[Samba] Proper sysvol replication solution...

steve steve at steve-ss.com
Sat Aug 23 01:18:07 MDT 2014

On Sat, 2014-08-23 at 01:37 +0200, Achim Gottinger wrote:
> Am 23.08.2014 00:40, schrieb steve:
> Rowland
> >>>
> >> Well you talked about well known rid's earlier. The well known sid's are
> >> the same on all domains, rid's are always prefixed with the domain sid.
> >> To prove myself wrong, these do resolve well and cause no problems.
> >> As for the sid's (builtin/security) the only problem on the linux side
> >> is that they do not resolve at all to an gid. It is not necessary that
> >> they resolve to the same gid on every machine, they just must resolve to
> >> an number.
> > No. They must resolve to the same number. If it's 3000000 on DC1 and you
> > rsync it across to DC2 where the same group is mapped to 3000001, it is
> > a mess. Your GPOs will fail.
> If an group resolves to 3000000 on DC1 and to 3000001 on DC2 and you use 
> -o -g during rsync. an file owned by
> 3000000 will be owned by 3000001 after it got rsynced from dc1 to dc2.
> The gpo will continue to work.
But wouldn't it make it so much more user friendly if we didn't need to
remember all this stuff? 3000000 on DC1 is 3000000 on DC2? 
> >
> >>   If an group resolves to different gid's at two systems rsync
> >> will take care of the number replacement if not the gid will be the same.
> > rsync cannot map builtins because they are not available via nss!
> That is what i mean by they do not resolve.
OK. ATM they 'resolve' by maintaining a separate database containing
their sid and an id. All we're asking, is make that db contain the same
SIDs and ids on all DCs. Oh, and don't put any domain users in the same
database, because they too have their ids pulled from there if we do not
specify rfc2307. Maybe the new DC winbind will sort this out;)

> >
> >> achim~
> >>
> >>
> >

More information about the samba mailing list