Ubuntu14.04+Samba4.1.6 в качестве Backup DC (BDC)

[YOreG]

 Сделал по HOWTO (https://help.ubuntu.ru/wiki/samba4_as_dc_14.04) PDC, все работает, функционал удовлетворяет требованиям.
Но озадачился поднятием Backup DC и столкнулся с проблемой репликации групповых политик. На сколько мне известно их репликация происходит не по расписанию,  а при появлении новых. Новые создаю, репликация не происходит.
Возникает вопрос как проверить репликацию.

Вывод команды samba-tool drs showrepl на PDC

Код: [Выделить]

root@ubuntu:/home/yoreg# samba-tool drs showrepl
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:ubuntu.samba.loc[,seal]
Default-First-Site-Name\UBUNTU
DSA Options: 0x00000001
DSA object GUID: 5dc0559b-d4a3-4207-9620-6b8d2a210088
DSA invocationId: bc40ed18-32a9-4142-963c-ec67b045ab4c

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Thu Sep 25 15:29:01 2014 MSK failed, result 2 (WERR_BADFILE)
                72 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Thu Sep 25 15:29:01 2014 MSK failed, result 2 (WERR_BADFILE)
                72 consecutive failure(s).
                Last success @ NTTIME(0)

DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Thu Sep 25 15:29:01 2014 MSK failed, result 2 (WERR_BADFILE)
                72 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Thu Sep 25 15:29:01 2014 MSK failed, result 2 (WERR_BADFILE)
                72 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Thu Sep 25 15:29:01 2014 MSK failed, result 2 (WERR_BADFILE)
                72 consecutive failure(s).
                Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Thu Sep 25 15:32:18 2014 MSK failed, result 2 (WERR_BADFILE)
                1583 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Thu Sep 25 15:32:18 2014 MSK failed, result 2 (WERR_BADFILE)
                1583 consecutive failure(s).
                Last success @ NTTIME(0)

DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Thu Sep 25 15:32:18 2014 MSK failed, result 2 (WERR_BADFILE)
                1582 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Thu Sep 25 15:32:18 2014 MSK failed, result 2 (WERR_BADFILE)
                1582 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Thu Sep 25 15:32:18 2014 MSK failed, result 2 (WERR_BADFILE)
                1581 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 16334b7a-4620-4f4e-8ec2-ced04d84dcef
        Enabled        : TRUE
        Server DNS name : UBUNTUR.samba.loc
        Server DN name  : CN=NTDS Settings,CN=UBUNTUR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=loc
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
Та же команда на BDC

Код: [Выделить]

root@ubuntur:/home/yoreg#  samba-tool drs showrepl
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:ubuntur.samba.loc[,seal]
Server ldap/UBUNTUR.SAMBA.LOC@SAMBA.LOC is not registered with our KDC:  Miscellaneous failure (see text): Matching credential (ldap/UBUNTUR.SAMBA.LOC@SAMBA.LOC) not found
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
Server ldap/ubuntur.samba.loc@SAMBA.LOC is not registered with our KDC:  Miscellaneous failure (see text): Matching credential (ldap/ubuntur.samba.loc@SAMBA.LOC) not found
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x60898205
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088205
Default-First-Site-Name\UBUNTUR
DSA Options: 0x00000001
DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
DSA invocationId: 55b18652-23b4-43b5-a278-cbb4d7f4ebab

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTU via RPC
                DSA object GUID: 5dc0559b-d4a3-4207-9620-6b8d2a210088
                Last attempt @ Thu Sep 25 15:46:41 2014 MSK failed, result 2 (WERR_BADFILE)
                31 consecutive failure(s).
                Last success @ Thu Sep 25 13:20:02 2014 MSK

DC=DomainDnsZones,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTU via RPC
                DSA object GUID: 5dc0559b-d4a3-4207-9620-6b8d2a210088
                Last attempt @ Thu Sep 25 15:46:41 2014 MSK failed, result 2 (WERR_BADFILE)
                31 consecutive failure(s).
                Last success @ Thu Sep 25 13:20:02 2014 MSK

CN=Schema,CN=Configuration,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTU via RPC
                DSA object GUID: 5dc0559b-d4a3-4207-9620-6b8d2a210088
                Last attempt @ Thu Sep 25 15:46:41 2014 MSK failed, result 2 (WERR_BADFILE)
                31 consecutive failure(s).
                Last success @ Thu Sep 25 13:20:02 2014 MSK

