[Samba] Vampire

Marc Muehlfeld mmuehlfeld at samba.org
Thu Oct 23 19:07:19 MDT 2014

On 24.10.2014 at 00:18, Christian Huldt wrote:
>> What kind of oddities have you encountered? Maybe it's something that
>> can be fixed.
> GPOs stopped working, ...

Can you reset the SysVol ACLs on every DC?

Also consider upgrading to a recent version of Samba. The early 4.0
releases had some issues about ACLs, etc. I think it was fixed in 4.0.5
already, but I'm not sure any more. And a recent version isn't bad if
you're having problems. Maybe some (other) problems are gone then, too.

> ... and the two dcs have different uidNumber and
> gidNumber for users - and we never managed to get those consistent on
> member servers.

Where do the DCs get the UIDs/GIDs from? RFC2307? Then it should be the
same on all DCs, if the way it's configured to retrieve the IDs uses the
IDs from the directory. If it's sssd or winbind, configured to create
their own (local) IDs, then it's normal that they differ on each host.

This might be interesting for you:

Can you check
* if the users/groups have a uidNumber/gidNumber attribute?

* if winbind/sssd/nslcd is used to retrieve the accounts on the
DC/Member and post the corresponding config?

>> Depending on the size of your environment (users, groups, machine
>> accounts, etc.) it's worth to start from scratch.
> That seems to be plan so far...
> I plan to see what happens if I join a new dc and remove the old ones,
> but need to have a plan B...

If your IDs are not stored in the AD, then they will still be different.

And even if you want to demote the old DCs, you will slip into a further
problem: You have to transfer the FSMO roles first to the new one and
then demote the old. But not everything is transferred and you can't
demote the DC(s) which owned the FSMO roles.
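
The attribute check asked for above, as an added example that is not part of the original post: it compares the uidNumber stored in an LDIF export of the directory with the UID each host reports in `getent passwd`. The LDIF, host names and IDs are constructed, and the function names are hypothetical.

```python
# Added example: the LDIF, host names and IDs are constructed sample data.
LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
"""
GETENT = {  # host -> `getent passwd` output as seen on that host
    "dc1": "EXAMPLE\\alice:*:10001:100::/:/bin/sh\nEXAMPLE\\bob:*:3000020:100::/:/bin/sh",
    "dc2": "EXAMPLE\\alice:*:10001:100::/:/bin/sh\nEXAMPLE\\bob:*:3000031:100::/:/bin/sh",
}

def parse_ldif(text):
    """Map sAMAccountName -> attributes (single-valued, unfolded LDIF only)."""
    accounts = {}
    for block in text.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "sAMAccountName" in attrs:
            accounts[attrs["sAMAccountName"].lower()] = attrs
    return accounts

def parse_getent(text):
    """Map user name (DOMAIN prefix dropped) -> numeric UID."""
    uids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:
            uids[fields[0].split("\\")[-1].lower()] = int(fields[2])
    return uids

def audit(ldif, getent_by_host):
    """Return {user: (status, {host: uid})}, comparing each host against AD."""
    hosts = {h: parse_getent(t) for h, t in getent_by_host.items()}
    report = {}
    for user, attrs in sorted(parse_ldif(ldif).items()):
        stored = attrs.get("uidNumber")
        seen = {h: uids.get(user) for h, uids in hosts.items()}
        if stored is None:
            status = "no uidNumber in AD"  # hosts allocate their own local IDs
        elif all(uid == int(stored) for uid in seen.values()):
            status = "consistent"
        else:
            status = "host differs from AD"  # host is not reading RFC2307 IDs
        report[user] = (status, seen)
    return report

if __name__ == "__main__":
    print(audit(LDIF, GETENT))
```
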

