[Samba] Sysvolreset

Carlos carlos.hollow at gmail.com
Sat Jan 13 13:37:37 UTC 2018


Hello!

I'll try that.
Done with result.


Regards,


On 11-01-2018 20:45, Kacper Wirski via samba wrote:
> Hello,
>
> copying idmap is fairly straightforward.
>
> 1) on your first DC (that one that has PDC FSMO, and is the source for 
> rsync) create backup of idmap.ldb
>
> tdbbackup -s .bak /path/to/samba/private/idmap.ldb
>
> it will create idmap.ldb.bak
>
> 2) stop samba service on second DC
>
> 3) copy idmap.ldb.bak from first dc to second dc, lose the .bak suffix 
> and just copy it over idmap.ldb on second dc
>
> 4) start samba on second dc
>
> I'm not sure if it's necessary, but you can flush winbindd cache:
>
> net cache flush
>
> and that's it
>
> No problems occurred for me, when I did that.
>
>
> On 11.01.2018 at 18:50, Carlos via samba wrote:
>> Hi,
>>
>> how do I do that ?
>> And what would be the possible problems? (Both are in production)
>>
>> "One way to avoid that would be to copy idmap.ldb from your first DC 
>> to the other two DCs."
>>
>> Regards;
>>
>>
>> On 11-01-2018 14:42, Denis Cardon wrote:
>>> Hi Carlos,
>>>>
>>>> DC to DC2/DC3 ->
>>>>
>>>>  /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@samba-dc102:/opt/samba/var/locks/
>>>>
>>>>  /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@samba-dc102:/opt/samba/var/locks/
>>>
>>> looking at your smb.conf file, you are using tdb idmap (default on 
>>> DC). So the UID/SID mapping will be different on the different DC, 
>>> and your rsync will thus mess up the ACLs of sysvol. ACLs on sysvol 
>>> are very important, otherwise GPO won't be applied.
>>>
>>> So it is logical for you to have to apply sysvolreset after your rsync.
>>>
>>> One way to avoid that would be to copy idmap.ldb from your first DC 
>>> to the other two DCs. The other way would be to configure rfc2307, 
>>> but I'd say it is too much of a hassle.
>>>
>>> Cheers,
>>>
>>> Denis
>>>
>>>>
>>>> Regards
>>>>
>>>>
>>>> On 10-01-2018 11:59, Carlos wrote:
>>>>> Hi!
>>>>>
>>>>> I have 3 Samba 4 servers, version 4.7.3, running on Ubuntu Server 16.04.
>>>>>
>>>>> All is OK, but the GPOs on DC3 have a permission error and don't
>>>>> load in Windows (gpresult /force).
>>>>>
>>>>>
>>>>> My smb.conf (all Samba DC servers):
>>>>>
>>>>>
>>>>> [global]
>>>>>         netbios name = SAMBA-DC103
>>>>>         realm = <DOMAIN>
>>>>>         server role = active directory domain controller
>>>>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>>         workgroup = XXXXXXX
>>>>>
>>>>>         ldap server require strong auth = no
>>>>>
>>>>> [netlogon]
>>>>>         path = /opt/samba/var/locks/sysvol/<DOMAIN>/scripts
>>>>>         read only = No
>>>>>
>>>>> [sysvol]
>>>>>         path = /opt/samba/var/locks/sysvol
>>>>>         read only = No
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> To resolve it, I run "samba-tool ntacl sysvolreset", but I see that
>>>>> is not a good idea
>>>>> (https://lists.samba.org/archive/samba/2017-March/207236.html)
>>>>>
>>>>>
>>>>> Any ?
>>>>>
>>>>>
>>>>> Regards;
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>
>
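
The mismatch Denis describes (each DC's tdb idmap assigning its own Unix IDs to the same SIDs) can be checked before and after copying idmap.ldb. The script below is an added example, not part of the original thread: it compares two `ldbsearch` dumps of idmap.ldb, and the dump file names, the constructed sample records and the assumed record layout (`cn: S-1-...` plus `xidNumber:`) are assumptions.

```sh
#!/bin/sh
# Added example: list SIDs that two DCs map to different Unix IDs.
# Inputs are LDIF dumps made on each DC, e.g.
#   ldbsearch -H /path/to/samba/private/idmap.ldb > dc1.ldif
# Assumption: every mapping record has "cn: S-1-..." and "xidNumber: N" lines.

# Print "SID xid" for each mapping record in one dump, sorted by SID.
idmap_pairs() {
    awk '
        /^cn: S-1-/    { sid = $2 }
        /^xidNumber: / { xid = $2 }
        /^$/           { if (sid != "" && xid != "") print sid, xid; sid = xid = "" }
        END            { if (sid != "" && xid != "") print sid, xid }
    ' "$1" | LC_ALL=C sort -k1,1
}

# Print "SID xid_first xid_second" for SIDs both dumps map, but to different IDs.
idmap_mismatches() {
    t=$(mktemp -d) || return 1
    idmap_pairs "$1" > "$t/a"; idmap_pairs "$2" > "$t/b"
    LC_ALL=C join "$t/a" "$t/b" | awk '$2 != $3'
    rm -rf "$t"
}

# Print SIDs mapped in the first dump that the second has not allocated yet.
idmap_missing() {
    t=$(mktemp -d) || return 1
    idmap_pairs "$1" > "$t/a"; idmap_pairs "$2" > "$t/b"
    LC_ALL=C join -v 1 "$t/a" "$t/b" | awk '{ print $1 }'
    rm -rf "$t"
}

# Emit one constructed record in the assumed layout (sample data only).
rec() {
    printf 'dn: CN=%s\ncn: %s\ntype: ID_TYPE_BOTH\nxidNumber: %s\n\n' "$1" "$1" "$2"
}

# Constructed dumps: the second DC gave RID 512 another ID and lacks RID 1104.
d=$(mktemp -d)
dom=S-1-5-21-1111111111-2222222222-3333333333   # constructed domain SID
{ rec CONFIG 3000003; rec S-1-5-32-544 3000000
  rec "$dom-512" 3000001; rec "$dom-1104" 3000002; } > "$d/dc1.ldif"
{ rec CONFIG 3000002; rec S-1-5-32-544 3000000; rec "$dom-512" 3000004; } > "$d/dc2.ldif"
echo "Mapped differently:";   idmap_mismatches "$d/dc1.ldif" "$d/dc2.ldif"
echo "Missing on second DC:"; idmap_missing "$d/dc1.ldif" "$d/dc2.ldif"
rm -rf "$d"
```

A SID listed under "Mapped differently" is one whose sysvol ACL entries will point at the wrong Unix ID on the second DC after the rsync; both lists should be empty once idmap.ldb has been copied over.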


