[Samba] Joining a new Samba AD DC

Mark Foley mfoley at novatec-inc.com
Fri Jul 28 18:04:04 UTC 2023


On Fri Jul 28 03:41:45 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On 27/07/2023 23:03, Mark Foley via samba wrote:
> > On Tue Jul 25 15:34:15 2023 Rowland Penny <rpenny at samba.org> wrote:
> > 
> >> On 25/07/2023 20:09, Mark Foley via samba wrote:
> >>
> >>> One of the recommended solutions was using rsync, similar to what I theorized.
> >>> I'll try that and post back.
> > 
> > [deleted]
> > 
> > OK, I did the rsync method for SysVol replication. It appears to have worked and
> > copied the ACLs as well.
> > 
> > I then ran the sysvolreset. It took longer, but still gave some errors, though
> > not as many:
> > 
> > # samba-tool ntacl sysvolreset
> > set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> > ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
> >    File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 186, in _run
> >      return self.run(*args, **kwargs)
> >    File "/usr/lib64/python3.9/site-packages/samba/netcmd/ntacl.py", line 412, in run
> >      provision.setsysvolacl(samdb, netlogon, sysvol,
> >    File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1754, in setsysvolacl
> >      set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
> >    File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1630, in set_gpos_acl
> >      setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid), session_info,
> >    File "/usr/lib64/python3.9/site-packages/samba/ntacls.py", line 228, in setntacl
> >      smbd.set_nt_acl(
> > 
> > Is this ignorable? Fixable? It doesn't mean much to me.
> > 
> > Note that samba is not yet running, nor is the DNS working yet.
> > 
> > Thanks --Mark
> > 
>
> Samba stores the GPOs in sysvol and in AD. The way that sysvolreset 
> works is, it reads the GPOs in AD and then uses this information to set 
> the permissions for the GPOs on disk. It looks to me that you have more 
> GPOs in AD than you have on disk, it is trying to set the permissions 
> for a GPO that isn't on disk. I would compare sysvol on both machines.
>
> Rowland

After checking with the previous run, these sysvolreset errors are the same as
before, so syncing the sysvol didn't make any difference.

You wrote: "It looks to me that you have more GPOs in AD than you have on 
disk, ...". So, where are the "AD" versus "on disk" GPOs located? Is one of
these locations /var/lib/samba/sysvol/hprs.local/policies/? I've rsync'ed the
sysvol again. They are identical between the machines.

Is this error possibly ignorable? I've checked and the rsync did copy the ACL
attributes to the sysvol files and folders, so maybe this "ntacl sysvolreset"
isn't really making any changes?

Thanks --Mark
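The comparison Rowland suggests, written out as an added example (this is not code from the Samba project or from either poster). "AD" here means the groupPolicyContainer objects that `samba-tool gpo listall` enumerates from the directory database; "on disk" means the `{GUID}` directories under sysvol. The script extracts the GUIDs from both sources and reports the ones sysvolreset will trip over (known to AD, absent from sysvol) and the converse (orphans on disk). The sysvol path, the `Policies` spelling with a capital P (which is how Samba provisions it), the realm `hprs.local` taken from the thread, and the sample listings embedded below are all assumptions or constructed data, not output from the poster's domain.

```shell
#!/bin/sh
# Added example, not Samba project code: compare the GPOs AD knows about with
# the policy directories present in sysvol on this DC.
# Assumptions (not stated in the thread): sysvol lives under
# /var/lib/samba/sysvol, the realm is hprs.local, and the per-GPO directories
# sit under a "Policies" directory with a capital P.

SYSVOL_ROOT="${SYSVOL_ROOT:-/var/lib/samba/sysvol}"
REALM="${REALM:-hprs.local}"

# Pull every {GUID} token out of stdin, upper-case it (GPO GUIDs are printed
# with mixed case in places), and emit one per line, sorted and de-duplicated,
# so the two sources can be compared with comm(1).
extract_guids() {
    tr -d '\r' | grep -oE '\{[0-9A-Fa-f-]{36}\}' | tr 'a-f' 'A-F' | sort -u
}

# $1: comm flags, $2: text listing GPOs in AD, $3: text listing sysvol entries.
_gpo_diff() {
    ad=$(mktemp) && disk=$(mktemp) || return 1
    printf '%s\n' "$2" | extract_guids > "$ad"
    printf '%s\n' "$3" | extract_guids > "$disk"
    comm "$1" "$ad" "$disk"
    rm -f "$ad" "$disk"
}

# GUIDs present in AD but with no directory in sysvol: these are the GPOs
# sysvolreset tries to set an ACL on and cannot find on disk.
missing_in_sysvol()  { _gpo_diff -23 "$1" "$2"; }

# The converse: directories in sysvol with no GPO object in AD. sysvolreset
# does not touch these, but they are worth knowing about.
orphaned_in_sysvol() { _gpo_diff -13 "$1" "$2"; }

# Gather the real lists on a DC and report. Extra arguments are passed to
# samba-tool (for example -H to point it at a specific sam.ldb or LDAP URL).
live_check() {
    ad_listing=$(samba-tool gpo listall "$@") || return 1
    disk_listing=$(ls -1 "$SYSVOL_ROOT/$REALM/Policies") || return 1
    echo "In AD but missing from sysvol (sysvolreset fails on these):"
    missing_in_sysvol "$ad_listing" "$disk_listing"
    echo "In sysvol but unknown to AD (orphans):"
    orphaned_in_sysvol "$ad_listing" "$disk_listing"
}

# Constructed sample input (not real output from the poster's domain): the two
# GPOs every AD domain has, plus an invented third GUID that exists only in AD.
SAMPLE_AD_LISTING='GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
GPO          : {6AC1786C-016F-11D2-945F-00C04fB984F9}
display name : Default Domain Controllers Policy
GPO          : {A1B2C3D4-0000-4000-8000-000000000001}
display name : Invented Policy (constructed)'

# Constructed directory listing of .../Policies on disk: the invented GPO is absent.
SAMPLE_DISK_LISTING='{31B2F340-016D-11D2-945F-00C04FB984F9}
{6AC1786C-016F-11D2-945F-00C04FB984F9}
PolicyDefinitions'

if [ "${1:-}" = "--live" ]; then
    shift
    live_check "$@"
else
    echo "In AD but missing from sysvol (sample data):"
    missing_in_sysvol "$SAMPLE_AD_LISTING" "$SAMPLE_DISK_LISTING"
fi
```

Run it with no arguments to see the comparison over the constructed sample, or with `--live` on the DC to compare the real directory against the real sysvol. If the samba daemon is not running, as in the thread, `--live -H /var/lib/samba/private/sam.ldb` reads the local database directly. Any GUID in the "missing from sysvol" list is a GPO that sysvolreset will try to find under sysvol and fail on; rsyncing sysvol between DCs cannot fix that, because the missing directory is not on the source either.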
