[Samba] Continued Group Policy issues
rpenny at samba.org
Fri Jul 20 07:44:10 UTC 2018
On Fri, 20 Jul 2018 06:52:06 +0530
Anantha Raghava via samba <samba at lists.samba.org> wrote:
> On Mon, 16 Jul 2018 17:37:21 +0530
> > Anantha Raghava via samba <samba at lists.samba.org> wrote:
> >> Hi,
> >> Thanks for clarification.
> >> However, we held back from implementing your suggestion and
> >> observed that after about 40 odd hours from the initial publishing
> >> of the policies, all clients connecting to any of the Domain
> >> Controllers started to get the policies. No client was throwing
> >> any error while applying the policies from any of the 4 Domain
> >> Controllers.
> > Good, but why the delay ?
> This is being investigated. Is it something to do with cache,
> wondering whether running "net cache flush" will help to get over
> this behavior.
Possibly, but I thought that the cache should be consulted first and if
the user isn't found, then via winbind, ask AD. Just a thought, is nscd
or similar running ?
> >> Does it mean that "idmap.ldb" is taking time to replicate
> >> automatically?
> > 'idmap.ldb' never replicates automatically, it must be done
> > manually.
> We will include this in our replication script.
> >> Or is it some other issue? Nothing interesting about
> >> this is logged in samba. Sysvol is getting replicated as soon as
> >> any policy is added or modified or deleted on the first domain
> >> controller.
> > How is 'sysvol' being replicated, this again is a manual procedure
> > on Samba AD DC's
> Yes, it is being synchronised using rsync. Basically, we are using
> "inotify" to watch for changes (add, modify & delete) in "sysvol" and
> push the changes to all other DCs. I will share our replication
> scripts here shortly.
I have been working on something similar, every time I think I am
getting close, I think of another enhancement ;-)
> >> Basically we are implementing "Software While Listing" policies and
> >> these are defined as computer policies. The error started to show
> >> up once the policy was linked.
Surely, if it works without the policies, but doesn't with them, then
these could be the problem and deserve a good look?
> >> Any hints on this behavior?
> > No, but it might help if you post more info on your setup.
> What info you need? Find below the smb.conf. It is same on all Domain
> # Global parameters
> netbios name = PDC
> realm = ****.COM
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = ****
> idmap_ldb:use rfc2307 = yes
> ldap server require strong auth = No
> # Logs and events
> eventlog list = Security
> log level = 3
> log file = /var/log/samba/dc1.%T.log
> max log size = 1000000
> path = /usr/local/samba/var/locks/sysvol/****.com/scripts
> read only = No
> path = /usr/local/samba/var/locks/sysvol
> read only = No
The only thing wrong with that smb.conf is the netbios name, I take it
you didn't get the memo ;-)
There is no such thing as a PDC in AD, all DCs are equal, it is just
that some of them hold FSMO roles.
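The inotify-plus-rsync push described in the quoted reply, combined with the manual idmap.ldb copy mentioned above, as an added example script (not from this thread, the poster's scripts, or the Samba project). The Samba prefix /usr/local/samba, the peer DC names, the DRY_RUN switch and the function names are assumptions; root ssh keys between the DCs, rsync and inotify-tools are assumed to be in place.

```bash
#!/bin/bash
# Added example: push sysvol and idmap.ldb from the DC where GPOs are edited
# to the other DCs. Assumptions (constructed): Samba prefix /usr/local/samba,
# peers in PEER_DCS, root ssh keys exchanged, rsync and inotifywait installed.
SYSVOL="${SYSVOL:-/usr/local/samba/var/locks/sysvol}"
IDMAP="${IDMAP:-/usr/local/samba/private/idmap.ldb}"
PEER_DCS="${PEER_DCS:-dc2.example.com dc3.example.com dc4.example.com}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi; }

# sysvol: -A/-X carry the POSIX ACLs and the security.NTACL xattr in which
# Samba keeps the NT ACLs, so GPO permissions survive the copy; --delete
# mirrors removed policies (the add/modify/delete cases from the thread).
sysvol_cmd() { printf 'rsync -aAX --delete %s/ root@%s:%s/' "$SYSVOL" "$1" "$SYSVOL"; }

# idmap.ldb never replicates by itself. The ACLs copied above reference this
# DC's xid<->SID table, so the peers need the same table. tdbbackup writes a
# consistent copy of the live database (never copy idmap.ldb directly); the
# peer's cached mappings are dropped afterwards with "net cache flush".
idmap_cmds() {
    printf 'tdbbackup -s .bak %s\n' "$IDMAP"
    printf 'rsync -a %s.bak root@%s:%s\n' "$IDMAP" "$1" "$IDMAP"
    printf 'ssh root@%s "net cache flush"\n' "$1"
}

push_all() {
    local dc c
    for dc in $PEER_DCS; do
        run "$(sysvol_cmd "$dc")"
        idmap_cmds "$dc" | while IFS= read -r c; do run "$c"; done
    done
}

# Watch sysvol recursively; a single GPO edit touches many files, so wait for
# a 2-second quiet period (read -t) and push once per burst, not per event.
watch_loop() {
    inotifywait -m -r -q -e close_write,create,delete,moved_to,moved_from "$SYSVOL" |
    while IFS= read -r _; do
        while read -t 2 -r _; do :; done
        push_all
    done
}

if [ "${1:-}" = "--watch" ]; then watch_loop; fi
```

Run it with DRY_RUN=1 first to review the exact commands it would issue, then with DRY_RUN=0 --watch on the one DC where policies are edited.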