Min Wai Chan
2014-Oct-02 15:26 UTC
[Samba] Sysvol replication with Unison for more than 2 server.
Dear Louis,

Just to check...
Would it be possible to have more than 2 DCs using Unison to sync?

I was trying to get this into the samba wiki.

But when reading the list I see Rowland talking about the SID and RID issue, because the built-in group SID is not synced across the domain.

Which I think samba should have its own way of dealing with, or it will just be a mess in the long run.

Do we have any trick to deal with this built-in group UID/RID temporarily?

I remember seeing something like inotify/fam to monitor the sysvol and trigger unison when a change happens.

But I'm not sure how it would help when you have more than 3 servers...

Regards,
Min Wai
Ryan Ashley
2014-Oct-02 15:31 UTC
[Samba] Sysvol replication with Unison for more than 2 server.
I have done this with Unison in a single environment and had no issues thus far. I am out sick today with a fever but can get the details next week.

On 10/02/2014 11:26 AM, Min Wai Chan wrote:
> Dear Louis,
>
> Just to check...
> Would it be possible to have more than 2 DCs using Unison to sync?
>
> I was trying to get this into the samba wiki.
>
> But when reading the list I see Rowland talking about the SID and RID issue,
> because the built-in group SID is not synced across the domain.
>
> Which I think samba should have its own way of dealing with, or it will
> just be a mess in the long run.
>
> Do we have any trick to deal with this built-in group UID/RID temporarily?
>
> I remember seeing something like inotify/fam to monitor the sysvol and
> trigger unison when a change happens.
>
> But I'm not sure how it would help when you have more than 3 servers...
>
> Regards,
> Min Wai
Rowland Penny
2014-Oct-02 17:07 UTC
[Samba] Sysvol replication with Unison for more than 2 server.
On 02/10/14 16:26, Min Wai Chan wrote:
> Dear Louis,
>
> Just to check...
> Would it be possible to have more than 2 DCs using Unison to sync?
>
> I was trying to get this into the samba wiki.
>
> But when reading the list I see Rowland talking about the SID and RID
> issue,
> because the built-in group SID is not synced across the domain.

Ahh, I dropped a right clanger there, when I said SID I meant RID. It would seem that when you join a DC to a domain, idmap.ldb does not get replicated to the new DC and so the RIDs could be, and probably are, different. This is not really a problem, just copy idmap.ldb from the original DC to the new one.

Rowland

>
> Which I think samba should have its own way of dealing with, or it
> will just be a mess in the long run.
>
> Do we have any trick to deal with this built-in group UID/RID temporarily?
>
> I remember seeing something like inotify/fam to monitor the sysvol and
> trigger unison when a change happens.
>
> But I'm not sure how it would help when you have more than 3 servers...
>
> Regards,
> Min Wai
L.P.H. van Belle
2014-Oct-03 06:45 UTC
[Samba] Sysvol replication with Unison for more than 2 server.
Hello Min Wai,

I haven't tested it with more than 2 servers, but in my opinion it should work if you make sure you set GPOs and work on 1 machine. For example:

You work on the sysvol of DC1 only. Then you can sync to unlimited DCs. You let DC1 do all the syncing (the cron job on this machine).

With only 2 DCs you can work on both DCs; in this case syncing both ways works ok, this I have tested.

To overcome some of the rights issues... The DCs only work as DC, with just sysvol as shares (and netlogon). The 2 DCs I've got running will be accessed only from Windows computers, and I have set the following.

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        acl_xattr:ignore system acl = yes    <== http://www.samba.org/samba/docs/man/manpages/vfs_acl_xattr.8.html
        "If you only access the data via Samba you might set this to yes to achieve better NT ACL compatibility."

And in this case I set my rights from Windows on the share, and I don't have any rights problems as far as I have seen.

The acl_xattr is not really needed, but I noticed it made it easier to set up, since you don't have to look at the Linux rights in the background.

Hope this helps you out a bit.

Best regards,

Louis

From: Min Wai Chan [mailto:dcmwai at gmail.com]
Sent: Thursday 2 October 2014 17:26
To: Rowland Penny; L.P.H. van Belle; samba at lists.samba.org; steve
Subject: Sysvol replication with Unison for more than 2 server.

Dear Louis,

Just to check...
Would it be possible to have more than 2 DCs using Unison to sync?

I was trying to get this into the samba wiki.

But when reading the list I see Rowland talking about the SID and RID issue, because the built-in group SID is not synced across the domain.

Which I think samba should have its own way of dealing with, or it will just be a mess in the long run.

Do we have any trick to deal with this built-in group UID/RID temporarily?

I remember seeing something like inotify/fam to monitor the sysvol and trigger unison when a change happens.

But I'm not sure how it would help when you have more than 3 servers...

Regards,
Min Wai
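As an added example (not code from this thread or from Samba), a small Python check that parses the [sysvol] stanza Louis posted and flags a share that lacks the two settings he relies on; the sysvol path is the Samba default and the weaker variant is constructed for contrast.

```python
import configparser

# Constructed smb.conf fragments: the [sysvol] share as posted in the thread,
# and a weaker variant (read only, no acl_xattr option) to compare against.
SYSVOL_AS_POSTED = """
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        acl_xattr:ignore system acl = yes
"""

SYSVOL_WEAK = """
[sysvol]
        path = /var/lib/samba/sysvol
        read only = yes
"""

def parse_smb_conf(text):
    """Parse an smb.conf fragment into {share: {key: value}} with lower-cased keys.

    Lines are stripped first because smb.conf indents keys, and configparser
    would otherwise read a deeper-indented line as a continuation value.
    Only '=' is a delimiter so 'acl_xattr:ignore system acl' keeps its colon.
    """
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.RawConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(flat)
    return {section: dict(cp.items(section)) for section in cp.sections()}

def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")

def check_sysvol(conf):
    """Return findings for the [sysvol] share; an empty list matches the posted setup."""
    share = conf.get("sysvol")
    if share is None:
        return ["no [sysvol] share defined"]
    findings = []
    # Samba defaults 'read only' to yes, so a missing key means GPO edits cannot be written.
    if _truthy(share.get("read only", "yes")):
        findings.append("sysvol is read only; GPO edits from Windows will be refused")
    # Without this option NT ACLs written from Windows stay constrained by POSIX permissions.
    if not _truthy(share.get("acl_xattr:ignore system acl", "no")):
        findings.append("acl_xattr:ignore system acl is not set to yes")
    return findings
```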
L.P.H. van Belle
2014-Oct-03 07:16 UTC
[Samba] Sysvol replication with Unison for more than 2 server.
This idmap copy is really not needed IF you only use sysvol on the DC and you obey the following.

1) You set your GPOs as user Administrator
2) or, if another user is used, that user is a member of "Domain\Domain Admins" (but I did not test this)

The built-in group SID is the same on all servers. Administrators should be "SID: S-1-5-32-544" ...always.
http://support2.microsoft.com/kb/243330

SID: S-1-5-32-544
Name: Administrators
Description: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.

All of the above does not work if you add your own groups etc. on sysvol. I only use the defaults on it and I add users to the needed groups.
If an "Admin2user" adds this to a GPO on sysvol, yes, then this user can have problems with IDMAP and RIDs; then a copy of idmap is needed.

I overcome the sid/xid/rid problems by using only Administrator for the GPO/Sysvol work.

Louis

>-----Original message-----
>From: rowlandpenny at googlemail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Thursday 2 October 2014 19:08
>To: samba at lists.samba.org
>Subject: Re: [Samba] Sysvol replication with Unison for more
>than 2 server.
>
>On 02/10/14 16:26, Min Wai Chan wrote:
>> Dear Louis,
>>
>> Just to check...
>> Would it be possible to have more than 2 DCs using Unison to sync?
>>
>> I was trying to get this into the samba wiki.
>>
>> But when reading the list I see Rowland talking about the
>SID and RID
>> issue,
>> because the built-in group SID is not synced across the domain.
>
>Ahh, I dropped a right clanger there, when I said SID I meant RID. It
>would seem that when you join a DC to a domain, idmap.ldb does not get
>replicated to the new DC and so the RIDs could be, and probably are,
>different. This is not really a problem, just copy idmap.ldb from the
>original DC to the new one.
>
>Rowland
>
>>
>> Which I think samba should have its own way of dealing with, or it
>> will just be a mess in the long run.
>>
>> Do we have any trick to deal with this built-in group
>UID/RID temporarily?
>>
>> I remember seeing something like inotify/fam to monitor the
>sysvol and
>> trigger unison when a change happens.
>>
>> But I'm not sure how it would help when you have more than 3
>servers...
>>
>> Regards,
>> Min Wai