[Samba] several offices: home dirs, local resources, ...

Kees van Vloten keesvanvloten at gmail.com
Tue Nov 22 19:53:53 UTC 2022

On 22-11-2022 20:36, Michael Tokarev via samba wrote:
> 22.11.2022 21:59, cn--- via samba wrote:
>> Sorry for top posting.
> That's entirely okay, thank you!
>> To say it is try to answer your questions.
>> Why not to use a DC as file server:
>> It is slower, because e.g. all the traffic is signed.
>> Because every DC uses its own idmap file, you have to keep that in 
>> sync and use the AD idmap backend. RID for example does not work, I 
>> think.
>> The file server on a DC behaves differently with regards to 
>> Administrator mappings.
> Yeah. All this seems to be irrelevant in context of a domain-level 
> MSDFS root shares,
> which only purpose is to give connecting client a referral, - where to 
> find the actual
> data (server/share), and clients even cache this info.
> idmap needs to be synchronized anyway, or else sysvol permissions can't 
> be synchronized properly.
> Yes, idmap_rid doesn't work; actually the whole idmap config* is ignored, 
> winbind in AD uses
> its own way for idmapping.
>> As for the DNS:
>> It does work to use another DNS Server. However, this is a lot of 
>> manual labor and if it does not work, folks here are likely to say it 
>> is your DNS.
> The second part is very much understandable, I faced it already 
> several times :)
> For the first, it is not difficult at all, - grabbing dns_update_cache 
> files from
> servers (much easier when all of them are containers on the same 
> server so directly
> accessible from the host filesystem) to a host which manages dns, and 
> converting
> them into regular dns zone format with a trivial 3-line shell 
> fragment, -- it is
> all set up in some 10 minutes, especially if config synchronization is 
> already
> working between the offices.  And once any file changes, the zone is 
> regenerated
> and signed automatically, and downstream resolvers are notified and 
> update the
> zone content.
>> As for your roaming profile question:
>> You can specify a GPO to a site. That should help you if I understood 
>> your question right.
> Can you give an example please? I can't find a way to map home/profile 
> path to
> a site-specific name, - be the GPO itself site-specific or not. It 
> smells like
> GPO can be used there, but I can't find a way to do that.
Indeed you can link a GPO to a site instead of an OU.
Additionally you can filter it to a group. That way only group members 
within the linked object (site) get the GPO applied.
> Thank you very much Christian!
> Your reply makes me hope (just a little bit), maybe my questions 
> aren't completely
> stupid after all.. :)
> /mjt
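The dns_update_cache-to-zone conversion Michael describes above, written out as an added shell example that is not from this thread. It assumes the line format samba_dnsupdate writes into the cache (`A name ip`, `AAAA name ip`, `CNAME name target`, `NS name target`, `SRV name target port`), SRV priority 0 / weight 100 as Samba registers them, a caller-supplied TTL, and a constructed sample cache in place of a real DC's file.

```shell
# Convert one or more Samba dns_update_cache files (one per DC) into
# RFC 1035 zone-file records. Cache line format as written by
# samba_dnsupdate (assumption, verify against your own copy):
#   A name ip | AAAA name ip | CNAME name target | NS name target | SRV name target port
# SRV priority/weight are fixed at 0/100 as samba_dnsupdate registers them (assumption).
cache_to_zone() {
    # usage: cache_to_zone TTL FILE...   (records from all FILEs are concatenated)
    ttl=$1; shift
    awk -v ttl="$ttl" '
        NF == 0 || $1 ~ /^#/ { next }                  # blank line or comment
        $1 == "A" || $1 == "AAAA" {
            printf "%s. %d IN %s %s\n", $2, ttl, $1, $3; next }
        $1 == "CNAME" || $1 == "NS" {
            printf "%s. %d IN %s %s.\n", $2, ttl, $1, $3; next }
        $1 == "SRV" {
            printf "%s. %d IN SRV 0 100 %s %s.\n", $2, ttl, $4, $3; next }
        { print "; unhandled cache line: " $0 > "/dev/stderr" }   # never silently drop
    ' "$@"
}

# Constructed sample cache for a single DC (not real data).
write_sample_cache() {
    cat > "$1" <<'EOF'
# comment lines and blank lines are ignored
A dc1.ad.example.test 192.0.2.10

CNAME 0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0._msdcs.ad.example.test dc1.ad.example.test
SRV _ldap._tcp.ad.example.test dc1.ad.example.test 389
SRV _kerberos._udp.ad.example.test dc1.ad.example.test 88
NS ad.example.test dc1.ad.example.test
EOF
}

# Demo: emit the records for one DC with a placeholder TTL of 300 seconds.
tmp=$(mktemp)
write_sample_cache "$tmp"
cache_to_zone 300 "$tmp"
rm -f "$tmp"
```

Pass every DC's cache file on one command line so the generated zone carries each DC's own SRV and NS targets; unrecognised lines go to stderr rather than being dropped, so a format change in a Samba upgrade is noticed.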