[Samba] GPOs, sysvol and such related plumbing

Sérgio Basto sergio at serjux.com
Sat Apr 13 22:52:02 UTC 2019

On Sat, 2019-04-13 at 20:40 +0100, miguel medalha via samba wrote:
> Who am I to say this? I am only a lowly user and would-be admin, but
> it 
> seems to me that one of the most useful features of an AD
> environment, 
> GPOs, is not fully trust-able under Samba because of instability and 
> ensuing fear, before and after each update, related to sysvol and
> who 
> knows what.

My experience was :

1. Mit kbr doesn't support it, we need to use the old kbr system.
2. We need disable selinux , selinux permissive is not enough to allow
to write on shared folder sysvol. it cause crashes on windows.
3. When we have 2 or more DC(s) we need to force client tools like RAST
only write in the first DC because "Samba in its current state doesn't
support SysVol replication" [1], if RAST write randomly on DC(s) we may
have errors like: samba-tool ntacl sysvolreset, - open: error=2 (No
such file or directory) [2]
4. With an efficient replication and writing POL(s) just in first DC ,
seems that works well.

Best Regards,

[2] https://lists.samba.org/archive/samba/2018-September/218137.html

Sérgio M. B.

More information about the samba mailing list