On 22 November 2017 at 17:45, Rowland Penny <rpenny at samba.org> wrote:
> On Wed, 22 Nov 2017 16:01:17 +0200
> Ian Coetzee via samba <samba at lists.samba.org> wrote:
>
> > Hi Guys,
> >
> > I have run into a very interesting problem using GPO's on our DC's.
> >
> > As you may (or may not) know, we have migrated to a pure Samba4 (Git
> > stable branch checkout) AD network. I can't be happier. *Kudos to the
> > Samba team*
> >
> > We are running two DC's, DC1 and DC2, both full fledged DC's, both
> > running CentOS 6.9, fully up to date.
> >
> > For the sysvol partition I decided to run a glusterfs between the
> > DC's. I started out with a unison sync, but being the impatient
> > person I am, I needed more real time.
> >
> > Now my problem is with the permissions in the sysvol folder structure.
> >
>
> Sorry, but your problem is that you missed this:
>
> https://wiki.samba.org/index.php/Bidirectional_Rsync/osync_based_SysVol_replication_workaround#FAQ
>
> Where it quite clearly says this:
>
> Why can't I simply use a distributed filesystem like GlusterFS,
> Lustre, etc. for SysVol?
> A cluster file system with Samba requires CTDB to be able to do it
> safely. And CTDB and AD DC are incompatible.
>
> Rowland
>

Hi Rowland,

Yes, you are right, I completely missed that part.

I actually had the system set up using
https://wiki.samba.org/index.php/Bidirectional_Rsync/Unison_based_SysVol_replication_workaround

But then I decided to become creative with a glusterfs setup.

I now have an Osync set up (much easier IMO), but the permissions are
still not quite right, bringing me back to my idmap syncing question.

Kind regards
On Thu, 23 Nov 2017 14:01:03 +0200
Ian Coetzee via samba <samba at lists.samba.org> wrote:
> On 22 November 2017 at 17:45, Rowland Penny <rpenny at samba.org> wrote:
>
> > On Wed, 22 Nov 2017 16:01:17 +0200
> > Ian Coetzee via samba <samba at lists.samba.org> wrote:
> >
> > > Hi Guys,
> > >
> > > I have run into a very interesting problem using GPO's on our
> > > DC's.
> > >
> > > As you may (or may not) know, we have migrated to a pure Samba4
> > > (Git stable branch checkout) AD network. I can't be happier.
> > > *Kudos to the Samba team*
> > >
> > > We are running two DC's, DC1 and DC2, both full fledged DC's, both
> > > running CentOS 6.9, fully up to date.
> > >
> > > For the sysvol partition I decided to run a glusterfs between the
> > > DC's. I started out with a unison sync, but being the impatient
> > > person I am, I needed more real time.
> > >
> > > Now my problem is with the permissions in the sysvol folder
> > > structure.
> > >
> >
> > Sorry, but your problem is that you missed this:
> >
> > https://wiki.samba.org/index.php/Bidirectional_Rsync/osync_based_SysVol_replication_workaround#FAQ
> >
> > Where it quite clearly says this:
> >
> > Why can't I simply use a distributed filesystem like GlusterFS,
> > Lustre, etc. for SysVol?
> > A cluster file system with Samba requires CTDB to be able
> > to do it safely. And CTDB and AD DC are incompatible.
> >
> > Rowland
> >
>
> Hi Rowland,
>
> Yes, you are right, I completely missed that part.
>
> I actually had the system set up using
> https://wiki.samba.org/index.php/Bidirectional_Rsync/Unison_based_SysVol_replication_workaround
>
> But then I decided to become creative with a glusterfs setup.
>
> I now have an Osync set up (much easier IMO), but the permissions are
> still not quite right, bringing me back to my idmap syncing question.
>
> Kind regards

There are instructions here:

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_Groups_GID_Mappings

Rowland
On 23 November 2017 at 14:16, Rowland Penny <rpenny at samba.org> wrote:
> On Thu, 23 Nov 2017 14:01:03 +0200
> Ian Coetzee via samba <samba at lists.samba.org> wrote:
>
> > On 22 November 2017 at 17:45, Rowland Penny <rpenny at samba.org> wrote:
> >
> > > On Wed, 22 Nov 2017 16:01:17 +0200
> > > Ian Coetzee via samba <samba at lists.samba.org> wrote:
> > >
> > > > Hi Guys,
> > > >
> > > > I have run into a very interesting problem using GPO's on our
> > > > DC's.
> > > >
> > > > As you may (or may not) know, we have migrated to a pure Samba4
> > > > (Git stable branch checkout) AD network. I can't be happier.
> > > > *Kudos to the Samba team*
> > > >
> > > > We are running two DC's, DC1 and DC2, both full fledged DC's, both
> > > > running CentOS 6.9, fully up to date.
> > > >
> > > > For the sysvol partition I decided to run a glusterfs between the
> > > > DC's. I started out with a unison sync, but being the impatient
> > > > person I am, I needed more real time.
> > > >
> > > > Now my problem is with the permissions in the sysvol folder
> > > > structure.
> > > >
> > >
> > > Sorry, but your problem is that you missed this:
> > >
> > > https://wiki.samba.org/index.php/Bidirectional_Rsync/osync_based_SysVol_replication_workaround#FAQ
> > >
> > > Where it quite clearly says this:
> > >
> > > Why can't I simply use a distributed filesystem like GlusterFS,
> > > Lustre, etc. for SysVol?
> > > A cluster file system with Samba requires CTDB to be able
> > > to do it safely. And CTDB and AD DC are incompatible.
> > >
> > > Rowland
> > >
> >
> > Hi Rowland,
> >
> > Yes, you are right, I completely missed that part.
> >
> > I actually had the system set up using
> > https://wiki.samba.org/index.php/Bidirectional_Rsync/Unison_based_SysVol_replication_workaround
> >
> > But then I decided to become creative with a glusterfs setup.
> >
> > I now have an Osync set up (much easier IMO), but the permissions are
> > still not quite right, bringing me back to my idmap syncing question.
> >
> > Kind regards
>
> There are instructions here:
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_Groups_GID_Mappings
>

Hi Rowland,

I followed that howto. I copied the idmap.tdb.bak from dc1 to dc2 and
restarted samba on dc2, but a getfacl on the sysvol directory gives me
the wrong mappings.

My issue is with AD groups on the permissions of the Policies.

Should I make a nightly backup of the idmap.tdb on dc1 and sync it to
dc2 perhaps?

Kind regards
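Added example, not from the thread or the Samba wiki: a small shell check that compares the SID-to-GID mappings two DCs report for the groups that sysvol ACLs reference, so that a mismatch (the kind that makes getfacl show different groups on each DC) is caught right after an idmap sync rather than when a GPO fails to apply. The two mapping tables below are constructed inline; in real use each would be produced on its DC with `wbinfo --sid-to-gid <SID>` per SID, and the domain SID shown is a placeholder.

```shell
#!/bin/sh
# Constructed sample data: "<SID> <GID>" lines as each DC would report them.
# Built-in SIDs (S-1-5-32-544 Administrators, S-1-5-32-549 Server Operators,
# S-1-5-11 Authenticated Users) are real; the S-1-5-21-111-222-333 domain
# prefix is a placeholder, with RID 512 = Domain Admins and
# RID 520 = Group Policy Creator Owners.
DC1_MAP='S-1-5-32-544 3000000
S-1-5-32-549 3000001
S-1-5-11 3000002
S-1-5-21-111-222-333-512 3000003
S-1-5-21-111-222-333-520 3000004'

# dc2 disagrees on two groups: a different GID for Server Operators and for
# Group Policy Creator Owners (the situation an out-of-date idmap copy causes).
DC2_MAP='S-1-5-32-544 3000000
S-1-5-32-549 3000005
S-1-5-11 3000002
S-1-5-21-111-222-333-512 3000003
S-1-5-21-111-222-333-520 3000007'

# Print one line per SID whose GID differs (or is missing) on the second DC:
#   "<sid> dc1=<gid> dc2=<gid|missing>"
# No output means the two mapping tables agree for every SID in the first.
compare_idmap() {
    printf '%s\n' "$1" | while read -r sid gid1; do
        [ -n "$sid" ] || continue
        gid2=$(printf '%s\n' "$2" | awk -v s="$sid" '$1 == s { print $2 }')
        if [ "$gid1" != "$gid2" ]; then
            printf '%s dc1=%s dc2=%s\n' "$sid" "$gid1" "${gid2:-missing}"
        fi
    done
}

# Exit status 0 when every mapping in the first table matches the second.
idmap_consistent() {
    [ -z "$(compare_idmap "$1" "$2")" ]
}

# Stand-alone run: report the mismatches in the constructed sample.
compare_idmap "$DC1_MAP" "$DC2_MAP"
```

A clean result from this check only shows that both DCs translate the same SIDs to the same GIDs; the group names listed by `getfacl` on each DC's sysvol tree still need to be compared separately, since the synced files carry GIDs, not SIDs.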