[Samba] Continued Group Policy issues

Anantha Raghava raghav at exzatechconsulting.com
Fri Jul 20 09:52:31 UTC 2018

> On Fri, 20 Jul 2018 06:52:06 +0530
> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>> Hi,
>> On Mon, 16 Jul 2018 17:37:21 +0530
>>> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>>>> Hi,
>>>> Thanks for clarification.
>>>> However, we held back from implementing your suggestion and
>>>> observed that after about 40 odd hours from the initial publishing
>>>> of the policies, all clients connecting to any of the Domain
>>>> Controllers started to get the policies. No client was throwing
>>>> any error while applying the policies from any of the 4 Domain
>>>> Controllers.
>>> Good, but why the delay?
>> This is being investigated. Is it something to do with cache,
>> wondering whether running "net cache flush" will help to get over
>> this behavior.
> Possibly, but I thought that the cache should be consulted first and if
> the user isn't found, then via winbind, ask AD. Just a thought, is nscd
> or similar running ?
Just to clarify, nscd or similar daemons are not running in our 
environment. We use a CentOS 7.5 minimal installation.
As for using only "net cache flush", we will test it in our 
environment and report back here.
>>>> Does it mean that "idmap.ldb" is taking time to replicate
>>>> automatically?
>>> 'idmap.ldb' never replicates automatically, it must be done
>>> manually.
>> We will include this in our replication script.
>>>> Or is it some other issue? Nothing interesting about
>>>> this is logged in samba. Sysvol is getting replicated as soon as
>>>> any policy is added or modified or deleted on the first domain
>>>> controller.
>>> How is 'sysvol' being replicated? This again is a manual procedure
>>> on Samba AD DCs.
>> Yes, it is being synchronised using rsync. Basically, we are using
>> "inotify" to watch for changes (add, modify & delete) in "sysvol" and
>> push the changes to all other DCs. I will share our replication
>> scripts here shortly.
> I have been working on something similar, every time I think I am
> getting close, I think of another enhancement ;-)
Find the sample script below. We add other DCs as needed to the same 
script. To include "net cache flush", we will have to modify this 
script, which runs on the first DC (DC1 or PDC ;-)

export PATH=/usr/local/samba/bin:/usr/local/samba/sbin:$PATH
DIR=/usr/local/samba/var/locks/sysvol   # tree to watch; same path the rsync below reads from
: "${DEST:?set DEST to the other DC's sysvol target (the destination was cut off in the post)}"

inotifywait -m -r -e moved_to -e modify -e delete -e create "$DIR" |
while read -r f; do              # one line per event: "<dir> <EVENT> <name>"
    echo "$f"
    if [[ $f = *.* ]]; then      # only react to entries whose name contains a dot
        samba-tool ntacl sysvolreset &> /dev/null
        sleep 5
        # -X keeps the security.NTACL xattr, -A the POSIX ACLs; both are needed on sysvol
        rsync -XAavz --delete-after /usr/local/samba/var/locks/sysvol/ "$DEST"
    fi
done

>>>> Basically we are implementing "Software Whitelisting" policies and
>>>> these are defined as computer policies. The error started to show
>>>> up once the policy was linked.
> Surely, if it works without the policies, but doesn't with them, then
> these could be the problem and deserve a good look?
>>>> Any hints on this behavior?
>>> No, but it might help if you post more info on your setup.
>> What info do you need? Find below the smb.conf. It is the same on all Domain
>> Controllers.
>> # Global parameters
>> [global]
>>           netbios name = PDC
>>           realm = ****.COM
>>           server role = active directory domain controller
>>           server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>           workgroup = ****
>>           idmap_ldb:use rfc2307 = yes
>>           ldap server require strong auth = No
>> # Logs and events
>>           eventlog list = Security
>>           log level = 3
>>           log file = /var/log/samba/dc1.%T.log
>>           max log size = 1000000
>> [netlogon]
>>       path = /usr/local/samba/var/locks/sysvol/****.com/scripts
>>       read only = No
>> [sysvol]
>>        path = /usr/local/samba/var/locks/sysvol
>>        read only = No
> The only thing wrong with that smb.conf is the netbios name, I take it
> you didn't get the memo ;-)
> There is no such thing as a PDC in AD, all DCs are equal, it is just
> that some of them hold FSMO roles.
> Rowland
I understand that there is no such thing as a PDC. The server is just named 
that way because it holds the PDC Emulator role. :-)

Thanks & regards,
Anantha Raghava
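The thread above covers three manual steps that Samba AD DCs do not do for you: copying idmap.ldb to the other DCs, running "net cache flush" on the receivers, and rsyncing sysvol with its ACLs. The script below is an added example written for this page, not the poster's script and not Samba project code. It pushes idmap.ldb and sysvol from the DC holding the PDC Emulator role to each other DC in the order the Samba wiki's rsync-based SysVol replication workaround describes, and then verifies the received ACLs with "samba-tool ntacl sysvolcheck" so a DC serving policies with broken ACLs fails loudly instead of going unnoticed for 40 hours. The hostnames in DCS, passwordless root ssh/rsync to those hosts and the script name are assumptions; the /usr/local/samba prefix is the one from the post.

```shell
#!/bin/sh
# sysvol-push.sh: added example, not the poster's script and not Samba code.
# Push sysvol and idmap.ldb from the DC holding the PDC Emulator role to the
# other DCs, then verify each receiver's sysvol NT ACLs.
# Assumptions: root ssh/rsync to the hosts in DCS works without a prompt, the
# hostnames below are placeholders, and Samba lives under /usr/local/samba.
set -eu

SAMBA_BIN=/usr/local/samba/bin
PATH=$SAMBA_BIN:/usr/local/samba/sbin:$PATH
export PATH
SAMBA_PRIVATE=${SAMBA_PRIVATE:-/usr/local/samba/private}
SYSVOL=${SYSVOL:-/usr/local/samba/var/locks/sysvol}
DCS=${DCS:-"dc2 dc3 dc4"}   # assumed hostnames of the receiving DCs
DRY_RUN=${DRY_RUN:-}        # set to 1 to print the plan instead of executing it

# run CMD ARGS...: execute the command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# sync_dc DC: replicate to one receiver. The order matters:
#  1. copy a consistent snapshot of idmap.ldb (tdbbackup, never the live file)
#     so the receiver maps the same SIDs to the same xids as the sender;
#  2. flush the receiver's cache so stale SID<->xid mappings are not reused;
#  3. rsync sysvol with -X (security.NTACL xattr) and -A (POSIX ACLs); without
#     both the copied GPO files lose their ACLs and clients cannot read them;
#  4. sysvolcheck on the receiver exits non-zero on an ACL mismatch, and
#     set -e then aborts the run instead of leaving that DC serving bad ACLs.
sync_dc() {
    dc=$1
    run tdbbackup -s .bak "$SAMBA_PRIVATE/idmap.ldb"
    run rsync -avz "$SAMBA_PRIVATE/idmap.ldb.bak" "$dc:$SAMBA_PRIVATE/idmap.ldb"
    run ssh "$dc" "$SAMBA_BIN/net cache flush"
    run rsync -XAavz --delete-after "$SYSVOL/" "$dc:$SYSVOL/"
    run ssh "$dc" "$SAMBA_BIN/samba-tool ntacl sysvolcheck"
}

# push_all: reset the sender's own sysvol ACLs once, then push to every DC.
push_all() {
    run samba-tool ntacl sysvolreset
    for dc in $DCS; do
        sync_dc "$dc"
    done
}

# Only act when invoked as "./sysvol-push.sh push", so the functions can be
# sourced or dry-run (DRY_RUN=1) without touching any DC.
if [ "${1:-}" = "push" ]; then
    push_all
fi
```

Run it as "DRY_RUN=1 ./sysvol-push.sh push" first to see the exact commands it would issue. If sysvolcheck fails on a receiver, run "samba-tool ntacl sysvolreset" on that DC and push again; if it keeps failing, the receiver's idmap.ldb usually does not match the sender's, which is the case this script's idmap copy step is there to prevent. The idmap copy needs repeating whenever new users or groups get an xid on the sender, so it is done on every push rather than once.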
