Michael Tokarev
2022-Nov-22 19:36 UTC
[Samba] several offices: home dirs, local resources, ...
22.11.2022 21:59, cn--- via samba wrote:
> Sorry for top posting.

That's entirely okay, thank you!

> To say it is try to answer your questions.
>
> Why not to use a dc as file server:
>
> It is slower. Because e. g. All the traffic is signed.
> Because every DC uses its own idmap file you have to keep that in sync and use the AD idmap backend. Rid for example does not work I think.
> The Fileserver on a DC behaves differently with regards to Administrator mappings.

Yeah. All this seems to be irrelevant in the context of domain-level MSDFS root shares, whose only purpose is to give the connecting client a referral, - where to find the actual data (server/share), and clients even cache this info.

idmap needs to be synchronized anyway, or else sysvol permissions can't be synchronized properly. Yes, idmap_rid doesn't work, actually the whole idmap config* is ignored, winbind in ad uses its own way for idmapping.

> As for the DNS:
>
> It does work to use another DNS Server. However, this is a lot of manual labor and if it does not work, folks here are likely to say it is your DNS.

The second part is very much understandable, I faced it already several times :)

For the first, it is not difficult at all, - grabbing dns_update_cache files from servers (much easier when all of them are containers on the same server so directly accessible from the host filesystem) to a host which manages dns, and converting them into regular dns zone format with a trivial 3-line shell fragment, -- it is all set up in some 10 minutes, especially if config synchronization is already working between the offices. And once any file changes, the zone is regenerated and signed automatically, and downstream resolvers are notified and update the zone content.

> As for your roaming profile question:
> You can specify a GPO to a site. That should help you if I understood your question right.

Can you give an example please?
I can't find a way to map home/profile path to a site-specific name, - be the GPO itself site-specific or not. It smells like GPO can be used there, but I can't find a way to do that.

Thank you very much Christian!

Your reply makes me hope (just a little bit), maybe my questions aren't completely stupid after all.. :)

/mjt
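The dns_update_cache-to-zone conversion Michael describes above, written out as an added example; it is not code from the thread or from Samba. It assumes the cache file uses the same `TYPE name target [port]` line format as samba_dnsupdate's dns_update_list, and that SRV records should carry priority 0 and weight 100 as samba_dnsupdate registers them (both are assumptions to check against your own DC's file). The sample cache lines, the zone `ad.example.org` and the site name `office2` are constructed.

```shell
#!/bin/sh
# Added example: turn a Samba DC's dns_update_cache into BIND-style zone records.
# Assumed input format (same as samba_dnsupdate's dns_update_list, one record per line):
#   A     <name> <ip>          AAAA <name> <ip6>
#   CNAME <name> <target>      NS   <name> <target>
#   SRV   <name> <target> <port>
# SRV priority 0 / weight 100 are assumed to match what samba_dnsupdate registers.

# usage: cache_to_zone <zone-origin>   (cache lines on stdin, zone records on stdout)
cache_to_zone() {
    awk -v origin="$1" '
    # Make a name relative to the origin; names outside the zone stay absolute.
    function rel(n,   l) {
        l = length(origin)
        if (n == origin) return "@"
        if (length(n) > l + 1 && substr(n, length(n) - l) == "." origin)
            return substr(n, 1, length(n) - l - 1)
        return n "."
    }
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    $1 == "A" || $1 == "AAAA" {
        printf "%s\tIN\t%s\t%s\n", rel($2), $1, $3; next
    }
    $1 == "CNAME" || $1 == "NS" {
        printf "%s\tIN\t%s\t%s.\n", rel($2), $1, $3; next
    }
    $1 == "SRV" {
        printf "%s\tIN\tSRV\t0 100 %s %s.\n", rel($2), $4, $3; next
    }
    { print "; unhandled line: " $0 > "/dev/stderr" }   # never drop a record silently
    '
}

# Constructed sample cache (not from a real DC): two DCs in different sites.
SAMPLE_CACHE='A dc1.ad.example.org 10.0.0.1
A dc2.ad.example.org 10.0.1.1
NS ad.example.org dc1.ad.example.org
CNAME 11111111-2222-3333-4444-555555555555._msdcs.ad.example.org dc1.ad.example.org
SRV _ldap._tcp.ad.example.org dc1.ad.example.org 389
SRV _kerberos._tcp.office2._sites.dc._msdcs.ad.example.org dc2.ad.example.org 88'

printf '%s\n' "$SAMPLE_CACHE" | cache_to_zone ad.example.org
```

The function emits resource records only; the `$TTL`, SOA and signing come from whatever zone template the DNS-managing host already uses, which is where the "regenerate and sign on change" step lives. Anything the script does not recognise goes to stderr rather than being dropped, so a new record type in a future Samba version shows up in the regeneration log instead of quietly vanishing from the zone.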
Kees van Vloten
2022-Nov-22 19:53 UTC
[Samba] several offices: home dirs, local resources, ...
On 22-11-2022 20:36, Michael Tokarev via samba wrote:
> 22.11.2022 21:59, cn--- via samba wrote:
>> Sorry for top posting.
>
> That's entirely okay, thank you!
>
>> To say it is try to answer your questions.
>>
>> Why not to use a dc as file server:
>>
>> It is slower. Because e. g. All the traffic is signed.
>> Because every DC uses its own idmap file you have to keep that in sync and use the AD idmap backend. Rid for example does not work I think.
>> The Fileserver on a DC behaves differently with regards to Administrator mappings.
>
> Yeah. All this seems to be irrelevant in the context of domain-level MSDFS root shares, whose only purpose is to give the connecting client a referral, - where to find the actual data (server/share), and clients even cache this info.
>
> idmap needs to be synchronized anyway, or else sysvol permissions can't be synchronized properly.
> Yes, idmap_rid doesn't work, actually the whole idmap config* is ignored, winbind in ad uses its own way for idmapping.
>
>> As for the DNS:
>>
>> It does work to use another DNS Server. However, this is a lot of manual labor and if it does not work, folks here are likely to say it is your DNS.
>
> The second part is very much understandable, I faced it already several times :)
>
> For the first, it is not difficult at all, - grabbing dns_update_cache files from servers (much easier when all of them are containers on the same server so directly accessible from the host filesystem) to a host which manages dns, and converting them into regular dns zone format with a trivial 3-line shell fragment, -- it is all set up in some 10 minutes, especially if config synchronization is already working between the offices. And once any file changes, the zone is regenerated and signed automatically, and downstream resolvers are notified and update the zone content.
>
>> As for your roaming profile question:
>> You can specify a GPO to a site. That should help you if I understood your question right.
>
> Can you give an example please? I can't find a way to map home/profile path to a site-specific name, - be the GPO itself site-specific or not. It smells like GPO can be used there, but I can't find a way to do that.
>

Indeed you can link a GPO to a site instead of an OU. Additionally you can filter it to a group. That way only group-members within the linked object (site) get the GPO applied.

> Thank you very much Christian!
>
> Your reply makes me hope (just a little bit), maybe my questions aren't completely stupid after all.. :)
>
> /mjt
>
cn at brain-biotech.de
2022-Nov-22 19:59 UTC
[Samba] several offices: home dirs, local resources, ...
Maybe this helps? https://serverfault.com/questions/936172/active-directory-site-level-group-policy-not-applied

On 22 November 2022 20:36:04 CET, Michael Tokarev via samba <samba at lists.samba.org> wrote:
> 22.11.2022 21:59, cn--- via samba wrote:
>> Sorry for top posting.
>
> That's entirely okay, thank you!
>
>> To say it is try to answer your questions.
>>
>> Why not to use a dc as file server:
>>
>> It is slower. Because e. g. All the traffic is signed.
>> Because every DC uses its own idmap file you have to keep that in sync and use the AD idmap backend. Rid for example does not work I think.
>> The Fileserver on a DC behaves differently with regards to Administrator mappings.
>
> Yeah. All this seems to be irrelevant in the context of domain-level MSDFS root shares, whose only purpose is to give the connecting client a referral, - where to find the actual data (server/share), and clients even cache this info.
>
> idmap needs to be synchronized anyway, or else sysvol permissions can't be synchronized properly.
> Yes, idmap_rid doesn't work, actually the whole idmap config* is ignored, winbind in ad uses its own way for idmapping.
>
>> As for the DNS:
>>
>> It does work to use another DNS Server. However, this is a lot of manual labor and if it does not work, folks here are likely to say it is your DNS.
>
> The second part is very much understandable, I faced it already several times :)
>
> For the first, it is not difficult at all, - grabbing dns_update_cache files from servers (much easier when all of them are containers on the same server so directly accessible from the host filesystem) to a host which manages dns, and converting them into regular dns zone format with a trivial 3-line shell fragment, -- it is all set up in some 10 minutes, especially if config synchronization is already working between the offices. And once any file changes, the zone is regenerated and signed automatically, and downstream resolvers are notified and update the zone content.
>
>> As for your roaming profile question:
>> You can specify a GPO to a site. That should help you if I understood your question right.
>
> Can you give an example please? I can't find a way to map home/profile path to a site-specific name, - be the GPO itself site-specific or not. It smells like GPO can be used there, but I can't find a way to do that.
>
> Thank you very much Christian!
>
> Your reply makes me hope (just a little bit), maybe my questions aren't completely stupid after all.. :)
>
> /mjt
>

-- 
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development
BRAIN Biotech AG
Darmstaedter Str. 34-36
64673 Zwingenberg, Germany
T: +49 6251 9331-30
F: +49 6251 9331-11
cn at brain-biotech.com
www.brain-biotech.com

Registered office: Zwingenberg | Bergstrasse
Register court: AG Darmstadt | HRB 24758
Management board: Adriaan Moelker (Chairman of the board) | Michael Schneiders
Chairman of the supervisory board: Dr. Georg Kellinghusen