[Samba] Proper sysvol replication solution...

steve steve at steve-ss.com
Sat Aug 23 07:20:21 MDT 2014


On Sat, 2014-08-23 at 13:59 +0100, Rowland Penny wrote:
> On 23/08/14 13:41, Achim Gottinger wrote:
> > Am 23.08.2014 09:18, schrieb steve:
> >> On Sat, 2014-08-23 at 01:37 +0200, Achim Gottinger wrote:
> >>> Am 23.08.2014 00:40, schrieb steve:
> >>> Rowland
> >>>>> Well you talked about well known RIDs earlier. The well known SIDs are
> >>>>> the same on all domains, RIDs are always prefixed with the domain SID.
> >>>>> To prove myself wrong, these do resolve well and cause no problems.
> >>>>> As for the SIDs (builtin/security) the only problem on the linux side
> >>>>> is that they do not resolve at all to a gid. It is not necessary that
> >>>>> they resolve to the same gid on every machine, they just must resolve to
> >>>>> a number.
> >>>> No. They must resolve to the same number. If it's 3000000 on DC1 and you
> >>>> rsync it across to DC2 where the same group is mapped to 3000001, it is
> >>>> a mess. Your GPOs will fail.
> >>> If a group resolves to 3000000 on DC1 and to 3000001 on DC2 and you use
> >>> -o -g during rsync, a file owned by
> >>> 3000000 will be owned by 3000001 after it got rsynced from dc1 to dc2.
> >>> The gpo will continue to work.
> >> But wouldn't it make it so much more user friendly if we didn't need to
> >> remember all this stuff? 3000000 on DC1 is 3000000 on DC2?
> > I assume in 4.2 we can use the idmap_rid for BUILTIN and NT AUTHORITY 
> > groups and this way achieve identical ids on all samba servers.
> 
> This is what I am hoping will happen.
> 
> > Otherwise you'd have to store the ids somewhere in active directory 
> > and become incompatible with windows.
> >>>>> If a group resolves to different gids at two systems rsync
> >>>>> will take care of the number replacement; if not, the gid will be 
> >>>>> the same.
> >>>> rsync cannot map builtins because they are not available via nss!
> >>> That is what I mean by they do not resolve.
> >> OK. ATM they 'resolve' by maintaining a separate database containing
> >> their sid and an id. All we're asking, is make that db contain the same
> >> SIDs and ids on all DCs. Oh, and don't put any domain users in the same
> >> database, because they too have their ids pulled from there if we do not
> >> specify rfc2307. Maybe the new DC winbind will sort this out;)
> > The mappings for BUILTIN and other local groups/users from idmap.ldb 
> > are only used inside samba. nss_winbind only shows the domain 
> > user/group mappings, either pulled from active directory or idmap.ldb 
> > depending on the rfc2307 settings. :-)
> 
> The BUILTIN mappings need to be able to be used by Unix, so that getfacl 
> gets easier to use, this would then allow the creation of shares to be 
> all done on the S4 AD DC without having to recourse to using ADUC etc to 
> set the required permissions.

Hi
We'd like to be able to set up shares on the file server too without
having to use a windows box.
Cheers,
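The rsync -o -g behaviour Achim and Rowland argue about above (name-based gid mapping for domain groups, numeric pass-through for BUILTIN groups that nss_winbind does not expose), as an added simulation that is not part of the thread or of Samba; the SIDs, gids and idmap tables are constructed sample data.

```python
"""Simulate how rsync -o -g carries a file's group from DC1 to DC2 and check
whether the sysvol ACLs still denote the same SIDs afterwards.

Model: each DC has an idmap (SID -> gid, as in idmap.ldb) and an NSS view
(gid -> name) that nss_winbind exposes only for domain groups. rsync without
--numeric-ids maps ids by name through NSS on both sides; a gid with no name
on the sender is transferred numerically and kept as-is on the receiver.
"""

# Constructed SID labels (not real domain SIDs).
DOMAIN_ADMINS = "S-1-5-21-DOMAIN-512"
DOMAIN_USERS = "S-1-5-21-DOMAIN-513"
BUILTIN_ADMINS = "S-1-5-32-544"

# Constructed idmap.ldb contents: the same SIDs get different gids on each DC.
DC1_IDMAP = {DOMAIN_ADMINS: 3000000, DOMAIN_USERS: 3000001, BUILTIN_ADMINS: 3000003}
DC2_IDMAP = {DOMAIN_ADMINS: 3000001, DOMAIN_USERS: 3000000, BUILTIN_ADMINS: 3000005}

# Only domain groups have an NSS name; BUILTIN is absent from nss_winbind.
NAMES = {DOMAIN_ADMINS: "Domain Admins", DOMAIN_USERS: "Domain Users"}

def nss_view(idmap):
    """gid -> name as nss_winbind would show it: domain groups only."""
    return {gid: NAMES[sid] for sid, gid in idmap.items() if sid in NAMES}

def rsync_map_gid(gid, sender_nss, receiver_nss):
    """gid the receiver assigns when rsync runs with -g (name-based mapping)."""
    name = sender_nss.get(gid)
    if name is None:
        return gid  # unresolvable on sender: sent numerically, kept as-is
    for rgid, rname in receiver_nss.items():
        if rname == name:
            return rgid
    return gid  # name unknown on receiver: rsync falls back to the numeric id

def check_sysvol_groups(files, sender_idmap, receiver_idmap):
    """Return [(path, sid, gid_after_rsync, gid_receiver_expects)] for files
    whose group would no longer denote the same SID after replication."""
    sender_nss, receiver_nss = nss_view(sender_idmap), nss_view(receiver_idmap)
    sid_of = {gid: sid for sid, gid in sender_idmap.items()}
    bad = []
    for path, gid in files:
        got = rsync_map_gid(gid, sender_nss, receiver_nss)
        want = receiver_idmap[sid_of[gid]]
        if got != want:
            bad.append((path, sid_of[gid], got, want))
    return bad

if __name__ == "__main__":
    sample = [("Policies/GUID/GPT.INI", 3000000), ("Policies/GUID/User", 3000003)]
    for row in check_sysvol_groups(sample, DC1_IDMAP, DC2_IDMAP):
        print("mismatch after rsync: %s sid=%s got=%d want=%d" % row)
```

Domain groups survive the differing numbers because rsync maps them by name; the BUILTIN-owned file is the one flagged, which is why identical ids on all DCs (or a BUILTIN mapping visible via NSS) removes the problem.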
