Hi Carlos,

> DC to DC2/DC3 ->
>
> /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root at samba-dc102:/opt/samba/var/locks/
>
> /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root at samba-dc102:/opt/samba/var/locks/

Looking at your smb.conf file, you are using tdb idmap (default on DC). So the UID/SID mapping will be different on the different DCs, and your rsync will thus mess up the ACLs of sysvol. ACLs on sysvol are very important, otherwise GPOs won't be applied.

So it is logical for you to have to apply sysvolreset after your rsync.

One way to avoid that would be to copy idmap.ldb from your first DC to the other two DCs. The other way would be to configure rfc2307, but I'd say it is too much of a hassle.

Cheers,

Denis

> Regards
>
> On 10-01-2018 11:59, Carlos wrote:
>> Hi!
>>
>> I have 3 Samba 4 DCs, version 4.7.3, running on Ubuntu Server 16.04.
>>
>> All is ok, but the GPO on DC3 has a permission error and doesn't load in Windows (gpresult /force).
>>
>> My smb.conf on all Samba DC servers:
>>
>> [global]
>> netbios name = SAMBA-DC103
>> realm = <DOMAIN>
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>> workgroup = XXXXXXX
>>
>> ldap server require strong auth = no
>>
>> [netlogon]
>> path = /opt/samba/var/locks/sysvol/<DOMAIN>/scripts
>> read only = No
>>
>> [sysvol]
>> path = /opt/samba/var/locks/sysvol
>> read only = No
>>
>> To resolve it I run "samba-tool ntacl sysvolreset", but I see it is not a good idea (https://lists.samba.org/archive/samba/2017-March/207236.html).
>>
>> Any ideas?
>>
>> Regards;

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
Hi,

how do I do that?
And what would be the possible problems? (Both are in production)

"One way to avoid that would be to copy idmap.ldb from your first DC to the other two DCs."

Regards;

On 11-01-2018 14:42, Denis Cardon wrote:
> Hi Carlos,
>
>> DC to DC2/DC3 ->
>>
>> /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root at samba-dc102:/opt/samba/var/locks/
>>
>> /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root at samba-dc102:/opt/samba/var/locks/
>
> Looking at your smb.conf file, you are using tdb idmap (default on DC). So the UID/SID mapping will be different on the different DCs, and your rsync will thus mess up the ACLs of sysvol. ACLs on sysvol are very important, otherwise GPOs won't be applied.
>
> So it is logical for you to have to apply sysvolreset after your rsync.
>
> One way to avoid that would be to copy idmap.ldb from your first DC to the other two DCs. The other way would be to configure rfc2307, but I'd say it is too much of a hassle.
>
> Cheers,
>
> Denis
>
>> Regards
>>
>> On 10-01-2018 11:59, Carlos wrote:
>>> Hi!
>>>
>>> I have 3 Samba 4 DCs, version 4.7.3, running on Ubuntu Server 16.04.
>>>
>>> All is ok, but the GPO on DC3 has a permission error and doesn't load in Windows (gpresult /force).
>>>
>>> My smb.conf on all Samba DC servers:
>>>
>>> [global]
>>> netbios name = SAMBA-DC103
>>> realm = <DOMAIN>
>>> server role = active directory domain controller
>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>> workgroup = XXXXXXX
>>>
>>> ldap server require strong auth = no
>>>
>>> [netlogon]
>>> path = /opt/samba/var/locks/sysvol/<DOMAIN>/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /opt/samba/var/locks/sysvol
>>> read only = No
>>>
>>> To resolve it I run "samba-tool ntacl sysvolreset", but I see it is not a good idea (https://lists.samba.org/archive/samba/2017-March/207236.html).
>>>
>>> Any ideas?
>>>
>>> Regards;
On Thu, 11 Jan 2018 17:42:19 +0100
Denis Cardon via samba <samba at lists.samba.org> wrote:

> Hi Carlos,
>
>> DC to DC2/DC3 ->
>>
>> /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root at samba-dc102:/opt/samba/var/locks/
>>
>> /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root at samba-dc102:/opt/samba/var/locks/
>
> Looking at your smb.conf file, you are using tdb idmap (default on DC). So the UID/SID mapping will be different on the different DCs, and your rsync will thus mess up the ACLs of sysvol. ACLs on sysvol are very important, otherwise GPOs won't be applied.
>
> So it is logical for you to have to apply sysvolreset after your rsync.
>
> One way to avoid that would be to copy idmap.ldb from your first DC to the other two DCs. The other way would be to configure rfc2307, but I'd say it is too much of a hassle.

If you are going to configure rfc2307 (I take this to mean adding uidNumber & gidNumber attributes to AD), do not give Domain Admins a gidNumber; this will turn the group into just a group. This might seem a strange thing to say, but Domain Admins is mapped to both a group AND a user in idmap.ldb, and the group needs to own GPOs in Sysvol, which it cannot if it is just a group.

Rowland
On Thu, 11 Jan 2018 15:50:40 -0200
Carlos via samba <samba at lists.samba.org> wrote:

> Hi,
>
> how do I do that?
> And what would be the possible problems? (Both are in production)
>
> "One way to avoid that would be to copy idmap.ldb from your first DC to the other two DCs."
>

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings

Rowland
Hello,

copying idmap is fairly straightforward.

1) On your first DC (the one that has the PDC FSMO role and is the source for rsync), create a backup of idmap.ldb:

   tdbbackup -s .bak /path/to/samba/private/idmap.ldb

   It will create idmap.ldb.bak.

2) Stop the samba service on the second DC.

3) Copy idmap.ldb.bak from the first DC to the second DC, lose the .bak suffix and just copy it over idmap.ldb on the second DC.

4) Start samba on the second DC.

I'm not sure if it's necessary, but you can flush the winbindd cache:

   net cache flush

And that's it. No problems occurred for me when I did that.

On 11.01.2018 at 18:50, Carlos via samba wrote:
> Hi,
>
> how do I do that?
> And what would be the possible problems? (Both are in production)
>
> "One way to avoid that would be to copy idmap.ldb from your first DC to the other two DCs."
>
> Regards;
>
> On 11-01-2018 14:42, Denis Cardon wrote:
>> Hi Carlos,
>>
>>> DC to DC2/DC3 ->
>>>
>>> /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root at samba-dc102:/opt/samba/var/locks/
>>>
>>> /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root at samba-dc102:/opt/samba/var/locks/
>>
>> Looking at your smb.conf file, you are using tdb idmap (default on DC). So the UID/SID mapping will be different on the different DCs, and your rsync will thus mess up the ACLs of sysvol. ACLs on sysvol are very important, otherwise GPOs won't be applied.
>>
>> So it is logical for you to have to apply sysvolreset after your rsync.
>>
>> One way to avoid that would be to copy idmap.ldb from your first DC to the other two DCs. The other way would be to configure rfc2307, but I'd say it is too much of a hassle.
>>
>> Cheers,
>>
>> Denis
>>
>>> Regards
>>>
>>> On 10-01-2018 11:59, Carlos wrote:
>>>> Hi!
>>>>
>>>> I have 3 Samba 4 DCs, version 4.7.3, running on Ubuntu Server 16.04.
>>>>
>>>> All is ok, but the GPO on DC3 has a permission error and doesn't load in Windows (gpresult /force).
>>>>
>>>> My smb.conf on all Samba DC servers:
>>>>
>>>> [global]
>>>> netbios name = SAMBA-DC103
>>>> realm = <DOMAIN>
>>>> server role = active directory domain controller
>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>> workgroup = XXXXXXX
>>>>
>>>> ldap server require strong auth = no
>>>>
>>>> [netlogon]
>>>> path = /opt/samba/var/locks/sysvol/<DOMAIN>/scripts
>>>> read only = No
>>>>
>>>> [sysvol]
>>>> path = /opt/samba/var/locks/sysvol
>>>> read only = No
>>>>
>>>> To resolve it I run "samba-tool ntacl sysvolreset", but I see it is not a good idea (https://lists.samba.org/archive/samba/2017-March/207236.html).
>>>>
>>>> Any ideas?
>>>>
>>>> Regards;
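A check worth running before copying idmap.ldb or rsync'ing sysvol with -A/-X, added here as an example and not part of the thread: it parses the LDIF that `ldbsearch -H /path/to/private/idmap.ldb` prints on two DCs (the sample output below is constructed, as are its SIDs and xidNumbers) and reports xidNumbers that map to different SIDs on each DC, which is exactly what makes copied ACLs point at the wrong identities, plus any Domain Admins entry that is not ID_TYPE_BOTH, the condition Rowland describes.

```python
"""Compare idmap.ldb exports from two DCs before rsync'ing sysvol with -A/-X.
Input is the LDIF that `ldbsearch -H /path/to/private/idmap.ldb` prints."""
# Constructed sample: both DCs handed out the same xidNumbers to different SIDs,
# and DC3 holds Domain Admins (RID 512) as a plain group instead of ID_TYPE_BOTH.
DC1_LDIF = """\
dn: CN=S-1-5-21-1111-2222-3333-512
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-1105
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_UID
xidNumber: 3000001
"""
DC3_LDIF = """\
dn: CN=S-1-5-21-1111-2222-3333-512
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_GID
xidNumber: 3000001

dn: CN=S-1-5-21-1111-2222-3333-1105
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_UID
xidNumber: 3000000
"""

def parse_idmap(ldif: str) -> dict[int, tuple[str, str]]:
    """Map xidNumber -> (objectSid, type); ldbsearch '#' comment lines are skipped."""
    table: dict[int, tuple[str, str]] = {}
    for record in ldif.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in record.splitlines()
                     if ": " in line and not line.startswith("#"))
        if "xidNumber" in attrs and "objectSid" in attrs:
            table[int(attrs["xidNumber"])] = (attrs["objectSid"], attrs.get("type", ""))
    return table

def idmap_conflicts(src_ldif: str, dst_ldif: str) -> list[str]:
    """One finding per xid that maps to different SIDs on the two DCs (a copied ACL
    carrying it changes identity), plus any Domain Admins entry not ID_TYPE_BOTH."""
    src, dst = parse_idmap(src_ldif), parse_idmap(dst_ldif)
    findings: list[str] = []
    for xid in sorted(set(src) & set(dst)):
        if src[xid][0] != dst[xid][0]:
            findings.append(f"xid {xid}: {src[xid][0]} on source, {dst[xid][0]} on destination")
    for name, table in (("source", src), ("destination", dst)):
        for sid, typ in table.values():
            if sid.endswith("-512") and typ != "ID_TYPE_BOTH":
                findings.append(f"{name}: Domain Admins {sid} is {typ}, not ID_TYPE_BOTH")
    return findings
```

An empty result from `idmap_conflicts` is the state you want before the rsync; any finding means the destination needs the source's idmap.ldb (step 3 above) before ACLs copied with -A/-X will mean the same thing there.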