DC=samba,DC=loc
        Default-First-Site-Name\UBUNTU via RPC
                DSA object GUID: 5dc0559b-d4a3-4207-9620-6b8d2a210088
                Last attempt @ Thu Sep 25 15:46:41 2014 MSK failed, result 2 (WERR_BADFILE)
                31 consecutive failure(s).
                Last success @ Thu Sep 25 13:20:02 2014 MSK

DC=ForestDnsZones,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTU via RPC
                DSA object GUID: 5dc0559b-d4a3-4207-9620-6b8d2a210088
                Last attempt @ Thu Sep 25 15:46:41 2014 MSK failed, result 2 (WERR_BADFILE)
                31 consecutive failure(s).
                Last success @ Thu Sep 25 13:20:02 2014 MSK

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 9b5278f2-c07c-4bab-8387-7484b300c066
        Enabled        : TRUE
        Server DNS name : ubuntu.samba.loc
        Server DN name  : CN=NTDS Settings,CN=UBUNTU,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=loc
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
root@ubuntur:/home/yoreg#


Отключаю PDC, перезагружаю клиентскую машину, win7 при входе пишет:"База данных диспетчера учетных записей на сервере не содержит записи для регистрации компьютера через доверительные отношения с этой рабочей станции".
Получается не реплицируются и другие роли.
Как же настроить репликацию?

[satch]

Server ldap/UBUNTUR.SAMBA.LOC@SAMBA.LOC is not registered with our KDC:  Miscellaneous failure (see text): Matching credential (ldap/UBUNTUR.SAMBA.LOC@SAMBA.LOC) not found

вы его вводили в домен как второй контроллер домена?

[YOreG]

BDC вводил в домен с помощью samba-tool join as DC, все прошло без ошибок.

Еще раз с нуля создаю резервный DC.

Код: [Выделить]

root@ubuntur2:/home/yoreg# samba-tool domain join samba.loc DC -Uadministrator --realm=samba.loc --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'samba.loc'
Found DC ubuntu.samba.loc
Password for [WORKGROUP\administrator]:
workgroup is SAMBA
realm is samba.loc
checking sAMAccountName
Adding CN=UBUNTUR2,OU=Domain Controllers,DC=samba,DC=loc
Adding CN=UBUNTUR2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=loc
Adding CN=NTDS Settings,CN=UBUNTUR2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=loc
Adding SPNs to CN=UBUNTUR2,OU=Domain Controllers,DC=samba,DC=loc
Setting account password for UBUNTUR2$
Enabling account
Adding DNS account CN=dns-UBUNTUR2,CN=Users,DC=samba,DC=loc with dns/ SPN
Setting account password for dns-UBUNTUR2
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=samba,DC=loc
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=samba,DC=loc] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samba,DC=loc] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samba,DC=loc] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samba,DC=loc] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=samba,DC=loc] objects[402/1621] linked_values[0/0]
Partition[CN=Configuration,DC=samba,DC=loc] objects[804/1621] linked_values[0/0]
Partition[CN=Configuration,DC=samba,DC=loc] objects[1206/1621] linked_values[0/0]
Partition[CN=Configuration,DC=samba,DC=loc] objects[1608/1621] linked_values[0/0]
Partition[CN=Configuration,DC=samba,DC=loc] objects[1621/1621] linked_values[38/0]
Replicating critical objects from the base DN of the domain
Partition[DC=samba,DC=loc] objects[99/99] linked_values[23/0]
Partition[DC=samba,DC=loc] objects[390/291] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=samba,DC=loc
Partition[DC=DomainDnsZones,DC=samba,DC=loc] objects[41/41] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=samba,DC=loc
Partition[DC=ForestDnsZones,DC=samba,DC=loc] objects[18/18] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=samba,DC=loc] objects[36/18] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain SAMBA (SID S-1-5-21-3446375138-2056471720-4042780873) as a DC
root@ubuntur2:/home/yoreg#
Добавляю A запись в DNS:

Код: [Выделить]

root@ubuntur2:~# host -t A ubuntur2.samba.loc
Host ubuntur2.samba.loc not found: 3(NXDOMAIN)
root@ubuntur2:~# samba-tool dns add 192.168.1.1 samba.loc ubuntur2 A 192.168.1.3 -Uadministrator
Password for [SAMBA\administrator]:
Record added successfully
root@ubuntur2:~# host -t A ubuntur2.samba.loc                                   
ubuntur2.samba.loc has address 192.168.1.3
root@ubuntur2:~#
А дальше вот так:

