[Samba] Sysvol Replication workaround seems not work

Rowland Penny rpenny at samba.org
Fri Jul 30 08:51:19 UTC 2021

On Fri, 2021-07-30 at 10:29 +0200, Thomas Kempf via samba wrote:
> Hi Rowland,
> OK, until now I still hesitated leaving the Debian packages repo, but
> I'll definitely check this out.

I suppose that I should mention that Louis is a Samba team member and
lots of people (including myself) use his repo.

> This is what I already did this morning. I created a new admin group
> using the same gidNumber as Domain Admins had before and removed the
> gidNumber from Domain Admins. After that I resynchronized idmap.ldb to
> the second DC, including net cache flush on both DCs. I also removed
> 'idmap_ldb:use rfc2307 = yes' from my DCs' configuration and restarted
> them.

You didn't need to do both: not having 'idmap_ldb:use rfc2307 = yes' on
a DC means 'do not use any rfc2307 attributes on this DC', so the
Domain Admins gidNumber would be ignored. If you only use a DC for
authentication, you do not need the line.
>  >>
>  >> The Sysvol seems OK on the machine to which I connected, but the
>  >> ACL changes during the sysvolreset don't get synchronized to the
>  >> other DC.

You have to run sysvolreset on all DCs.

>  >
>  > That is correct, you also need to sync idmap.ldb from the DC with
>  > the PDC_Emulator FSMO role to all other DCs.
> Does this mean I always have to do a manual full resync to my second
> DC when I only change ACLs on the policies?

Any time you alter Sysvol, you need to sync it to the other DCs, but
this doesn't mean that you need to sync idmap.ldb; that is only needed
if you have made user or group changes.
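The procedure this reply describes (sysvolreset on every DC, Sysvol pushed after every change, idmap.ldb pushed only after user or group changes) written out as a script, as an added example that is not code from this thread or from the Samba project. The Debian-style paths, root ssh access to the other DCs and the hostname dc2.samdom.example.com are assumptions; comparing the snapshot against a '.last-pushed' copy is this example's own way of deciding whether idmap.ldb has to go out again.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): push SysVol from the DC holding the
# PDC Emulator role to the other DCs, push idmap.ldb only when it changed since
# the last push, and run 'samba-tool ntacl sysvolreset' on every DC.
# Assumptions: Debian-style paths, root ssh access to the other DCs, and the
# hostname dc2.samdom.example.com; all three are hypothetical.
set -eu

SAMBA_PRIVATE=${SAMBA_PRIVATE:-/var/lib/samba/private}
SYSVOL_DIR=${SYSVOL_DIR:-/var/lib/samba/sysvol}
IDMAP_DB="$SAMBA_PRIVATE/idmap.ldb"
OTHER_DCS=${OTHER_DCS:-dc2.samdom.example.com}   # space-separated list

# DRY_RUN=1 prints each command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Exit status 0 when the two files differ (a push is needed), 1 when identical.
idmap_differs() {
    ! cmp -s "$1" "$2"
}

# SysVol must go out after every change (GPO edits, sysvolreset, ...).
# -X carries the xattrs Samba stores the NT ACLs in, -A the POSIX ACLs.
sync_sysvol() {
    local dc=$1
    run rsync -XAavz --delete-after "$SYSVOL_DIR/" "root@$dc:$SYSVOL_DIR/"
}

# idmap.ldb only needs to go out after user/group changes; detect that by
# comparing a consistent snapshot with the copy last pushed to this DC.
sync_idmap() {
    local dc=$1 snap="$IDMAP_DB.bak" last="$IDMAP_DB.last-pushed.$1"
    run tdbbackup -s .bak "$IDMAP_DB"
    if [ "${DRY_RUN:-0}" != 1 ] && [ -f "$last" ] && ! idmap_differs "$snap" "$last"; then
        echo "idmap.ldb unchanged since last push to $dc, skipping"
        return 0
    fi
    run rsync -avz "$snap" "root@$dc:$IDMAP_DB"
    run cp "$snap" "$last"
}

# Reset the SysVol ACLs on one DC; "localhost" means this DC.
reset_acls() {
    local dc=$1 cmd='net cache flush && samba-tool ntacl sysvolreset'
    if [ "$dc" = localhost ]; then run sh -c "$cmd"; else run ssh "root@$dc" "$cmd"; fi
}

# Full cycle: reset here, push to every other DC, reset there.
sync_all() {
    local dc
    reset_acls localhost
    for dc in $OTHER_DCS; do
        sync_idmap "$dc"
        sync_sysvol "$dc"
        reset_acls "$dc"
    done
}

# Only act when invoked as './sysvol-sync.sh run'; sourcing just defines the functions.
if [ "${1:-}" = run ]; then
    sync_all
fi
```

Run it on the DC holding the PDC Emulator role as `./sysvol-sync.sh run`, or `DRY_RUN=1 ./sysvol-sync.sh run` to see the commands first. The rsync -X flag matters: the NT ACLs on Sysvol live in extended attributes, and they only resolve to the same uids and gids on the other DC when its idmap.ldb matches, which is why the two have to be kept in step.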
