[Samba] GPOs, sysvol and such related plumbing
Sérgio Basto
sergio at serjux.com
Sat Apr 13 22:52:02 UTC 2019
On Sat, 2019-04-13 at 20:40 +0100, miguel medalha via samba wrote:
> Who am I to say this? I am only a lowly user and would-be admin, but it
> seems to me that one of the most useful features of an AD environment,
> GPOs, is not fully trust-able under Samba because of instability and
> ensuing fear, before and after each update, related to sysvol and who
> knows what.

My experience was:
1. MIT krb doesn't support it; we need to use the old krb system.
2. We need to disable SELinux; SELinux permissive is not enough to allow
writing to the shared folder sysvol. It causes crashes on Windows.
3. When we have 2 or more DC(s) we need to force client tools like RSAT
to only write to the first DC because "Samba in its current state doesn't
support SysVol replication" [1]; if RSAT writes randomly on DC(s) we may
have errors like: samba-tool ntacl sysvolreset, - open: error=2 (No
such file or directory) [2]
4. With an efficient replication and writing POL(s) just in the first DC,
it seems that it works well.

Best Regards,
[1]
https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)
https://www.tecmint.com/samba4-ad-dc-sysvol-replication/
[2] https://lists.samba.org/archive/samba/2018-September/218137.html
--
Sérgio M. B.
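
An added example, not part of the original message and not Samba code: a drift check between two copies of the sysvol tree, which shows the kind of divergence point 3 describes when GPO writes do not all land on the first DC. It assumes both trees are readable as local directories (a mount or a copy); the domain name, GPO folder name and file contents are constructed, and NT ACLs are not compared.

```python
import hashlib
import os
import tempfile

def _digests(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def sysvol_drift(primary, replica):
    """Report files that exist on only one DC or whose content differs."""
    a, b = _digests(primary), _digests(replica)
    return {
        "missing_on_replica": sorted(set(a) - set(b)),
        "missing_on_primary": sorted(set(b) - set(a)),
        "content_differs": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }

def build_sample(root, files):
    """Write a constructed sysvol tree for the demo."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    # Constructed layout: one GPO edited on DC1, a stray write landed on DC2.
    gpo = "example.test/Policies/{CONSTRUCTED-GPO-GUID}"
    with tempfile.TemporaryDirectory() as dc1, tempfile.TemporaryDirectory() as dc2:
        build_sample(dc1, {gpo + "/GPT.INI": b"[General]\r\nVersion=3\r\n",
                           gpo + "/Machine/Registry.pol": b"PReg-new"})
        build_sample(dc2, {gpo + "/GPT.INI": b"[General]\r\nVersion=2\r\n",
                           gpo + "/User/Registry.pol": b"PReg-stray"})
        return sysvol_drift(dc1, dc2)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Any entry under missing_on_primary means something wrote to a DC other than the one chosen as the replication source, and a one-way sync from the first DC would overwrite or orphan that change.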