Код: [Выделить]

root@ubuntur2:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
ltdb: tdb(/usr/local/samba/private/sam.ldb): tdb_open_ex: could not open file /usr/local/samba/private/sam.ldb: No such file or directory

Unable to open tdb '/usr/local/samba/private/sam.ldb'
Failed to connect to '/usr/local/samba/private/sam.ldb' with backend 'tdb': Unable to open tdb '/usr/local/samba/private/sam.ldb'
Failed to connect to /usr/local/samba/private/sam.ldb - Unable to open tdb '/usr/local/samba/private/sam.ldb'
root@ubuntur2:~#

[satch]

А дальше вот так:

Код: [Выделить]

root@ubuntur2:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
ltdb: tdb(/usr/local/samba/private/sam.ldb): tdb_open_ex: could not open file /usr/local/samba/private/sam.ldb: No such file or directory

Unable to open tdb '/usr/local/samba/private/sam.ldb'
Failed to connect to '/usr/local/samba/private/sam.ldb' with backend 'tdb': Unable to open tdb '/usr/local/samba/private/sam.ldb'
Failed to connect to /usr/local/samba/private/sam.ldb - Unable to open tdb '/usr/local/samba/private/sam.ldb'
root@ubuntur2:~#

Почему вы указываете /usr/local/samba/private/sam.ldb ?
По этому пути у вас не должно быть базы, если вы ставили по моей статье. Вам надо указывать путь /var/lib/samba/private/sam.ldb
Попробуйте команду ldbsearch -H /var/lib/samba/private/sam.ldb (invocationid=*)' --cross-ncs objectguid

[YOreG]

Почему вы указываете /usr/local/samba/private/sam.ldb ?
По этому пути у вас не должно быть базы, если вы ставили по моей статье. Вам надо указывать путь /var/lib/samba/private/sam.ldb
Попробуйте команду ldbsearch -H /var/lib/samba/private/sam.ldb (invocationid=*)' --cross-ncs objectguid

Спасибо за дельное замечание.
Теперь получаю то что надо:

Код: [Выделить]

root@ubuntur2:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=UBUNTUR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=loc
objectGUID: e768aace-9e19-4d68-bfed-7d030f87a800

# record 2
dn: CN=NTDS Settings,CN=UBUNTUR2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=loc
objectGUID: d2138503-4e95-4a8e-96c7-5d8284ecdccb

# record 3
dn: CN=NTDS Settings,CN=UBUNTU,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=loc
objectGUID: 5dc0559b-d4a3-4207-9620-6b8d2a210088

# returned 3 records
# 3 entries
# 0 referrals
root@ubuntur2:~#

Итак теперь "samba-tool drs showrepl" на PDC выглядит так(ubuntur я пока отключил):

Код: [Выделить]

root@ubuntu:/home/yoreg# samba-tool drs showrepl
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:ubuntu.samba.loc[,seal]
Default-First-Site-Name\UBUNTU
DSA Options: 0x00000001
DSA object GUID: 5dc0559b-d4a3-4207-9620-6b8d2a210088
DSA invocationId: bc40ed18-32a9-4142-963c-ec67b045ab4c

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Mon Sep 29 13:27:33 2014 MSK failed, result 2 (WERR_BADFILE)
                1021 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR2 via RPC
                DSA object GUID: d2138503-4e95-4a8e-96c7-5d8284ecdccb
                Last attempt @ Mon Sep 29 13:27:33 2014 MSK was successful
                0 consecutive failure(s).
                Last success @ Mon Sep 29 13:27:33 2014 MSK

DC=ForestDnsZones,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Mon Sep 29 13:27:33 2014 MSK failed, result 2 (WERR_BADFILE)
                1021 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR2 via RPC
                DSA object GUID: d2138503-4e95-4a8e-96c7-5d8284ecdccb
                Last attempt @ Mon Sep 29 13:27:33 2014 MSK was successful
                0 consecutive failure(s).
                Last success @ Mon Sep 29 13:27:33 2014 MSK

DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Mon Sep 29 13:27:33 2014 MSK failed, result 2 (WERR_BADFILE)
                1021 consecutive failure(s).
                Last success @ NTTIME(0)

DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR2 via RPC
                DSA object GUID: d2138503-4e95-4a8e-96c7-5d8284ecdccb
                Last attempt @ Mon Sep 29 13:27:33 2014 MSK was successful
                0 consecutive failure(s).
                Last success @ Mon Sep 29 13:27:33 2014 MSK

CN=Schema,CN=Configuration,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Mon Sep 29 13:27:33 2014 MSK failed, result 2 (WERR_BADFILE)
                1021 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR2 via RPC
                DSA object GUID: d2138503-4e95-4a8e-96c7-5d8284ecdccb
                Last attempt @ Mon Sep 29 13:27:34 2014 MSK was successful
                0 consecutive failure(s).
                Last success @ Mon Sep 29 13:27:34 2014 MSK

CN=Configuration,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Mon Sep 29 13:27:34 2014 MSK failed, result 2 (WERR_BADFILE)
                1021 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR2 via RPC
                DSA object GUID: d2138503-4e95-4a8e-96c7-5d8284ecdccb
                Last attempt @ Mon Sep 29 13:27:34 2014 MSK was successful
                0 consecutive failure(s).
                Last success @ Mon Sep 29 13:27:34 2014 MSK

==== OUTBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Mon Sep 29 13:28:23 2014 MSK failed, result 2 (WERR_BADFILE)
                58253 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR2 via RPC
                DSA object GUID: d2138503-4e95-4a8e-96c7-5d8284ecdccb
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Mon Sep 29 13:28:23 2014 MSK failed, result 2 (WERR_BADFILE)
                58242 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR2 via RPC
                DSA object GUID: d2138503-4e95-4a8e-96c7-5d8284ecdccb
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Mon Sep 29 13:28:23 2014 MSK failed, result 2 (WERR_BADFILE)
                58230 consecutive failure(s).
                Last success @ NTTIME(0)

DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR2 via RPC
                DSA object GUID: d2138503-4e95-4a8e-96c7-5d8284ecdccb
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Mon Sep 29 13:28:23 2014 MSK failed, result 2 (WERR_BADFILE)
                58221 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR2 via RPC
                DSA object GUID: d2138503-4e95-4a8e-96c7-5d8284ecdccb
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR via RPC
                DSA object GUID: e768aace-9e19-4d68-bfed-7d030f87a800
                Last attempt @ Mon Sep 29 13:28:23 2014 MSK failed, result 2 (WERR_BADFILE)
                58200 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=samba,DC=loc
        Default-First-Site-Name\UBUNTUR2 via RPC
                DSA object GUID: d2138503-4e95-4a8e-96c7-5d8284ecdccb
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 16334b7a-4620-4f4e-8ec2-ced04d84dcef
        Enabled        : TRUE
        Server DNS name : UBUNTUR.samba.loc
        Server DN name  : CN=NTDS Settings,CN=UBUNTUR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=loc
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
        Connection name: da46e834-73a1-455c-a091-fdbdb98180ff
        Enabled        : TRUE
        Server DNS name : UBUNTUR2.samba.loc
        Server DN name  : CN=NTDS Settings,CN=UBUNTUR2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=loc
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
root@ubuntu:/home/yoreg#
Возникает желание проверить репликацию смоделировав отключение Главного контроллера. Насколько это правильно и целесообразно? Может стоить еще какие-нибудь проверки провести?

[ArcFi]

Может стоить еще какие-нибудь проверки провести?

Код: [Выделить]

samba_dnsupdate --verbose
samba-tool testparm --suppress-prompt
samba-tool drs kcc
samba-tool ntacl sysvolcheck

[YOreG]

Код: [Выделить]

samba_dnsupdate --verbose
samba-tool testparm --suppress-prompt
samba-tool drs kcc
samba-tool ntacl sysvolcheck

Теперь самое интересное, выводы результатов:

Код: [Выделить]

