[Samba] SysVol permission error on newly joined DV
Rowland Penny
rpenny at samba.org
Wed Mar 5 11:24:46 UTC 2025
On Wed, 5 Mar 2025 16:15:18 +0530
Anantha Raghava via samba <samba at lists.samba.org> wrote:
> Hello Team,
>
> We are currently running with 8 Samba-AD servers in our domain.
> Initially we had 5, looking at the load and the DC - DR needs, we
> added 3 more to have 4 Domain Controllers in DC and 4 Domain
> Controllers in DR.
>
> Original 5 servers are having no issues and same version (4.19.5) is
> working without any issues. However, the 3 new servers, we observe
> that authentication or DNS queries or all other operations are
> working fine, except the below issue:
>
> "Mar 04 13:46:42 dc5.xxxxxx.com smbd[97680]: [2025/03/04
> 13:46:42.911111, 0]
> ../../source3/smbd/smb2_service.c:120(chdir_current_service)
> Mar 04 13:46:42 dc5.xxxxxx.com smbd[97680]: chdir_current_service:
> vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission
> denied. Current tok>
> Mar 04 13:46:42 dc5.xxxxxx.com smbd[97680]: [2025/03/04
> 13:46:42.914143, 0]
> ../../source3/smbd/smb2_service.c:120(chdir_current_service)
> Mar 04 13:46:42 dc5.xxxxxx.com smbd[97680]: chdir_current_service:
> vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission
> denied. Current tok>"
>
> The folder idmap.ldb is copied from the server holding the PDC
> Emulator FSMO role. The folder /usr/local/samba/var/locks/sysvol has
> the same permissions - root:3000000 and 770, as in all other
> servers. On the host, selinux is disabled.
>
> smb.conf:
>
> # Global parameters
> [global]
>     netbios name = dc6
>     realm = xxxxxxx.COM
>     server role = active directory domain controller
>     workgroup = xxxxxxx
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dns, dnsupdate
>     workgroup = xxxxxxxx
>     idmap_ldb:use rfc2307 = yes
>     ldap server require strong auth = No
>     allow dns updates = nonsecure
>     tls priority = NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2
>     log level = 1 auth_audit:0 auth_json_audit:3 dsdb_json_audit:5
>     log file = /var/log/samba/dc6.log
>     max log size = 1000000000
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/xxxxxxx.com/scripts
>     read only = No
>
> Above error is filling up our logs rapidly. We look forward for
> help & guidance from the community to fix this error.
>
> Thanks & regards,
> Raghav
After unpicking the above mess, I find that you have 'workgroup' twice,
now that might not be a problem (last one wins) except that they might
be different, you have sanitised the workgroup name with 'x's and the
last workgroup has one more 'x', is this a typo or are they different ?
I know you have copied idmap.ldb, but did you follow the instructions
from here:
https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)
Rowland
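
The duplicate-parameter check done by eye in the reply above can be scripted. This is an added example, not part of the original thread and not Samba tooling; the function names and the sample text (constructed, modelled on the sanitised smb.conf quoted in the post) are assumptions, and parameter synonyms are not resolved.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the sanitised smb.conf quoted in the post.
SAMPLE_CONF = """\
# Global parameters
[global]
    netbios name = dc6
    workgroup = xxxxxxx
    server services = s3fs, rpc, nbt
    workgroup = xxxxxxxx
[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
[netlogon]
    path = /usr/local/samba/var/locks/sysvol/xxxxxxx.com/scripts
    read only = No
"""

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def find_duplicates(text):
    """Return {(section, param): [(line_no, value), ...]} for every
    parameter that is set more than once within one section."""
    seen = defaultdict(list)
    section = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)
            seen[(section, _norm(name))].append((line_no, value.strip()))
    return {k: v for k, v in seen.items() if len(v) > 1}

def report(text):
    """One line per duplicate; CONFLICT when the values differ."""
    out = []
    for (section, param), hits in sorted(find_duplicates(text).items()):
        kind = "CONFLICT" if len({v for _, v in hits}) > 1 else "repeat"
        where = ", ".join(f"line {n}: {v!r}" for n, v in hits)
        # "Last one wins", as stated in the reply above.
        out.append(f"{kind} [{section}] {param}: {where} (last: {hits[-1][1]!r})")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF)))
```

The same `read only` and `path` names in `[sysvol]` and `[netlogon]` are not reported, because duplicates are only tracked within a single section.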