[Samba] Sysvolreset
Rowland Penny
rpenny at samba.org
Thu Jan 11 21:52:33 UTC 2018
On Thu, 11 Jan 2018 17:42:19 +0100
Denis Cardon via samba <samba at lists.samba.org> wrote:
> Hi Carlos,
> >
> > DC to DC2/DC3 ->
> >
> > /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@samba-dc102:/opt/samba/var/locks/
> >
> > /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@samba-dc102:/opt/samba/var/locks/
>
> Looking at your smb.conf file, you are using tdb idmap (default on
> DC). So the UID/SID mapping will be different on the different DCs,
> and your rsync will thus mess up the ACLs of sysvol. ACLs on sysvol
> are very important, otherwise GPO won't be applied.
>
> So it is logical for you to have to apply sysvolreset after your rsync.
>
> One way to avoid that would be to copy idmap.ldb from your first DC
> to the other two DCs. The other way would be to configure rfc2307,
> but I'd say it is too much of a hassle.

If you are going to configure rfc2307 (I take this to mean adding
uidNumber & gidNumber attributes to AD), do not give Domain Admins a
gidNumber; this will turn the group into just a group. This might seem
a strange thing to say, but Domain Admins is mapped to both a group
AND a user in idmap.ldb and the group needs to own GPOs in Sysvol and
it cannot if it is just a group.

Rowland
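
An added example, not part of the original thread: a check to run before relying on `rsync -XAa` for sysvol, comparing the SID-to-xid mappings of two DCs and flagging a Domain Admins entry that is not mapped as both user and group. It assumes each DC's idmap.ldb has been dumped to LDIF text (for instance with `ldbsearch -H`); the domain SID and xidNumber values below are constructed.

```python
import re

# Constructed sample: abridged LDIF dumps of idmap.ldb from two DCs.
# The domain SID S-1-5-21-1-2-3 and every xidNumber here are made up.
DC1_DUMP = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1-2-3-512
objectSid: S-1-5-21-1-2-3-512
type: ID_TYPE_BOTH
xidNumber: 3000008
"""

DC2_DUMP = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1-2-3-512
objectSid: S-1-5-21-1-2-3-512
type: ID_TYPE_GID
xidNumber: 3000004
"""

def parse_idmap(ldif):
    """Return {sid: (xidNumber, type)} from an LDIF dump of idmap.ldb."""
    mappings = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(line.split(": ", 1) for line in record.splitlines()
                     if ": " in line and not line.startswith("#"))
        if "objectSid" in attrs and "xidNumber" in attrs:
            mappings[attrs["objectSid"]] = (int(attrs["xidNumber"]), attrs.get("type"))
    return mappings

def xid_mismatches(a, b):
    """SIDs known to both DCs whose xid differs; rsync -A/-X copies xids as-is."""
    return {s: (a[s][0], b[s][0]) for s in a.keys() & b.keys() if a[s][0] != b[s][0]}

def domain_admins_not_both(mappings):
    """Domain Admins SIDs (domain SID + RID 512) not mapped as ID_TYPE_BOTH."""
    return [sid for sid, (_, kind) in mappings.items()
            if re.fullmatch(r"S-1-5-21(-\d+){3}-512", sid) and kind != "ID_TYPE_BOTH"]
```

Any SID returned by `xid_mismatches` means ACLs copied with their numeric IDs will resolve to a different principal on the receiving DC.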