[Samba] Script to sync xID/idmap.ldb, some questions...

Marco Gaiarin gaio at sv.lnf.it
Fri Sep 20 13:41:20 UTC 2019 

I reply to myself.

> 1) because i've just in place the sysvol replica, i've thinked of
>  copying the 'idmap.ldb.bak' file on sysvol share (in debian,
> /var/lib/samba/sysvol/), so the file get simply replicated between DC.
> It is forbidden/not good policy/... to have ''extraneous'' files on
> sysvol?

My domain survive to 2-days presence of an ''extraneous'' file in
sysvol, so i suppose does not hurt. ;-)


> 2) looking at wiki (above link) seems to me that, to restore the DB on
>  other dc it suffices to copy the db over the existant and do:
> 	net cache flush

Done on a DC, i've not seen errors in logs or something like this; DC
works as expected and so effectively seems that a samba restart is not
needed.
Still i'm a bit scared to do this 'automatically' in the domain...



Also, a note. To verify ACL i've run:

	getfacl -R /var/lib/samba/sysvol/

and found:

a) some ACL that seems not mapped:

# file: var/lib/samba/sysvol//ad.fvg.lnf.it
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

(eg, group:3000002 and group:3000003)

Ah! Wait! They are listed in 'user' and 'group' contextes, and so they
are probably 'ID_BOTH' identifiers, that clearly cannot be mapped to
user *and* group...


b) a flood of these errors in /var/log/samba/log.winbindd:

[2019/09/20 15:15:52.727890,  0] ../source3/winbindd/winbindd_group.c:45(fill_grent)
  Failed to find domain 'NT AUTHORITY'. Check connection to trusted domains!


This on 'ALL' DCs...



Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

More information about the samba mailing list