[Samba] Continued Group Policy issues
Anantha Raghava
raghav at exzatechconsulting.com
Fri Jul 20 01:22:06 UTC 2018
Hi,
On Mon, 16 Jul 2018 17:37:21 +0530
> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> Thanks for clarification.
>>
>> However, we held back from implementing your suggestion and observed
>> that after about 40 odd hours from the initial publishing of the
>> policies, all clients connecting to any of the Domain Controllers
>> started to get the policies. No client was throwing any error while
>> applying the policies from any of the 4 Domain Controllers.
> Good, but why the delay?
This is being investigated. Is it something to do with the cache? I am
wondering whether running "net cache flush" will help to get over this behavior.
>
>> Does it mean that "idmap.ldb" is taking time to replicate
>> automatically?
> 'idmap.ldb' never replicates automatically, it must be done manually.
We will include this in our replication script.
>
>> Or is it some other issue? Nothing interesting about
>> this is logged in samba. Sysvol is getting replicated as soon as any
>> policy is added or modified or deleted on the first domain controller.
> How is 'sysvol' being replicated? This again is a manual procedure on
> Samba AD DCs.
Yes, it is being synchronised using rsync. Basically, we are using
"inotify" to watch for changes (add, modify & delete) in "sysvol" and
push the changes to all other DCs. I will share our replication scripts
here shortly.
>
>> Basically we are implementing "Software White Listing" policies and
>> these are defined as computer policies. The error started to show up
>> once the policy was linked.
>>
>> Any hints on this behavior?
>>
> No, but it might help if you post more info on your setup.
What info do you need? Find the smb.conf below. It is the same on all Domain
Controllers.
# Global parameters
[global]
netbios name = PDC
realm = ****.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = ****
idmap_ldb:use rfc2307 = yes
ldap server require strong auth = No
# Logs and events
eventlog list = Security
log level = 3
log file = /var/log/samba/dc1.%T.log
max log size = 1000000
[netlogon]
path = /usr/local/samba/var/locks/sysvol/****.com/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
>
> Rowland
>
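
Added example (not part of the original message, and not the poster's replication script): since sysvol is pushed between DCs by rsync rather than replicated by Samba, one way to confirm that two copies agree is to compare the Version value in every GPO's GPT.INI. The function names, the example.com domain directory and the GUIDs are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

VERSION_RE = re.compile(r"^\s*Version\s*=\s*(\d+)\s*$", re.I | re.M)

def gpo_versions(sysvol_root):
    """Map 'domain/{GUID}' -> (user_version, computer_version) for each GPO."""
    versions = {}
    for ini in Path(sysvol_root).glob("*/Policies/*/*"):
        if ini.name.lower() != "gpt.ini":   # file name case varies between tools
            continue
        match = VERSION_RE.search(ini.read_text(errors="replace"))
        raw = int(match.group(1)) if match else 0
        # GPT.INI packs the user version in the high 16 bits and the
        # computer version in the low 16 bits of one integer.
        key = f"{ini.parts[-4]}/{ini.parts[-2]}"
        versions[key] = (raw >> 16, raw & 0xFFFF)
    return versions

def sysvol_drift(reference_root, replica_root):
    """Return (gpo, reference, replica) for every GPO that differs or is missing."""
    ref, rep = gpo_versions(reference_root), gpo_versions(replica_root)
    return sorted((gpo, ref.get(gpo), rep.get(gpo))
                  for gpo in ref.keys() | rep.keys()
                  if ref.get(gpo) != rep.get(gpo))

def _make_sample(root, gpos):
    # Constructed sysvol tree: <root>/example.com/Policies/{GUID}/GPT.INI
    for guid, version in gpos.items():
        gpo_dir = Path(root) / "example.com" / "Policies" / guid
        gpo_dir.mkdir(parents=True)
        (gpo_dir / "GPT.INI").write_text(f"[General]\r\nVersion={version}\r\n")

GPO_A = "{11111111-1111-1111-1111-111111111111}"  # constructed GUIDs
GPO_B = "{22222222-2222-2222-2222-222222222222}"

def demo():
    """First tree has a newer GPO_A and a GPO_B that never reached the second."""
    with tempfile.TemporaryDirectory() as dc1, tempfile.TemporaryDirectory() as dc2:
        _make_sample(dc1, {GPO_A: 65539, GPO_B: 4})
        _make_sample(dc2, {GPO_A: 65537})
        return sysvol_drift(dc1, dc2)

if __name__ == "__main__":
    for gpo, ref, rep in demo():
        print(f"DRIFT {gpo}: reference={ref} replica={rep}")
```

This compares version numbers only; it does not check file ACLs or the ID mappings held in idmap.ldb.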