[Samba] Rights issue on GPO

lists lists at merit.unu.edu
Mon Jun 20 17:19:16 UTC 2016

Hi all,

Following this thread with interest, as we are also having some issues 
with GPO (they work on and off, unpredictably).
We checked idmap.ldb on the DCs and noticed differences between DCs.

We would like to ask some questions:

On 10-6-2016 9:26, Rowland Penny wrote:
> Well, it is and it isn't, yes winbindd will display the user & group
> names for sysvol, but sysvol still isn't replicated between DCs. I think
> this means that when you sync sysvol manually, you will get the IDs
> from the first DC applied to sysvol on the second DC and if there is a
> difference in ID numbers between the DCs, you will either just get a
> number or, even worse, a wrong name returned.
> I could be wrong, but I still think you need to keep idmap.ldb in sync
> on all DCs, if you are syncing sysvol.

We are on sernet-samba-4.4.4 on the DCs, and "winbindd -D" is running on 

We understand we need to keep idmap.ldb in sync. We did this in the 
past, but it seems they have gotten out of sync again.
One question: HOW OFTEN do we need to manually sync the idmap.ldb 
files? After each and every regular user addition/deletion?

We are currently on sernet-4.4.4 on the 3 DCs, but on our fileserver we 
are still on samba 4.2.11 and sssd. Would that last bit have any impact 
on the GPO situation..? (I don't think so, because GPOs are on the DCs 
and not on the fileserver..?)

Since our idmap.ldb differs per DC, HOW to choose which one to copy to 
the other DCs? Choosing wrongly will probably have major implications..?

Sorry to ask so many questions, hopefully someone will answer.

Best regards,
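
The following is an added example, not part of the original message or of Samba itself: a way to check how far two DCs' idmap.ldb files have drifted, and which of the outcomes described in the quoted reply (a bare number or a wrong name) a sysvol copy from one DC to the other would produce. It assumes each DC's idmap.ldb has been dumped to LDIF (for instance with ldbsearch) and that mapping records carry the SID in `cn` and the local ID in `xidNumber`; the SIDs, ID numbers and helper names below are constructed for illustration.

```python
import re

def parse_idmap_ldif(text):
    """Return {sid: xidNumber} from an LDIF dump of idmap.ldb."""
    mapping = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(
            line.split(": ", 1) for line in record.splitlines()
            if ": " in line and not line.startswith("#")
        )
        sid = attrs.get("cn", "")
        # Skip CN=CONFIG and anything else that is not a SID mapping.
        if sid.startswith("S-1-") and "xidNumber" in attrs:
            mapping[sid] = int(attrs["xidNumber"])
    return mapping

def sysvol_copy_effect(src, dst):
    """For numeric IDs copied from the src DC, report what the dst DC resolves them to."""
    dst_by_xid = {xid: sid for sid, xid in dst.items()}
    result = {}
    for sid, xid in sorted(src.items()):
        seen = dst_by_xid.get(xid)
        if seen == sid:
            result[sid] = "ok"
        elif seen is None:
            result[sid] = "number only"          # dst has no mapping for this ID
        else:
            result[sid] = "wrong name: " + seen  # dst maps this ID to another SID
    return result

# Constructed sample dumps (assumed record layout, made-up domain SID and IDs).
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
CONFIG = "dn: CN=CONFIG\ncn: CONFIG\nlowerBound: 3000000\nupperBound: 4000000\nxidNumber: 3000022\n"

def rec(sid, xid):
    return f"dn: CN={sid}\ncn: {sid}\nobjectClass: sidMap\ntype: ID_TYPE_BOTH\nxidNumber: {xid}\n"

DC1_LDIF = "\n".join([CONFIG, rec("S-1-5-32-544", 3000000), rec(DOM + "-512", 3000008),
                      rec(DOM + "-1104", 3000020), rec(DOM + "-1105", 3000021)])
DC2_LDIF = "\n".join([CONFIG, rec("S-1-5-32-544", 3000000), rec(DOM + "-512", 3000010),
                      rec(DOM + "-1104", 3000008)])

if __name__ == "__main__":
    effect = sysvol_copy_effect(parse_idmap_ldif(DC1_LDIF), parse_idmap_ldif(DC2_LDIF))
    for sid, outcome in effect.items():
        print(f"{sid:50} {outcome}")
```

An all-"ok" result means the numeric owners on a copied sysvol resolve to the same accounts on both DCs; the comparison ignores the `type` attribute and treats IDs as a single namespace.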
