Re: [Samba] Sysvolreset

On Thu, 11 Jan 2018 17:42:19 +0100
Denis Cardon via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi Carlos,
> >
> > DC to DC2/DC3 ->
> >
> >  /usr/bin/rsync  -XAaz --delete-after /opt/samba/var/locks/sysvol
> > root@samba-dc102:/opt/samba/var/locks/
> >
> >  /usr/bin/rsync  -XAaz --delete-after /opt/samba/var/locks/sysvol
> > root@samba-dc102:/opt/samba/var/locks/
> looking at your smb.conf file, you are using tdb idmap (default on
> DC). So the UID/SID mapping will be different on the different DC,
> and your rsync will thus mess up the ACLs of sysvol. ACLs on sysvol
> are very important, otherwise GPO won't be applied.
> So it is logical for you to have to apply sysvolreset after your rsync.
> One way to avoid that would be to copy idmap.ldb from your first DC
> to the other two DCs. The other way would be to configure rfc2307,
> but I'd say it is too much of a hassle.

If you are going to configure rfc2307 (I take this to mean adding
uidNumber & gidNumber attributes to AD), do not give Domain Admins a
gidNumber; this will turn the group into just a group. This might seem
a strange thing to say, but Domain Admins is mapped to both a group
AND a user in idmap.ldb, and the group needs to own GPOs in Sysvol and
it cannot if it is just a group.
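
The procedure the two replies describe, put together as a script. This is an added example, not code from the thread or from the Samba project: only the rsync line is Carlos's, taken from the quoted post. It keeps the thread's /opt/samba prefix and assumes the rest: target DC names samba-dc102 and samba-dc103, /opt/samba/private as the private directory holding idmap.ldb and sam.ldb, a systemd unit called samba-ad-dc, and root ssh between the DCs. It covers Denis's two options (carry the first DC's idmap.ldb to the others, or live with ACL drift and reset) by running samba-tool ntacl sysvolcheck on each target after the copy and only falling back to sysvolreset when the check fails, and it adds Rowland's caveat as a pre-flight check when rfc2307 is in use: if Domain Admins carries a gidNumber the script stops before touching sysvol. DRY_RUN=1 prints the commands instead of executing them.

```bash
#!/bin/sh
# Added example (not from the thread): sysvol replication from the first DC to
# the others, with the ACL handling the replies call for. The rsync line is the
# one Carlos posted; everything else is illustrative. Assumed: DC host names
# samba-dc102/samba-dc103, private dir /opt/samba/private, systemd unit
# samba-ad-dc, root ssh between DCs.

SYSVOL_SRC="/opt/samba/var/locks/sysvol"
SYSVOL_DST="/opt/samba/var/locks/"
PRIVATE_DIR="/opt/samba/private"          # assumed location of the private dir
IDMAP_DB="$PRIVATE_DIR/idmap.ldb"
SAM_DB="$PRIVATE_DIR/sam.ldb"
TARGET_DCS="${TARGET_DCS:-samba-dc102 samba-dc103}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute, or just print the command when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# rsync_cmd HOST: the command from the thread. -X copies xattrs, including
# security.NTACL, which stores the NT ACL as SIDs and so survives the copy
# unchanged. -A copies the POSIX ACL and -a the owner/group, which are
# UIDs/GIDs; those only mean the same thing on the target if its idmap.ldb
# assigns the same IDs to the same SIDs. When it does not, the POSIX side no
# longer matches the NT ACL, sysvolcheck fails and GPOs stop being applied.
rsync_cmd() {
    printf 'rsync -XAaz --delete-after %s root@%s:%s' "$SYSVOL_SRC" "$1" "$SYSVOL_DST"
}

# uses_rfc2307: reads smb.conf (e.g. testparm -s output) on stdin; true when
# the DC takes uidNumber/gidNumber from AD instead of allocating IDs locally.
uses_rfc2307() {
    grep -Eiq '^[[:space:]]*idmap_ldb:use rfc2307[[:space:]]*=[[:space:]]*yes'
}

# domain_admins_has_gid: reads an LDIF record for Domain Admins on stdin
# (e.g. ldbsearch -H "$SAM_DB" '(cn=Domain Admins)' gidNumber) and succeeds
# if a gidNumber is set. Rowland's caveat: with rfc2307 that turns Domain
# Admins into a plain group, which cannot own the GPO files in sysvol.
domain_admins_has_gid() {
    grep -Eiq '^gidNumber:'
}

# copy_idmap HOST: Denis's first option. Replace the target's idmap.ldb with
# the source DC's copy so UIDs/GIDs agree. Samba is stopped while the file is
# swapped and its mapping cache is flushed before it comes back.
copy_idmap() {
    run ssh "root@$1" systemctl stop samba-ad-dc
    run rsync -a "$IDMAP_DB" "root@$1:$IDMAP_DB"
    run ssh "root@$1" net cache flush
    run ssh "root@$1" systemctl start samba-ad-dc
}

# sync_dc HOST: replicate, verify the ACLs on the target, and only fall back
# to sysvolreset (Carlos's current workaround) when the check fails.
sync_dc() {
    # shellcheck disable=SC2046  # word splitting is intended; paths have no spaces
    run $(rsync_cmd "$1")
    run ssh "root@$1" samba-tool ntacl sysvolcheck && return 0
    run ssh "root@$1" samba-tool ntacl sysvolreset
}

main() {
    if testparm -s 2>/dev/null | uses_rfc2307; then
        if ldbsearch -H "$SAM_DB" '(cn=Domain Admins)' gidNumber 2>/dev/null | domain_admins_has_gid; then
            echo "Domain Admins has a gidNumber; remove it or sysvol ownership will break" >&2
            exit 1
        fi
    elif [ "${COPY_IDMAP:-0}" = "1" ]; then
        for dc in $TARGET_DCS; do copy_idmap "$dc"; done
    fi
    for dc in $TARGET_DCS; do sync_dc "$dc"; done
}

# Usage: ./sysvol-sync.sh sync   (COPY_IDMAP=1 pushes idmap.ldb first,
#                                 DRY_RUN=1 prints instead of executing)
case "${1:-}" in sync) main ;; esac
```

Run it from the first DC, the one whose sysvol and idmap.ldb are treated as authoritative. The idmap.ldb copy is a one-off: once the other DCs share the same ID allocations, the plain rsync keeps the ACLs consistent and sysvolcheck should keep passing, so sysvolreset stops being part of the routine.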


