Hello Rowland,

Thanks for your quick response.

We are syncing only sysvol from the first Domain Controller, but not idmap.ldb. Do we need to sync idmap.ldb as well?

-- 
Thanks & Regards,
Anantha Raghava

Do not print this e-mail unless required. Save Paper & trees.

On 12/07/18 6:20 PM, Rowland Penny via samba wrote:
> On Thu, 12 Jul 2018 18:13:47 +0530
> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> We have 4 Domain Controllers, all on CentOS 7.5 and Samba version 4.7.5.
>>
>> We are using inotify to watch the folder and push any changes made to GPOs from our first Domain Controller.
>>
>> Of late, we started observing that, unless the client is reading the Group Policies from the first Domain Controller, none of the Group Policies get applied. On the Windows clients, we have observed that clients are reporting an "Access Denied" error for Group Policy Objects on the other Domain Controllers.
>>
>> "samba-tool ntacl sysvolcheck" reports no errors on the GPOs on any Domain Controller. Yet the clients report "Access Denied" on all other DCs except the first one.
>>
>> What could have gone wrong? Any clues?
>>
> I take it you are syncing 'sysvol' to the DCs from the first DC, but are you also syncing idmap.ldb as well?
>
> Rowland
>
On Thu, 12 Jul 2018 18:31:42 +0530
Anantha Raghava via samba <samba at lists.samba.org> wrote:
> Hello Rowland,
>
> Thanks for your quick response.
>
> We are syncing only sysvol from the first Domain Controller, but not idmap.ldb. Do we need to sync idmap.ldb as well?
>

Yes, users and groups are mapped in idmap.ldb on a first-come basis, which means you are highly likely to get different ID numbers on each DC. This means that a group could get the ID '3000002' on the first DC and '3000022' on another, and '3000002' on the second DC could be another user/group.

Rowland
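To make the point above concrete, here is an added example (it is not from this thread and not Samba project code): a small Python checker that parses two dumps of idmap.ldb and lists every place where a second DC's SID-to-xidNumber allocation disagrees with the first DC's. The attribute names (`objectSid`, `xidNumber`, `type`, the `CN=CONFIG` allocator record) follow what idmap.ldb's sidMap entries contain; the two LDIF dumps, the domain SID, the RIDs and the numbers are constructed for illustration, and the function names are my own.

```python
"""Added example: spot idmap.ldb divergence between two Samba AD DCs.

idmap.ldb hands out xidNumbers (the POSIX uid/gid used for a SID) in the
order each DC first sees the SID, so two DCs can disagree.  This parses two
LDIF dumps of idmap.ldb and reports every disagreement that matters for an
rsync'd sysvol.  Both dumps below are constructed for the example.
"""
from typing import Dict, List, Optional

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # made-up domain SID

# Constructed dump in the shape of `ldbsearch -H .../idmap.ldb` output.
DC1_LDIF = f"""\
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000000
xidNumber: 3000005

dn: CN={DOMAIN}-512
objectClass: sidMap
objectSid: {DOMAIN}-512
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN={DOMAIN}-1105
objectClass: sidMap
objectSid: {DOMAIN}-1105
type: ID_TYPE_BOTH
xidNumber: 3000003

dn: CN={DOMAIN}-1106
objectClass: sidMap
objectSid: {DOMAIN}-1106
type: ID_TYPE_BOTH
xidNumber: 3000004
"""

# The second DC allocated in a different order: RID 1105 was seen first,
# RID 1106 has never been seen there, and RID 512 landed much later.
DC2_LDIF = f"""\
dn: CN={DOMAIN}-1105
objectClass: sidMap
objectSid: {DOMAIN}-1105
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN={DOMAIN}-512
objectClass: sidMap
objectSid: {DOMAIN}-512
type: ID_TYPE_BOTH
xidNumber: 3000022
"""


def parse_idmap_ldif(text: str) -> Dict[str, int]:
    """Map objectSid -> xidNumber for every sidMap entry in an LDIF dump.

    Records without an objectSid (the CN=CONFIG allocator) are skipped and
    LDIF continuation lines (leading space) are folded into the previous value.
    """
    mapping: Dict[str, int] = {}
    for block in text.strip().split("\n\n"):
        attrs: Dict[str, str] = {}
        prev: Optional[str] = None
        for line in block.splitlines():
            if line.startswith(" ") and prev is not None:   # folded continuation
                attrs[prev] += line[1:]
                continue
            if ":" not in line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            prev = key.strip()
            attrs[prev] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping


def compare_idmaps(src: Dict[str, int], dst: Dict[str, int]) -> Dict[str, List[tuple]]:
    """Report how dst (a secondary DC) disagrees with src (the DC sysvol is copied from).

    divergent : SIDs known to both DCs but given different xidNumbers
    missing   : SIDs mapped on src with no entry on dst (their ACL entries dangle)
    collisions: src xidNumbers that dst has handed to a *different* SID, so an
                ACL entry copied from src grants that xid's rights to the wrong principal
    """
    dst_by_xid = {xid: sid for sid, xid in dst.items()}
    report: Dict[str, List[tuple]] = {"divergent": [], "missing": [], "collisions": []}
    for sid, xid in sorted(src.items(), key=lambda kv: kv[1]):
        if sid not in dst:
            report["missing"].append((sid, xid))
        elif dst[sid] != xid:
            report["divergent"].append((sid, xid, dst[sid]))
        other = dst_by_xid.get(xid)
        if other is not None and other != sid:
            report["collisions"].append((xid, sid, other))
    return report


def resolve_xid_on_dc(idmap: Dict[str, int], xid: int) -> Optional[str]:
    """Which SID does a POSIX ACL entry carrying `xid` actually name on this DC?"""
    for sid, mapped in idmap.items():
        if mapped == xid:
            return sid
    return None


if __name__ == "__main__":
    report = compare_idmaps(parse_idmap_ldif(DC1_LDIF), parse_idmap_ldif(DC2_LDIF))
    for kind, rows in report.items():
        for row in rows:
            print(kind, *row)
```

On real DCs the input would come from `ldbsearch -H /var/lib/samba/private/idmap.ldb` run on each DC (the path depends on how Samba was installed) and fed to `parse_idmap_ldif`. A `collisions` row is exactly the case in the reply above: xidNumber 3000002 means the RID 512 group on the first DC, but the RID 1105 group on the second, so a uid/gid copied over with the sysvol ACLs names the wrong principal there. The `type` attribute and the CONFIG record are parsed but not compared.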
Hi,

But all users/groups should have the same IDs on all DCs, right? That's what we had thought all these days.

Suppose we sync idmap.ldb along with sysvol: will it not call for a restart of the samba-ad-dc service every time changes to GPs are made?

-- 
Thanks & Regards,
Anantha Raghava

Do not print this e-mail unless required. Save Paper & trees.

On 12/07/18 6:42 PM, Rowland Penny via samba wrote:
> On Thu, 12 Jul 2018 18:31:42 +0530
> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>
>> Hello Rowland,
>>
>> Thanks for your quick response.
>>
>> We are syncing only sysvol from the first Domain Controller, but not idmap.ldb. Do we need to sync idmap.ldb as well?
>>
> Yes, users and groups are mapped in idmap.ldb on a first-come basis, which means you are highly likely to get different ID numbers on each DC. This means that a group could get the ID '3000002' on the first DC and '3000022' on another, and '3000002' on the second DC could be another user/group.
>
> Rowland
>