Thought I'd come back and update our status on this. Dolanj00's suggested script fix was spot on to correct the ad-migrate script (giving it the target language/engine to use).
I ended up disabling the AD service on the Windows 2008 server and adding a second Zentyal system ("pluto") as a BDC. This has stabilised most of the authentication issues we had experienced, but it is by no means a fully resolved situation, as some Windows server-based authentication processes will still fail.
The two problem areas I've discovered so far have been;
- Trying to launch a Hyper-V machine console (from the Hyper-V admin window on my local PC) will fail to authenticate the user login for the connection, even with the domain administrator credentials. Launching the Hyper-V virtual console directly on the Hyper-V host (via an RDP session) does still work.
- Launching Visual Studio with a project that is under Team Foundation Services (TFS) source code control. The TFS server (a Windows 2008 server) fails to authenticate my domain credentials - yet it manages to "see" enough to be able to lock my account if I keep trying .
Weirdly, using Remote Desktop (RDP) from my PC to the Hyper-V VM's still works fine (thankfully).
Looking at the Windows server error logs, the Hyper-V issue seem to relate to the Group Policy folders not being present in the Zentyal version of the Sysvol path - that is, \\[domain]\pdc\[domain]\sysvol\Policies (actual error Event ID 1096). Some folks suggested setting a local machine policy to override the domain policy to allow the supplied credentials to work - but when trying to apply the change using "gpupdate /force", the system errors out reporting the lack of the sysvol policy folder (which seems a rather circular problem).
I managed to get a copy of the Policies folder and it's content (GUID-named sub-folders) from the Windows server ("neptune"), but I cannot copy these to the Zentyal sysvol area - the system tells me I don't have permission (I've got domain admins membership). This permission setting may be by intentional design of how sysvol operates, but I don't know.
I have recently found several other Zentyal forum posts that touch on the same "sysvol" issue, dating back a few years - so this is (sadly) not a new problem:
https://forum.zentyal.org/index.php?topic=22923.0 (The noted summary in this matches almost exactly with the start of the issues I observed on our systems)
https://forum.zentyal.org/index.php?topic=30507.0https://forum.zentyal.org/index.php/topic,23116.msg89031.html#msg89031Following some of the suggested tests/resolution steps posted by Zentyal staff in the last linked page, the samba-tools are returning python script errors.
On the PDC ("titan"), command:
sudo samba-tool ntacl sysvolcheck
Gives the following (note the "ERROR" after opening the idmap data file):
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[homes]"
Processing section "[IT]"
Processing section "[ScanArchive]"
Processing section "[COPEDocs]"
Processing section "[MedicallyConfidential]"
Processing section "[Public]"
Processing section "[WPT]"
Processing section "[HP_Scans]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (61, 'No data available')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
lp)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1714, in checksysvolacl
fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 81, in getntacl
xattr.XATTR_NTACL_NAME)
Checking replication status - and I expect the Neptune server synch to fail as I've turned off the AD service on it:
sudo samba-tool drs showrepl
Gives:
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:titan.copeohs.com[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name titan.copeohs.com<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name titan.copeohs.com<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name titan.copeohs.com<0x20>
HeadOffice\TITAN
DSA Options: 0x00000001
DSA object GUID: 5f9f0c17-282e-47b2-ac00-40edb9d29b74
DSA invocationId: 87a25fb1-187b-48dd-b885-a2fd93d8e6ee
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=copeohs,DC=com
HeadOffice\NEPTUNE via RPC
DSA object GUID: 24e8a117-37b2-4146-9474-da7c45278313
Last attempt @ Wed Sep 20 11:40:29 2017 BST failed, result 1234 (WERR_PORT_UNREACHABLE)
5514 consecutive failure(s).
Last success @ Fri Sep 1 08:11:45 2017 BST
DC=DomainDnsZones,DC=copeohs,DC=com
HeadOffice\PLUTO via RPC
DSA object GUID: ac19e956-ee12-4a4c-943d-3b0883f33c74
Last attempt @ Wed Sep 20 11:40:29 2017 BST was successful
0 consecutive failure(s).
Last success @ Wed Sep 20 11:40:29 2017 BST
CN=Configuration,DC=copeohs,DC=com
HeadOffice\NEPTUNE via RPC
DSA object GUID: 24e8a117-37b2-4146-9474-da7c45278313
Last attempt @ Wed Sep 20 11:40:29 2017 BST failed, result 1234 (WERR_PORT_UNREACHABLE)
5515 consecutive failure(s).
Last success @ Fri Sep 1 08:11:45 2017 BST
CN=Configuration,DC=copeohs,DC=com
HeadOffice\PLUTO via RPC
DSA object GUID: ac19e956-ee12-4a4c-943d-3b0883f33c74
Last attempt @ Wed Sep 20 11:40:29 2017 BST was successful
0 consecutive failure(s).
Last success @ Wed Sep 20 11:40:29 2017 BST
CN=Schema,CN=Configuration,DC=copeohs,DC=com
HeadOffice\NEPTUNE via RPC
DSA object GUID: 24e8a117-37b2-4146-9474-da7c45278313
Last attempt @ Wed Sep 20 11:40:29 2017 BST failed, result 1234 (WERR_PORT_UNREACHABLE)
5514 consecutive failure(s).
