[Samba] Sysvol access after running osync
lingpanda101 at gmail.com
lingpanda101 at gmail.com
Tue Oct 4 16:09:52 UTC 2016
On 10/4/2016 11:54 AM, Rowland Penny wrote:
> On Tue, 4 Oct 2016 11:43:45 -0400
> lingpanda101--- via samba <samba at lists.samba.org> wrote:
>> On 10/4/2016 11:22 AM, Rowland Penny via samba wrote:
>>> See inline comments:
>>> On Tue, 4 Oct 2016 10:44:07 -0400
>>> Bob Thomas via samba <samba at lists.samba.org> wrote:
>>>> Hey Samba team - Thanks for all your work
>>>> I have three production samba 4 DCs 2 running on Ubuntu 16.04
>>>> (Samba 4.4.5 and 4.4.4) and one on 14.04 (Samba 4.3.3) all working
>>>> well for the most part. However to keep everything in sync I
>>>> setup osync for syncing Sysvol. As recent conversations on the
>>>> list indicate following the sync operation I lose access to sysvol
>>>> until I run 'samba-tool ntacl sysvolreset' - thats not my concern.
>>>> While looking into the issue, I have found that the three
>>>> /var/lib/samba/private/idmap.ldp files are drastically different
>>>> between the three controllers with the first DC having the most
>>> Yes they are very likely to be different, but it doesn't matter if
>>> you are using 'winbindd' on the DCs, it knows what number is who.
>>> All you need to do is run 'sysvolreset' after the sync and osync
>>> can be set to do this for you.
>>>> So my first question is, can I simply copy the first DC's idmap.ldp
>>>> to the other DCs to get them the same?
>>> You can if you want to, but you would also have to keep syncing it,
>>> you would have to stop Samba before you backed idmap.ldb before
>>> copying it.
>>>> My second question is, based on Rowland's repeated advice about
>>>> smb.conf - Should I remove the idmap config lines from the DC's,
>>>> and if so will it have any impact on their operation?
>>> The idmap config lines do nothing on a DC, it will either use the
>>> xidNumbers found in idmap.ldb or be overidden by any uidNumbers
>>> found in AD.
>>> You don't have to remove them, Samba will just ignore them.
>> My understanding (someone please correct me if I am wrong) is if you
>> use RFC2307 and provide each user and group a UID and GID, you do not
>> need to sync idmap.ldb. If not you will need to sync idmap.ldb
>> because Samba uses XID's for mapping. This is only relevant if you
>> have users or computers that are accessing services being served from
>> a Linux device. Windows users and computers use SID's and RID's which
>> are synced automatically by Samba across all DC's.
> You don't have to sync idmap.ldb at all, just use sysvolreset after
> after each sysvol sync (this is provided you are using winbindd)
> Your last sentence explains why.
I thought sysvolreset and winbindd was only applicable to builtin
groups. Manually created users and groups must still be kept in sync.
More information about the samba