root@ubuntur2:/home/yoreg# samba_dnsupdate --verbose
IPs: ['192.168.1.3']
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                   ${HOSTNAME} 389) as we are not a PDC
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSFOREST}                   ${HOSTNAME} 389) as we are not a PDC
Looking for DNS entry A samba.loc 192.168.1.3 as samba.loc.
Failed to find matching DNS entry A samba.loc 192.168.1.3
Looking for DNS entry A ubuntur2.samba.loc 192.168.1.3 as ubuntur2.samba.loc.
Looking for DNS entry A gc._msdcs.samba.loc 192.168.1.3 as gc._msdcs.samba.loc.
Failed to find matching DNS entry A gc._msdcs.samba.loc 192.168.1.3
Looking for DNS entry CNAME d2138503-4e95-4a8e-96c7-5d8284ecdccb._msdcs.samba.loc ubuntur2.samba.loc as d2138503-4e95-4a8e-96c7-5d8284ecdccb._msdcs.samba.loc.
Looking for DNS entry SRV _kpasswd._tcp.samba.loc ubuntur2.samba.loc 464 as _kpasswd._tcp.samba.loc.
Checking 0 100 464 ubuntu.samba.loc. against SRV _kpasswd._tcp.samba.loc ubuntur2.samba.loc 464
Failed to find matching DNS entry SRV _kpasswd._tcp.samba.loc ubuntur2.samba.loc 464
Looking for DNS entry SRV _kpasswd._udp.samba.loc ubuntur2.samba.loc 464 as _kpasswd._udp.samba.loc.
Checking 0 100 464 ubuntu.samba.loc. against SRV _kpasswd._udp.samba.loc ubuntur2.samba.loc 464
Failed to find matching DNS entry SRV _kpasswd._udp.samba.loc ubuntur2.samba.loc 464
Looking for DNS entry SRV _kerberos._tcp.samba.loc ubuntur2.samba.loc 88 as _kerberos._tcp.samba.loc.
Checking 0 100 88 ubuntu.samba.loc. against SRV _kerberos._tcp.samba.loc ubuntur2.samba.loc 88
Failed to find matching DNS entry SRV _kerberos._tcp.samba.loc ubuntur2.samba.loc 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.samba.loc ubuntur2.samba.loc 88 as _kerberos._tcp.dc._msdcs.samba.loc.
Checking 0 100 88 ubuntu.samba.loc. against SRV _kerberos._tcp.dc._msdcs.samba.loc ubuntur2.samba.loc 88
Failed to find matching DNS entry SRV _kerberos._tcp.dc._msdcs.samba.loc ubuntur2.samba.loc 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.samba.loc ubuntur2.samba.loc 88 as _kerberos._tcp.default-first-site-name._sites.samba.loc.
Checking 0 100 88 ubuntu.samba.loc. against SRV _kerberos._tcp.default-first-site-name._sites.samba.loc ubuntur2.samba.loc 88
Failed to find matching DNS entry SRV _kerberos._tcp.default-first-site-name._sites.samba.loc ubuntur2.samba.loc 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.samba.loc ubuntur2.samba.loc 88 as _kerberos._tcp.default-first-site-name._sites.dc._msdcs.samba.loc.
Checking 0 100 88 ubuntu.samba.loc. against SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.samba.loc ubuntur2.samba.loc 88
Failed to find matching DNS entry SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.samba.loc ubuntur2.samba.loc 88
Looking for DNS entry SRV _kerberos._udp.samba.loc ubuntur2.samba.loc 88 as _kerberos._udp.samba.loc.
Checking 0 100 88 ubuntu.samba.loc. against SRV _kerberos._udp.samba.loc ubuntur2.samba.loc 88
Failed to find matching DNS entry SRV _kerberos._udp.samba.loc ubuntur2.samba.loc 88
Looking for DNS entry SRV _ldap._tcp.samba.loc ubuntur2.samba.loc 389 as _ldap._tcp.samba.loc.
Checking 0 100 389 ubuntu.samba.loc. against SRV _ldap._tcp.samba.loc ubuntur2.samba.loc 389
Failed to find matching DNS entry SRV _ldap._tcp.samba.loc ubuntur2.samba.loc 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.samba.loc ubuntur2.samba.loc 389 as _ldap._tcp.dc._msdcs.samba.loc.
Checking 0 100 389 ubuntu.samba.loc. against SRV _ldap._tcp.dc._msdcs.samba.loc ubuntur2.samba.loc 389
Failed to find matching DNS entry SRV _ldap._tcp.dc._msdcs.samba.loc ubuntur2.samba.loc 389
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.samba.loc ubuntur2.samba.loc 3268 as _ldap._tcp.gc._msdcs.samba.loc.
Checking 0 100 3268 ubuntu.samba.loc. against SRV _ldap._tcp.gc._msdcs.samba.loc ubuntur2.samba.loc 3268
Failed to find matching DNS entry SRV _ldap._tcp.gc._msdcs.samba.loc ubuntur2.samba.loc 3268
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.samba.loc ubuntur2.samba.loc 389 as _ldap._tcp.default-first-site-name._sites.samba.loc.
Checking 0 100 389 ubuntu.samba.loc. against SRV _ldap._tcp.default-first-site-name._sites.samba.loc ubuntur2.samba.loc 389
Failed to find matching DNS entry SRV _ldap._tcp.default-first-site-name._sites.samba.loc ubuntur2.samba.loc 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.samba.loc ubuntur2.samba.loc 389 as _ldap._tcp.default-first-site-name._sites.dc._msdcs.samba.loc.
Checking 0 100 389 ubuntu.samba.loc. against SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.samba.loc ubuntur2.samba.loc 389
Failed to find matching DNS entry SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.samba.loc ubuntur2.samba.loc 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.samba.loc ubuntur2.samba.loc 3268 as _ldap._tcp.default-first-site-name._sites.gc._msdcs.samba.loc.
Checking 0 100 3268 ubuntu.samba.loc. against SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.samba.loc ubuntur2.samba.loc 3268
Failed to find matching DNS entry SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.samba.loc ubuntur2.samba.loc 3268
Looking for DNS entry SRV _ldap._tcp.383e9c78-d454-4393-8bd8-60848fe89a97.domains._msdcs.samba.loc ubuntur2.samba.loc 389 as _ldap._tcp.383e9c78-d454-4393-8bd8-60848fe89a97.domains._msdcs.samba.loc.
Checking 0 100 389 ubuntu.samba.loc. against SRV _ldap._tcp.383e9c78-d454-4393-8bd8-60848fe89a97.domains._msdcs.samba.loc ubuntur2.samba.loc 389
Failed to find matching DNS entry SRV _ldap._tcp.383e9c78-d454-4393-8bd8-60848fe89a97.domains._msdcs.samba.loc ubuntur2.samba.loc 389
Looking for DNS entry SRV _gc._tcp.samba.loc ubuntur2.samba.loc 3268 as _gc._tcp.samba.loc.
Checking 0 100 3268 ubuntu.samba.loc. against SRV _gc._tcp.samba.loc ubuntur2.samba.loc 3268
Failed to find matching DNS entry SRV _gc._tcp.samba.loc ubuntur2.samba.loc 3268
Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.samba.loc ubuntur2.samba.loc 3268 as _gc._tcp.default-first-site-name._sites.samba.loc.
Checking 0 100 3268 ubuntu.samba.loc. against SRV _gc._tcp.default-first-site-name._sites.samba.loc ubuntur2.samba.loc 3268
Failed to find matching DNS entry SRV _gc._tcp.default-first-site-name._sites.samba.loc ubuntur2.samba.loc 3268
Calling nsupdate for A samba.loc 192.168.1.3
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
samba.loc.              900     IN      A       192.168.1.3

