolacl
>      set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>    File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1630, in set_gpos_acl
>      setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid), session_info,
>    File "/usr/lib64/python3.9/site-packages/samba/ntacls.py", line 228, in setntacl
>      smbd.set_nt_acl(
> 
> Is this ignorable? Fixable? It doesn't mean much to me.
> 
> Note that samba is not yet running, nor is the DNS working yet.
> 
> Thanks --Mark
> 

Samba stores the GPOs in sysvol and in AD. The way that sysvolreset 
works is, it reads the GPOs in AD and then uses this information to set 
the permissions for the GPOs on disk. It looks to me that you have more 
GPOs in AD than you have on disk; it is trying to set the permissions 
for a GPO that isn't on disk. I would compare sysvol on both machines.

Rowland
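
Added example, not part of the original thread and not Samba's own code: one way to test the mismatch described above is to compare the GPO GUIDs reported by `samba-tool gpo listall` with the GUID-named directories under the sysvol Policies directory. The function names are hypothetical, the sample output, domain-independent layout and the third and fourth GUIDs are constructed, and the parser assumes the `GPO : {GUID}` line format that `samba-tool gpo listall` prints.

```python
import os
import re
import tempfile

# GPO containers are named by GUID, e.g. {31B2F340-016D-11D2-945F-00C04FB984F9}
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def gpos_in_ad(listall_output):
    """GUIDs from the 'GPO : {...}' lines of `samba-tool gpo listall` output."""
    guids = set()
    for line in listall_output.splitlines():
        key, _, value = line.partition(":")
        match = GUID_RE.search(value)
        if key.strip() == "GPO" and match:
            guids.add(match.group(0).upper())
    return guids

def gpos_on_disk(policies_dir):
    """GUID-named directories under <sysvol>/<domain>/Policies (empty if absent)."""
    if not os.path.isdir(policies_dir):
        return set()
    return {e.name.upper() for e in os.scandir(policies_dir)
            if e.is_dir() and GUID_RE.fullmatch(e.name)}

def compare(listall_output, policies_dir):
    """Return (GPOs in AD but not on disk, GPO directories on disk but not in AD)."""
    ad, disk = gpos_in_ad(listall_output), gpos_on_disk(policies_dir)
    return sorted(ad - disk), sorted(disk - ad)

# Constructed sample output; the third GPO is made up for the demonstration.
SAMPLE = """\
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
GPO          : {11111111-2222-3333-4444-555555555555}
display name : Constructed Test Policy
"""

def demo():
    # Throwaway Policies tree: lacks the third GPO and holds one extra directory.
    on_disk = ("{31B2F340-016D-11D2-945F-00C04FB984F9}",
               "{6AC1786C-016F-11D2-945F-00C04FB984F9}",
               "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}")
    with tempfile.TemporaryDirectory() as policies:
        for name in on_disk:
            os.mkdir(os.path.join(policies, name))
        return compare(SAMPLE, policies)

if __name__ == "__main__":
    print(demo())
```

On a real DC, pass the captured output of `samba-tool gpo listall` and the path of the Policies directory to `compare()`; a non-empty first list names GPOs that exist in AD but have no directory on disk.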


