samba - Nov 2015 - Join Samba without GC role

Thanks for the answer!

Is that true if we have Subdomains, Samba write to DB information only about
join-domain?

And what option --domain-critical-only do? I did not see the difference -  with
or without.


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Saturday, October 31, 2015 12:14 PM
To: Luchko Dmitriy <Luchko.D at digdes.com>; samba at lists.samba.org
Subject: Re: [Samba] Join Samba without GC role

On Fri, 2015-10-30 at 06:27 +0000, Luchko Dmitriy wrote:
> Hi Andrew!
> 
> I notice, when we have a lot of domain Samba replicate object from all 
> domain - it's too long for us (GC about 16gb).
> I going to use --domain-critical-only, and after join disable GC on 
> Samba.
Samba replicates no additional information to be the GC, so it won't help. 
In Samba, the GC port is just another view of the main databse.

The Global Catalog would only be different if we supported sub-domains, which we
don't.

If there is 16GB of data, then Samba simply won't be able to hold it, no
matter what, due to the TDB limits (let alone the structural limits that blow up
well before then).

Sorry,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Mon, 2015-11-02 at 13:07 +0000, Luchko Dmitriy wrote:
> Thanks for the answer!
> 
> Is that true if we have Subdomains, Samba write to DB information
> only about join-domain?
Operation in the presence of subdomains is not supported.  When we do
add it, we will attempt to be a GC and replicate the GC partitions for
the whole forest.  This information is critical to the correct
operation of the DsCrackNames interface.
> And what option --domain-critical-only do? I did not see the
> difference -  with or without.
A smaller set of objects is replicated initially, but the whole domain
is replicated once Samba starts.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

It's strange. We have root domain and a lot subdomain. We try to join Samba
to one of subdomain.
Active Directory DB (NTDS.dit) without GC = 1.2 Gb, with GC=16 Gb. When we try
to join Samba we have samba DB limit 4Gb.
We see that samba replicate information about all domains in forest:

descriptor_sd_propagation_recursive:
DC=DomainDnsZones,DC=domain1,DC=oao,DC=company not found under
DC=domain1,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to
re-resolve GUID 3c4005a3-6aa9-4776-a23a-d0f632d6ebd8 - using
CN=DOMAIN6-DC-02,OU=Domain Controllers,DC=domain6,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to
re-resolve GUID 5cefb527-31c5-45b3-98e1-473e54b75ac8 - using
CN=DOMAIN6-DC-01,OU=Domain Controllers,DC=domain6,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to
re-resolve GUID 29d15948-c550-43ec-91bc-9eea9516197e - using
DC=domain6,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to
re-resolve GUID 01a7952b-a4e1-4e91-b3cd-74b34307a019 - using
DC=domain2,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to
re-resolve GUID c9686534-1edb-48ae-8f2d-808320512b71 - using
DC=domain3,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to
re-resolve GUID f45fa54a-8512-4af0-9aab-b24b0ae4b868 - using
DC=domain4,DC=oao,DC=company
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:5568: WARNING: Failed to
re-resolve GUID 580df24f-20ba-4cc5-8c51-f95e4fe08d6e - using
DC=domain5,DC=oao,DC=company

Can we disable GC in Samba before join?

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Monday, November 02, 2015 9:50 PM
To: Luchko Dmitriy <Luchko.D at digdes.com>; samba at lists.samba.org
Subject: Re: [Samba] Join Samba without GC role

On Mon, 2015-11-02 at 13:07 +0000, Luchko Dmitriy wrote:
> Thanks for the answer!
> 
> Is that true if we have Subdomains, Samba write to DB information only 
> about join-domain?
Operation in the presence of subdomains is not supported.  When we do add it, we
will attempt to be a GC and replicate the GC partitions for the whole forest. 
This information is critical to the correct operation of the DsCrackNames
interface.
> And what option --domain-critical-only do? I did not see the 
> difference -  with or without.
A smaller set of objects is replicated initially, but the whole domain is
replicated once Samba starts.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba