[Samba] Keeping idmap in sync cross DC

Ian Coetzee samba at iancoetzee.za.net
Thu Nov 23 12:44:02 UTC 2017


On 23 November 2017 at 14:16, Rowland Penny <rpenny at samba.org> wrote:

> On Thu, 23 Nov 2017 14:01:03 +0200
> Ian Coetzee via samba <samba at lists.samba.org> wrote:
>
> > On 22 November 2017 at 17:45, Rowland Penny <rpenny at samba.org> wrote:
> >
> > > On Wed, 22 Nov 2017 16:01:17 +0200
> > > Ian Coetzee via samba <samba at lists.samba.org> wrote:
> > >
> > > > Hi Guys,
> > > >
> > > > I have run into a very interesting problem using GPO's on our
> > > > DC's.
> > > >
> > > > As you may (or may not) know, we have migrated to a pure Samba4
> > > > (Git stable branch checkout) AD network. I can't be happier.
> > > > *Kudos to the Samba team*
> > > >
> > > > We are running two DC's, DC1 and DC2, both full fledged DC's, both
> > > > running CentOS 6.9, fully up to date.
> > > >
> > > > For the sysvol partition I decided to run a glusterfs between the
> > > > DC's. I started out with a unison sync, but being the impatient
> > > > person I am, I needed more real time.
> > > >
> > > > Now my problem is with the permissions in the sysvol folder
> > > > structure.
> > > >
> > >
> > > Sorry, but your problem is that you missed this:
> > >
> > > https://wiki.samba.org/index.php/Bidirectional_Rsync/osync_based_SysVol_replication_workaround#FAQ
> > >
> > > Where it quite clearly says this:
> > >
> > >      Why can't I simply use a distributed filesystem like GlusterFS,
> > > Lustre, etc. for SysVol?
> > >         A cluster file system with Samba requires CTDB to be able
> > > to do it safely. And CTDB and AD DC are incompatible.
> > >
> > > Rowland
> > >
> >
> > Hi Rowland,
> >
> > Yes, you are right, I completely missed that part.
> >
> > I actually had the system set up using
> > https://wiki.samba.org/index.php/Bidirectional_Rsync/Unison_based_SysVol_replication_workaround
> >
> > But then I decided to become creative with a glusterfs setup.
> >
> > I now have an Osync setup (much easier IMO), but the permissions are
> > still not quite right, bringing me back to my idmap syncing question.
> >
> > Kind regards
>
> There are instructions here:
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_Groups_GID_Mappings
>
>
Hi Rowland,

I followed that howto.
I copied the idmap.tdb.bak from dc1 to dc2 and restarted samba on dc2,
but a getfacl on the sysvol directory gives me the wrong mappings.

My issue is with AD groups on the permissions of the Policies

Should I make a nightly backup of the idmap.tdb on dc1 and sync it to dc2
perhaps?

Kind regards
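An added example (not from this thread or the Samba wiki) of a check that would flag the symptom above: build a gid-to-name table from the sysvol ACLs as seen on each DC, then diff how the two DCs resolve the same numeric GIDs. The replicated sysvol only carries numbers; each DC's idmap database decides which AD group a number means, so the tables must agree. The GIDs and group names in sample_tables are constructed stand-ins for real build_gid_table output.

```shell
#!/bin/sh
# Added example, not from the thread: detect idmap drift between two DCs by
# comparing how each DC resolves the numeric GIDs stored in sysvol ACLs.
export LC_ALL=C            # join/sort need identical collation on both DCs
tab=$(printf '\t')

# Pair `getfacl -n` (numeric ids) with `getfacl` (resolved names) for one
# path; both print entries in the same order. Output "gid<TAB>name" lines.
build_gid_table() {        # usage (on each DC): build_gid_table <sysvol path> > dcN.tbl
    num=$(mktemp); nam=$(mktemp)
    getfacl -R -n "$1" 2>/dev/null | sed -n 's/^group:\([0-9][0-9]*\):.*/\1/p' >"$num"
    getfacl -R    "$1" 2>/dev/null | sed -n 's/^group:\([^:][^:]*\):.*/\1/p'   >"$nam"
    paste "$num" "$nam" | sort -u
    rm -f "$num" "$nam"
}

# Print every GID the two DCs resolve differently. A GID winbind cannot map
# shows up as the bare number (getfacl falls back to it); a GID present on
# one side only shows as <missing>. Returns 1 on drift, 0 when tables agree.
idmap_drift() {            # usage: idmap_drift dc1.tbl dc2.tbl
    drift=$(join -t "$tab" -a1 -a2 -e '<missing>' -o 0,1.2,2.2 "$1" "$2" |
            awk -F '\t' '$2 != $3')
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# Constructed sample tables (hypothetical GIDs and group names) standing in
# for build_gid_table output on dc1 and dc2; dc2 maps 3000001 to a different
# group and cannot resolve 3000002 at all.
sample_tables() {          # usage: sample_tables <dc1 file> <dc2 file>
    printf '3000000\tBUILTIN\\administrators\n3000001\tBUILTIN\\server operators\n3000002\tEXAMPLE\\group policy creator owners\n' >"$1"
    printf '3000000\tBUILTIN\\administrators\n3000001\tEXAMPLE\\domain users\n3000002\t3000002\n' >"$2"
}

dc1=$(mktemp); dc2=$(mktemp)
sample_tables "$dc1" "$dc2"
idmap_drift "$dc1" "$dc2" || echo "idmap drift found: fix idmap before trusting sysvol ACLs" >&2
rm -f "$dc1" "$dc2"
```

On real DCs, run build_gid_table on each and copy the tables to one host before calling idmap_drift; an empty result is the precondition for the copied-idmap approach to give correct getfacl output.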

