samba - Oct 2015 - unique index violation on objectSid on samba ad

>And if you really want to work with cloning, then provision the first,
>join the second, do all your change, take a snapshot of both. Then you
>have the same setup again for the next customer. As long as the
>customers never will met and two of your systems come into the same
>network, is is no problem, because the domain would have the same name,
>SID, etc.
I did more or less so and it resulted in subj problem. I guess some
experiments is needed


2015-10-19 18:13 GMT+03:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
> Am 19.10.2015 um 16:02 schrieb Krutskikh Ivan:
> > Let me explain myself here. We ship video surveillance systems with
> > build-in ad domain controllers on 2 servers. Right now we have 4
active
> > projects and 3 more this year. Provisioning dc's by hand each time
is a
> > pain I would like to avoid.
> >
> > There's not much I want from a domain: groups 'video' and
'video admins'
> to
> > exist, gpo's to auto redirect user profiles to network share and
to
> prevent
> > users from video and video admins group from windows login and a some
> > specific password age settings.
>
>
> What is the reason to ship that system with an DC? I don't know your
> system, but usually this kind of equipment is something I want to
> _integrate_ into my network and not run it as a part that manages my
> network.
>
> Why not make it a domain member or standalone system with local users?
>
>
>
> > But if I would have to do this manually for every new system...
>
> You can script very easy around samba-tool the provisining, the join of
> the second DC, user/group creation, etc.
>
>
> And if you really want to work with cloning, then provision the first,
> join the second, do all your change, take a snapshot of both. Then you
> have the same setup again for the next customer. As long as the
> customers never will met and two of your systems come into the same
> network, is is no problem, because the domain would have the same name,
> SID, etc.
>
>
>
> Regards,
> Marc
>

The important thing in what says Marc is if you clone (whatever the way
used) your domains, if one person buy two of your devices to put them on
the same network, none will work.

2015-10-19 17:23 GMT+02:00 Krutskikh Ivan <stein.hak at gmail.com>:
> >And if you really want to work with cloning, then provision the first,
> >join the second, do all your change, take a snapshot of both. Then you
> >have the same setup again for the next customer. As long as the
> >customers never will met and two of your systems come into the same
> >network, is is no problem, because the domain would have the same name,
> >SID, etc.
>
> I did more or less so and it resulted in subj problem. I guess some
> experiments is needed
>
>
> 2015-10-19 18:13 GMT+03:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>
> > Am 19.10.2015 um 16:02 schrieb Krutskikh Ivan:
> > > Let me explain myself here. We ship video surveillance systems
with
> > > build-in ad domain controllers on 2 servers. Right now we have 4
active
> > > projects and 3 more this year. Provisioning dc's by hand each
time is a
> > > pain I would like to avoid.
> > >
> > > There's not much I want from a domain: groups 'video'
and 'video
> admins'
> > to
> > > exist, gpo's to auto redirect user profiles to network share
and to
> > prevent
> > > users from video and video admins group from windows login and a
some
> > > specific password age settings.
> >
> >
> > What is the reason to ship that system with an DC? I don't know
your
> > system, but usually this kind of equipment is something I want to
> > _integrate_ into my network and not run it as a part that manages my
> > network.
> >
> > Why not make it a domain member or standalone system with local users?
> >
> >
> >
> > > But if I would have to do this manually for every new system...
> >
> > You can script very easy around samba-tool the provisining, the join
of
> > the second DC, user/group creation, etc.
> >
> >
> > And if you really want to work with cloning, then provision the first,
> > join the second, do all your change, take a snapshot of both. Then you
> > have the same setup again for the next customer. As long as the
> > customers never will met and two of your systems come into the same
> > network, is is no problem, because the domain would have the same
name,
> > SID, etc.
> >
> >
> >
> > Regards,
> > Marc
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 19/10/15 16:23, Krutskikh Ivan wrote:
>> And if you really want to work with cloning, then provision the first,
>> join the second, do all your change, take a snapshot of both. Then you
>> have the same setup again for the next customer. As long as the
>> customers never will met and two of your systems come into the same
>> network, is is no problem, because the domain would have the same name,
>> SID, etc.
> I did more or less so and it resulted in subj problem. I guess some
> experiments is needed
>
>
> 2015-10-19 18:13 GMT+03:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>
>> Am 19.10.2015 um 16:02 schrieb Krutskikh Ivan:
>>> Let me explain myself here. We ship video surveillance systems with
>>> build-in ad domain controllers on 2 servers. Right now we have 4
active
>>> projects and 3 more this year. Provisioning dc's by hand each
time is a
>>> pain I would like to avoid.
>>>
>>> There's not much I want from a domain: groups 'video'
and 'video admins'
>> to
>>> exist, gpo's to auto redirect user profiles to network share
and to
>> prevent
>>> users from video and video admins group from windows login and a
some
>>> specific password age settings.
>>
>> What is the reason to ship that system with an DC? I don't know
your
>> system, but usually this kind of equipment is something I want to
>> _integrate_ into my network and not run it as a part that manages my
>> network.
>>
>> Why not make it a domain member or standalone system with local users?
>>
>>
>>
>>> But if I would have to do this manually for every new system...
>> You can script very easy around samba-tool the provisining, the join of
>> the second DC, user/group creation, etc.
>>
>>
>> And if you really want to work with cloning, then provision the first,
>> join the second, do all your change, take a snapshot of both. Then you
>> have the same setup again for the next customer. As long as the
>> customers never will met and two of your systems come into the same
>> network, is is no problem, because the domain would have the same name,
>> SID, etc.
>>
>>
>>
>> Regards,
>> Marc
>>
Will your appliance need to connect to other machines ? or is it a 
standalone thing ?
What I am trying to get at is, will it run as a domain controller for 
other machines, if not, then it sounds like overkill to me and it also 
sounds a bit like the machine I have for our CCTV cameras, it outputs to 
a monitor (in our case, a TV) and stores everything on a hard drive, a 
bit like a NAS with eyes :-D

