On 10/4/2016 11:22 AM, Rowland Penny via samba wrote:
> See inline comments:
>
> On Tue, 4 Oct 2016 10:44:07 -0400
> Bob Thomas via samba <samba at lists.samba.org> wrote:
>
>> Hey Samba team - Thanks for all your work
>>
>> I have three production Samba 4 DCs, two running on Ubuntu 16.04 (Samba
>> 4.4.5 and 4.4.4) and one on 14.04 (Samba 4.3.3), all working well for
>> the most part. However, to keep everything in sync I set up osync for
>> syncing Sysvol. As recent conversations on the list indicate,
>> following the sync operation I lose access to sysvol until I run
>> 'samba-tool ntacl sysvolreset' - that's not my concern.
>>
>> While looking into the issue, I have found that the three
>> /var/lib/samba/private/idmap.ldb files are drastically different
>> between the three controllers, with the first DC having the most
>> complete.
>>
> Yes, they are very likely to be different, but it doesn't matter if you
> are using 'winbindd' on the DCs; it knows what number is who. All you
> need to do is run 'sysvolreset' after the sync, and osync can be set to
> do this for you.
>
>> So my first question is, can I simply copy the first DC's idmap.ldb
>> to the other DCs to get them the same?
>>
> You can if you want to, but you would also have to keep syncing it, and
> you would have to stop Samba before you backed up idmap.ldb before
> copying it.
>
>> My second question is, based on Rowland's repeated advice about
>> smb.conf - should I remove the idmap config lines from the DCs, and
>> if so will it have any impact on their operation?
> The idmap config lines do nothing on a DC; it will either use the
> xidNumbers found in idmap.ldb or be overridden by any uidNumbers found
> in AD.
> You don't have to remove them, Samba will just ignore them.
>
> Rowland
>
My understanding (someone please correct me if I am wrong) is that if you
use RFC2307 and provide each user and group a UID and GID, you do not need
to sync idmap.ldb. If not, you will need to sync idmap.ldb because Samba
uses XIDs for mapping. This is only relevant if you have users or
computers that are accessing services being served from a Linux device.
Windows users and computers use SIDs and RIDs, which are synced
automatically by Samba across all DCs.

-- 
-James
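To make the mapping Rowland and James describe concrete, here is an added Python example; it is not code from the Samba project or from anyone in this thread. It parses the LDIF that ldbsearch prints for idmap.ldb on each DC, applies the precedence from Rowland's reply (a uidNumber/gidNumber set on the AD object wins, otherwise the DC's own xidNumber from idmap.ldb, and a SID with neither is allocated on demand by that DC's winbindd), and reports the SIDs for which two DCs resolve to different POSIX ids. Those are exactly the identities whose sysvol ACLs stop lining up after a file-level sync, which is why 'sysvolreset' is needed afterwards. The three dumps, the DC names and the RFC2307 table are constructed for the example; the ldbsearch invocation in the docstring is the assumed way to produce such a dump.

```python
"""Compare SID -> POSIX id mappings across several Samba AD DCs.

Added example, not Samba project code. Each dump is assumed to come from
running this on a DC (attribute list keeps the output small):

    ldbsearch -H /var/lib/samba/private/idmap.ldb \
        '(objectClass=sidMap)' objectSid xidNumber type

The dumps and the RFC2307 table below are constructed for the example.
"""
import re

# Constructed ldbsearch output for three DCs. dc1 and dc2 allocated
# different xidNumbers for RID 1104 (no uidNumber in AD), the classic
# case from the thread; dc3 has never seen 1104 or 1105 at all.
DC_DUMPS = {
    "dc1": """# record 1
dn: CN=S-1-5-21-1111-2222-3333-512
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_UID
xidNumber: 3000012

# record 3
dn: CN=S-1-5-21-1111-2222-3333-1105
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_UID
xidNumber: 3000013

# returned 3 records
""",
    "dc2": """# record 1
dn: CN=S-1-5-21-1111-2222-3333-512
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_UID
xidNumber: 3000020

# record 3
dn: CN=S-1-5-21-1111-2222-3333-1105
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_UID
xidNumber: 3000030

# returned 3 records
""",
    "dc3": """# record 1
dn: CN=S-1-5-21-1111-2222-3333-512
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_BOTH
xidNumber: 3000000

# returned 1 records
""",
}

# Constructed RFC2307 data: SID -> uidNumber/gidNumber set on the AD object.
# Only RID 1105 has one, so its idmap.ldb entries are irrelevant.
RFC2307 = {"S-1-5-21-1111-2222-3333-1105": 10005}


def parse_idmap_ldif(text):
    """Return {sid: (xid, type)} from an ldbsearch LDIF dump.

    Records are separated by blank lines; '#' lines are comments; a line
    starting with a space continues the previous attribute value (LDIF
    folding). Base64 values ('attr:: ...') do not occur for these three
    attributes in idmap.ldb and are skipped rather than decoded.
    """
    mappings = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs, last_key = {}, None
        for line in record.splitlines():
            if not line or line.startswith("#"):
                continue
            if line.startswith(" ") and last_key:
                attrs[last_key] += line[1:]
                continue
            key, _, value = line.partition(":")
            if value.startswith(":"):  # base64-encoded value, not handled
                last_key = None
                continue
            last_key = key.strip()
            attrs[last_key] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            mappings[attrs["objectSid"]] = (int(attrs["xidNumber"]),
                                            attrs.get("type", ""))
    return mappings


def effective_id(sid, local_idmap, rfc2307):
    """POSIX id this DC would use for sid, and where it came from.

    Precedence as stated in the thread: RFC2307 attribute in AD wins,
    otherwise the DC's own xidNumber, otherwise nothing yet (winbindd will
    allocate a fresh xid when first asked, possibly a different one per DC).
    """
    if sid in rfc2307:
        return rfc2307[sid], "rfc2307"
    if sid in local_idmap:
        return local_idmap[sid][0], "idmap.ldb"
    return None, "unallocated"


def find_conflicts(dumps, rfc2307):
    """Return {sid: {dc: posix_id}} for SIDs that resolve differently on
    two or more DCs. A SID unknown to one DC is not a conflict by itself."""
    idmaps = {dc: parse_idmap_ldif(t) for dc, t in dumps.items()}
    all_sids = set().union(*idmaps.values()) | set(rfc2307)
    conflicts = {}
    for sid in sorted(all_sids):
        ids = {}
        for dc, mapping in idmaps.items():
            value, _ = effective_id(sid, mapping, rfc2307)
            if value is not None:
                ids[dc] = value
        if len(set(ids.values())) > 1:
            conflicts[sid] = ids
    return conflicts


def demo():
    """Run the comparison over the constructed dumps and print a report."""
    conflicts = find_conflicts(DC_DUMPS, RFC2307)
    for sid, ids in conflicts.items():
        print(f"{sid}: " + ", ".join(f"{dc}={xid}" for dc, xid in sorted(ids.items())))
    return conflicts


if __name__ == "__main__":
    demo()
```

With the constructed input only RID 1104 is reported: it has no uidNumber in AD and each DC handed it a different xidNumber, so a sysvol file owned by that user on dc1 carries a POSIX id that means nothing (or someone else) on dc2. RID 1105 differs in idmap.ldb too, but its AD uidNumber overrides both, which is the case James describes where syncing idmap.ldb is unnecessary.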
On Tue, 4 Oct 2016 11:43:45 -0400
lingpanda101--- via samba <samba at lists.samba.org> wrote:
> My understanding (someone please correct me if I am wrong) is that if
> you use RFC2307 and provide each user and group a UID and GID, you do
> not need to sync idmap.ldb. If not, you will need to sync idmap.ldb
> because Samba uses XIDs for mapping. This is only relevant if you have
> users or computers that are accessing services being served from a
> Linux device. Windows users and computers use SIDs and RIDs, which are
> synced automatically by Samba across all DCs.
>
You don't have to sync idmap.ldb at all, just use sysvolreset after
each sysvol sync (this is provided you are using winbindd).
Your last sentence explains why.

Rowland
On 10/4/2016 11:54 AM, Rowland Penny wrote:
> On Tue, 4 Oct 2016 11:43:45 -0400
> lingpanda101--- via samba <samba at lists.samba.org> wrote:
>> My understanding (someone please correct me if I am wrong) is that if
>> you use RFC2307 and provide each user and group a UID and GID, you do
>> not need to sync idmap.ldb. If not, you will need to sync idmap.ldb
>> because Samba uses XIDs for mapping. This is only relevant if you have
>> users or computers that are accessing services being served from a
>> Linux device. Windows users and computers use SIDs and RIDs, which are
>> synced automatically by Samba across all DCs.
>>
> You don't have to sync idmap.ldb at all, just use sysvolreset after
> each sysvol sync (this is provided you are using winbindd).
> Your last sentence explains why.
>
> Rowland
I thought sysvolreset and winbindd were only applicable to builtin
groups. Manually created users and groups must still be kept in sync.

-- 
-James