Last success @ Fri Sep 1 08:11:45 2017 BST
CN=Schema,CN=Configuration,DC=copeohs,DC=com
HeadOffice\PLUTO via RPC
DSA object GUID: ac19e956-ee12-4a4c-943d-3b0883f33c74
Last attempt @ Wed Sep 20 11:40:29 2017 BST was successful
0 consecutive failure(s).
Last success @ Wed Sep 20 11:40:29 2017 BST
DC=ForestDnsZones,DC=copeohs,DC=com
HeadOffice\NEPTUNE via RPC
DSA object GUID: 24e8a117-37b2-4146-9474-da7c45278313
Last attempt @ Wed Sep 20 11:40:29 2017 BST failed, result 1234 (WERR_PORT_UNREACHABLE)
5514 consecutive failure(s).
Last success @ Fri Sep 1 08:11:45 2017 BST
DC=ForestDnsZones,DC=copeohs,DC=com
HeadOffice\PLUTO via RPC
DSA object GUID: ac19e956-ee12-4a4c-943d-3b0883f33c74
Last attempt @ Wed Sep 20 11:40:29 2017 BST was successful
0 consecutive failure(s).
Last success @ Wed Sep 20 11:40:29 2017 BST
DC=copeohs,DC=com
HeadOffice\NEPTUNE via RPC
DSA object GUID: 24e8a117-37b2-4146-9474-da7c45278313
Last attempt @ Wed Sep 20 11:40:30 2017 BST failed, result 1234 (WERR_PORT_UNREACHABLE)
5513 consecutive failure(s).
Last success @ Fri Sep 1 08:12:56 2017 BST
DC=copeohs,DC=com
HeadOffice\PLUTO via RPC
DSA object GUID: ac19e956-ee12-4a4c-943d-3b0883f33c74
Last attempt @ Wed Sep 20 11:40:30 2017 BST was successful
0 consecutive failure(s).
Last success @ Wed Sep 20 11:40:30 2017 BST
==== OUTBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=copeohs,DC=com
HeadOffice\PLUTO via RPC
DSA object GUID: ac19e956-ee12-4a4c-943d-3b0883f33c74
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=copeohs,DC=com
HeadOffice\PLUTO via RPC
DSA object GUID: ac19e956-ee12-4a4c-943d-3b0883f33c74
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=copeohs,DC=com
HeadOffice\PLUTO via RPC
DSA object GUID: ac19e956-ee12-4a4c-943d-3b0883f33c74
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=copeohs,DC=com
HeadOffice\PLUTO via RPC
DSA object GUID: ac19e956-ee12-4a4c-943d-3b0883f33c74
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=copeohs,DC=com
HeadOffice\PLUTO via RPC
DSA object GUID: ac19e956-ee12-4a4c-943d-3b0883f33c74
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 6f8dd7a5-2ad2-4354-a5a9-099fd08bf301
Enabled : TRUE
Server DNS name : pluto.copeohs.com
Server DN name : CN=NTDS Settings,CN=PLUTO,CN=Servers,CN=HeadOffice,CN=Sites,CN=Configuration,DC=copeohs,DC=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: f3671125-06e5-464f-8cd3-57313e483a20
Enabled : TRUE
Server DNS name : Neptune.copeohs.com
Server DN name : CN=NTDS Settings,CN=NEPTUNE,CN=Servers,CN=HeadOffice,CN=Sites,CN=Configuration,DC=copeohs,DC=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
I have not yet been brave enough to try the
samba-tools ntacl sysvolreset command.
Additionally, I have tried to run DCPROMO on neptune to demote it - but due to the status it thinks its under (FSMO master but not verified - which I couldn't even correct by forced seizing) this fails. Trying to delete it from the Windows domain admin tools fails with a "script not present" error.
Would greatly appreciate feedback on what I should try next....
EDITFound another posted thread
https://forum.zentyal.org/index.php?topic=23892.0 where the Group Policy problem was mentioned again...
This also mentioned running the sysvolreset samba command, so I have now tried this - but again there are Python script errors reported (scroll to bottom of output for this):
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[homes]"
Processing section "[IT]"
Processing section "[ScanArchive]"
Processing section "[COPEDocs]"
Processing section "[MedicallyConfidential]"
Processing section "[Public]"
Processing section "[WPT]"
Processing section "[HP_Scans]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
lp_load_ex: refreshing parameters
Processing section "[global]"
Processing section "[homes]"
Processing section "[IT]"
Processing section "[ScanArchive]"
Processing section "[COPEDocs]"
Processing section "[MedicallyConfidential]"
Processing section "[Public]"
Processing section "[WPT]"
Processing section "[HP_Scans]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Module 'acl_xattr' loaded
Initialising custom vfs hooks from [dfs_samba4]
Module 'dfs_samba4' loaded
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
lp_load_ex: refreshing parameters
Processing section "[global]"
Processing section "[homes]"
Processing section "[IT]"
Processing section "[ScanArchive]"
Processing section "[COPEDocs]"
Processing section "[MedicallyConfidential]"
Processing section "[Public]"
Processing section "[WPT]"
Processing section "[HP_Scans]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
ldb_wrap open of idmap.ldb
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 4
set_nt_acl: chown /var/lib/samba/sysvol. uid = 0, gid = 4.
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 4
set_nt_acl: chown /var/lib/samba/sysvol/copeohs.com/scripts. uid = 0, gid = 4.
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 4
set_nt_acl: chown /var/lib/samba/sysvol/copeohs.com. uid = 0, gid = 4.
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
lp, use_ntvfs=use_ntvfs)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)