[Samba] preparing for a new site with an extra domain controller
Luis Peromarta
lperoma at icloud.com
Tue Dec 17 10:03:44 UTC 2024
This is how I do it.
http://samba.bigbird.es/doku.php?id=samba:sync-idmap.ldb
On Dec 17, 2024 at 09:02 +0100, Stefan G. Weichinger via samba <samba at lists.samba.org>, wrote:
> Am 16.12.24 um 12:23 schrieb Rowland Penny via samba:
> > On Mon, 16 Dec 2024 10:33:59 +0100
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
> > > 1) sync it at first
> > > 2) do not sync it every time with sysvol
> > > 3) sync it periodically
> >
> > I am now not entirely convinced that '3' is required if you only use
> > the DC in the recommended way, that is only for authentication and no
> > shares other than sysvol & netlogon.
>
> I run them this way.
>
> > The 'idmap_ldb' backend, that a DC uses, allocates the IDs on a first
> > come basis and because the AD admin users & groups generally do not get
> > the same IDs on all DCs, then you need to ensure that these users &
> > groups have the same IDs on all DCs. The way to do this is to sync
> > idmap.ldb from the DC that holds the 'main' Sysvol to all others. Now,
> > as the users that you want to have the same IDs on all DCs only get
> > their ID once, it doesn't really matter that your main users have
> > different IDs, they aren't really used on the DCs, Windows and Unix
> > domain members ensure they are known on those machines.
>
> Does /var/lib/samba/private/idmap.ldb (path on Debian) contain all the
> users?
>
> If I don't resync it, I assume it is updated by the AD replication within
> Samba, right? Otherwise new users wouldn't be distributed.
>
> (just wondering)
>
> OK, I will start that third DC as I did start the second: run steps 1)
> and 2)
>
> thanks!
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
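A check for the mismatch Rowland describes above (the same well-known SIDs getting different xidNumbers on each DC), as an added example that is not part of this thread or of Samba's own tooling. It assumes each DC's dump was taken with `ldbsearch -H /var/lib/samba/private/idmap.ldb` (the path Stefan mentions); the LDIF entries embedded in it are constructed, not real dumps.

```python
"""Cross-check idmap.ldb allocations between two Samba DCs.
Input is the LDIF printed on each DC by: ldbsearch -H /var/lib/samba/private/idmap.ldb
The entries below are constructed samples, not real dumps."""


def parse_idmap_ldif(ldif: str) -> dict:
    """Return {objectSid: (type, xidNumber)} from an idmap.ldb LDIF dump."""
    mapping, record = {}, {}
    for raw in ldif.splitlines() + [""]:        # trailing "" flushes the last record
        line = raw.strip()
        if not line or line.startswith("#"):    # blank line or ldbsearch comment ends a record
            if "objectSid" in record:
                mapping[record["objectSid"]] = (record.get("type"), int(record["xidNumber"]))
            record = {}
            continue
        key, _, value = line.partition(": ")
        record[key] = value
    return mapping


def compare_idmaps(main_dc: dict, other_dc: dict) -> list:
    """List (sid, xid_on_main, xid_on_other) for every SID the DCs map differently.

    A SID present on only one side shows as None: that DC has not allocated it yet,
    which is harmless. A SID with two different numbers is the conflict a one-time
    copy of idmap.ldb from the main-Sysvol DC is meant to remove."""
    issues = []
    for sid in sorted(set(main_dc) | set(other_dc)):
        a, b = main_dc.get(sid), other_dc.get(sid)
        if a != b:
            issues.append((sid, a[1] if a else None, b[1] if b else None))
    return issues


def fake_ldif(entries) -> str:
    """Build ldbsearch-style LDIF from (sid, type, xid) tuples: constructed test data."""
    recs = [f"dn: CN={s}\nobjectSid: {s}\ntype: {t}\nxidNumber: {x}\n" for s, t, x in entries]
    return "\n".join(recs) + f"\n# returned {len(recs)} records\n"


# Constructed: BUILTIN\Administrators (-544) and Users (-545) got their IDs in a
# different order on the new DC, and the new DC has also already allocated -548.
MAIN_DC = fake_ldif([("S-1-5-32-544", "ID_TYPE_BOTH", 3000000),
                     ("S-1-5-32-545", "ID_TYPE_BOTH", 3000001)])
NEW_DC = fake_ldif([("S-1-5-32-545", "ID_TYPE_BOTH", 3000000),
                    ("S-1-5-32-544", "ID_TYPE_BOTH", 3000001),
                    ("S-1-5-32-548", "ID_TYPE_BOTH", 3000002)])
```

Run `compare_idmaps(parse_idmap_ldif(MAIN_DC), parse_idmap_ldif(NEW_DC))` before and after the one-off copy; an empty list after the copy means the IDs agree.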