Hi Rowland,

On 30.07.2021 at 09:54, Rowland Penny via samba wrote:
> On Fri, 2021-07-30 at 08:29 +0200, Thomas Kempf via samba wrote:
>> Hello all,
>> I'm in a network with about 40 OSX clients, a couple of Linux and
>> FreeBSD servers and a growing number of Win10 machines. I have two Samba
>> servers 4.9.5-Debian on Debian Buster running as DCs. For ID mapping
>
> Can I suggest you have a look here: https://apt.van-belle.nl/
> 4.9.5 is really old
>

OK, until now I still hesitated to leave the Debian packages repo, but I'll definitely check this out.

>> I'm using the RFC-2307 AD.
>> I set up the bidirectional Sysvol replication as documented in the Wiki
>> with the unison/rsync workaround.
>>
>> As samba-tool complained about some Sysvol permissions error, I've done
>> a sysvolreset as advised in the wiki
>> https://wiki.samba.org/index.php/Sysvolreset, because my Domain Admins
>> group had a gidNumber.
>
> Can I suggest you create another group and use that instead of Domain
> Admins.

This is what I already did this morning. I created a new admin group using the same gidNumber as Domain Admins had before and removed the gidNumber from Domain Admins. After that I resynchronized idmap.ldb to the second DC, including net cache flush on both DCs. I also removed idmap_ldb:use rfc2307 = yes from my DCs' configuration and restarted them.

>>
>> The Sysvol seems OK on the machine to which I connected, but the
>> ACL changes during the sysvolreset don't get synchronized to the
>> other DC.
>
> That is correct, you also need to sync idmap.ldb from the DC with the
> PDC_Emulator FSMO role to all other DC's.

Does this mean I always have to do a manual full resync to my second DC when I only change ACLs on the policies?
On Fri, 2021-07-30 at 10:29 +0200, Thomas Kempf via samba wrote:
> Hi Rowland,
>
> OK, until now I still hesitated to leave the Debian packages repo, but
> I'll definitely check this out.

I suppose that I should mention that Louis is a Samba team member and lots of people (including myself) use his repo.

>
> This is what I already did this morning. I created a new admin group
> using the same gidNumber as Domain Admins had before and removed the
> gidNumber from Domain Admins. After that I resynchronized idmap.ldb to
> the second DC, including net cache flush on both DCs. I also removed
> idmap_ldb:use rfc2307 = yes from my DCs' configuration and restarted them.

You didn't need to do both, not having 'idmap_ldb:use rfc2307 = yes' on a DC means 'do not use any rfc2307 attributes on this DC', so the Domain Admins gidNumber would be ignored. If you only use a DC for authentication, you do not need the line.

> >> The Sysvol seems OK on the machine to which I connected, but the
> >> ACL changes during the sysvolreset don't get synchronized to the
> >> other DC.

You have to run sysvolreset on all DC's.

> > That is correct, you also need to sync idmap.ldb from the DC with the
> > PDC_Emulator FSMO role to all other DC's.
>
> Does this mean I always have to do a manual full resync to my second DC
> when I only change ACLs on the policies?

Any time you alter Sysvol, you need to sync it to the other DC's, but this doesn't mean that you need to sync idmap.ldb, only if you have made user or group changes.

Rowland
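The procedure Rowland describes (push Sysvol to the other DC after every change, push idmap.ldb only after user or group changes, and run sysvolreset on every DC) as a small POSIX shell script. This is an added example for this thread, not Samba project code and not the wiki's script. It assumes Debian's default paths /var/lib/samba/sysvol and /var/lib/samba/private/idmap.ldb, root SSH from the PDC emulator to the peer, tdbbackup from the tdb-tools package, and the placeholder peer hostname "dc2"; none of these come from the thread.

```shell
#!/bin/sh
# Push Sysvol (and, on request, idmap.ldb) from the PDC emulator to a second DC.
# Added example for this thread: not Samba project code and not the wiki's script.
# Assumptions not taken from the thread: Debian's default Samba paths
# /var/lib/samba/sysvol and /var/lib/samba/private/idmap.ldb, root SSH from the
# PDC emulator to the peer, tdbbackup installed (package tdb-tools), and the
# placeholder peer hostname "dc2".
set -eu

SYSVOL=${SYSVOL:-/var/lib/samba/sysvol}
IDMAP=${IDMAP:-/var/lib/samba/private/idmap.ldb}
PEER=${PEER:-dc2}
SYNC_IDMAP=${SYNC_IDMAP:-0}   # set to 1 only after user or group changes
DRY_RUN=${DRY_RUN:-0}         # set to 1 to print the commands instead of running them

# rsync command for Sysvol. -X carries the security.NTACL extended attributes
# that sysvolreset writes and -A the POSIX ACLs; without them the peer receives
# the files but not the permissions. --delete-after mirrors removed GPOs too.
sysvol_rsync_cmd() {
    printf 'rsync -XAavz --delete-after %s/ root@%s:%s/' "$SYSVOL" "$1" "$SYSVOL"
}

# idmap.ldb is a TDB database; copying it while samba writes to it can yield a
# torn file, so take a consistent snapshot named idmap.ldb.bak first.
idmap_backup_cmd() {
    printf 'tdbbackup -s .bak %s' "$IDMAP"
}

# What the peer must run once idmap.ldb.bak has landed: install the snapshot,
# drop the cached SID<->uid/gid mappings, then rebuild the Sysvol ACLs locally
# (sysvolreset has to be run on every DC).
peer_install_cmd() {
    printf 'mv %s.bak %s && net cache flush && samba-tool ntacl sysvolreset' "$IDMAP" "$IDMAP"
}

# What the peer runs after a Sysvol-only sync: just the ACL rebuild.
peer_sysvol_cmd() {
    printf 'samba-tool ntacl sysvolreset'
}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else sh -c "$1"; fi
}

# Guard: idmap.ldb must only ever flow out of the DC holding the PDC emulator
# role, so refuse to run anywhere else. The owner DN printed by
# "samba-tool fsmo show" contains the DC's NetBIOS name as a CN component.
on_pdc_emulator() {
    samba-tool fsmo show | grep -iq "PdcEmulationMasterRole owner: CN=NTDS Settings,CN=$(hostname -s),"
}

main() {
    if [ "$DRY_RUN" != 1 ] && ! on_pdc_emulator; then
        echo "refusing: $(hostname -s) does not hold the PDC emulator role" >&2
        return 1
    fi
    run "$(sysvol_rsync_cmd "$PEER")"
    if [ "$SYNC_IDMAP" = 1 ]; then
        run "$(idmap_backup_cmd)"
        run "scp $IDMAP.bak root@$PEER:$IDMAP.bak"
        run "ssh root@$PEER '$(peer_install_cmd)'"
    else
        run "ssh root@$PEER '$(peer_sysvol_cmd)'"
    fi
}

# Only act when invoked with --sync, so the file can be sourced for its functions.
if [ "${1:-}" = "--sync" ]; then main; fi
```

Run it on the PDC emulator as `DRY_RUN=1 sh sysvol-sync.sh --sync` first to see the commands, then without DRY_RUN; add `SYNC_IDMAP=1` only after creating, deleting or renumbering users or groups. The filesystem holding Sysvol on both DCs must be mounted with acl and user_xattr support, or the -X/-A flags have nothing to write to.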