[Samba] preparing for a new site with an extra domain controller

Stefan G. Weichinger lists at xunil.at
Tue Dec 17 08:01:55 UTC 2024


On 16.12.24 at 12:23, Rowland Penny via samba wrote:
> On Mon, 16 Dec 2024 10:33:59 +0100
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

>> 1) sync it at first
>> 2) do not sync it every time with sysvol
>> 3) sync it periodically
> 
> I am now not entirely convinced that '3' is required if you only use
> the DC in the recommended way, that is only for authentication and no
> shares other than sysvol & netlogon.

I run them this way.

> The 'idmap_ldb' backend, that a DC uses, allocates the IDs on a
> first-come basis and because the AD admin users & groups generally do
> not get the same IDs on all DCs, then you need to ensure that these
> users & groups have the same IDs on all DCs. The way to do this is to
> sync idmap.ldb from the DC that holds the 'main' Sysvol to all others.
> Now, as the users that you want to have the same IDs on all DCs only
> get their ID once, it doesn't really matter that your main users have
> different IDs; they aren't really used on the DCs, Windows and Unix
> domain members ensure they are known on those machines.

Does /var/lib/samba/private/idmap.ldb (path on Debian) contain all the users?

If I don't resync it, I assume it is updated by the AD replication within Samba, right? Otherwise new users wouldn't be distributed.

(just wondering)

OK, I will start that third DC as I started the second: run steps 1) and 2).

thanks!
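The check a practitioner would want after step 1), and before deciding whether step 3) is ever needed, is to compare the idmap.ldb contents of the main-Sysvol DC with those of each other DC and see which SIDs got different xidNumbers. The script below is an added example written for this thread, not code from Samba or from either poster. It parses the LDIF that `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints on each DC (the two dumps embedded here are constructed sample data with made-up domain SIDs), reports SIDs whose ID or type differ, and separates out the entries that matter for sysvol ACLs. The `sysvol_relevant()` filter is an assumption of this example: it treats Domain Admins (RID 512), Enterprise Admins (519), Group Policy Creator Owners (520) and the BUILTIN domain (S-1-5-32-*) as the ones to worry about; adjust the set to whatever appears in your own sysvol ACLs.

```python
"""Compare idmap.ldb dumps from two Samba DCs and report SIDs whose
xidNumber (or ID type) differs.  Example written for this discussion,
not part of Samba.  Input is the LDIF printed by
`ldbsearch -H /var/lib/samba/private/idmap.ldb` on each DC."""

import re
from typing import Dict, List, Tuple

Entry = Tuple[int, str]        # (xidNumber, type)
IdMap = Dict[str, Entry]       # objectSid -> Entry

# Constructed sample dumps (made-up domain SID, not real data).  Both DCs
# know the same SIDs, but DC2 allocated IDs in a different order, so
# Domain Admins (RID 512) and user RID 1104 have swapped xidNumbers, and
# DC2 has already allocated an ID for RID 1105 that DC1 has not seen.
DC1_DUMP = """\
# record 1
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000000
xidNumber: 3000003
distinguishedName: CN=CONFIG

# record 2
dn: CN=S-1-5-21-1111-2222-3333-512
cn: S-1-5-21-1111-2222-3333-512
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-21-1111-2222-3333-512

# record 3
dn: CN=S-1-5-21-1111-2222-3333-1104
cn: S-1-5-21-1111-2222-3333-1104
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_BOTH
xidNumber: 3000001
distinguishedName: CN=S-1-5-21-1111-2222-3333-1104

# record 4
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-32-544

# returned 4 records
# 4 entries
# 0 referrals
"""

DC2_DUMP = """\
# record 1
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000000
xidNumber: 3000004
distinguishedName: CN=CONFIG

# record 2
dn: CN=S-1-5-21-1111-2222-3333-1104
cn: S-1-5-21-1111-2222-3333-1104
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-21-1111-2222-3333-1104

# record 3
dn: CN=S-1-5-21-1111-2222-3333-512
cn: S-1-5-21-1111-2222-3333-512
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_BOTH
xidNumber: 3000001
distinguishedName: CN=S-1-5-21-1111-2222-3333-512

# record 4
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-32-544

# record 5
dn: CN=S-1-5-21-1111-2222-3333-1105
cn: S-1-5-21-1111-2222-3333-1105
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_BOTH
xidNumber: 3000003
distinguishedName: CN=S-1-5-21-1111-2222-3333-1105

# returned 5 records
# 5 entries
# 0 referrals
"""


def parse_idmap_ldif(text: str) -> IdMap:
    """Parse ldbsearch LDIF into {objectSid: (xidNumber, type)}.

    Records without an objectSid (CN=CONFIG, which only carries the ID
    bounds and the next free xidNumber) are skipped.  Assumes the
    single-line `attr: value` form ldbsearch prints for these attributes;
    base64 (`attr:: value`) and folded lines are not handled."""
    mapping: IdMap = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, str] = {}
        for line in record.splitlines():
            if not line or line.startswith("#"):
                continue                       # ldbsearch comment lines
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        sid, xid = attrs.get("objectSid"), attrs.get("xidNumber")
        if sid and xid:
            mapping[sid] = (int(xid), attrs.get("type", ""))
    return mapping


def sysvol_relevant(sid: str) -> bool:
    """Assumed set of SIDs whose IDs must agree across DCs because they
    show up in sysvol ACLs: BUILTIN groups and a few well-known RIDs.
    Edit to match your own sysvol ACLs."""
    if sid.startswith("S-1-5-32-"):
        return True
    rid = sid.rsplit("-", 1)[-1]
    return rid in {"512", "519", "520"}        # Domain/Enterprise Admins, GPCO


def compare_idmaps(main: IdMap, other: IdMap) -> Dict[str, List]:
    """Report where `other` disagrees with `main` (the DC that holds the
    authoritative Sysvol).  'mismatch' lists (sid, main_entry, other_entry)
    for SIDs both know but map differently; 'missing' lists SIDs only main
    has; 'extra' lists SIDs only other has.  All lists are sorted by SID."""
    mismatch = sorted(
        (sid, main[sid], other[sid])
        for sid in main.keys() & other.keys()
        if main[sid] != other[sid]
    )
    return {
        "mismatch": mismatch,
        "missing": sorted(main.keys() - other.keys()),
        "extra": sorted(other.keys() - main.keys()),
    }


if __name__ == "__main__":
    report = compare_idmaps(parse_idmap_ldif(DC1_DUMP), parse_idmap_ldif(DC2_DUMP))
    for sid, a, b in report["mismatch"]:
        flag = "SYSVOL-RELEVANT" if sysvol_relevant(sid) else "harmless on a DC"
        print(f"{sid}: main={a[0]} other={b[0]} ({flag})")
    print("only on main:", report["missing"])
    print("only on other:", report["extra"])
```

Run it against real dumps by saving `ldbsearch -H /var/lib/samba/private/idmap.ldb` output from each DC to a file and feeding those strings to `parse_idmap_ldif()` in place of the constructed samples. A non-empty sysvol-relevant mismatch after step 1) means the initial copy of idmap.ldb did not take (or the other DC allocated IDs before it was copied); ordinary user RIDs differing is the situation Rowland describes as not mattering on DCs that serve nothing but sysvol and netlogon.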