[Samba] Script to sync xID/idmap.ldb, some questions...
L.P.H. van Belle
belle at bazuin.nl
Fri Sep 20 14:01:30 UTC 2019
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Friday 20 September 2019 15:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] Script to sync xID/idmap.ldb, some questions...
>
>
> I reply to myself.
>
> > 1) because I've just put the sysvol replica in place, I thought of
> > copying the 'idmap.ldb.bak' file onto the sysvol share (in Debian,
> > /var/lib/samba/sysvol/), so the file simply gets replicated
> > between DCs.
> > Is it forbidden/not good policy/... to have ''extraneous'' files on
> > sysvol?
>
> My domain survived the 2-day presence of an ''extraneous'' file in
> sysvol, so I suppose it does not hurt. ;-)
No, but it's more prone to risk when there is a problem.
Just setup an extra (hidden) share on the DC, and use that.
I do the same, works fine.
>
>
> > 2) looking at the wiki (above link) it seems to me that, to
> > restore the DB on
> > another DC it suffices to copy the DB over the existing one and do:
> > net cache flush
>
> Done on a DC; I've not seen errors in the logs or anything like that; the DC
> works as expected, so effectively it seems that a samba restart is not
> needed.
> Still I'm a bit scared to do this 'automatically' in the domain...
>
>
>
> Also, a note. To verify the ACLs I ran:
>
> getfacl -R /var/lib/samba/sysvol/
>
> and found:
>
> a) some ACLs that seem not to be mapped:
>
> # file: var/lib/samba/sysvol//ad.fvg.lnf.it
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:BUILTIN\134server\040operators:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134server\040operators:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:BUILTIN\134server\040operators:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> (eg, group:3000002 and group:3000003)
>
> Ah! Wait! They are listed in both the 'user' and 'group' contexts, and so they
> are probably 'ID_BOTH' identifiers, which clearly cannot be mapped to a
> user *and* a group...
Correct..
See : https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh
Lines 101-144 ;-) The checkup parts.
>
>
> b) a flood of these errors in /var/log/samba/log.winbindd:
>
> [2019/09/20 15:15:52.727890, 0]
> ../source3/winbindd/winbindd_group.c:45(fill_grent)
> Failed to find domain 'NT AUTHORITY'. Check connection to
> trusted domains!
That should work, and you should not have a flood of these messages.
... Well, you know what I want to know of this server ;-)
>
>
> This on 'ALL' DCs...
>
Ok, on ALL DCs... you made this problem appear on all DCs...
That's not nice ;-) hehe..
Greetz,
Louis
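An added example to go with the ACL check discussed above. It is not code from the post and not Louis's samba-check-set-sysvol.sh script; it is a small POSIX sh checker that reads getfacl output, reports every principal that is printed as a bare number (an xID winbind could not turn into a name), and flags a number that shows up as both a "user:" and a "group:" entry as an ID_BOTH mapping, which is the case Marco hit. The function names, the wbinfo lookup step and the sample input (an excerpt modelled on the ACL Marco posted) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: sysvol ACL checker in POSIX sh. Not the script linked above
# and not code from the post. A numeric principal in getfacl output is an xID
# that winbind could not map to a name; the same number as both "user:" and
# "group:" entry is an ID_BOTH mapping.

# find_unmapped_ids: read getfacl output on stdin and print one line per
# numeric principal: "<xid> BOTH", "<xid> USER" or "<xid> GROUP".
find_unmapped_ids() {
    # Drop the "default:" prefix so default entries count like access entries,
    # then keep user:/group: entries whose qualifier is all digits.
    sed 's/^default://' |
    awk -F: '
        ($1 == "user" || $1 == "group") && $2 ~ /^[0-9]+$/ {
            seen[$2, $1] = 1
            ids[$2] = 1
        }
        END {
            for (id in ids) {
                if (((id, "user") in seen) && ((id, "group") in seen))
                    kind = "BOTH"
                else if ((id, "user") in seen)
                    kind = "USER"
                else
                    kind = "GROUP"
                print id, kind
            }
        }' | sort -n
}

# resolve_xid: best-effort lookup of one xID through winbind (try it as a uid,
# then as a gid, then turn the SID into a name). Only runs where wbinfo exists,
# so on a host that is not a DC it just reports that and returns non-zero.
resolve_xid() {
    xid=$1
    command -v wbinfo >/dev/null 2>&1 || { echo "$xid: wbinfo not available"; return 1; }
    sid=$(wbinfo --uid-to-sid "$xid" 2>/dev/null) || sid=$(wbinfo --gid-to-sid "$xid" 2>/dev/null)
    if [ -n "$sid" ]; then
        echo "$xid -> $sid -> $(wbinfo --sid-to-name "$sid" 2>/dev/null)"
    else
        echo "$xid: no SID mapping known to winbind on this DC"
        return 1
    fi
}

# check_sysvol: run the checker against a live tree (Debian default path);
# -p keeps absolute paths in the "# file:" lines, which the checker ignores.
check_sysvol() {
    getfacl -R -p "${1:-/var/lib/samba/sysvol}" 2>/dev/null | find_unmapped_ids
}

# sample_getfacl: constructed excerpt modelled on the getfacl output in the
# post (the domain directory), used as offline input for the checker.
sample_getfacl() {
    cat <<'EOF'
# file: var/lib/samba/sysvol//ad.fvg.lnf.it
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user:3000002:rwx
default:group:3000003:r-x
EOF
}

# Usage:
#   sample_getfacl | find_unmapped_ids      # prints "3000002 BOTH" and "3000003 BOTH"
#   check_sysvol | while read xid kind; do resolve_xid "$xid"; done
```

The checker on its own needs nothing but sed, awk and sort, so it can be run against a getfacl dump copied off a DC; resolve_xid is the step to run on the DC itself to see which SID each stray number belongs to before deciding whether idmap.ldb on that DC is out of step with the others.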