Rowland

We actually sell whole systems with isolated lan and centralized
authentication and password management. Typically about 7 servers and 5
workstations.

2015-10-19 18:58 GMT+03:00 Rowland Penny <rowlandpenny241155 at
gmail.com>:
> On 19/10/15 16:23, Krutskikh Ivan wrote:
>
>> And if you really want to work with cloning, then provision the first,
>>> join the second, do all your change, take a snapshot of both. Then
you
>>> have the same setup again for the next customer. As long as the
>>> customers never will met and two of your systems come into the same
>>> network, is is no problem, because the domain would have the same
name,
>>> SID, etc.
>>>
>> I did more or less so and it resulted in subj problem. I guess some
>> experiments is needed
>>
>>
>> 2015-10-19 18:13 GMT+03:00 Marc Muehlfeld <mmuehlfeld at
samba.org>:
>>
>> Am 19.10.2015 um 16:02 schrieb Krutskikh Ivan:
>>>
>>>> Let me explain myself here. We ship video surveillance systems
with
>>>> build-in ad domain controllers on 2 servers. Right now we have
4 active
>>>> projects and 3 more this year. Provisioning dc's by hand
each time is a
>>>> pain I would like to avoid.
>>>>
>>>> There's not much I want from a domain: groups
'video' and 'video admins'
>>>>
>>> to
>>>
>>>> exist, gpo's to auto redirect user profiles to network
share and to
>>>>
>>> prevent
>>>
>>>> users from video and video admins group from windows login and
a some
>>>> specific password age settings.
>>>>
>>>
>>> What is the reason to ship that system with an DC? I don't know
your
>>> system, but usually this kind of equipment is something I want to
>>> _integrate_ into my network and not run it as a part that manages
my
>>> network.
>>>
>>> Why not make it a domain member or standalone system with local
users?
>>>
>>>
>>>
>>> But if I would have to do this manually for every new system...
>>>>
>>> You can script very easy around samba-tool the provisining, the
join of
>>> the second DC, user/group creation, etc.
>>>
>>>
>>> And if you really want to work with cloning, then provision the
first,
>>> join the second, do all your change, take a snapshot of both. Then
you
>>> have the same setup again for the next customer. As long as the
>>> customers never will met and two of your systems come into the same
>>> network, is is no problem, because the domain would have the same
name,
>>> SID, etc.
>>>
>>>
>>>
>>> Regards,
>>> Marc
>>>
>>>
> Will your appliance need to connect to other machines ? or is it a
> standalone thing ?
> What I am trying to get at is, will it run as a domain controller for
> other machines, if not, then it sounds like overkill to me and it also
> sounds a bit like the machine I have for our CCTV cameras, it outputs to a
> monitor (in our case, a TV) and stores everything on a hard drive, a bit
> like a NAS with eyes :-D
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>