[Samba] Sysvol Replication workaround seems not work

[Thomas Kempf]

Am 30.07.2021 um 10:51 schrieb Rowland Penny via samba:
> On Fri, 2021-07-30 at 10:29 +0200, Thomas Kempf via samba wrote:
>> Hi Rowland,
>>
>> ok, until now i still hesitated leaving the debian packages repo,
>> but
>> i'll definitely check this out
> 
> I suppose that I should mention that Louis is a Samba team member and
> lots of people (including myself) use his repo
> 
>>
>>
>>
>> This is what already i did this morning.I created a new admin group
>> using the same gidNumber as Domain Admins
>> had before and removed the gidNumber from Domain Admins. After that i
>> resynchronized idmap.ldb to the second DC. including net cache flush
>> on
>> both both DCs. I also removed idmap_ldb:use rfc2307 =yes form my DCs
>> configuration and restarted them.
> 
> You didn't need to do both, not having 'idmap_ldb:use rfc2307 = yes' on
> a DC means 'do not use any rfc2307 attributes on this DC', so the
> Domain Admins gidNumber would be ignored. If you only use a DC for
> authentication, you do not need the line.
ok, i understand.
>>
>>   >>
>>   >> The Sysvol seems ok on the machine to which i connected, but the
>>   >> ACL-changes during the sysvolreset don't get synchronized to the
>>   >> other DC.
> 
> You have to run sysvolreset on all DC's
can i do this safely now having removed the gidNUmber from Domain Admins?

> 
>>   >
>>   > That is correct, you also need to sync idmap.ldb from the DC with
>> the
>>   > PDC_Emulator FSMO role to all other DC's.
>> Does this mean, i alwys have to do a manual full resync to my second
>> DC
>> when i only change ACL on the Policys ?
> 
> Any time you alter Sysvol, you need to sync it to the other DC's, but
> this doesn't mean that you need to sync idmap.ldb, only if you have
> made user or group changes.
ok, but shouldn't this be done automagically by the implemented 
"Bidirectional Rsync/Unison based SysVol replication workaround" ?