
Re: [Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
Hi Rowland!

No, I haven't synced my SysVol yet. I was following the official tutorial here, https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory. This tutorial appears to suggest that idmap.ldb files should be synchronised first prior to setting up any rsync SysVol synchronisation.

Thanks
Stephen

On 26/03/2019 10:59, Rowland Penny via samba wrote:
On Tue, 26 Mar 2019 10:49:38 +0000
Stephen via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi everyone, I have two AD DCs that I am experimenting with,
hostnames ad1 and ad2 respectively. I am using Raspberry Pi hardware,
and accordingly I am using Samba 4.5.16-Debian on Raspbian Linux.
I have already had some success so far setting up a second AD DC,
ad2, and joining this to my existing Active Directory domain SAMDOM.
I have already verified that I can create new user accounts on both
ad1 and ad2, and have confirmed that these are replicated on the
other DC server as would be expected. So far so good!

The next stage in setting up my secondary backup DC is ensuring
SysVol replication across both DCs via rsync, to make sure Group
Policy objects replicate correctly. As a preliminary step to
achieving this, I am first attempting to manually synchronise the
idmap.ldb files on both my DCs to unify the group and user IDs. This
step is suggested in the official samba tutorial here:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
(within the section 'Built-in User & Group ID Mappings').

I am currently achieving the replication of the idmap.ldb file suggested by
the tutorial by executing the following bash script snippet on my ad2
server:

IDMAP_PATH=/var/lib/samba/private/idmap.ldb
# On ad1: take a consistent copy of idmap.ldb with tdbbackup, hand the copy to the pi user, push it to ad2, then remove it
ssh -t pi@$IP_ADDRESS_AD1 "sudo tdbbackup -s .bak $IDMAP_PATH; sudo chown pi $IDMAP_PATH.bak; scp $IDMAP_PATH.bak pi@$IP_ADDRESS_AD2:/home/pi/idmap.ldb.bak && rm $IDMAP_PATH.bak;"
# On ad2: install the copy as the live idmap.ldb, give it back to root, then reset the SysVol ACLs
sudo mv ~/idmap.ldb.bak /var/lib/samba/private/idmap.ldb
sudo chown root /var/lib/samba/private/idmap.ldb
sudo samba-tool ntacl sysvolreset

pi@ad2:~ $ sudo samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

Can anyone suggest a solution? I have included my smb.conf for ad2
below for additional scrutiny.

I will ask you the same question that I asked someone a few days ago,
have you synced Sysvol to the new DC ?

Rowland


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
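The traceback in the thread shows why Rowland's question matters: sysvolreset (provision.set_gpos_acl) walks the GPOs recorded in AD and calls setntacl on each GPO's directory under SysVol, so on a DC whose SysVol has not been copied yet the open() of the first missing GPO directory fails with error=2. The script below is an added example, not code from the thread, from the Samba wiki or from the Samba project: it checks the two prerequisites on the new DC (idmap.ldb in place as root with mode 600, and the default GPO directories present under SysVol) before running sysvolreset, and shows an rsync invocation that carries the NT ACL xattrs along. Assumed for the example: Debian package paths (/var/lib/samba/...), root ssh access from the new DC to the existing one, and a domain DNS name supplied by the caller; the function names are the example's own.

```shell
#!/bin/bash
# Added example (not from the thread or the Samba project): pre-flight checks
# for a freshly joined DC before 'samba-tool ntacl sysvolreset'.
#
# Assumptions: Debian-style paths, root ssh from the new DC to the existing
# DC, and the domain DNS name passed in by the caller.

# GPO GUIDs present in every AD domain: Default Domain Policy and
# Default Domain Controllers Policy. If their directories are missing,
# SysVol has not been synced and sysvolreset will fail with error=2.
DEFAULT_GPOS='{31B2F340-016D-11D2-945F-00C04FB984F9} {6AC1786C-016F-11D2-945F-00C04fB984F9}'

# check_sysvol_present SYSVOL_ROOT DNS_DOMAIN
# Returns 0 when both default GPO directories exist, 1 otherwise (naming them).
check_sysvol_present() {
    local sysvol="$1" dnsdomain="$2" missing=0 g
    for g in $DEFAULT_GPOS; do
        if [ ! -d "$sysvol/$dnsdomain/Policies/$g" ]; then
            echo "missing GPO directory: $sysvol/$dnsdomain/Policies/$g" >&2
            missing=1
        fi
    done
    return "$missing"
}

# check_idmap_perms IDMAP_LDB [OWNER]
# idmap.ldb is the SID <-> Unix ID table that decides which local IDs get
# Domain Admins' rights on SysVol files. It must be mode 600 and owned by
# root (OWNER defaults to root; overridable so the check can be exercised
# without root).
check_idmap_perms() {
    local f="$1" want_owner="${2:-root}" owner mode
    if [ ! -f "$f" ]; then
        echo "no such file: $f" >&2
        return 1
    fi
    owner=$(stat -c '%U' "$f")
    mode=$(stat -c '%a' "$f")
    if [ "$owner" != "$want_owner" ] || [ "$mode" != "600" ]; then
        echo "bad ownership/mode on $f: $owner $mode (want $want_owner 600)" >&2
        return 1
    fi
    return 0
}

# sysvol_rsync_cmd SRC_DC SYSVOL_PATH
# Prints the rsync command for the first copy. -X carries the security.NTACL
# xattr in which Samba stores the NT ACL, -A the POSIX ACLs; reading a
# security.* xattr requires root on the source, which is why an unprivileged
# scp of the tree would silently drop the ACLs.
sysvol_rsync_cmd() {
    printf 'rsync -XAavz --delete-after -e ssh root@%s:%s/ %s/\n' "$1" "$2" "$2"
}

# prepare_new_dc SRC_DC SYSVOL_PATH DNS_DOMAIN
# Full sequence for the new DC, run as root after idmap.ldb has been copied
# into place. Not invoked here; run by hand, e.g.
#   prepare_new_dc ad1 /var/lib/samba/sysvol samdom.example.com
prepare_new_dc() {
    local src_dc="$1" sysvol="$2" dnsdomain="$3"
    check_idmap_perms /var/lib/samba/private/idmap.ldb root || return 1
    net cache flush    # drop cached SID <-> xid lookups made with the old idmap.ldb
    eval "$(sysvol_rsync_cmd "$src_dc" "$sysvol")" || return 1
    check_sysvol_present "$sysvol" "$dnsdomain" || return 1
    samba-tool ntacl sysvolreset
}
```

The order is the point: idmap.ldb first (so the Unix IDs that sysvolreset writes into the ACLs are the same ones ad1 uses), then the SysVol copy, then sysvolreset. Running sysvolreset on an empty SysVol produces exactly the open: error=2 seen above.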