
Re: [Samba] Keeping idmap in sync cross DC
On Thu, 23 Nov 2017 14:44:02 +0200
Ian Coetzee via samba <samba@xxxxxxxxxxxxxxx> wrote:

> On 23 November 2017 at 14:16, Rowland Penny <rpenny@xxxxxxxxx> wrote:
> 
> > On Thu, 23 Nov 2017 14:01:03 +0200
> > Ian Coetzee via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >
> > > On 22 November 2017 at 17:45, Rowland Penny <rpenny@xxxxxxxxx>
> > > wrote:
> > >
> > > > On Wed, 22 Nov 2017 16:01:17 +0200
> > > > Ian Coetzee via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > > >
> > > > > Hi Guys,
> > > > >
> > > > > I have run into a very interesting problem using GPO's on our
> > > > > DC's.
> > > > >
> > > > > As you may (or may not) know, we have migrated to a pure
> > > > > Samba4 (Git stable branch checkout) AD network. I can't be
> > > > > happier. *Kudos to the Samba team*
> > > > >
> > > > > We are running two DCs, DC1 and DC2, both full-fledged DCs,
> > > > > both running CentOS 6.9, fully up to date.
> > > > >
> > > > > For the sysvol partition I decided to run a glusterfs between
> > > > > the DC's. I started out with a unison sync, but being the
> > > > > impatient person I am, I needed more real time.
> > > > >
> > > > > Now my problem is with the permissions in the sysvol folder
> > > > > structure.
> > > > >
> > > >
> > > > Sorry, but your problem is that you missed this:
> > > >
> > > > https://wiki.samba.org/index.php/Bidirectional_Rsync/osync_based_SysVol_replication_workaround#FAQ
> > > >
> > > > Where it quite clearly says this:
> > > >
> > > >      Why can't I simply use a distributed filesystem like
> > > > GlusterFS, Lustre, etc. for SysVol?
> > > >         A cluster file system with Samba requires CTDB to be
> > > > able to do it safely. And CTDB and AD DC are incompatible.
> > > >
> > > > Rowland
> > > >
> > >
> > > Hi Rowland,
> > >
> > > Yes, you are right, I completely missed that part.
> > >
> > > I actually had the system set up using
> > > https://wiki.samba.org/index.php/Bidirectional_Rsync/Unison_based_SysVol_replication_workaround
> > >
> > > But then I decided to become creative with a glusterfs setup.
> > >
> > > I now have a Osync set up (much easier IMO), but the permissions
> > > are still not quite right, bringing me back to my idmap syncing
> > > question.
> > >
> > > Kind regards
> >
> > There are instructions here:
> >
> > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_Groups_GID_Mappings
> >
> >
> Hi Rowland,
> 
> I followed that howto. I copied the idmap.tdb.bak from dc1 to dc2 and
> restarted samba on dc2, but a getfacl on the sysvol directory gives me
> the wrong mappings.
> 
> My issue is with AD groups on the permissions of the Policies
> 
> Should I make a nightly backup of the idmap.tdb on dc1 and sync it to
> dc2 perhaps?

You shouldn't have to, idmap.ldb works on a 'first come' basis and as
Samba becomes aware of a user or group, it is given the next available
xidNumber and then stored in idmap.ldb. This means that because you can
never be absolutely certain in which order users or groups will
connect, you cannot be certain which xidNumber is used for which user
or group.

However, when you sync idmap.ldb to the other DCs, you should get the
same IDs for the Well Known SIDs. What can be a problem is the normal
AD users and groups, but for Sysvol this problem shouldn't really
exist, because you would normally connect as a Well Known SID, e.g.
Domain Users.

Rowland
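
As an added example (my own script, not code from this thread or from the
Samba project), here is a POSIX shell check for the point Rowland makes:
after copying idmap.ldb, the well-known SIDs should carry identical
xidNumbers on both DCs, while ordinary domain users and groups that were
allocated first-come on each DC may not. On real DCs you would dump
idmap.ldb with ldbsearch on each machine and feed the two dumps in; the
path /var/lib/samba/private/idmap.ldb is Samba's default and an
assumption, and the two embedded dumps are constructed, with ldbsearch's
dn and "# record" lines trimmed to the attributes the script reads.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project.
# Compare SID -> xidNumber mappings from idmap.ldb on two DCs and report
# where they diverge. On a real DC, produce one dump per DC with
# (default private dir assumed; adjust for your build):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' \
#       objectSid type xidNumber > idmap-dc1.ldif
# The dumps below are constructed stand-ins so the script runs offline.

DC1_DUMP='objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001

objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
type: ID_TYPE_BOTH
xidNumber: 3000002

objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
type: ID_TYPE_BOTH
xidNumber: 3000003'

# DC2 got a copy of DC1's idmap.ldb before any domain group connected, so
# the BUILTIN entries match; domain groups were then allocated first-come
# on each DC separately and ended up with different xidNumbers.
DC2_DUMP='objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001

objectSid: S-1-5-21-1111111111-2222222222-3333333333-1106
type: ID_TYPE_BOTH
xidNumber: 3000002

objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
type: ID_TYPE_BOTH
xidNumber: 3000003'

# Reduce an ldbsearch dump (records separated by blank lines) to one
# "SID<TAB>xidNumber<TAB>type" line per record, sorted by SID.
normalize() {
    awk '
        /^objectSid: / { sid = $2 }
        /^xidNumber: / { xid = $2 }
        /^type: /      { typ = $2 }
        /^$/  { if (sid != "") print sid "\t" xid "\t" typ; sid = xid = typ = "" }
        END   { if (sid != "") print sid "\t" xid "\t" typ }
    ' | sort
}

# compare_idmaps DC1_DUMP DC2_DUMP [SID_REGEX]
# Prints MISMATCH / ONLY-DC1 / ONLY-DC2 lines for SIDs matching SID_REGEX
# (default: all). Returns the number of MISMATCH lines, 0 = consistent.
compare_idmaps() {
    filter=${3:-.}
    a=$(mktemp) && b=$(mktemp) || return 255
    printf '%s\n' "$1" | normalize | grep -e "$filter" > "$a" || true
    printf '%s\n' "$2" | normalize | grep -e "$filter" > "$b" || true
    report=$(awk -F '\t' '
        FILENAME == ARGV[1] { dc1[$1] = $2 "/" $3; next }
        {
            if (!($1 in dc1)) { print "ONLY-DC2", $1, "dc2=" $2 "/" $3; next }
            seen[$1] = 1
            if (dc1[$1] != $2 "/" $3)
                print "MISMATCH", $1, "dc1=" dc1[$1], "dc2=" $2 "/" $3
        }
        END { for (s in dc1) if (!(s in seen)) print "ONLY-DC1", s, "dc1=" dc1[s] }
    ' "$a" "$b" | sort)
    rm -f "$a" "$b"
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    n=$(printf '%s\n' "$report" | grep -c '^MISMATCH' || true)
    return "$n"
}

# Stand-alone run: the full comparison, then only the BUILTIN (S-1-5-32-*) SIDs.
compare_idmaps "$DC1_DUMP" "$DC2_DUMP" || echo "full comparison: $? mismatch(es)"
compare_idmaps "$DC1_DUMP" "$DC2_DUMP" '^S-1-5-32-' && echo "BUILTIN SIDs: consistent"
```

Run the filtered form first: any MISMATCH for an S-1-5-32-* or other
well-known SID means the idmap.ldb copy did not take on that DC. Lines
for S-1-5-21-* entries only show which domain users and groups were
handed xidNumbers in a different order on each DC, which is the case
Rowland says Sysvol normally avoids.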


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba