[Samba] strange gpo behaviour
Sérgio Basto
sergio at serjux.com
Thu Apr 18 01:04:27 UTC 2019
On Wed, 2019-04-17 at 18:56 +0100, Rowland Penny via samba wrote:
> On Wed, 17 Apr 2019 18:29:19 +0100
> Sérgio Basto via samba <samba at lists.samba.org> wrote:
>
> > My experience was :
> >
> > 1. MIT krb doesn't support it, we need to use the old krb system.
>
> Do not use MIT, it is, at best, experimental.
>
> > 2. We need to disable SELinux; SELinux permissive is not enough to
> > allow writing to the shared folder sysvol. It causes crashes on Windows.
>
> SELinux is not part of Samba, perhaps ask Fedora about this.
>
> > 3. When we have 2 or more DC(s) we need to force client tools like
> > RSAT to write only to the first DC because "Samba in its current state
> > doesn't support SysVol replication" [1]; if RSAT writes randomly to
> > DC(s) we may have errors like: samba-tool ntacl sysvolreset, - open:
> > error=2 (No such file or directory) [2]
>
> This is a misconfiguration of your DCs. Yes, Sysvol isn't replicated
> (yet) but there are ways around this.

As far as I can tell, and in my experience, the replication methods that
we find in the wiki fail to be bi-directional. So, as a workaround, we may
force writing POL(s) on just one DC and sync it to the others.

> > 4. With an efficient replication and writing POL(s) just on the first
> > DC, it seems to work well.
>
> Provided you use some form of two-way sync, you should be able to
> create GPOs on any Samba AD DC, but it is probably best practice to just
> create them on the PDC-Emulator DC.
>
> Rowland
>
>
--
Sérgio M. B.