[Samba] Rights issue on GPO

Rowland penny rpenny at samba.org
Mon Jun 20 18:28:05 UTC 2016

On 20/06/16 19:17, lingpanda101 at gmail.com wrote:
> On 6/20/2016 2:10 PM, Rowland penny wrote:
>> On 20/06/16 18:49, lingpanda101 at gmail.com wrote:
>>> On 6/20/2016 1:19 PM, lists wrote:
>>>> Hi all,
>>>> Following this thread with interest, as we are also having some 
>>>> issues with GPO (they work on and off, unpredictably)
>>>> We checked idmap.ldb on the DCs and noticed differences between DCs.
>>>> We would like to ask some questions:
>>>> On 10-6-2016 9:26, Rowland penny wrote:
>>>>> Well, it is and it isn't, yes winbindd will display the user & group
>>>>> names for sysvol, but sysvol still isn't replicated between DCs. I think
>>>>> this means that when you sync sysvol manually, you will get the ID's
>>>>> from the first DC applied to sysvol on the second DC and if there is a
>>>>> difference in ID numbers between the DC's, you will either just get a
>>>>> number or, even worse, a wrong name returned.
>>>>> I could be wrong, but I still think you need to keep idmap.ldb in sync
>>>>> on all DCs, if you are syncing sysvol.
>>>> We are on sernet-samba-4.4.4 on the DCs, and "winbindd -D" is 
>>>> running on DCs.
>>>> We understand we need to keep idmap.ldb in sync. We did this in the 
>>>> past, but it seems they have gotten out of sync again.
>>>> One question: HOW OFTEN do we need to manually sync the idmap.ldb 
>>>> files? After each and every regular user addition/deletion?
>>>> We are currently on sernet-4.4.4 on the 3 DCs, but on our 
>>>> fileserver we are still on samba 4.2.11 and sssd. Would that last 
>>>> bit have any impact on the GPO situation..? (i don't think so, 
>>>> because GPOs are on the DCs and not on the fileserver..?)
>>>> Since our idmap.ldb differs per DC, HOW to choose which one to copy 
>>>> to the other DCs? Choosing wrongly will probably have major 
>>>> implications..?
>>>> Sorry to ask so many questions, hopefully someone will answer.
>>>> Best regards,
>>>> MJ
>>> Mine are also out of sync. Using Samba 4.4.4 on Ubuntu 12.04. I no 
>>> longer keep the idmap.ldb in sync as I thought this was no longer 
>>> needed since version 4.2 or greater unless using winbind.
>>> I also never would reset sysvol on the other DC's when replicating 
>>> using rsync. I don't believe it was ever in the wiki. Clarification 
>>> from someone would be helpful.
>> If you use Samba < 4.2.0 with the 'winbind' part of the 'samba' 
>> binary, then you had to, but if you use Samba >= 4.2.0, then this 
>> uses the separate 'winbindd' binary and this will map the BUILTIN 
>> users & groups correctly.
>> Rowland
> I completely missed the BUILTIN part. That explains my issue. That 
> means for all other users idmap.ldb must be kept in sync?

No, it seems that it now works similar to the 'rid' backend: if a user 
connects to a share on the DC, that user's username is used for any 
files/directories created by the user.
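As an added illustration of the drift discussed in this thread (not code from the list or from the Samba project), the script below compares idmap.ldb dumps from two DCs and reports the cases that make rsynced sysvol ownership come out wrong: a SID mapped to different xidNumbers, a SID present on only one DC, and one xidNumber that belongs to different SIDs on the two DCs (the "wrong name returned" case). The two dumps are constructed; the ldbsearch path in the comment is an assumption.

```python
import re

# Constructed LDIF in the shape ldbsearch prints for idmap.ldb, e.g. (path assumed):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber
DC1_DUMP = """
dn: CN=S-1-5-21-111-222-333-1105
objectSid: S-1-5-21-111-222-333-1105
type: ID_TYPE_BOTH
xidNumber: 3000010

dn: CN=S-1-5-21-111-222-333-1106
objectSid: S-1-5-21-111-222-333-1106
type: ID_TYPE_BOTH
xidNumber: 3000011
"""
DC2_DUMP = """
dn: CN=S-1-5-21-111-222-333-1105
objectSid: S-1-5-21-111-222-333-1105
type: ID_TYPE_BOTH
xidNumber: 3000011

dn: CN=S-1-5-21-111-222-333-1107
objectSid: S-1-5-21-111-222-333-1107
type: ID_TYPE_BOTH
xidNumber: 3000010
"""

def parse_idmap_ldif(text):
    """Return {sid: xidNumber} from ldbsearch LDIF output; comment/summary lines are ignored."""
    mapping = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        sid = xid = None
        for line in record.splitlines():
            key, _, value = line.partition(":")
            if key.strip() == "objectSid":
                sid = value.strip()
            elif key.strip() == "xidNumber":
                xid = int(value.strip())
        if sid is not None and xid is not None:
            mapping[sid] = xid
    return mapping

def diff_idmaps(a, b):
    """Compare two {sid: xid} maps; any non-empty result means rsynced sysvol IDs lie on one DC."""
    changed = {s: (a[s], b[s]) for s in a.keys() & b.keys() if a[s] != b[s]}
    missing = sorted(a.keys() ^ b.keys())          # SID mapped on only one DC
    xid_a = {x: s for s, x in a.items()}           # reverse maps to spot xid reuse
    xid_b = {x: s for s, x in b.items()}
    collision = {x: (xid_a[x], xid_b[x]) for x in xid_a.keys() & xid_b.keys()
                 if xid_a[x] != xid_b[x]}          # same number, different owner
    return {"changed": changed, "missing": missing, "collision": collision}

if __name__ == "__main__":
    print(diff_idmaps(parse_idmap_ldif(DC1_DUMP), parse_idmap_ldif(DC2_DUMP)))
```

Run it against real dumps by reading each DC's ldbsearch output into the two strings; an empty report is what you want before rsyncing sysvol.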

