Hi,

Thanks for the clarification.

However, we held back from implementing your suggestion and observed that after about 40 odd hours from the initial publishing of the policies, all clients connecting to any of the Domain Controllers started to get the policies. No client was throwing any error while applying the policies from any of the 4 Domain Controllers.

Does it mean that "idmap.ldb" is taking time to replicate automatically? Or is it some other issue? Nothing interesting about this is logged in Samba. Sysvol is getting replicated as soon as any policy is added, modified or deleted on the first domain controller.

Basically we are implementing "Software Whitelisting" policies and these are defined as computer policies. The error started to show up once the policy was linked.

Any hints on this behaviour?

--
Thanks & Regards,
Anantha Raghava

Do not print this e-mail unless required. Save Paper & trees.

On 12/07/18 7:01 PM, Rowland Penny via samba wrote:
> On Thu, 12 Jul 2018 18:49:06 +0530
> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> But, all user/groups should have the same ids on all DCs right?
>> That's what we had thought all these days? Suppose we sync the
>> idmap.ldb along with sysvol, will it not call for restart of
>> Samba-ad-dc service every time the changes to GPs are made?
>>
> Er, no, not by default, yes they will all have unique RIDs, but they
> are not guaranteed to have the same xidNumbers, in fact, I can almost
> guarantee they won't.
>
> You do not have to restart Samba, just run 'net cache flush'
>
> Rowland
>
On Mon, 16 Jul 2018 17:37:21 +0530
Anantha Raghava via samba <samba at lists.samba.org> wrote:

> Hi,
>
> Thanks for the clarification.
>
> However, we held back from implementing your suggestion and observed
> that after about 40 odd hours from the initial publishing of the
> policies, all clients connecting to any of the Domain Controllers
> started to get the policies. No client was throwing any error while
> applying the policies from any of the 4 Domain Controllers.

Good, but why the delay?

> Does it mean that "idmap.ldb" is taking time to replicate
> automatically?

'idmap.ldb' never replicates automatically, it must be done manually.

> Or is it some other issue? Nothing interesting about
> this is logged in Samba. Sysvol is getting replicated as soon as any
> policy is added, modified or deleted on the first domain controller.

How is 'sysvol' being replicated? This again is a manual procedure on
Samba AD DCs.

> Basically we are implementing "Software Whitelisting" policies and
> these are defined as computer policies. The error started to show up
> once the policy was linked.
>
> Any hints on this behaviour?

No, but it might help if you post more info on your setup.

Rowland
Hi,

> On Mon, 16 Jul 2018 17:37:21 +0530
> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> Thanks for the clarification.
>>
>> However, we held back from implementing your suggestion and observed
>> that after about 40 odd hours from the initial publishing of the
>> policies, all clients connecting to any of the Domain Controllers
>> started to get the policies. No client was throwing any error while
>> applying the policies from any of the 4 Domain Controllers.
> Good, but why the delay?

This is being investigated. Is it something to do with cache? Wondering whether running "net cache flush" will help to get over this behaviour.

>> Does it mean that "idmap.ldb" is taking time to replicate
>> automatically?
> 'idmap.ldb' never replicates automatically, it must be done manually.

We will include this in our replication script.

>> Or is it some other issue? Nothing interesting about
>> this is logged in Samba. Sysvol is getting replicated as soon as any
>> policy is added, modified or deleted on the first domain controller.
> How is 'sysvol' being replicated? This again is a manual procedure on
> Samba AD DCs.

Yes, it is being synchronised using rsync. Basically, we are using "inotify" to watch for changes (add, modify & delete) in "sysvol" and push the changes to all other DCs. I will share our replication scripts here shortly.

>> Basically we are implementing "Software Whitelisting" policies and
>> these are defined as computer policies. The error started to show up
>> once the policy was linked.
>>
>> Any hints on this behaviour?
>>
> No, but it might help if you post more info on your setup.

What info do you need? Find below the smb.conf. It is the same on all Domain Controllers.
# Global parameters
[global]
	netbios name = PDC
	realm = ****.COM
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	workgroup = ****
	idmap_ldb:use rfc2307 = yes
	ldap server require strong auth = No

	# Logs and events
	eventlog list = Security
	log level = 3
	log file = /var/log/samba/dc1.%T.log
	max log size = 1000000

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/****.com/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No

>
> Rowland
>
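The rsync/inotify push described in the thread, written out as an added example; this is not the poster's replication script (which was not shared on the page) and not Samba project code. It watches sysvol with inotifywait, pushes changes to the other DCs with rsync (archive mode plus ACLs and xattrs, which sysvol needs) and resets the sysvol NT ACLs on the receiving side; a separate mode ships a tdbbackup snapshot of idmap.ldb and runs 'net cache flush' on each peer, which is Rowland's point that no Samba restart is required. The peer hostnames, ssh as root, and the location of idmap.ldb under /usr/local/samba/private are assumptions; the sysvol path is the one from the smb.conf above.

```shell
#!/bin/sh
# Added example, not the poster's script: push sysvol and idmap.ldb from the
# first DC (where GPOs are edited) to the other DCs and flush their caches.
set -u

SYSVOL=/usr/local/samba/var/locks/sysvol         # from the smb.conf above
IDMAP=/usr/local/samba/private/idmap.ldb         # assumed: default private dir of a source build
PEER_DCS="dc2.example.com dc3.example.com dc4.example.com"  # constructed placeholders

# Decide whether an inotify event path is worth a push: only files inside
# sysvol, and not editor/rsync temporary files that appear while a GPO is
# being written.
should_sync() {
    p=$1
    case $p in
        "$SYSVOL"/*) ;;
        *) return 1 ;;
    esac
    case ${p##*/} in
        .*|*~|*.tmp|*.swp) return 1 ;;
    esac
    return 0
}

# The rsync command used for one peer: -a (permissions, times, symlinks),
# -A (POSIX ACLs) and -X (xattrs, which carry the NT ACLs), with deletions
# applied after the transfer so a half-pushed GPO never has missing files.
rsync_cmd() {
    host=$1
    printf '%s' "rsync -aAX --delete-after $SYSVOL/ root@$host:$SYSVOL/"
}

# Push sysvol to every peer and make its NT ACLs consistent afterwards.
push_sysvol() {
    for dc in $PEER_DCS; do
        eval "$(rsync_cmd "$dc")"
        ssh "root@$dc" 'samba-tool ntacl sysvolreset'
    done
}

# Ship idmap.ldb: take a consistent snapshot of the live tdb, copy it over
# and flush the ID cache so the copied xidNumbers take effect without a
# restart (this makes this DC the authoritative source for xidNumbers).
push_idmap() {
    tdbbackup -s .bak "$IDMAP"
    for dc in $PEER_DCS; do
        scp "$IDMAP.bak" "root@$dc:$IDMAP"
        ssh "root@$dc" 'net cache flush && samba-tool ntacl sysvolreset'
    done
}

# Watch sysvol and push on every relevant add/modify/delete/move event.
watch_sysvol() {
    inotifywait -m -r -e create,modify,delete,move --format '%w%f' "$SYSVOL" |
    while IFS= read -r path; do
        should_sync "$path" || continue
        push_sysvol
    done
}

case ${1:-} in
    watch) watch_sysvol ;;   # run as a service on the first DC
    idmap) push_idmap ;;     # run once after creating users/groups
esac
```

Run it as 'script watch' on the first DC only, so there is a single direction of replication, and 'script idmap' whenever new users or groups have been created; because idmap.ldb is copied rather than merged, every other DC's local xidNumber assignments are replaced, which is the intended effect.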