[Samba] Proper sysvol replication solution...

Achim Gottinger achim at ag-web.biz
Sat Aug 23 06:41:48 MDT 2014


Am 23.08.2014 09:18, schrieb steve:
> On Sat, 2014-08-23 at 01:37 +0200, Achim Gottinger wrote:
>> Am 23.08.2014 00:40, schrieb steve:
>> Rowland
>>>> Well you talked about well known RIDs earlier. The well known SIDs are
>>>> the same on all domains, RIDs are always prefixed with the domain SID.
>>>> To prove myself wrong, these do resolve well and cause no problems.
>>>> As for the SIDs (builtin/security) the only problem on the Linux side
>>>> is that they do not resolve at all to a gid. It is not necessary that
>>>> they resolve to the same gid on every machine, they just must resolve to
>>>> a number.
>>> No. They must resolve to the same number. If it's 3000000 on DC1 and you
>>> rsync it across to DC2 where the same group is mapped to 3000001, it is
>>> a mess. Your GPOs will fail.
>> If a group resolves to 3000000 on DC1 and to 3000001 on DC2 and you use
>> -o -g during rsync, a file owned by
>> 3000000 will be owned by 3000001 after it got rsynced from DC1 to DC2.
>> The GPO will continue to work.
> But wouldn't it make it so much more user friendly if we didn't need to
> remember all this stuff? 3000000 on DC1 is 3000000 on DC2?
I assume in 4.2 we can use idmap_rid for BUILTIN and NT AUTHORITY 
groups and this way achieve identical IDs on all Samba servers.
Otherwise you'd have to store the IDs somewhere in Active Directory and 
become incompatible with Windows.
>>>> If a group resolves to different gids on two systems, rsync
>>>> will take care of the number replacement; if not, the gid will be the same.
>>> rsync cannot map builtins because they are not available via nss!
>> That is what I mean by they do not resolve.
> OK. ATM they 'resolve' by maintaining a separate database containing
> their sid and an id. All we're asking, is make that db contain the same
> SIDs and ids on all DCs. Oh, and don't put any domain users in the same
> database, because they too have their ids pulled from there if we do not
> specify rfc2307. Maybe the new DC winbind will sort this out;)
The mappings for BUILTIN and other local groups/users from idmap.ldb are 
only used inside Samba. nss_winbind only shows the domain user/group 
mappings, either pulled from Active Directory or idmap.ldb depending on 
the rfc2307 settings. :-)

>>>> achim~
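The two failure modes argued over above (a group that maps to a different gid on each DC, and a BUILTIN group whose gid exists only in idmap.ldb and is therefore invisible to NSS) can be checked before a sysvol rsync is trusted. The script below is an added illustration, not code from the thread or from Samba; it models rsync's documented behaviour for -g (map group by name unless --numeric-ids is given, fall back to the numeric id when the sender cannot name the gid or the receiver cannot resolve the name) against constructed NSS group tables. The group names, gids (3000000, 3000001, 3000005) and the policy path are hypothetical sample values.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample NSS group tables for two DCs (hypothetical values).
# The same domain group deliberately gets a different gid on each DC,
# which is the situation discussed in the thread.
DC1_GROUPS: Dict[str, int] = {"Domain Admins": 3000000, "Domain Users": 3000001}
DC2_GROUPS: Dict[str, int] = {"Domain Admins": 3000001, "Domain Users": 3000000}

# Hypothetical gid for a BUILTIN group mapping that lives only in idmap.ldb:
# Samba can use it internally, but nss_winbind does not expose it, so
# getgrgid() fails for it on both hosts.
BUILTIN_ONLY_GID = 3000005


def gid_to_name(groups: Dict[str, int], gid: int) -> Optional[str]:
    """Reverse NSS lookup (like getgrgid); None when the gid is not visible via NSS."""
    for name, g in groups.items():
        if g == gid:
            return name
    return None


def transfer_gid(sender: Dict[str, int], receiver: Dict[str, int],
                 gid: int, numeric_ids: bool = False) -> int:
    """gid a file ends up with on the receiver after `rsync -g`.

    Models rsync's documented rule: ownership is mapped by name by default;
    a gid the sender cannot name, or a name the receiver cannot resolve,
    falls back to the numeric id. --numeric-ids disables the name mapping.
    """
    if numeric_ids:
        return gid
    name = gid_to_name(sender, gid)
    if name is None:
        return gid
    return receiver.get(name, gid)


# path -> (gid on receiver, group name on sender, group name on receiver)
Audit = Dict[str, Tuple[int, Optional[str], Optional[str]]]


def audit_sysvol(sender: Dict[str, int], receiver: Dict[str, int],
                 files: Dict[str, int], numeric_ids: bool = False) -> Audit:
    """Predict, per path, which gid and group name the file will carry on the receiver."""
    result: Audit = {}
    for path, gid in files.items():
        new_gid = transfer_gid(sender, receiver, gid, numeric_ids)
        result[path] = (new_gid, gid_to_name(sender, gid), gid_to_name(receiver, new_gid))
    return result


def mismatches(audit: Audit) -> List[str]:
    """Paths whose group is lost (unresolvable on the receiver) or silently
    becomes a different group than it was on the sender."""
    return sorted(path for path, (_, before, after) in audit.items()
                  if after is None or before != after)


# Constructed sysvol sample with a placeholder policy GUID.
SYSVOL_ON_DC1: Dict[str, int] = {
    "Policies/{POLICY-GUID-PLACEHOLDER}/GPT.INI": 3000000,                 # Domain Admins on DC1
    "Policies/{POLICY-GUID-PLACEHOLDER}/Machine/Registry.pol": 3000001,    # Domain Users on DC1
    "Policies/{POLICY-GUID-PLACEHOLDER}/User/Scripts/logon.bat": BUILTIN_ONLY_GID,
}

if __name__ == "__main__":
    for numeric in (False, True):
        print(f"--numeric-ids {'on' if numeric else 'off'}:")
        report = audit_sysvol(DC1_GROUPS, DC2_GROUPS, SYSVOL_ON_DC1, numeric)
        for path, (gid, before, after) in report.items():
            print(f"  {path}: {before or 'UNRESOLVED'} -> gid {gid} ({after or 'UNRESOLVED'})")
        print("  mismatched:", mismatches(report))
```

With name mapping on, only the file owned by the NSS-invisible BUILTIN gid is flagged: it keeps gid 3000005 on DC2, where nothing resolves it. With --numeric-ids, every domain-group-owned file is flagged as well, because 3000000 now means Domain Users on DC2 instead of Domain Admins. Running `mismatches` against real `getent group` output on both DCs is the check to do before relying on rsync -o -g for sysvol.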