[Samba] Rights issue on GPO
Sébastien Le Ray
sebastien-samba at orniz.org
Fri Jun 10 08:10:43 UTC 2016
On 10/06/2016 at 09:26, Rowland penny wrote:
> On 10/06/16 07:52, Sébastien Le Ray wrote:
>> Wasn't this supposed to be solved in 4.2?
>> The wiki seems to say that Builtin xID are now replicated but there
>> is no clear upgrade path (if you've mixed 4.1 & 4.2 DC which mapping
>> will be stored in 4.2 winbind? What happens when you upgrade the 4.1
>> to 4.2?)
> Well, it is and it isn't, yes winbindd will display the user & group
> names for sysvol, but sysvol still isn't replicated between DCs. I
> think this means that when you sync sysvol manually, you will get the
> IDs from the first DC applied to sysvol on the second DC and if there
> is a difference in ID numbers between the DCs, you will either just
> get a number or, even worse, a wrong name returned.
> I could be wrong, but I still think you need to keep idmap.ldb in sync
> on all DCs, if you are syncing sysvol.
OK got it, the main difference is that ids => name mapping /is active/
on DC. So you can avoid idmap.ldb syncing if you don't use --numeric-ids
in your rsync command… as long as receiving DC "knows" the group (name
will be resolved to ID so id mismatch doesn't matter).
I think the wiki could be updated to completely remove the 4.2 statement
if my assumption is correct because if receiving DC never "saw" the
BUILTIN group owning a file it'll still be mapped to the same id as the
sender… which leaves us in an inconsistent state
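A check for the situation discussed in this thread, as an added example that is not part of the original messages: it compares SID-to-xidNumber mappings dumped from two DCs and reports SIDs whose IDs differ or that the receiving DC has not mapped at all. The LDIF samples and function names are constructed for illustration, and the record layout is assumed to match what `ldbsearch -H idmap.ldb` prints.

```python
import re

# Constructed sample dumps (values invented), one per DC.
SENDER_LDIF = """\
# record 1
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-32-549
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 3000001

# record 3
dn: CN=S-1-5-32-554
objectSid: S-1-5-32-554
type: ID_TYPE_BOTH
xidNumber: 3000005

# record 4 (allocator state, no SID: must be ignored)
dn: CN=CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000006
"""
RECEIVER_LDIF = SENDER_LDIF.replace("xidNumber: 3000001", "xidNumber: 3000003")
RECEIVER_LDIF = re.sub(r"# record 3.*?\n\n", "", RECEIVER_LDIF, flags=re.S)

def parse_idmap(ldif):
    """Return {SID: xidNumber} for every record that carries both attributes."""
    mapping = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(line.split(": ", 1) for line in record.splitlines()
                     if not line.startswith("#") and ": " in line)
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def compare_idmaps(sender, receiver):
    """Return (SIDs mapped to different IDs, SIDs the receiver never mapped)."""
    mismatched = {sid: (xid, receiver[sid]) for sid, xid in sender.items()
                  if sid in receiver and receiver[sid] != xid}
    missing = sorted(set(sender) - set(receiver))
    return mismatched, missing

if __name__ == "__main__":
    print(compare_idmaps(parse_idmap(SENDER_LDIF), parse_idmap(RECEIVER_LDIF)))
```
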