
[Samba] Error running samba-tool dbtool --reset-well-known-acls


Achim Gottinger

Jul 28, 2013, 10:20:02 AM
Hi,

I updated my two Samba DCs from 4.0.3 to sernet 4.0.7. Both servers run
Debian wheezy and the AD was created at the beginning of the year with
a classic upgrade to version 4.0.0.
Recent release notes do not provide information about required upgrade
tasks, so I ran
samba-tool dbcheck --reset-well-known-acls. On the first DC it found a
few errors about missing members in computer groups, which were fixable
with samba-tool dbcheck --reset-well-known-acls --fix.
On my second DC, however, one issue remains.

>samba-tool dbcheck --reset-well-known-acls
Checking 336 objects
Not fixing nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain
Controllers,DC=domain,DC=local
Please use --fix to fix these errors
Checked 336 objects (1 errors)

>samba-tool dbcheck --reset-well-known-acls --fix
Checking 336 objects
Fix nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain
Controllers,DC=domain,DC=local? [y/N/all/none] y
Failed to fix attribute nTSecurityDescriptor : (65, "objectclass_attrs:
at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID
Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local' wasn't specified!")
Checked 336 objects (1 errors)


This is the global section of my smb.conf on DC1. Only netbios name and
dns forwarder are different on DC2.


# Global parameters
[global]
workgroup = DOMAIN
realm = domain.local
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.200.200
idmap_ldb:use rfc2307 = yes
log level = 1
strict allocate = yes
acl:read=false
template shell = /bin/bash
wins support = Yes
deadtime = 10
socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 TCP_KEEPINTVL=10 TCP_KEEPCNT=5
ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no
map hidden = no

I connected to both DC's with ADSI and checked rIDNextRID

DC1:
CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local => 6247
CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local => 0

DC2:
CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local => not defined (German: "Nicht Festgelegt")
CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local => 6714

Unfortunately I was not able to change that attribute from undefined to
0 on DC2. I want to avoid editing ldb files by guess, so I'd appreciate
suggestions.

Thanks in advance
achim~





Achim Gottinger

Aug 2, 2013, 12:10:01 PM
Hi again,
So far this error does not seem to cause any trouble in the domain. DC1
is my RID master.
When I try to move the RID role to DC2 I get the following error:

samba-tool fsmo seize --role=rid
Attempting transfer...
FSMO transfer of 'rid' role successful
ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify
message must have elements/attributes!

Afterwards the role is assigned to DC2 in samba-tool fsmo show.
I get the same error when I try to move the role back to DC1.

Does anyone have a clue what is going wrong here?

Thanks in advance,
Achim

Achim Gottinger

Aug 2, 2013, 12:20:01 PM
OK, seize was not a good choice; tried
samba-tool fsmo transfer --role=rid instead, which works without errors,
but it does not fix the rIDNextRID issue.

Andrew Bartlett

Aug 5, 2013, 1:00:02 AM
The attached patch should resolve this issue. Let me know if it helps.

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz

0001-dsdb-Allow-dbcheck-to-modify-objects-missing-require.patch

Achim Gottinger

Aug 5, 2013, 5:00:01 PM
On 05.08.2013 06:52, Andrew Bartlett wrote:
Thank you very much. I applied the patch to the sernet-samba 4.0.8 sources and
deployed packages; now
samba-tool dbcheck reported an error but did not break. Afterwards
samba-tool dbcheck --fix also managed to fix the RID issue.

Achim Gottinger

> The attached patch should resolve this issue. Let me know if it helps.
>
> Thanks,
>
> Andrew Bartlett
>
