On Sun, 27 Aug 2017 21:40:55 -0400 (EDT)
Tom Diehl via samba <samba at lists.samba.org> wrote:
> Hi,
>
> In reading this list I see a lot of talk about samba-tool ntacl
> sysvolreset actually breaking things. Given the above How do I
> properly configure a 2nd AD DC or setup sysvol replication?
>
> For instance If I were to follow
>
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> In the Built-in Groups GID Mappings section the last thing it says to
> do is run samba-tool ntacl sysvolreset. If I skip that step will the
> replication still work?
>
> On
>
https://wiki.samba.org/index.php/Bidirectional_Rsync/osync_based_SysVol_replication_workaround
> they actually recommend running samba-tool ntacl sysvolreset every
> time osync runs. If I skip the steps that say to reset the sysvol is
> that going to cause problems?
>
> If resetting the sysvol is required, how do I keep it from causing
> problems?
>
> FWIW, I am testing self compiled 4.7.0 rc4 AD controllers and
> samba-4.6.2-8.el7.x86_64 for the file servers.
>
> Regards,
>
OK, sysvolreset is broken in two ways, the first is that it doesn't
actually set the ACLs that Windows does and whilst trying to fix this,
I found that the underlying 'C' code doesn't set the ACEs it is told
to.
Samba doesn't replicate sysvol, so you can run sysvolreset on a new
DC, just don't run it again.
This leads to Osync, provided you are using the same idmap.ldb on each
DC, Osync should sync an exact copy of sysvol from the first DC to the
second and you shouldn't need to run sysvolreset, I seem to remember
the 'REMOTE_RUN_AFTER_CMD' was added as a 'belt and braces'
approach,
only it doesn't work. I am fairly sure you don't need the
'REMOTE_RUN_AFTER_CMD'
Rowland