[Samba] Rights issue on GPO

lingpanda101 at gmail.com lingpanda101 at gmail.com
Mon Jun 20 19:51:16 UTC 2016

On 6/20/2016 2:28 PM, Rowland penny wrote:
> On 20/06/16 19:17, lingpanda101 at gmail.com wrote:
>> On 6/20/2016 2:10 PM, Rowland penny wrote:
>>> On 20/06/16 18:49, lingpanda101 at gmail.com wrote:
>>>> On 6/20/2016 1:19 PM, lists wrote:
>>>>> Hi all,
>>>>> Following this thread with interest, as we are also having some 
>>>>> issues with GPO (they work on and off, unpredictably)
>>>>> We checked idmap.ldb on the DCs and noticed differences between DCs.
>>>>> We would like to ask some questions:
>>>>> On 10-6-2016 9:26, Rowland penny wrote:
>>>>>> Well, it is and it isn't, yes winbindd will display the user & group
>>>>>> names for sysvol, but sysvol still isn't replicated between DCs. 
>>>>>> I think
>>>>>> this means that when you sync sysvol manually, you will get the ID's
>>>>>> from the first DC applied to sysvol on the second DC and if there 
>>>>>> is a
>>>>>> difference in ID numbers between the DC's, you will either just 
>>>>>> get a
>>>>>> number or, even worse, a wrong name returned.
>>>>>> I could be wrong, but I still think you need to keep idmap.ldb in 
>>>>>> sync
>>>>>> on all DCs, if you are syncing sysvol.
>>>>> We are on sernet-samba-4.4.4 on the DCs, and "winbindd -D" is 
>>>>> running on DCs.
>>>>> We understand we need to keep idmap.ldb in sync. We did this in 
>>>>> the past, but it seems they have gotten out of sync again.
>>>>> One question: HOW OFTEN do we need to manually sync the 
>>>>> idmap.ldb files? After each and every regular user addition/deletion?
>>>>> We are currently on sernet-4.4.4 on the 3 DCs, but on our 
>>>>> fileserver we are still on samba 4.2.11 and sssd. Would that last 
>>>>> bit have any impact on the GPO situation..? (I don't think so, 
>>>>> because GPOs are on the DCs and not on the fileserver..?)
>>>>> Since our idmap.ldb differs per DC, HOW to choose which one to 
>>>>> copy to the other DCs? Choosing wrongly will probably have major 
>>>>> implications..?
>>>>> Sorry to ask so many questions, hopefully someone will answer.
>>>>> Best regards,
>>>>> MJ
>>>> Mine are also out of sync. Using Samba 4.4.4 on Ubuntu 12.04. I no 
>>>> longer keep the idmap.ldb in sync as I thought this was no longer 
>>>> needed since version 4.2 or greater unless using winbind.
>>>> I also never would reset sysvol on the other DC's when replicating 
>>>> using rsync. I don't believe it was ever in the wiki. Clarification 
>>>> from someone would be helpful.
>>> If you use Samba < 4.2.0 with the 'winbind' part of the 'samba' 
>>> binary, then you had to, but if you use Samba >= 4.2.0, then this 
>>> uses the separate 'winbindd' binary and this will map the BUILTIN 
>>> users & groups correctly.
>>> Rowland
>> I completely missed the BUILTIN part. That explains my issue. That 
>> means for all other users idmap.ldb must be kept in sync?
> No, it seems that it now works similar to the 'rid' backend, if a user 
> connects to a share on the DC, that user's username is used for any 
> files/directories created by the user.
> Rowland

I'm showing inconsistent xid mappings when using winbindd. That's why I 
figured I still needed to sync idmap.ldb.
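
A way to make the "inconsistent xid mappings" concrete, as an added example that is not part of this thread or of the Samba project's own tooling: export the SID to xidNumber mappings from idmap.ldb on each DC, then diff the two exports to list every SID that resolved to a different xid on each DC. Those are exactly the entries that turn into bare numbers or the wrong name when sysvol is rsync'ed from one DC to the other. The ldbsearch command and the idmap.ldb path in the comment are assumptions about a typical install; the two exports below are constructed sample data, not mappings from any real DC.

```shell
#!/bin/sh
# Added example: compare SID -> xidNumber mappings from two DCs' idmap.ldb exports.
# Not code from the Samba list thread or the Samba project.
#
# Assumed export command to run on each DC (path is the usual Samba private
# directory, adjust for your packaging); it produces "SID xid" per line:
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' \
#       objectSid xidNumber |
#     awk '/^objectSid:/ {s=$2} /^xidNumber:/ {print s, $2}' > idmap-$(hostname).txt

export LC_ALL=C

# Constructed sample exports (not real DC data). The same two SIDs were
# allocated xids in a different order on DC2, which is the classic symptom
# of allocating mappings independently on each DC.
DC1_MAP='S-1-5-21-1-2-3-1000 3000000
S-1-5-21-1-2-3-1001 3000001
S-1-5-21-1-2-3-1105 3000002
S-1-5-32-544 3000003'

DC2_MAP='S-1-5-21-1-2-3-1000 3000000
S-1-5-21-1-2-3-1001 3000002
S-1-5-21-1-2-3-1105 3000001
S-1-5-32-544 3000003'

# Write the constructed exports to temp files so the script runs stand-alone.
TMPD=$(mktemp -d)
printf '%s\n' "$DC1_MAP" > "$TMPD/dc1.txt"
printf '%s\n' "$DC2_MAP" > "$TMPD/dc2.txt"

# idmap_diff FILE1 FILE2
# Prints "SID xid_on_1 xid_on_2" for each SID whose xid differs between the
# two exports; a SID present on only one DC is reported with MISSING on the
# other side. No output means the two idmap.ldb files agree.
idmap_diff() {
    awk '
        NR == FNR { first[$1] = $2; next }           # load file 1 into a map
        {
            if (!($1 in first)) print $1, "MISSING", $2
            else {
                if (first[$1] != $2) print $1, first[$1], $2
                delete first[$1]                     # consumed: seen on both DCs
            }
        }
        END { for (sid in first) print sid, first[sid], "MISSING" }
    ' "$1" "$2"
}

# idmap_mismatch_count FILE1 FILE2: number of differing entries, for scripting
# a check (e.g. from cron, alerting when it is non-zero).
idmap_mismatch_count() {
    idmap_diff "$1" "$2" | wc -l | tr -d ' '
}

echo "SIDs mapped differently on DC1 vs DC2:"
idmap_diff "$TMPD/dc1.txt" "$TMPD/dc2.txt"
```

Run the export on every DC, copy the text files to one place, and run `idmap_diff` pairwise; with the constructed data it reports the two swapped SIDs (ending in 1001 and 1105) and nothing else. The script only detects the drift; which DC's idmap.ldb should be treated as the master, and whether to re-apply ACLs on sysvol after copying it, is the open question in the thread above and is not decided here.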

