[Samba] sysvol maintenance/fix

d tbsky tbskyd at gmail.com
Tue May 23 15:26:55 UTC 2023


Rowland Penny via samba <samba at lists.samba.org>
> So how does 'sysvolreset' know how many GPOs there should be? Well, it
> doesn't, it gets that information from AD, where the GPOs are also
> stored. Using the information it gets from AD, sysvolreset 'walks' the
> path of each GPO resetting the permissions on disk.
> If a GPO exists in AD, but isn't on disk, you will get an error; if a
> GPO exists on disk but not in AD (unlikely) you will get an error.
> This is why you must ensure that sysvol on one DC is kept in sync with
> all other DCs. The other thing to consider is idmap.ldb, this is where
> the DC user and group IDs are stored and these are allocated on a first
> come basis, this means that you can never be certain that a user or
> group will have the same ID on different DCs, that is unless you use
> the 'ad' idmap backend. This however has dangers on a DC, because Domain
> Admins should never be given a gidNumber attribute with 'idmap_ldb:use
> rfc2307 = yes' set in a DC's smb.conf.

Thanks for the detailed explanation.
I ran "sysvolreset" and indeed the directories' ACLs were fixed.
I ran "sysvolcheck" and now it reports no errors.
Group policies are still working fine.
Thanks again for your help!

Regards,
tbskyd
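The two checks Rowland describes above (every GPO in AD must have its directory under sysvol and vice versa, and the SID-to-ID allocations in idmap.ldb can differ between DCs) can be reproduced offline. The script below is an added example written for this thread, not Samba's own code and not what `samba-tool ntacl sysvolcheck` or `sysvolreset` actually execute. It parses the output formats of `samba-tool gpo listall` and of `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'` from constructed fixtures: the two default GPO GUIDs are real, the domain SID, the third GPO, the orphaned directory and the xidNumber values are made up, and the `run_checks` / `_sidmap` helpers are hypothetical names introduced here.

```python
import re
from typing import Dict, List, Set, Tuple

# Added example for this thread; not part of Samba.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
GPO_LINE_RE = re.compile(r"^GPO\s*:\s*(\{[^}]+\})")

def gpos_from_listall(text: str) -> Set[str]:
    """GPO GUIDs from `samba-tool gpo listall` output (the 'GPO : {..}' lines)."""
    out = set()
    for line in text.splitlines():
        m = GPO_LINE_RE.match(line)
        if m and GUID_RE.fullmatch(m.group(1)):
            out.add(m.group(1).upper())
    return out

def gpos_from_policies_dir(entries: List[str]) -> Set[str]:
    """GPO GUIDs from the names under sysvol/<realm>/Policies; non-GUID names
    (stray files such as desktop.ini) are ignored."""
    return {e.upper() for e in entries if GUID_RE.fullmatch(e)}

def compare_sysvol(in_ad: Set[str], on_disk: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(GPOs AD knows but sysvol lacks, directories sysvol has but AD does not).
    Either set being non-empty is the situation in which sysvolreset/sysvolcheck
    report an error, per the quoted reply."""
    return in_ad - on_disk, on_disk - in_ad

def parse_idmap_ldif(text: str) -> Dict[str, Tuple[int, str]]:
    """{objectSid: (xidNumber, type)} from ldbsearch output over idmap.ldb.
    Records are blank-line separated; '#' lines are ldbsearch comments."""
    mapping, record = {}, {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last record
        if not line.strip():
            if "objectSid" in record and "xidNumber" in record:
                mapping[record["objectSid"]] = (int(record["xidNumber"]),
                                                record.get("type", "?"))
            record = {}
        elif not line.startswith("#"):
            key, sep, value = line.partition(": ")   # 'attr:: base64' lines are skipped
            if sep:
                record[key] = value.strip()
    return mapping

def compare_idmap(dc_a: Dict[str, Tuple[int, str]],
                  dc_b: Dict[str, Tuple[int, str]]) -> Dict[str, Tuple]:
    """SIDs both DCs have mapped, but to a different xidNumber or type. A SID
    known to only one DC is not a conflict: idmap.ldb allocates on first use."""
    return {sid: (dc_a[sid], dc_b[sid])
            for sid in dc_a.keys() & dc_b.keys() if dc_a[sid] != dc_b[sid]}

# --- constructed fixtures ---------------------------------------------------
AD_LISTALL = """\
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy

GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy

GPO          : {1A2B3C4D-0000-4000-8000-000000000001}
display name : Constructed test GPO
"""
SYSVOL_POLICIES_DIR = [                       # as listed under sysvol/<realm>/Policies
    "{31B2F340-016D-11D2-945F-00C04FB984F9}",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}",
    "{FFFFFFFF-0000-4000-8000-0000000000FF}",  # on disk only: constructed orphan
    "desktop.ini",
]

def _sidmap(sid: str, xid: int) -> str:
    """One sidMap record in the shape ldbsearch prints for idmap.ldb (hypothetical helper)."""
    return (f"dn: CN={sid}\ncn: {sid}\nobjectClass: sidMap\nobjectSid: {sid}\n"
            f"type: ID_TYPE_BOTH\nxidNumber: {xid}\n\n")

DOMAIN_ADMINS = "S-1-5-21-111-222-333-512"    # constructed domain SID, well-known RID 512
SOME_GROUP = "S-1-5-21-111-222-333-1104"
# DC1 saw Domain Admins first, DC2 saw the other group first: same SIDs, swapped IDs.
IDMAP_DC1 = "# record 1\n" + _sidmap(DOMAIN_ADMINS, 3000000) + "# record 2\n" + _sidmap(SOME_GROUP, 3000001)
IDMAP_DC2 = "# record 1\n" + _sidmap(SOME_GROUP, 3000000) + "# record 2\n" + _sidmap(DOMAIN_ADMINS, 3000001)

def run_checks() -> dict:
    missing, orphaned = compare_sysvol(gpos_from_listall(AD_LISTALL),
                                       gpos_from_policies_dir(SYSVOL_POLICIES_DIR))
    conflicts = compare_idmap(parse_idmap_ldif(IDMAP_DC1), parse_idmap_ldif(IDMAP_DC2))
    return {"missing_on_disk": missing, "orphaned_on_disk": orphaned,
            "idmap_conflicts": conflicts}

if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value or 'none'}")
```

On a real DC you would feed `gpos_from_listall` the output of `samba-tool gpo listall`, `gpos_from_policies_dir` an `os.listdir` of the Policies directory, and `parse_idmap_ldif` the ldbsearch dump from each DC; a non-empty `idmap_conflicts` is exactly the case where copying sysvol from one DC to another with rsync would carry the wrong numeric owners, which is why the ACLs are reset with `sysvolreset` after the copy rather than trusted as-is.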


