Hi,
Thanks for the clarification.
However, we held back from implementing your suggestion and observed
that after about 40 odd hours from the initial publishing of the
policies, all clients connecting to any of the Domain Controllers
started to get the policies. No client was throwing any error while
applying the policies from any of the 4 Domain Controllers.
Does it mean that "idmap.ldb" is taking time to replicate
automatically?
Or is it some other issue? Nothing interesting about this is logged in
samba. Sysvol is getting replicated as soon as any policy is added or
modified or deleted on the first domain controller.
Basically we are implementing "Software White Listing" policies and
these are defined as computer policies. The error started to show up
once the policy was linked.
Any hints on this behavior?
--
Thanks & Regards,
Anantha Raghava
On 12/07/18 7:01 PM, Rowland Penny via samba wrote:
> On Thu, 12 Jul 2018 18:49:06 +0530
> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> But, all user/groups should have the same ids on all DCs right?
>> That's what we had thought all these days? Suppose we sync the
>> idmap.ldb along with sysvol, will it not call for restart of
>> Samba-ad-dc service every time the changes to GPs are made?
>>
> Er, no, not by default, yes they will all have unique RIDs, but they
> are not guaranteed to have the same xidNumbers, in fact, I can almost
> guarantee they won't.
>
> You do not have to restart Samba, just run 'net cache flush'
>
> Rowland
>
>