Web lists-archives.com

Re: [Samba] ADC 4.7.0 KCC replication failing with PDC 4.6.8




On Fri, 27 Oct 2017 16:28:40 +0200
Harsh Kukreja via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi
> 
> I have created a new DC on the Ubuntu 16.04 with the latest sernet
> samba 4.7.0 package. After joining to the PDC running 4.6.8 package I
> backed up the idmap.ldb file and copied to the new DC. When I run the
> samba-tool ntacl sysvolreset command on the new DC to replicate GID
> Mappings it fails with the below error:
> 
> open: error=2 (No such file or directory) ERROR(runtime): uncaught
> exception - (-1073741823, '{Operation Failed} The requested operation
> was unsuccessful.') File
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 176, in _run return self.run(*args, **kwargs) File
> "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239,
> in run lp, use_ntvfs=use_ntvfs) File
> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid,
> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) File
> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True,
> passdb=passdb, service=SYSVOL_SERVICE) File
> "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in
> setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER |
> security.SECINFO_GROUP | security.SECINFO_DACL |
> security.SECINFO_SACL, sd, service=service)

Have you any GPOs other than the default ones ?
 
> 
> Also on the PDC the INBOUND KCC is failing from the new DC:

You do not have a PDC, you have a DC.

> ==== INBOUND NEIGHBORS ====
> 
> CN=Schema,CN=Configuration,DC=iumnet,DC=edu,DC=na
>         Default-First-Site-Name\IUMSVRPDC via RPC
>                 DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
>                 Last attempt @ Fri Oct 27 16:03:15 2017 WAST failed,
> result 1225 (WERR_CONNECTION_REFUSED)
>                 28 consecutive failure(s).
>                 Last success @ NTTIME(0)
> Here is the smb.conf from both the servers:
> 
> *PDC*

Did I mention you do not have a PDC ? :-)

> # Global parameters
> [global]
>         workgroup = IUMNET
>         realm = IUMNET.EDU.NA
>         netbios name = IUMDCDP01
>         server role = active directory domain controller
>         dns forwarder = 172.16.10.254
>         domain master = yes
>         preferred master = yes
>         server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
>         password server = 172.16.10.5
>         allow dns updates = nonsecure and secure
> #       lanman auth = Yes
> #       client lanman auth = Yes
>         ntlm auth = yes
>         client use spnego = no
>         client ldap sasl wrapping = sign
> #       ldap ssl ads = yes
> #       ldap ssl = start tls
>         ldap server require strong auth = no
> #       wins server = iumnet.edu.na
> #       wins support = Yes
>         time server = Yes
>         template shell = /bin/bash
>         template homedir = /home/%U
>         idmap config * : backend = tdb
>         idmap config *:range = 50000-1000000
>         full_audit:prefix = %u|%I|%m|%S
>         full_audit:failure = connect
>         full_audit:success = connect disconnect
> 
> *ADC new DC*
> # Global parameters
> [global]
>         netbios name = IUMSVRPDC
>         realm = IUMNET.EDU.NA
>         workgroup = IUMNET
>         server role = active directory domain controller
>         dns forwarder = 172.16.10.254
>         server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap

You should remove the above line, you definitely do not need it.

>         allow dns updates = nonsecure and secure
>         ntlm auth = yes
>         ldap server require strong auth = no
>         time server = Yes
>         template shell = /bin/bash
>         template homedir = /home/%U
>         idmap config * : backend = tdb
>         idmap config *:range = 50000-1000000

Remove the above two line, they have no place on a DC.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba