[Samba] Script to sync xID/idmap.ldb, some questions...

L.P.H. van Belle belle at bazuin.nl
Fri Sep 20 14:01:30 UTC 2019


 

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Marco Gaiarin via samba
> Sent: Friday 20 September 2019 15:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] Script to sync xID/idmap.ldb, some questions...
> 
> 
> I reply to myself.
> 
> > 1) because I've just put in place the sysvol replica, I've thought of
> >  copying the 'idmap.ldb.bak' file on the sysvol share (in Debian,
> > /var/lib/samba/sysvol/), so the file simply gets replicated 
> > between DCs.
> > Is it forbidden/not good policy/... to have ''extraneous'' files on
> > sysvol?
> 
> My domain survived a 2-day presence of an ''extraneous'' file in
> sysvol, so I suppose it does not hurt. ;-)

No, but it's prone to more risk if there is a problem. 

Just set up an extra (hidden) share on the DC, and use that. 
I do the same, works fine. 

> 
> 
> > 2) looking at the wiki (above link) it seems to me that, to 
> > restore the DB on
> >  other DCs it suffices to copy the db over the existing one and do:
> > 	net cache flush
> 
> Done on a DC, I've not seen errors in logs or anything like that; the DC
> works as expected and so effectively it seems that a samba restart is not
> needed.
> Still I'm a bit scared to do this 'automatically' in the domain...
> 
> 
> 
> Also, a note. To verify ACLs I've run:
> 
> 	getfacl -R /var/lib/samba/sysvol/
> 
> and found:
> 
> a) some ACLs that seem not mapped:
> 
> # file: var/lib/samba/sysvol//ad.fvg.lnf.it
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:BUILTIN\134server\040operators:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134server\040operators:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:BUILTIN\134server\040operators:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
> 
> (e.g., group:3000002 and group:3000003)
> 
> Ah! Wait! They are listed in 'user' and 'group' contexts, and so they
> are probably 'ID_BOTH' identifiers, which clearly cannot be mapped to
> user *and* group...

Correct.

See: https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh 
Lines 101-144  ;-)  The checkup parts. 

> 
> 
> b) a flood of these errors in /var/log/samba/log.winbindd:
> 
> [2019/09/20 15:15:52.727890,  0] 
> ../source3/winbindd/winbindd_group.c:45(fill_grent)
>   Failed to find domain 'NT AUTHORITY'. Check connection to 
> trusted domains!

That should work and you should not have a flood of these messages. 
... Well, you know what I want to know about this server ;-) 


> 
> 
> This on 'ALL' DCs...
> 
Ok, on ALL DCs... you made this problem appear on all DCs ... 
That's not nice ;-)  hehe.. 

Greetz, 

Louis
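As an added illustration of the "checkup" idea Louis points to (example code written for this page, not his samba-check-set-sysvol.sh), here is a POSIX shell function that scans getfacl output for bare numeric principals, i.e. xIDs winbind did not resolve to a name, and flags those that occur as both a user and a group entry, the ID_BOTH case discussed above. The sample ACL listing is constructed after the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not the script linked above): report unresolved xIDs in
# getfacl output and whether each one appears in user, group or both contexts.

# Constructed sample, modelled on the listing quoted in the thread.
ACL_SAMPLE='# file: var/lib/samba/sysvol/example.lan
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user:3000002:rwx
default:group:3000002:rwx'

# Usage: unresolved_xids "<getfacl output>"
# Prints one line per numeric principal: "<id> both|user|group", sorted by id.
unresolved_xids() {
    printf '%s\n' "$1" | awk '
        {
            line = $0
            sub(/^default:/, "", line)              # default: entries count too
            n = split(line, f, ":")
            if (n < 3 || f[2] !~ /^[0-9]+$/) next   # named or empty principal
            if (f[1] == "user")  u[f[2]] = 1
            if (f[1] == "group") g[f[2]] = 1
            if (f[1] == "user" || f[1] == "group") ids[f[2]] = 1
        }
        END {
            for (id in ids) {
                kind = ((id in u) && (id in g)) ? "both" : ((id in u) ? "user" : "group")
                print id, kind
            }
        }' | sort -n
}

unresolved_xids "$ACL_SAMPLE"
```

On a live DC, feed it the output of `getfacl -R /var/lib/samba/sysvol/` instead of the sample, and check each flagged ID with `wbinfo --uid-to-sid` / `wbinfo --gid-to-sid` before concluding that idmap.ldb on that DC is out of sync.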

