[Samba] several offices: home dirs, local resources, ...

Michael Tokarev mjt at tls.msk.ru
Tue Nov 22 19:36:04 UTC 2022

22.11.2022 21:59, cn--- via samba wrote:
> Sorry for top posting.

That's entirely okay, thank you!

> To say it is try to answer your questions.
> Why not use a DC as a file server:
> It is slower, because, e.g., all the traffic is signed.
> Because every DC uses its own idmap file, you have to keep that in sync and use the AD idmap backend. RID, for example, does not work, I think.
> The file server on a DC behaves differently with regards to Administrator mappings.

Yeah. All this seems to be irrelevant in the context of domain-level MSDFS root shares,
whose only purpose is to give the connecting client a referral, - where to find the actual
data (server/share), - and clients even cache this info.

idmap needs to be synchronized anyway, or else sysvol permissions can't be synchronized properly.
Yes, idmap_rid doesn't work; actually the whole idmap config* is ignored, winbind in AD uses
its own way of idmapping.

> As for the DNS:
> It does work to use another DNS server. However, this is a lot of manual labor, and if it does not work, folks here are likely to say it is your DNS.

The second part is very much understandable, I have already faced it several times :)

For the first, it is not difficult at all, - grabbing the dns_update_cache files from
the servers (much easier when all of them are containers on the same server, so directly
accessible from the host filesystem) to a host which manages DNS, and converting
them into regular DNS zone format with a trivial 3-line shell fragment, -- it is
all set up in some 10 minutes, especially if config synchronization is already
working between the offices.  And once any file changes, the zone is regenerated
and signed automatically, and downstream resolvers are notified and update the
zone content.

> As for your roaming profile question:
> You can specify a GPO to a site. That should help you if I understood your question right.

Can you give an example please? I can't find a way to map the home/profile path to
a site-specific name, - whether the GPO itself is site-specific or not.  It smells like
a GPO could be used there, but I can't find a way to do that.

Thank you very much Christian!

Your reply makes me hope (just a little bit) that maybe my questions aren't completely
stupid after all... :)
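The dns_update_cache-to-zone conversion mentioned above, as an added example that is not the poster's own fragment. It assumes the line layout samba_dnsupdate writes to that file ("A/AAAA name ip", "CNAME name dest", "NS name dest", "SRV name dest port") and the SRV priority/weight of 0 100 that samba_dnsupdate registers; the sample lines are constructed, not taken from a real DC.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): turn dns_update_cache lines into
# BIND-style zone records.  Assumed input layout (from samba_dnsupdate):
#   A name ip | AAAA name ip | CNAME name dest | NS name dest | SRV name dest port
# Names are emitted fully qualified (trailing dot) so the fragment can be
# $INCLUDEd into a zone file whose $ORIGIN differs.

# Constructed sample standing in for a real private/dns_update_cache file.
SAMPLE_CACHE='A dc1.ad.example.com 10.0.1.10
AAAA dc1.ad.example.com fd00::10
NS ad.example.com dc1.ad.example.com
CNAME 11111111-2222-3333-4444-555555555555._msdcs.ad.example.com dc1.ad.example.com
SRV _ldap._tcp.ad.example.com dc1.ad.example.com 389
SRV _kerberos._udp.ad.example.com dc1.ad.example.com 88'

# cache_to_zone: read cache lines on stdin, print zone records on stdout.
# SRV priority 0 / weight 100 is what samba_dnsupdate registers (assumption;
# adjust if your DCs use other values).  Unknown lines become zone comments
# rather than silently vanishing, so a format change is visible in the output.
cache_to_zone() {
    awk '
        $1 == "A" || $1 == "AAAA"   { printf "%s.\tIN\t%s\t%s\n",  $2, $1, $3; next }
        $1 == "CNAME" || $1 == "NS" { printf "%s.\tIN\t%s\t%s.\n", $2, $1, $3; next }
        $1 == "SRV"                 { printf "%s.\tIN\tSRV\t0 100 %s %s.\n", $2, $4, $3; next }
                                    { print "; skipped unrecognised line: " $0 }
    '
}

# count_records: number of real records generated from the constructed sample.
count_records() {
    printf '%s\n' "$SAMPLE_CACHE" | cache_to_zone | grep -c 'IN'
}

printf '%s\n' "$SAMPLE_CACHE" | cache_to_zone
```

Feed the concatenated cache files of all DCs through cache_to_zone, then bump the SOA serial and re-sign as usual; the output is plain zone syntax, so `named-checkzone` can validate it before it is loaded.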