response to GSS-TSIG query was unsuccessful
Failed nsupdate: 1
Calling nsupdate for A gc._msdcs.samba.loc 192.168.1.3
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.samba.loc.    900     IN      A       192.168.1.3

response to GSS-TSIG query was unsuccessful
Failed nsupdate: 1
Calling nsupdate for SRV _kpasswd._tcp.samba.loc ubuntur2.samba.loc 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.samba.loc. 900    IN      SRV     0 100 464 ubuntur2.samba.loc.

response to GSS-TSIG query was unsuccessful
Failed nsupdate: 1
Calling nsupdate for SRV _kpasswd._udp.samba.loc ubuntur2.samba.loc 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.samba.loc. 900    IN      SRV     0 100 464 ubuntur2.samba.loc.

response to GSS-TSIG query was unsuccessful
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._tcp.samba.loc ubuntur2.samba.loc 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.samba.loc. 900   IN      SRV     0 100 88 ubuntur2.samba.loc.

response to GSS-TSIG query was unsuccessful
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.samba.loc ubuntur2.samba.loc 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.samba.loc. 900 IN SRV  0 100 88 ubuntur2.samba.loc.

response to GSS-TSIG query was unsuccessful
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.samba.loc ubuntur2.samba.loc 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.samba.loc. 900 IN SRV 0 100 88 ubuntur2.samba.loc.

response to GSS-TSIG query was unsuccessful
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.samba.loc ubuntur2.samba.loc 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.samba.loc. 900 IN SRV 0 100 88 ubuntur2.samba.loc.

