On 20/06/16 18:49, lingpanda101 at gmail.com wrote:
> On 6/20/2016 1:19 PM, lists wrote:
>> Hi all,
>>
>> Following this thread with interest, as we are also having some
>> issues with GPO (they work on and off, unpredictably).
>> We checked idmap.ldb on the DCs and noticed differences between DCs.
>>
>> We would like to ask some questions:
>>
>> On 10-6-2016 9:26, Rowland penny wrote:
>>> Well, it is and it isn't, yes winbindd will display the user & group
>>> names for sysvol, but sysvol still isn't replicated between DCs. I
>>> think this means that when you sync sysvol manually, you will get the
>>> IDs from the first DC applied to sysvol on the second DC and if there
>>> is a difference in ID numbers between the DCs, you will either just
>>> get a number or, even worse, a wrong name returned.
>>>
>>> I could be wrong, but I still think you need to keep idmap.ldb in sync
>>> on all DCs, if you are syncing sysvol.
>>
>> We are on sernet-samba-4.4.4 on the DCs, and "winbindd -D" is running
>> on the DCs.
>>
>> We understand we need to keep idmap.ldb in sync. We did this in the
>> past, but it seems they have gotten out of sync again.
>> One question: HOW OFTEN do we need to manually sync the idmap.ldb
>> files? After each and every regular user addition/deletion?
>>
>> We are currently on sernet-4.4.4 on the 3 DCs, but on our fileserver
>> we are still on samba 4.2.11 and sssd. Would that last bit have any
>> impact on the GPO situation..? (I don't think so, because GPOs are on
>> the DCs and not on the fileserver..?)
>>
>> Since our idmap.ldb differs per DC, HOW to choose which one to copy
>> to the other DCs? Choosing wrongly will probably have major
>> implications..?
>>
>> Sorry to ask so many questions, hopefully someone will answer.
>>
>> Best regards,
>> MJ
>>
>
> Mine are also out of sync. Using Samba 4.4.4 on Ubuntu 12.04. I no
> longer keep the idmap.ldb in sync as I thought this was no longer
> needed since version 4.2 or greater unless using winbind.
>
> I also never would reset sysvol on the other DCs when replicating
> using rsync. I don't believe it was ever in the wiki. Clarification
> from someone would be helpful.
>

If you use Samba < 4.2.0 with the 'winbind' part of the 'samba' binary,
then you had to, but if you use Samba >= 4.2.0, then this uses the
separate 'winbindd' binary and this will map the BUILTIN users & groups
correctly.

Rowland
On 6/20/2016 2:10 PM, Rowland penny wrote:
> On 20/06/16 18:49, lingpanda101 at gmail.com wrote:
>> On 6/20/2016 1:19 PM, lists wrote:
>>> Hi all,
>>>
>>> Following this thread with interest, as we are also having some
>>> issues with GPO (they work on and off, unpredictably).
>>> We checked idmap.ldb on the DCs and noticed differences between DCs.
>>>
>>> We would like to ask some questions:
>>>
>>> On 10-6-2016 9:26, Rowland penny wrote:
>>>> Well, it is and it isn't, yes winbindd will display the user & group
>>>> names for sysvol, but sysvol still isn't replicated between DCs. I
>>>> think this means that when you sync sysvol manually, you will get the
>>>> IDs from the first DC applied to sysvol on the second DC and if there
>>>> is a difference in ID numbers between the DCs, you will either just
>>>> get a number or, even worse, a wrong name returned.
>>>>
>>>> I could be wrong, but I still think you need to keep idmap.ldb in sync
>>>> on all DCs, if you are syncing sysvol.
>>>
>>> We are on sernet-samba-4.4.4 on the DCs, and "winbindd -D" is
>>> running on the DCs.
>>>
>>> We understand we need to keep idmap.ldb in sync. We did this in the
>>> past, but it seems they have gotten out of sync again.
>>> One question: HOW OFTEN do we need to manually sync the idmap.ldb
>>> files? After each and every regular user addition/deletion?
>>>
>>> We are currently on sernet-4.4.4 on the 3 DCs, but on our fileserver
>>> we are still on samba 4.2.11 and sssd. Would that last bit have any
>>> impact on the GPO situation..? (I don't think so, because GPOs are
>>> on the DCs and not on the fileserver..?)
>>>
>>> Since our idmap.ldb differs per DC, HOW to choose which one to copy
>>> to the other DCs? Choosing wrongly will probably have major
>>> implications..?
>>>
>>> Sorry to ask so many questions, hopefully someone will answer.
>>>
>>> Best regards,
>>> MJ
>>>
>>
>> Mine are also out of sync. Using Samba 4.4.4 on Ubuntu 12.04. I no
>> longer keep the idmap.ldb in sync as I thought this was no longer
>> needed since version 4.2 or greater unless using winbind.
>>
>> I also never would reset sysvol on the other DCs when replicating
>> using rsync. I don't believe it was ever in the wiki. Clarification
>> from someone would be helpful.
>>
>
> If you use Samba < 4.2.0 with the 'winbind' part of the 'samba'
> binary, then you had to, but if you use Samba >= 4.2.0, then this uses
> the separate 'winbindd' binary and this will map the BUILTIN users &
> groups correctly.
>
> Rowland
>

I completely missed the BUILTIN part. That explains my issue. That
means for all other users idmap.ldb must be kept in sync?

-- 
-James
On 20/06/16 19:17, lingpanda101 at gmail.com wrote:
> On 6/20/2016 2:10 PM, Rowland penny wrote:
>> On 20/06/16 18:49, lingpanda101 at gmail.com wrote:
>>> On 6/20/2016 1:19 PM, lists wrote:
>>>> Hi all,
>>>>
>>>> Following this thread with interest, as we are also having some
>>>> issues with GPO (they work on and off, unpredictably).
>>>> We checked idmap.ldb on the DCs and noticed differences between DCs.
>>>>
>>>> We would like to ask some questions:
>>>>
>>>> On 10-6-2016 9:26, Rowland penny wrote:
>>>>> Well, it is and it isn't, yes winbindd will display the user & group
>>>>> names for sysvol, but sysvol still isn't replicated between DCs. I
>>>>> think this means that when you sync sysvol manually, you will get
>>>>> the IDs from the first DC applied to sysvol on the second DC and if
>>>>> there is a difference in ID numbers between the DCs, you will either
>>>>> just get a number or, even worse, a wrong name returned.
>>>>>
>>>>> I could be wrong, but I still think you need to keep idmap.ldb in
>>>>> sync on all DCs, if you are syncing sysvol.
>>>>
>>>> We are on sernet-samba-4.4.4 on the DCs, and "winbindd -D" is
>>>> running on the DCs.
>>>>
>>>> We understand we need to keep idmap.ldb in sync. We did this in the
>>>> past, but it seems they have gotten out of sync again.
>>>> One question: HOW OFTEN do we need to manually sync the idmap.ldb
>>>> files? After each and every regular user addition/deletion?
>>>>
>>>> We are currently on sernet-4.4.4 on the 3 DCs, but on our
>>>> fileserver we are still on samba 4.2.11 and sssd. Would that last
>>>> bit have any impact on the GPO situation..? (I don't think so,
>>>> because GPOs are on the DCs and not on the fileserver..?)
>>>>
>>>> Since our idmap.ldb differs per DC, HOW to choose which one to copy
>>>> to the other DCs? Choosing wrongly will probably have major
>>>> implications..?
>>>>
>>>> Sorry to ask so many questions, hopefully someone will answer.
>>>>
>>>> Best regards,
>>>> MJ
>>>>
>>>
>>> Mine are also out of sync. Using Samba 4.4.4 on Ubuntu 12.04. I no
>>> longer keep the idmap.ldb in sync as I thought this was no longer
>>> needed since version 4.2 or greater unless using winbind.
>>>
>>> I also never would reset sysvol on the other DCs when replicating
>>> using rsync. I don't believe it was ever in the wiki. Clarification
>>> from someone would be helpful.
>>>
>>
>> If you use Samba < 4.2.0 with the 'winbind' part of the 'samba'
>> binary, then you had to, but if you use Samba >= 4.2.0, then this
>> uses the separate 'winbindd' binary and this will map the BUILTIN
>> users & groups correctly.
>>
>> Rowland
>>
>
> I completely missed the BUILTIN part. That explains my issue. That
> means for all other users idmap.ldb must be kept in sync?
>

No, it seems that it now works similar to the 'rid' backend: if a user
connects to a share on the DC, that user's username is used for any
files/directories created by the user.

Rowland
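MJ's question of which DC's idmap.ldb to copy, and Rowland's warning that a SID mapped to a different ID number on each DC shows up on synced sysvol files as a bare number or the wrong name, both come down to knowing where the two databases actually disagree before anything is overwritten. The script below is an added example, not code from this thread or from the Samba project: it dumps the SID-to-xidNumber records from idmap.ldb on two DCs with ldbsearch and reports every SID that is missing on one side or that carries a different xidNumber or type. It assumes idmap.ldb is at /var/lib/samba/private/idmap.ldb (self-built Samba uses /usr/local/samba/private; override with IDMAP_DB), that the ldb tools are installed on each DC, and that the remote DC accepts ssh as root; the host names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): compare the SID -> xidNumber
# mappings held in idmap.ldb on two Samba AD DCs and print exactly where they differ.
#
# Assumptions not stated in the thread: idmap.ldb lives at the path below (self-built
# Samba uses /usr/local/samba/private), ldbsearch is installed on every DC, and remote
# DCs accept ssh as root.

IDMAP_DB="${IDMAP_DB:-/var/lib/samba/private/idmap.ldb}"

# dump_idmap HOST
# Print the LDIF of every sidMap record in idmap.ldb. "local" reads the DC we are on,
# any other value is queried over ssh.
dump_idmap() {
    if [ "$1" = local ]; then
        ldbsearch -H "$IDMAP_DB" '(objectClass=sidMap)' objectSid xidNumber type
    else
        ssh "root@$1" "ldbsearch -H '$IDMAP_DB' '(objectClass=sidMap)' objectSid xidNumber type"
    fi
}

# sidmap_table
# Read ldbsearch LDIF on stdin and emit one sorted line per record:
#   <objectSid> <xidNumber> <type>
# ldbsearch separates records with a blank line, so a blank line flushes the current
# record; the "# record N" and "# returned N records" comment lines are ignored.
sidmap_table() {
    awk '
        /^objectSid: / { sid = $2 }
        /^xidNumber: / { xid = $2 }
        /^type: /      { typ = $2 }
        /^$/           { if (sid != "") print sid, xid, typ; sid = xid = typ = "" }
        END            { if (sid != "") print sid, xid, typ }
    ' | LC_ALL=C sort
}

# idmap_diff TABLE_A TABLE_B
# Compare two tables written by sidmap_table. Prints one line per SID that exists on
# only one DC or that maps differently (a CONFLICT, the case Rowland describes: the same
# SID with a different ID number on each DC). Exit status 0 when the tables agree,
# 1 when they differ, 2 when a table is empty (a failed dump must not look like "agree").
idmap_diff() {
    [ -s "$1" ] && [ -s "$2" ] || { echo "idmap_diff: empty table" >&2; return 2; }
    awk '
        NR == FNR { a[$1] = $2 " " $3; next }            # first table: SID -> "xid type"
        {
            seen[$1] = 1
            if (!($1 in a))              { print "only on second DC:", $1, $2, $3; n++ }
            else if (a[$1] != $2 " " $3) { print "CONFLICT:", $1, "first=" a[$1], "second=" $2, $3; n++ }
        }
        END {
            for (s in a) if (!(s in seen)) { print "only on first DC:", s, a[s]; n++ }
            exit (n > 0)
        }
    ' "$1" "$2"
}

# compare_dcs HOST_A HOST_B
# Dump both DCs into temporary tables and report the differences; exit status follows
# idmap_diff, so the script can be used from cron or a sync job.
compare_dcs() {
    tmp=$(mktemp -d) || return 2
    dump_idmap "$1" | sidmap_table > "$tmp/a"
    dump_idmap "$2" | sidmap_table > "$tmp/b"
    idmap_diff "$tmp/a" "$tmp/b"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage: ./idmap-compare.sh local dc2   (compare this DC against the DC named dc2)
if [ "$#" -eq 2 ]; then
    compare_dcs "$1" "$2"
fi
```

Rows for S-1-5-32-* SIDs are the BUILTIN groups Rowland mentions; with a separate winbindd on Samba 4.2 or later those are resolved by winbindd, so the rows that matter for sysvol ownership are the domain SIDs (S-1-5-21-...). Once the report shows which DC holds the mapping you want to keep, take a consistent copy of that DC's idmap.ldb with tdbbackup rather than copying the live file, put it on the other DCs, and run `samba-tool ntacl sysvolreset` on each receiving DC so the sysvol ACLs are rewritten against the mapping it now holds.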