[Samba] GID mappings of built-in groups when addin additional dc

[Achim Gottinger]

Am 02.10.2016 um 12:44 schrieb Achim Gottinger via samba:
>
>
> Am 02.10.2016 um 12:24 schrieb Rowland Penny via samba:
>> On Sun, 2 Oct 2016 11:45:15 +0200
>> Achim Gottinger via samba <samba at lists.samba.org> wrote:
>>
>>>
>>> Am 02.10.2016 um 08:20 schrieb Trenta sis via samba:
>>>> Hi,
>>>>
>>>> I have a samba 4.4.5 AD domain and is working perfect, but now I
>>>> need to add a second samba 4 AD, I have found that in
>>>> https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory 
>>>>
>>>> is detailed the correct steps, my question is about step related
>>>> with winbind (tdbbackup) builtin groups, appears a message "*NOTE:
>>>> Only do this if you are running a version of Samba before 4.2.0 or
>>>> are using the built-in winbind.*" but I'm not sure if in my
>>>> environment I have to make this step.
>>>>
>>>> I have installed and configured samba 4.4.5 from sources and only
>>>> added
>>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#libnss_winbind 
>>>>
>>>> https://wiki.samba.org/index.php/Libnss_winbind_links
>>>>
>>>> In my environment is needed tdbbackup when you adds second dc?
>>>>
>>>> Thanks
>>> The step "GID mapping of build-in groups" is still required with
>>> 4.4.5, no matter if you use winbind or winbindd.
>>>
>> This is no longer required on any supported version of Samba, you just
>> need to run 'samba-tool ntacl sysvolreset'
>>
>> Rowland
> We discussed this a while back, back then you did not have the time to 
> compare your rsync setup.
>
> It is still required if you do not want to run sysvolreset after each 
> rsync of the sysvol folders
If the mappings in idmap.tdb are not the same there will always be an 
small timeframe with incorrect access rights on sysvol.
If an clients connects in this timeframe it may not have access to gpo's 
and scripts. Or even worse an attacker may have unwanted access rights 
on the sysvol share.