[Samba] Sysvol Replication workaround seems not work

Thomas Kempf listen at hueper.de
Fri Jul 30 08:29:14 UTC 2021

Hi Rowland,
On 30.07.2021 at 09:54, Rowland Penny via samba wrote:
 > On Fri, 2021-07-30 at 08:29 +0200, Thomas Kempf via samba wrote:
 >> Hello all,
 >> I'm in a network with about 40 OSX-Clients, a couple of Linux and
 >> FreeBSD servers and a growing number of win10 machines. I have two
 >> Samba servers 4.9.5-Debian on Debian-Buster running as DCs. For
 >> ID-Mapping
 > Can I suggest you have a look here: https://apt.van-belle.nl/
 > 4.9.5 is really old
OK, until now I still hesitated to leave the Debian packages repo, but 
I'll definitely check this out.

 >> I'm using the RFC-2307 ad.
 >> I set up the bidirectional sysvol replication as documented in the
 >> Wiki with unison/rsync workaround.
 >> As samba-tool complained about some sysvol permissions error, I've
 >> done a sysvolreset as advised in the wiki
 >> https://wiki.samba.org/index.php/Sysvolreset because my Domain
 >> Admins group had a gidNumber.
 > Can I suggest you create another group and use that instead of Domain
 > Admins.

This is what I already did this morning. I created a new admin group 
using the same gidNumber as Domain Admins
had before and removed the gidNumber from Domain Admins. After that I
resynchronized idmap.ldb to the second DC, including net cache flush on 
both DCs. I also removed idmap_ldb:use rfc2307 = yes from my DCs' 
configuration and restarted them.

 >> The Sysvol seems ok on the machine to which i connected, but the
 >> ACL-changes during the sysvolreset don't get synchronized to the
 >> other DC.
 > That is correct, you also need to sync idmap.ldb from the DC with the
 > PDC_Emulator FSMO role to all other DC's.
Does this mean I always have to do a manual full resync to my second DC 
when I only change ACL on the policies?
