[Samba] Sysvol access after running osync

Bob Thomas bthomas at cybernetics.com
Tue Oct 4 14:44:07 UTC 2016

Hey Samba team - Thanks for all your work

I have three production samba 4 DCs 2 running on Ubuntu 16.04 (Samba 
4.4.5 and 4.4.4) and one on 14.04 (Samba 4.3.3) all working well for the 
most part.  However to keep everything in sync I setup osync for syncing 
Sysvol.  As recent conversations on the list indicate following the sync 
operation I lose access to sysvol until I run 'samba-tool ntacl 
sysvolreset' - thats not my concern.

While looking into the issue, I have found that the three 
/var/lib/samba/private/idmap.ldp files are drastically different between 
the three controllers with the first DC having the most complete.

So my first question is, can I simply copy the first DC's idmap.ldp to 
the other DCs to get them the same?

My second question is, based on Rowland's repeated  advice about 
smb.conf -  Should I remove the idmap config lines from the DC's, and if 
so will it have any impact on their operation?

All three smb.conf files are the same except for "netbios name":

         netbios name = CY-DC2
         realm = CY.DOMAIN.COM
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
drepl, winbindd, ntp_signd, kcc, dnsupdate
         workgroup = CY
         server role = active directory domain controller
         server services = -dns
         ldap server require strong auth = no
         allow dns updates = nonsecure and secure
         idmap_ldb:use rfc2307 = yes
         log level = 3

    # Default idmap config used for BUILTIN and local accounts/groups
         idmap config * : backend = tdb
         idmap config * : range = 2000-9999

    # idmap config for domain CY
         idmap config CY : backend = ad
         idmap config CY : range = 10000-99999

         winbind nss info = rfc2307

         path = /var/lib/samba/sysvol/cy.cybernetics.com/scripts
         read only = No

         path = /var/lib/samba/sysvol
         read only = No


Thanks again,

Bob Thomas

More information about the samba mailing list