[Samba] Continued Group Policy issues

Rowland Penny rpenny at samba.org
Fri Jul 20 07:44:10 UTC 2018


On Fri, 20 Jul 2018 06:52:06 +0530
Anantha Raghava via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> On Mon, 16 Jul 2018 17:37:21 +0530
> > Anantha Raghava via samba <samba at lists.samba.org> wrote:
> >
> >> Hi,
> >>
> >> Thanks for clarification.
> >>
> >> However, we held back from implementing your suggestion and
> >> observed that after about 40 odd hours from the initial publishing
> >> of the policies, all clients connecting to any of the Domain
> >> Controllers started to get the policies. No client was throwing
> >> any error while applying the policies from any of the 4 Domain
> >> Controllers.
> > Good, but why the delay ?
> This is being investigated. Is it something to do with cache,
> wondering whether running "net cache flush" will help to get over
> this behavior.

Possibly, but I thought that the cache should be consulted first and if
the user isn't found, then via winbind, ask AD. Just a thought, is nscd
or similar running ?

> >
> >> Does it mean that "idmap.ldb" is taking time to replicate
> >> automatically?
> > 'idmap.ldb' never replicates automatically, it must be done
> > manually.
> We will include this in our replication script.
> >
> >> Or is it some other issue? Nothing interesting about
> >> this is logged in samba. Sysvol is getting replicated as soon as
> >> any policy is added or modified or deleted on the first domain
> >> controller.
> > How is 'sysvol' being replicated, this again is a manual procedure
> > on Samba AD DC's
> Yes, it is being synchronised using rsync. Basically, we are using 
> "inotify" to watch for changes (add, modify & delete) in "sysvol" and 
> push the changes to all other DCs. I will share our replication
> scripts here shortly.

I have been working on something similar, every time I think I am
getting close, I think of another enhancement ;-)

> >
> >> Basically we are implementing "Software Whitelisting" policies and
> >> these are defined as computer policies. The error started to show
> >> up once the policy was linked.

Surely, if it works without the policies, but doesn't with them, then
these could be the problem and deserve a good look at ?

> >>
> >> Any hints on this behavior?
> >>
> > No, but it might help if you post more info on your setup.
> What info you need? Find below the smb.conf. It is same on all Domain 
> Controllers.
> 
> # Global parameters
> [global]
>          netbios name = PDC
>          realm = ****.COM
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>          workgroup = ****
>          idmap_ldb:use rfc2307 = yes
>          ldap server require strong auth = No
> # Logs and events
>          eventlog list = Security
>          log level = 3
>          log file = /var/log/samba/dc1.%T.log
>          max log size = 1000000
> 
> [netlogon]
>      path = /usr/local/samba/var/locks/sysvol/****.com/scripts
>      read only = No
> 
> [sysvol]
>       path = /usr/local/samba/var/locks/sysvol
>       read only = No

The only thing wrong with that smb.conf is the netbios name, I take it
you didn't get the memo ;-)

There is no such thing as a PDC in AD, all DC's are equal, it is just
that some of them hold FSMO roles.

Rowland
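Added example (not part of the thread, and not the poster's replication script): a POSIX shell script doing the two manual steps discussed above, pushing a tdbbackup snapshot of idmap.ldb and an rsync of sysvol from this DC to its peers, then running "net cache flush" and "samba-tool ntacl sysvolreset" on each peer, plus an inotifywait loop of the kind the poster describes. Paths follow the smb.conf quoted above (Samba built under /usr/local/samba); the peer DC names, the ssh user and the DRY_RUN switch are assumptions of this example. It assumes the paths contain no spaces.

```shell
#!/bin/sh
# Push idmap.ldb and sysvol from this DC to peer DCs, then make each peer
# drop its cached lookups and rewrite sysvol ACLs against the new idmap.
# Example code written for this thread; paths as in the quoted smb.conf,
# peer names and ssh user are placeholders.

SAMBA_PRIVATE="${SAMBA_PRIVATE:-/usr/local/samba/private}"
SYSVOL="${SYSVOL:-/usr/local/samba/var/locks/sysvol}"
PEER_DCS="${PEER_DCS:-dc2.example.internal dc3.example.internal}"  # constructed
SSH_USER="${SSH_USER:-root}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; set to 0 on a real DC

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# idmap.ldb is a TDB file, so ship the consistent .bak snapshot that
# tdbbackup writes, not the live file Samba has open.
idmap_push_cmd() {
    printf 'rsync -a %s/idmap.ldb.bak %s@%s:%s/idmap.ldb\n' \
        "$SAMBA_PRIVATE" "$SSH_USER" "$1" "$SAMBA_PRIVATE"
}

# sysvol carries POSIX ACLs and xattrs (-A -X); deletions must be mirrored
# or a removed policy lingers on the other DCs.
sysvol_push_cmd() {
    printf 'rsync -aAX --delete %s/ %s@%s:%s/\n' \
        "$SYSVOL" "$SSH_USER" "$1" "$SYSVOL"
}

# Full push to one peer. Order matters: the new idmap must be on the peer
# before sysvolreset, otherwise the ACLs are rewritten with stale IDs.
push_to_peer() {
    peer="$1"
    run tdbbackup -s .bak "$SAMBA_PRIVATE/idmap.ldb"
    # word splitting of the command strings is intended (no spaces in paths)
    run $(idmap_push_cmd "$peer")
    run $(sysvol_push_cmd "$peer")
    run ssh "$SSH_USER@$peer" 'net cache flush && samba-tool ntacl sysvolreset'
}

sync_all() {
    for peer in $PEER_DCS; do
        push_to_peer "$peer"
    done
}

# Re-push sysvol on every change, as the poster's inotify watcher does.
# Needs inotify-tools; runs until killed. Each line of inotifywait -m output
# is "<dir> <events> <file>".
watch_sysvol() {
    inotifywait -m -r -e create,modify,delete,move,attrib "$SYSVOL" |
    while read -r _dir _events _file; do
        for peer in $PEER_DCS; do
            run $(sysvol_push_cmd "$peer")
        done
    done
}

case "${1:-}" in
    sync)  sync_all ;;
    watch) watch_sysvol ;;
esac
```

Usage: "./dcsync.sh sync" for a one-off push after changing ID mappings or policies, "./dcsync.sh watch" to keep sysvol mirrored; leave DRY_RUN=1 until the printed commands look right for your hosts. idmap.ldb is only pushed in the one-off path, since it changes when new users or groups get mappings, not when a GPO file changes.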