Rowland Penny
2016-Oct-02 10:24 UTC
[Samba] GID mappings of built-in groups when adding additional dc
On Sun, 2 Oct 2016 11:45:15 +0200 Achim Gottinger via samba <samba at lists.samba.org> wrote:
>
> On 02.10.2016 at 08:20, Trenta sis via samba wrote:
> > Hi,
> >
> > I have a samba 4.4.5 AD domain and it is working perfectly, but now I
> > need to add a second samba 4 AD. I have found that the correct steps are
> > detailed in
> > https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory
> > My question is about the step related to winbind (tdbbackup) built-in
> > groups, where a message appears: "*NOTE: Only do this if you are running
> > a version of Samba before 4.2.0 or are using the built-in winbind.*" but
> > I'm not sure if in my environment I have to do this step.
> >
> > I have installed and configured samba 4.4.5 from sources and only
> > added
> > https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#libnss_winbind
> > https://wiki.samba.org/index.php/Libnss_winbind_links
> >
> > In my environment, is tdbbackup needed when you add a second DC?
> >
> > Thanks
> The step "GID mapping of built-in groups" is still required with
> 4.4.5, no matter if you use winbind or winbindd.
>

This is no longer required on any supported version of Samba, you just need to run 'samba-tool ntacl sysvolreset'

Rowland
Achim Gottinger
2016-Oct-02 10:44 UTC
[Samba] GID mappings of built-in groups when adding additional dc
On 02.10.2016 at 12:24, Rowland Penny via samba wrote:
> On Sun, 2 Oct 2016 11:45:15 +0200
> Achim Gottinger via samba <samba at lists.samba.org> wrote:
>
> >
> > On 02.10.2016 at 08:20, Trenta sis via samba wrote:
> > > Hi,
> > >
> > > I have a samba 4.4.5 AD domain and it is working perfectly, but now I
> > > need to add a second samba 4 AD. I have found that the correct steps are
> > > detailed in
> > > https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory
> > > My question is about the step related to winbind (tdbbackup) built-in
> > > groups, where a message appears: "*NOTE: Only do this if you are running
> > > a version of Samba before 4.2.0 or are using the built-in winbind.*" but
> > > I'm not sure if in my environment I have to do this step.
> > >
> > > I have installed and configured samba 4.4.5 from sources and only
> > > added
> > > https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#libnss_winbind
> > > https://wiki.samba.org/index.php/Libnss_winbind_links
> > >
> > > In my environment, is tdbbackup needed when you add a second DC?
> > >
> > > Thanks
> > The step "GID mapping of built-in groups" is still required with
> > 4.4.5, no matter if you use winbind or winbindd.
> >
> This is no longer required on any supported version of Samba, you just
> need to run 'samba-tool ntacl sysvolreset'
>
> Rowland

We discussed this a while back, back then you did not have the time to compare your rsync setup.

It is still required if you do not want to run sysvolreset after each rsync of the sysvol folders.
Achim Gottinger
2016-Oct-02 10:58 UTC
[Samba] GID mappings of built-in groups when adding additional dc
On 02.10.2016 at 12:44, Achim Gottinger via samba wrote:
>
> On 02.10.2016 at 12:24, Rowland Penny via samba wrote:
> > On Sun, 2 Oct 2016 11:45:15 +0200
> > Achim Gottinger via samba <samba at lists.samba.org> wrote:
> >
> > >
> > > On 02.10.2016 at 08:20, Trenta sis via samba wrote:
> > > > Hi,
> > > >
> > > > I have a samba 4.4.5 AD domain and it is working perfectly, but now I
> > > > need to add a second samba 4 AD. I have found that the correct steps are
> > > > detailed in
> > > > https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory
> > > > My question is about the step related to winbind (tdbbackup) built-in
> > > > groups, where a message appears: "*NOTE: Only do this if you are running
> > > > a version of Samba before 4.2.0 or are using the built-in winbind.*" but
> > > > I'm not sure if in my environment I have to do this step.
> > > >
> > > > I have installed and configured samba 4.4.5 from sources and only
> > > > added
> > > > https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#libnss_winbind
> > > > https://wiki.samba.org/index.php/Libnss_winbind_links
> > > >
> > > > In my environment, is tdbbackup needed when you add a second DC?
> > > >
> > > > Thanks
> > > The step "GID mapping of built-in groups" is still required with
> > > 4.4.5, no matter if you use winbind or winbindd.
> > >
> > This is no longer required on any supported version of Samba, you just
> > need to run 'samba-tool ntacl sysvolreset'
> >
> > Rowland
> We discussed this a while back, back then you did not have the time to
> compare your rsync setup.
>
> It is still required if you do not want to run sysvolreset after each
> rsync of the sysvol folders.

If the mappings in idmap.tdb are not the same there will always be a small timeframe with incorrect access rights on sysvol. If a client connects in this timeframe it may not have access to GPOs and scripts. Or even worse, an attacker may have unwanted access rights on the sysvol share.
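The window Achim describes, as an added example that is not part of the thread or of Samba: two constructed per-DC SID-to-GID tables (the "SID GID" line format is an assumption, assembled from per-SID wbinfo --sid-to-gid lookups) and a constructed `getfacl -n` listing of a sysvol directory as rsync left it on the second DC. The script lists the built-in SIDs that are mapped differently and shows which numeric group entries therefore resolve to a different group on DC2 until sysvolreset rewrites them.

```python
import re

# Well-known BUILTIN SIDs that sysvol ACLs refer to (the SID values are real).
BUILTIN_NAMES = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
}

def parse_idmap(text):
    """Parse 'SID GID' pairs (constructed format, one per line) into {gid: sid}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].startswith("S-1-"):
            table[int(parts[1])] = parts[0]
    return table

def idmap_mismatches(src, dst):
    """Built-in SIDs whose GID differs between the two DCs (or is missing on one)."""
    by_sid_src = {sid: gid for gid, sid in src.items()}
    by_sid_dst = {sid: gid for gid, sid in dst.items()}
    return sorted(s for s in BUILTIN_NAMES if by_sid_src.get(s) != by_sid_dst.get(s))

# Matches the numeric owner-group header and named group entries of `getfacl -n`.
ACL_GROUP = re.compile(r"^(?:# group: |group:)(\d+)(?::([rwx-]{3}))?$")

def acl_drift(acl_text, src, dst):
    """Group entries whose GID, copied verbatim by rsync from the source DC,
    resolves to a different SID on the destination DC: (gid, perms, meant, got)."""
    drift = []
    for line in acl_text.splitlines():
        m = ACL_GROUP.match(line.strip())
        if m:
            gid = int(m.group(1))
            if src.get(gid) != dst.get(gid):
                drift.append((gid, m.group(2) or "owner-group", src.get(gid), dst.get(gid)))
    return drift

# Constructed sample: DC2 allocated GIDs to the same three groups in a different order.
DC1_IDMAP = "S-1-5-32-544 3000000\nS-1-5-32-549 3000001\nS-1-5-32-545 3000002\n"
DC2_IDMAP = "S-1-5-32-545 3000000\nS-1-5-32-544 3000001\nS-1-5-32-549 3000002\n"
# Constructed `getfacl -n` output for a sysvol directory as rsync left it on DC2.
SYSVOL_ACL = ("# file: sysvol/example.com/Policies\n# owner: 3000000\n# group: 3000000\n"
              "user::rwx\ngroup::rwx\ngroup:3000001:rwx\ngroup:3000002:r-x\n"
              "mask::rwx\nother::---\n")

if __name__ == "__main__":
    src, dst = parse_idmap(DC1_IDMAP), parse_idmap(DC2_IDMAP)
    print("built-in SIDs mapped differently:", idmap_mismatches(src, dst))
    for gid, perms, want, got in acl_drift(SYSVOL_ACL, src, dst):
        print(f"gid {gid} ({perms}): meant for {BUILTIN_NAMES.get(want)}, "
              f"grants {BUILTIN_NAMES.get(got)} on DC2")
```

With the sample tables, the rwx entry intended for BUILTIN\Administrators is held by BUILTIN\Users on DC2 until sysvolreset runs; identical tables produce no drift.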
Rowland Penny
2016-Oct-02 10:59 UTC
[Samba] GID mappings of built-in groups when adding additional dc
On Sun, 2 Oct 2016 12:44:52 +0200 Achim Gottinger via samba <samba at lists.samba.org> wrote:
>
> On 02.10.2016 at 12:24, Rowland Penny via samba wrote:
> > On Sun, 2 Oct 2016 11:45:15 +0200
> > Achim Gottinger via samba <samba at lists.samba.org> wrote:
> >
> > >
> > > On 02.10.2016 at 08:20, Trenta sis via samba wrote:
> > > > Hi,
> > > >
> > > > I have a samba 4.4.5 AD domain and it is working perfectly, but now I
> > > > need to add a second samba 4 AD. I have found that the correct steps are
> > > > detailed in
> > > > https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory
> > > > My question is about the step related to winbind (tdbbackup) built-in
> > > > groups, where a message appears: "*NOTE: Only do this if you are running
> > > > a version of Samba before 4.2.0 or are using the built-in winbind.*" but
> > > > I'm not sure if in my environment I have to do this step.
> > > >
> > > > I have installed and configured samba 4.4.5 from sources and only
> > > > added
> > > > https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#libnss_winbind
> > > > https://wiki.samba.org/index.php/Libnss_winbind_links
> > > >
> > > > In my environment, is tdbbackup needed when you add a second DC?
> > > >
> > > > Thanks
> > > The step "GID mapping of built-in groups" is still required with
> > > 4.4.5, no matter if you use winbind or winbindd.
> > >
> > This is no longer required on any supported version of Samba, you
> > just need to run 'samba-tool ntacl sysvolreset'
> >
> > Rowland
> We discussed this a while back, back then you did not have the time
> to compare your rsync setup.
>
> It is still required if you do not want to run sysvolreset after each
> rsync of the sysvol folders.
>

No it isn't, if you are using winbindd on the DCs, you only need to sync sysvol and then run sysvolreset, you can do this automatically with osync, see here:

https://wiki.samba.org/index.php/Bidirectional_Rsync/osync_based_SysVol_replication_workaround

Rowland