[Samba] strange gpo behaviour

Sérgio Basto sergio at serjux.com
Thu Apr 18 01:04:27 UTC 2019


On Wed, 2019-04-17 at 18:56 +0100, Rowland Penny via samba wrote:
> On Wed, 17 Apr 2019 18:29:19 +0100
> Sérgio Basto via samba <samba at lists.samba.org> wrote:
> 
> > My experience was:
> > 
> > 1. MIT krb doesn't support it; we need to use the old krb system.
> 
> Do not use MIT, it is, at best, experimental.
> 
> > 2. We need to disable SELinux; SELinux permissive is not enough to
> > allow writing to the shared folder sysvol. It causes crashes on Windows.
> 
> Selinux is not part of Samba, perhaps asking Fedora about this.
> 
> > 3. When we have 2 or more DC(s) we need to force client tools like
> > RSAT to write only to the first DC because "Samba in its current state
> > doesn't support SysVol replication" [1]. If RSAT writes randomly to
> > DC(s) we may have errors like: samba-tool ntacl sysvolreset, - open:
> > error=2 (No such file or directory) [2]
> 
> This is a misconfiguration of your DCs. Yes, Sysvol isn't replicated
> (yet) but there are ways around this.


As far as I can tell, and in my experience, the replication methods that
we find in the wiki fail to be bi-directional. So, as a workaround, we may
force writing POL(s) to just one DC and sync it to the other.



> > 4. With efficient replication and writing POL(s) just to the first
> > DC, it seems that it works well.
> 
> Provided you use some form of two-way sync, you should be able to
> create GPOs on any Samba AD DC, but it is probably best practice to just
> create them on the PDC-Emulator DC.
>  
> Rowland
> 
> 
-- 
Sérgio M. B.
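
The thread turns on SysVol contents diverging between DCs when GPOs are written to more than one of them. As an added example (not part of the original messages and not Samba project code), this Python check compares the GPT.INI version of every GPO in two copies of a SysVol Policies directory and reports the ones that differ; the function names, GUIDs and directory layout in `demo()` are constructed for illustration.

```python
import configparser
import tempfile
from pathlib import Path

def gpo_versions(policies_dir):
    """Map GPO directory name -> GPT.INI Version (None if missing or unparsable)."""
    versions = {}
    for gpo in (d for d in Path(policies_dir).iterdir() if d.is_dir()):
        # The file name's case varies on disk (GPT.INI, gpt.ini, GPT.ini).
        ini = next((f for f in gpo.iterdir() if f.name.lower() == "gpt.ini"), None)
        version = None
        if ini is not None:
            cp = configparser.ConfigParser()
            try:
                cp.read_string(ini.read_text(encoding="utf-8-sig", errors="replace"))
                version = cp.getint("General", "Version", fallback=None)
            except (configparser.Error, ValueError):
                pass
        versions[gpo.name.upper()] = version
    return versions

def sysvol_drift(primary, replica):
    """List (guid, primary_version, replica_version, reason) for GPOs that differ."""
    p, r = gpo_versions(primary), gpo_versions(replica)
    drift = []
    for guid in sorted(set(p) | set(r)):
        if guid not in r:
            reason = "missing on replica"
        elif guid not in p:
            reason = "only on replica"
        elif p[guid] != r[guid]:
            reason = "version mismatch"
        else:
            continue
        drift.append((guid, p.get(guid), r.get(guid), reason))
    return drift

def demo():
    """Build two constructed Policies trees (sample data) and compare them."""
    a, b, c, d = ("{%s-0000-0000-0000-000000000000}" % (ch * 8) for ch in "ABCD")
    trees = {"dc1": {a: 3, b: 5, d: 2}, "dc2": {a: 3, b: 4, c: 1}}
    with tempfile.TemporaryDirectory() as tmp:
        for dc, gpos in trees.items():
            for guid, version in gpos.items():
                (Path(tmp) / dc / guid).mkdir(parents=True)
                (Path(tmp) / dc / guid / "GPT.INI").write_text(f"[General]\nVersion={version}\n")
        return sysvol_drift(Path(tmp) / "dc1", Path(tmp) / "dc2")

if __name__ == "__main__":
    for row in demo():
        print(row)
```

A GPO reported as "only on replica" or with a higher version on the replica was written to a DC other than the one being synced from. The check compares GPT.INI versions only, not file contents or ACLs.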
