On Mon, 2016-05-02 at 07:44 +1000, John Gardeniers wrote:
> Hi Andrew,
>
> Please elaborate, as we're about to put it on Samba 4.2. Thanks.

Please don't use 4.2 with the sudo schema. At a client, we have seen that cause database corruption when combined with multiple DCs, specifically duplicate values in the database that sssd really didn't like. It will also require you to run dbcheck from Samba 4.3 or later before you can replicate with a Samba 4.3 DC.

Fixes for that made it into Samba 4.4.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Mon, 2 May 2016, Andrew Bartlett wrote:
> On Mon, 2016-05-02 at 07:44 +1000, John Gardeniers wrote:
>> Hi Andrew,
>>
>> Please elaborate, as we're about to put it on Samba 4.2. Thanks.
>
> Please don't use 4.2 with the sudo schema. At a client, we have seen
> that cause database corruption when combined with multiple DCs,
> specifically duplicate values in the database that sssd really didn't
> like. It will also require you to run dbcheck from Samba 4.3 or later
> before you can replicate with a Samba 4.3 DC.

Is this specific to 4.2? I am currently on 4.1 but planning to upgrade to 4.2 in the near future since 4.1 is no longer supported by anyone. I had previously installed the sudo schema on 4.1, but I was never able to get it to work. Maybe I should remove it before upgrading?

BTW, I have seen occasional issues with replication of deleted entries that required me to manually go and delete them on the non-master DCs. Is this possibly related?

You either have to list the full group name in sudoers, i.e. DOMAIN\groupname, or use the option "winbind use default domain = yes", for one thing. I'm not sure if you need enumeration, but I like seeing domain users and groups with getent, so I have the options

winbind enum users = yes
winbind enum groups = yes

On Mon, May 2, 2016 at 6:11 AM, Sketch <smblist at rednsx.org> wrote:
> On Mon, 2 May 2016, Andrew Bartlett wrote:
>
>> On Mon, 2016-05-02 at 07:44 +1000, John Gardeniers wrote:
>>
>>> Hi Andrew,
>>>
>>> Please elaborate, as we're about to put it on Samba 4.2. Thanks.
>>>
>>
>> Please don't use 4.2 with the sudo schema. At a client, we have seen
>> that cause database corruption when combined with multiple DCs,
>> specifically duplicate values in the database that sssd really didn't
>> like. It will also require you to run dbcheck from Samba 4.3 or later
>> before you can replicate with a Samba 4.3 DC.
>>
>
> Is this specific to 4.2? I am currently on 4.1 but planning to upgrade to
> 4.2 in the near future since 4.1 is no longer supported by anyone. I had
> previously installed the sudo schema on 4.1, but I was never able to get it
> to work. Maybe I should remove it before upgrading?
>
> BTW, I have seen occasional issues with replication of deleted entries
> that required me to manually go and delete them on the non-master DCs. Is
> this possibly related?

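The two ways of naming an AD group in sudoers described in the message above, written out as an added example that is not part of the original thread. EXAMPLE, linux-admins and the drop-in file name are placeholders.

```conf
# --- /etc/samba/smb.conf on the domain member (fragment) ---
[global]
    # Present domain accounts without the DOMAIN\ prefix.
    winbind use default domain = yes
    # Optional: let "getent passwd" / "getent group" list domain accounts.
    # Enumeration can be slow in large domains.
    winbind enum users = yes
    winbind enum groups = yes

# --- /etc/sudoers.d/domain-admins (placeholder name; edit with visudo -f) ---
# With "winbind use default domain = yes" the short group name resolves:
%linux-admins ALL=(ALL) ALL

# Without it, give the full name. sudoers treats "\" as an escape
# character, so the domain separator is written as a doubled backslash:
# %EXAMPLE\\linux-admins ALL=(ALL) ALL
```
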
On Mon, 2016-05-02 at 07:11 -0500, Sketch wrote:
> On Mon, 2 May 2016, Andrew Bartlett wrote:
>
> > On Mon, 2016-05-02 at 07:44 +1000, John Gardeniers wrote:
> > > Hi Andrew,
> > >
> > > Please elaborate, as we're about to put it on Samba 4.2. Thanks.
> >
> > Please don't use 4.2 with the sudo schema. At a client, we have seen
> > that cause database corruption when combined with multiple DCs,
> > specifically duplicate values in the database that sssd really didn't
> > like. It will also require you to run dbcheck from Samba 4.3 or later
> > before you can replicate with a Samba 4.3 DC.
>
> Is this specific to 4.2?

No.

> I am currently on 4.1 but planning to upgrade to 4.2 in the near
> future since 4.1 is no longer supported by anyone. I had previously
> installed the sudo schema on 4.1, but I was never able to get it to
> work. Maybe I should remove it before upgrading?

That won't help (and you can't remove schema anyway). Just upgrade, samba-tool dbcheck --cross-ncs --fix, and then use the schema.

> BTW, I have seen occasional issues with replication of deleted entries
> that required me to manually go and delete them on the non-master DCs.
> Is this possibly related?

I'm not sure without much more detail.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Thanks Andrew. That's good to know. Our project is now on hold.

regards,
John

On 02/05/16 17:17, Andrew Bartlett wrote:
> On Mon, 2016-05-02 at 07:44 +1000, John Gardeniers wrote:
>> Hi Andrew,
>>
>> Please elaborate, as we're about to put it on Samba 4.2. Thanks.
> Please don't use 4.2 with the sudo schema. At a client, we have seen
> that cause database corruption when combined with multiple DCs,
> specifically duplicate values in the database that sssd really didn't
> like. It will also require you to run dbcheck from Samba 4.3 or later
> before you can replicate with a Samba 4.3 DC.
>
> Fixes for that made it into Samba 4.4.
>
> Andrew Bartlett
>