response to GSS-TSIG query was unsuccessful
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._udp.samba.loc ubuntur2.samba.loc 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.samba.loc. 900   IN      SRV     0 100 88 ubuntur2.samba.loc.

response to GSS-TSIG query was unsuccessful
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.samba.loc ubuntur2.samba.loc 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.samba.loc.   900     IN      SRV     0 100 389 ubuntur2.samba.loc.

response to GSS-TSIG query was unsuccessful
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.samba.loc ubuntur2.samba.loc 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.samba.loc. 900 IN  SRV     0 100 389 ubuntur2.samba.loc.

response to GSS-TSIG query was unsuccessful
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.samba.loc ubuntur2.samba.loc 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.samba.loc. 900 IN  SRV     0 100 3268 ubuntur2.samba.loc.

response to GSS-TSIG query was unsuccessful
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.samba.loc ubuntur2.samba.loc 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.samba.loc. 900 IN SRV 0 100 389 ubuntur2.samba.loc.

response to GSS-TSIG query was unsuccessful
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.samba.loc ubuntur2.samba.loc 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.dc._msdcs.samba.loc. 900 IN SRV 0 100 389 ubuntur2.samba.loc.

response to GSS-TSIG query was unsuccessful
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.samba.loc ubuntur2.samba.loc 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.gc._msdcs.samba.loc. 900 IN SRV 0 100 3268 ubuntur2.samba.loc.

response to GSS-TSIG query was unsuccessful
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.383e9c78-d454-4393-8bd8-60848fe89a97.domains._msdcs.samba.loc ubuntur2.samba.loc 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.383e9c78-d454-4393-8bd8-60848fe89a97.domains._msdcs.samba.loc. 900 IN SRV 0 100 389 ubuntur2.samba.loc.

response to GSS-TSIG query was unsuccessful
Failed nsupdate: 1
Calling nsupdate for SRV _gc._tcp.samba.loc ubuntur2.samba.loc 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.samba.loc.     900     IN      SRV     0 100 3268 ubuntur2.samba.loc.

response to GSS-TSIG query was unsuccessful
Failed nsupdate: 1
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.samba.loc ubuntur2.samba.loc 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.samba.loc. 900 IN SRV 0 100 3268 ubuntur2.samba.loc.

response to GSS-TSIG query was unsuccessful
Failed nsupdate: 1
Failed update of 18 entries
root@ubuntur2:/home/yoreg#
  Делаю вывод, что надо сделать отсутствующие записи в DNS для резервного DC идентичные с главным DC?


Остальные проверочные команды:

Код: [Выделить]

root@ubuntur2:/home/yoreg# samba-tool testparm --suppress-prompt
# Global parameters
[global]
        workgroup = SAMBA
        realm = samba.loc
        netbios name = UBUNTUR2
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

[netlogon]
        path = /var/lib/samba/sysvol/samba.loc/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
root@ubuntur2:/home/yoreg#

Код: [Выделить]

root@ubuntur2:/home/yoreg# samba-tool drs kcc
Consistency check on ubuntur2.samba.loc successful.
root@ubuntur2:/home/yoreg#

Код: [Выделить]

root@ubuntur2:/home/yoreg# samba-tool ntacl sysvolcheck
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (61, 'No data available')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1686, in checksysvolacl
    fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 73, in getntacl
    xattr.XATTR_NTACL_NAME)
root@ubuntur2:/home/yoreg#

[ArcFi]

Делаю вывод, что надо сделать отсутствующие записи в DNS для резервного DC идентичные с главным DC?

Ага, а потом повторить и убедиться, что никаких "Failed" больше не осталось.

root@ubuntur2:/home/yoreg# samba-tool ntacl sysvolcheck
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (61, 'No data available')
[…]

Гугл говорит, что это бага и она уже должна быть исправлена:
https://bugzilla.samba.org/show_bug.cgi?id=9202

Какая у вас версия самбы:

Код: [Выделить]

samba-tool -V?

