[Samba] Rights issue on GPO
lingpanda101 at gmail.com
lingpanda101 at gmail.com
Mon Jun 20 19:51:16 UTC 2016
On 6/20/2016 2:28 PM, Rowland penny wrote:
> On 20/06/16 19:17, lingpanda101 at gmail.com wrote:
>> On 6/20/2016 2:10 PM, Rowland penny wrote:
>>> On 20/06/16 18:49, lingpanda101 at gmail.com wrote:
>>>> On 6/20/2016 1:19 PM, lists wrote:
>>>>> Hi all,
>>>>>
>>>>> Following this thread with interest, as we are also having some
>>>>> issues with GPO (they work on and off, unpredictably)
>>>>> We checked iddap.ldb on the DCs and noticed differences between DCs.
>>>>>
>>>>> We would like to ask some questions:
>>>>>
>>>>> On 10-6-2016 9:26, Rowland penny wrote:
>>>>>> Well, it is and it isn't, yes winbindd will display the user & group
>>>>>> names for sysvol, but sysvol still isn't replicated between DCs.
>>>>>> I think
>>>>>> this means that when you sync sysvol manually, you will get the ID's
>>>>>> from the first DC applied to sysvol on the second DC and if there
>>>>>> is a
>>>>>> difference in ID numbers between the DC's, you will either just
>>>>>> get a
>>>>>> number or, even worse, a wrong name returned.
>>>>>>
>>>>>> I could be wrong, but I still think you need to keep idmap.ldb in
>>>>>> sync
>>>>>> on all DCs, if you are syncing sysvol.
>>>>>
>>>>> We are on sernet-samba-4.4.4 on the DCs, and "winbindd -D" is
>>>>> running on DCs.
>>>>>
>>>>> We understand we need to keep idmap.ldb in sync. We did this in
>>>>> the past, but it seems they have gotten out of sync again.
>>>>> One question: HOW OFTEN do we need to do manually sync the
>>>>> imap.ldb files? After each and every regular user addition/deletion?
>>>>>
>>>>> We are currently on sernet-4.4.4 on the 3 DCs, but on our
>>>>> fileserver we are still on samba 4.2.11 and sssd. Would that last
>>>>> bit have any impact on the GPO situation..? (i don't think so,
>>>>> because GPOs are on the DCs and not on the fileserver..?)
>>>>>
>>>>> Since our idmap.ldb differs per DC, HOW to choose which one to
>>>>> copy to the other DCs? Choosing wrongly will probably have major
>>>>> implications..?
>>>>>
>>>>> Sorry to ask so many questions, hopefully someone will answer.
>>>>>
>>>>> Best regards,
>>>>> MJ
>>>>>
>>>>
>>>> Mine are also out of sync. Using Samba 4.4.4 on Ubuntu 12.04. I no
>>>> longer keep the idmap.ldb in sync as I thought this was no longer
>>>> needed since version 4.2 or greater unless using winbind.
>>>>
>>>> I also never would reset sysvol on the other DC's when replicating
>>>> using rsync. I don't believe it was ever in the wiki. Clarification
>>>> from someone would be helpful.
>>>>
>>>
>>> If you use Samba < 4.2.0 with the 'winbind' part of the 'samba'
>>> binary, then you had to, but if you use Samba >= 4.2.0, then this
>>> uses the separate 'winbindd' binary and this will map the BUILTIN
>>> users & groups correctly.
>>>
>>> Rowland
>>>
>>>
>> I completely missed the BUILTIN part. That explains my issue. That
>> means for all other users idmap.ldb must be kept in sync?
>>
>>
>
> No, It seems that it now works similar to the 'rid' backend, if a user
> connects to a share on the DC, that users username is used for any
> files/directories created by the user.
>
> Rowland
>
>
I'm showing inconsistent xid mappings when using winbindd. That's why I
figured I still needed to sync idmap.ldb.
--
-James
More information about the samba
mailing list