[Samba] Rights issue on GPO
lists at merit.unu.edu
Mon Jun 20 17:19:16 UTC 2016
Following this thread with interest, as we are also having some issues
with GPO (they work on and off, unpredictably).
We checked idmap.ldb on the DCs and noticed differences between DCs.
We would like to ask some questions:
On 10-6-2016 9:26, Rowland Penny wrote:
> Well, it is and it isn't, yes winbindd will display the user & group
> names for sysvol, but sysvol still isn't replicated between DCs. I think
> this means that when you sync sysvol manually, you will get the ID's
> from the first DC applied to sysvol on the second DC and if there is a
> difference in ID numbers between the DC's, you will either just get a
> number or, even worse, a wrong name returned.
> I could be wrong, but I still think you need to keep idmap.ldb in sync
> on all DCs, if you are syncing sysvol.
We are on sernet-samba-4.4.4 on the DCs, and "winbindd -D" is running on
We understand we need to keep idmap.ldb in sync. We did this in the
past, but it seems they have gotten out of sync again.
One question: HOW OFTEN do we need to manually sync the idmap.ldb
files? After each and every regular user addition/deletion?
We are currently on sernet-4.4.4 on the 3 DCs, but on our fileserver we
are still on samba 4.2.11 and sssd. Would that last bit have any impact
on the GPO situation..? (I don't think so, because GPOs are on the DCs
and not on the fileserver..?)
Since our idmap.ldb differs per DC, HOW to choose which one to copy to
the other DCs? Choosing wrongly will probably have major implications..?
Sorry to ask so many questions, hopefully someone will answer.
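
Added example, not part of the original message and not Samba's own code: a Python sketch that compares idmap.ldb dumps from two DCs and reports, for each ID the first DC would leave on a manually synced sysvol, whether the second DC shows it as a bare number or as a different SID (the two outcomes described in the quoted reply). The LDIF attribute names (objectSid, xidNumber), the CONFIG record and every SID and ID number in the sample are assumptions constructed for illustration.

```python
import re

def _rec(sid, xid):
    # Builds one constructed record in the assumed ldbsearch LDIF shape.
    return f"dn: CN={sid}\nobjectSid: {sid}\ntype: ID_TYPE_BOTH\nxidNumber: {xid}\n"

DOM = "S-1-5-21-1111-2222-3333"  # constructed domain SID
CONFIG = "dn: CN=CONFIG\nlowerBound: 3000000\nupperBound: 4000000\nxidNumber: 3000012\n"
DC1 = "\n".join([CONFIG, _rec("S-1-5-32-544", 3000000),
                 _rec(DOM + "-512", 3000008), _rec(DOM + "-1105", 3000011)])
DC2 = "\n".join([CONFIG, _rec("S-1-5-32-544", 3000000),
                 _rec(DOM + "-512", 3000010), _rec(DOM + "-1104", 3000008)])

def parse_idmap(ldif):
    """Return {sid: xidNumber} for every SID mapping in an LDIF dump."""
    ldif = ldif.replace("\n ", "")  # unfold wrapped LDIF lines
    mapping = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip comments and malformed lines
            key, value = line.split(": ", 1)
            attrs[key] = value.strip()
        # The allocator record (CN=CONFIG) has an xidNumber but no SID: skip it.
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def sysvol_view(source, target):
    """For each ID `source` would write on sysvol, what `target` shows instead.

    Assumes one ID number maps to one SID per DC. Returns {sid: (xid, outcome)}
    only for SIDs whose ID does not resolve back to the same SID on `target`.
    """
    by_xid = {xid: sid for sid, xid in target.items()}
    report = {}
    for sid, xid in source.items():
        seen = by_xid.get(xid)
        if seen != sid:
            report[sid] = (xid, "bare number" if seen is None else f"wrong name: {seen}")
    return report

if __name__ == "__main__":
    for sid, (xid, outcome) in sorted(sysvol_view(parse_idmap(DC1), parse_idmap(DC2)).items()):
        print(f"{sid} (ID {xid} on DC1) -> on DC2: {outcome}")
```

An empty report in both directions means the two dumps agree on every mapping.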