Попробуйте из GPMC подключиться напрямую к этому DC и внести изменения в политику.
И ещё для восстановления прав доступа можно попробовать:

Код: [Выделить]

samba-tool ntacl sysvolreset
Пишут, что если sysvolcheck не работает, то надо выполнить sysvolreset, а потом повторить sysvolcheck:
http://www.spinics.net/lists/samba/msg118448.html

[YOreG]

Код: [Выделить]

root@ubuntur2:/home/yoreg# samba-tool -V
4.1.6-Ubuntu
root@ubuntur2:/home/yoreg#

Код: [Выделить]

root@ubuntur2:/home/yoreg# samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 218, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1581, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1499, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 154, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
root@ubuntur2:/home/yoreg#

С попыткой добавить в рукопашную DNS записи проблема:

Код: [Выделить]

root@ubuntur2:/home/yoreg# samba-tool dns add 192.168.1.1 samba.loc gc._msdcs.samba.loc A 192.168.1.3 -Uadministrator
Password for [SAMBA\administrator]:
Password for [SAMBA\administrator]:
ERROR: Record already exists
root@ubuntur2:/home/yoreg#
Я её пытаюсь добавить второй раз, а при "samba_dnsupdate --verbose" появляется ошибка:

Код: [Выделить]

root@ubuntur2:/home/yoreg# samba_dnsupdate --verbose
IPs: ['192.168.1.3']
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                   ${HOSTNAME} 389) as we are not a PDC
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSFOREST}                   ${HOSTNAME} 389) as we are not a PDC
Looking for DNS entry A samba.loc 192.168.1.3 as samba.loc.
Looking for DNS entry A ubuntur2.samba.loc 192.168.1.3 as ubuntur2.samba.loc.
Looking for DNS entry A gc._msdcs.samba.loc 192.168.1.3 as gc._msdcs.samba.loc.
Failed to find matching DNS entry A gc._msdcs.samba.loc 192.168.1.3
Looking for DNS entry CNAME d2138503-4e95-4a8e-96c7-5d8284ecdccb._msdcs.samba.loc ubuntur2.samba.loc as d2138503-4e95-4a8e-96c7-5d8284ecdccb._msdcs.samba.loc.
Looking for DNS entry SRV _kpasswd._tcp.samba.loc ubuntur2.samba.loc 464 as _kpasswd._tcp.samba.loc.
Checking 0 100 464 ubuntu.samba.loc. against SRV _kpasswd._tcp.samba.loc ubuntur2.samba.loc 464
Failed to find matching DNS entry SRV _kpasswd._tcp.samba.loc ubuntur2.samba.loc 464
Looking for DNS entry SRV _kpasswd._udp.samba.loc ubuntur2.samba.loc 464 as _kpasswd._udp.samba.loc.
Checking 0 100 464 ubuntu.samba.loc. against SRV _kpasswd._udp.samba.loc ubuntur2.samba.loc 464
Failed to find matching DNS entry SRV _kpasswd._udp.samba.loc ubuntur2.samba.loc 464
Looking for DNS entry SRV _kerberos._tcp.samba.loc ubuntur2.samba.loc 88 as _kerberos._tcp.samba.loc.
Checking 0 100 88 ubuntu.samba.loc. against SRV _kerberos._tcp.samba.loc ubuntur2.samba.loc 88
Failed to find matching DNS entry SRV _kerberos._tcp.samba.loc ubuntur2.samba.loc 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.samba.loc ubuntur2.samba.loc 88 as _kerberos._tcp.dc._msdcs.samba.loc.
Checking 0 100 88 ubuntu.samba.loc. against SRV _kerberos._tcp.dc._msdcs.samba.loc ubuntur2.samba.loc 88
Failed to find matching DNS entry SRV _kerberos._tcp.dc._msdcs.samba.loc ubuntur2.samba.loc 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.samba.loc ubuntur2.samba.loc 88 as _kerberos._tcp.default-first-site-name._sites.samba.loc. .............

[creat!ve]

YOreG,
У меня такая же проблема. Вы нашли решение?

[YOreG]

creat!ve,
К сожалению, проект не был реализован, появились другие задачи. Планирую вернуться к экспериментам этим летом.

[ArcFi]

creat!ve, решение зависит от используемых платформы и бэкендов.
К примеру, у меня все нужные DNS-записи прописаны в dnsmasq руками, зато оно работает.

[creat!ve]

У меня проблема с sysvol. Не реплицируются политики. Делал по вот этой статье:

(Нажмите, чтобы показать/скрыть)

http://bender.kz/index.php/servera/4-ustanovka-kontrollera-domena-na-samba-4-1-centos-6-5

с некоторыми доработками и на centos 7. Кстати введенный в домен 3-й контроллер на zentyal 4.0 работает и политики реплицируются.
Изначально делал на ubuntu. Проблема всегда возникает при добавлении второго контроллера. Так все работает без проблем.