[Samba] ADC 4.7.0 KCC replication failing with PDC 4.6.8




Hi

I have created a new DC on Ubuntu 16.04 with the latest SerNet Samba
4.7.0 package. After joining it to the PDC running the 4.6.8 package, I backed up
the idmap.ldb file and copied it to the new DC. When I run the samba-tool
ntacl sysvolreset command on the new DC to replicate GID mappings, it fails
with the error below:

open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

Also on the PDC the INBOUND KCC is failing from the new DC:

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=iumnet,DC=edu,DC=na
        Default-First-Site-Name\IUMSVRPDC via RPC
                DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
                Last attempt @ Fri Oct 27 16:03:15 2017 WAST failed, result 1225 (WERR_CONNECTION_REFUSED)
                28 consecutive failure(s).
                Last success @ NTTIME(0)

Here is the smb.conf from both the servers:

*PDC*
# Global parameters
[global]
        workgroup = IUMNET
        realm = IUMNET.EDU.NA
        netbios name = IUMDCDP01
        server role = active directory domain controller
        dns forwarder = 172.16.10.254
        domain master = yes
        preferred master = yes
        server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
        password server = 172.16.10.5
        allow dns updates = nonsecure and secure
#       lanman auth = Yes
#       client lanman auth = Yes
        ntlm auth = yes
        client use spnego = no
        client ldap sasl wrapping = sign
#       ldap ssl ads = yes
#       ldap ssl = start tls
        ldap server require strong auth = no
#       wins server = iumnet.edu.na
#       wins support = Yes
        time server = Yes
        template shell = /bin/bash
        template homedir = /home/%U
        idmap config * : backend = tdb
        idmap config *:range = 50000-1000000
        full_audit:prefix = %u|%I|%m|%S
        full_audit:failure = connect
        full_audit:success = connect disconnect

*ADC new DC*
# Global parameters
[global]
        netbios name = IUMSVRPDC
        realm = IUMNET.EDU.NA
        workgroup = IUMNET
        server role = active directory domain controller
        dns forwarder = 172.16.10.254
        server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
        allow dns updates = nonsecure and secure
        ntlm auth = yes
        ldap server require strong auth = no
        time server = Yes
        template shell = /bin/bash
        template homedir = /home/%U
        idmap config * : backend = tdb
        idmap config *:range = 50000-1000000
        full_audit:prefix = %u|%I|%m|%S
        full_audit:failure = connect
        full_audit:success = connect disconnect

The purpose of creating the new DC is to transfer the FSMO roles from the current PDC,
which is running on old Ubuntu 12.04, and shut it down. Please assist in
resolving the problem.

Thanks n Regards

Harsh Kukreja
Systems Administrator
International University of Namibia
Tel: 061-4336000 - E-mail: h.kukreja@ium.edu.na - Web: http://www.ium.edu.na
Private Bag 14005, Bachbrech. 21-31 Hercules Street, Dorado Park, Windhoek, NAMIBIA