[Samba] Continued Group Policy issues

Anantha Raghava raghav at exzatechconsulting.com
Fri Jul 20 01:22:06 UTC 2018


On Mon, 16 Jul 2018 17:37:21 +0530
> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>> Hi,
>> Thanks for clarification.
>> However, we held back from implementing your suggestion and observed
>> that after about 40 odd hours from the initial publishing of the
>> policies, all clients connecting to any of the Domain Controllers
>> started to get the policies. No client was throwing any error while
>> applying the policies from any of the 4 Domain Controllers.
> Good, but why the delay?
This is being investigated. Is it something to do with the cache? Wondering 
whether running "net cache flush" will help to get over this behaviour.
>> Does it mean that "idmap.ldb" is taking time to replicate
>> automatically?
> 'idmap.ldb' never replicates automatically, it must be done manually.
We will include this in our replication script.
>> Or is it some other issue? Nothing interesting about
>> this is logged in samba. Sysvol is getting replicated as soon as any
>> policy is added or modified or deleted on the first domain controller.
> How is 'sysvol' being replicated? This again is a manual procedure on
> Samba AD DCs.
Yes, it is being synchronised using rsync. Basically, we are using 
"inotify" to watch for changes (add, modify & delete) in "sysvol" and 
push the changes to all other DCs. I will share our replication scripts 
here shortly.
>> Basically we are implementing "Software Whitelisting" policies and
>> these are defined as computer policies. The error started to show up
>> once the policy was linked.
>> Any hints on this behavior?
> No, but it might help if you post more info on your setup.
What info do you need? Find below the smb.conf. It is the same on all Domain 

# Global parameters
        netbios name = PDC
        realm = ****.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = ****
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = No
# Logs and events
        eventlog list = Security
        log level = 3
        log file = /var/log/samba/dc1.%T.log
        max log size = 1000000

        path = /usr/local/samba/var/locks/sysvol/****.com/scripts
        read only = No

        path = /usr/local/samba/var/locks/sysvol
        read only = No
> Rowland
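The two manual replication steps discussed in this thread (rsync of sysvol triggered by inotify, and copying idmap.ldb by hand followed by "net cache flush") written out as one script. This is an added example for the thread, not the poster's own replication script; it assumes a source-built Samba under /usr/local/samba (matching the paths in the smb.conf above), passwordless root SSH between the DCs, inotify-tools on the first DC, and placeholder peer hostnames dc2/dc3/dc4.example.com that must be replaced with the real ones. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# sysvol-replicate.sh: push SysVol and idmap.ldb from this DC to its peers.
# Added example for the mailing-list thread; not the poster's script.
# Assumptions: Samba installed under /usr/local/samba, root SSH to peers,
# inotify-tools installed here. PEER_DCS below are placeholders.

SAMBA_PRIVATE=${SAMBA_PRIVATE:-/usr/local/samba/private}
SYSVOL=${SYSVOL:-/usr/local/samba/var/locks/sysvol}
PEER_DCS=${PEER_DCS:-"dc2.example.com dc3.example.com dc4.example.com"}
DRY_RUN=${DRY_RUN:-}

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Mirror sysvol to every peer. -X/-A carry the xattrs and POSIX ACLs that hold
# the NT ACLs Group Policy depends on; --delete-after mirrors removals.
# sysvolreset on the receiving side re-applies the ACLs samba expects.
push_sysvol() {
    for peer in $PEER_DCS; do
        run rsync -XAavz --delete-after "$SYSVOL/" "root@$peer:$SYSVOL/"
        run ssh "root@$peer" samba-tool ntacl sysvolreset
    done
}

# idmap.ldb never replicates on its own: take a consistent tdb backup,
# copy it over the peer's idmap.ldb, then flush winbind's cache there.
push_idmap() {
    run tdbbackup -s .bak "$SAMBA_PRIVATE/idmap.ldb"
    for peer in $PEER_DCS; do
        run scp "$SAMBA_PRIVATE/idmap.ldb.bak" "root@$peer:$SAMBA_PRIVATE/idmap.ldb"
        run ssh "root@$peer" net cache flush
    done
}

# Block until something under sysvol is created, modified, deleted or moved,
# then push once; repeat forever.
watch_sysvol() {
    while inotifywait -r -q -e create,modify,delete,move "$SYSVOL" >/dev/null; do
        push_sysvol
    done
}

case ${1:-} in
    sysvol) push_sysvol ;;
    idmap)  push_idmap ;;
    watch)  watch_sysvol ;;
    *)      ;;   # no mode given: only define the functions
esac
```

Run "sysvol-replicate.sh watch" on the DC where policies are edited, and "sysvol-replicate.sh idmap" whenever idmap.ldb has changed on that DC; only one DC should ever be the push source, otherwise two watchers would overwrite each other's changes.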
