
[Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs

Hi everyone, I have two AD DCs that I am experimenting with, hostnames ad1 and ad2 respectively. I am using Raspberry Pi hardware, and accordingly I am using Samba 4.5.16-Debian on Raspbian Linux. I have already had some success so far setting up a second AD DC, ad2, and joining this to my existing Active Directory domain SAMDOM. I have already verified that I can create new user accounts on both ad1 and ad2, and have confirmed that these are replicated on the other DC server as would be expected. So far so good!

The next stage in setting up my secondary backup DC is ensuring SysVol replication across both DCs via rsync, to make sure Group Policy objects replicate correctly. As a preliminary step to achieving this, I am first attempting to manually synchronise the idmap.ldb files on both my DCs to unify the group and user IDs. This step is suggested in the official samba tutorial here: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory (within the section 'Built-in User & Group ID Mappings').

I am currently achieving replication of the idmap.ldb file, as suggested by the tutorial, by executing the following bash script snippet on my ad2 server:

ssh -t pi@$IP_ADDRESS_AD1 "sudo tdbbackup -s .bak $IDMAP_PATH; sudo chown pi $IDMAP_PATH.bak; scp $IDMAP_PATH.bak pi@$IP_ADDRESS_AD2:/home/pi/idmap.ldb.bak && rm $IDMAP_PATH.bak;"
sudo mv ~/idmap.ldb.bak /var/lib/samba/private/idmap.ldb
sudo chown root /var/lib/samba/private/idmap.ldb
sudo samba-tool ntacl sysvolreset

As far as I can tell this is correctly replicating the steps in the described tutorial. To demonstrate that idmap.ldb is updated on ad2 I include the output of the ls command below. Hopefully this demonstrates to everyone here that idmap.ldb has updated as expected. Please verify that the permissions are set correctly and that the date has changed to reflect the file modification.

pi@ad2:~ $ ls -al /var/lib/samba/private
total 10124
drwxr-xr-x 7 root root    4096 Mar 26 10:35 .
drwxr-xr-x 8 root root    4096 Mar 26 10:09 ..
-rw------- 1 root root    2069 Mar 25 16:43 dns_update_cache
-rw-r--r-- 1 root root    3663 Mar 25 16:42 dns_update_list
-rw------- 1 root root 1286144 Mar 25 16:42 hklm.ldb
-rw------- 1 root pi     61440 Mar 26 09:57 idmap.ldb
-rw-r--r-- 1 root root      99 Mar 25 16:42 krb5.conf
srwxrwxrwx 1 root root       0 Mar 26 10:09 ldapi
drwxr-x--- 2 root root    4096 Mar 26 10:09 ldap_priv
drwx------ 2 root root    4096 Mar 26 10:34 msg.sock
-r--r--r-- 1 root root     300 Mar 25 16:43 named.conf.update
-rw------- 1 root root     696 Mar 26 10:09 netlogon_creds_cli.tdb
-rw------- 1 root root  421888 Mar 25 16:42 passdb.tdb
-rw------- 1 root root 1286144 Mar 25 16:42 privilege.ldb
-rw------- 1 root root 4247552 Mar 25 16:43 sam.ldb
drwx------ 2 root root    4096 Mar 25 16:43 sam.ldb.d
-rw------- 1 root root     696 Mar 26 10:08 schannel_store.tdb
-rw------- 1 root root    1182 Mar 25 16:43 secrets.keytab
-rw------- 1 root root 1286144 Mar 25 16:43 secrets.ldb
-rw------- 1 root root  430080 Mar 25 16:43 secrets.tdb
-rw------- 1 root root 1286144 Mar 25 16:42 share.ldb
drwxr-xr-x 2 root root    4096 Mar 25 16:43 smbd.tmp
-rw-r--r-- 1 root root     955 Mar 25 16:42 spn_update_list
drwx------ 2 root root    4096 Mar 25 16:44 tls

The problem I am having occurs when I attempt to perform the final sysvolreset step suggested in the tutorial and included in my script snippet previously. When I try this I get an unexpected error which I have no idea how to fix.

pi@ad2:~ $ sudo samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

Can anyone suggest a solution? I have included my smb.conf for ad2 below for additional scrutiny.

pi@ad2:~ $ cat /etc/samba/smb.conf
# Global parameters
[global]
        netbios name = AD2
        realm = SAMDOM.EXAMPLE.COM
        workgroup = SAMDOM
        dns forwarder =
        server role = active directory domain controller
        idmap_ldb:use rfc2307  = yes

[netlogon]
        path = /var/lib/samba/sysvol/samdom.example.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Kind Regards
Stephen Ellwood
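A checked version of the manual idmap.ldb copy described in the post, added here as an example; it is not Stephen's script and not code from the Samba wiki. It assumes the same paths and the 'pi' account used above, and AD1 is a hypothetical hostname variable; the snapshot is taken with tdbbackup (never the live file), the copy is refused unless it carries the TDB magic header, ad2's current idmap.ldb is kept as a dated backup, and the installed file is verified by digest and set to root:root 0600 before sysvolreset runs.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the post or the Samba project).
set -e

IDMAP=/var/lib/samba/private/idmap.ldb
AD1=${AD1:-ad1}   # hostname or IP of the source DC (assumption)

# A TDB-backed ldb file starts with the literal magic "TDB file\n".
tdb_magic_ok() {
    [ "$(head -c 8 "$1" 2>/dev/null)" = "TDB file" ]
}

# Compare two files by SHA-256 so the installed copy is byte-identical.
same_digest() {
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$a" = "$b" ]
}

# fetch_from_ad1 LOCALCOPY: take a locked, consistent snapshot on ad1 with
# tdbbackup, pull it over scp into LOCALCOPY, then remove it from ad1.
fetch_from_ad1() {
    ssh -t "pi@$AD1" "sudo tdbbackup -s .bak $IDMAP && sudo chown pi $IDMAP.bak"
    scp "pi@$AD1:$IDMAP.bak" "$1"
    ssh "pi@$AD1" "rm -f $IDMAP.bak"
}

# install_idmap COPY [DEST]: refuse non-TDB input, keep a dated backup of the
# current DEST, install COPY as mode 0600 (root:root when run as root), verify.
install_idmap() {
    copy=$1; dest=${2:-$IDMAP}
    tdb_magic_ok "$copy" || { echo "refusing: $copy is not a TDB file" >&2; return 1; }
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.$(date +%Y%m%d%H%M%S).orig"
    fi
    if [ "$(id -u)" -eq 0 ]; then
        install -m 0600 -o root -g root "$copy" "$dest"
    else
        install -m 0600 "$copy" "$dest"
    fi
    same_digest "$copy" "$dest"
}

main() {
    tmp=$(mktemp)
    fetch_from_ad1 "$tmp"
    install_idmap "$tmp"
    rm -f "$tmp"
    samba-tool ntacl sysvolreset
}

case "${1-}" in run) main ;; esac   # invoke as: sudo sh sync-idmap.sh run
```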
