Rowland Penny
2019-Mar-26 11:56 UTC
[Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
On Tue, 26 Mar 2019 07:37:54 -0400
Jonathon Reinhart via samba <samba at lists.samba.org> wrote:

> I recently went through these steps from the wiki and took the
> following notes which I had not yet shared / suggested for the wiki.
> (This is from mobile, sorry for the terse message.)
>
> - You need to clear the idmap cache after copying idmap.ldb ("net
> cache clear") otherwise you could have stale entries hanging around.

I have added that.

> - You need to sync SysVol before running sysvol reset, because
> samba-tool falls on its face if that directory is empty.

This has also been added.

> - The initial permissions of the stuff in Sysvol didn't match what
> "sysvol reset" wanted. I'm not sure who initially created the stuff
> with bad permissions.

I have been saying this for years, the permissions set on a Samba AD DC
do not appear to match what a Windows DC uses.

Rowland
Stephen
2019-Mar-26 12:04 UTC
[Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
Jonathon and Rowland, are you sure the command you are referring to
here is net cache clear for clearing the cache? I couldn't see this in
the manpage for net cache.
There is a 'net cache flush' command though?

Thanks

Stephen

On 26/03/2019 11:56, Rowland Penny via samba wrote:
> On Tue, 26 Mar 2019 07:37:54 -0400
> Jonathon Reinhart via samba <samba at lists.samba.org> wrote:
>
>> I recently went through these steps from the wiki and took the
>> following notes which I had not yet shared / suggested for the wiki.
>> (This is from mobile, sorry for the terse message.)
>>
>> - You need to clear the idmap cache after copying idmap.ldb ("net
>> cache clear") otherwise you could have stale entries hanging around.
> I have added that.
>
>> - You need to sync SysVol before running sysvol reset, because
>> samba-tool falls on its face if that directory is empty.
> This has also been added.
>
>> - The initial permissions of the stuff in Sysvol didn't match what
>> "sysvol reset" wanted. I'm not sure who initially created the stuff
>> with bad permissions.
> I have been saying this for years, the permissions set on a Samba AD DC
> do not appear to match what a Windows DC uses.
>
> Rowland
L.P.H. van Belle
2019-Mar-26 12:07 UTC
[Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
From man: man net

CACHE
    Samba uses a general caching interface called 'gencache'. It can be
    controlled using 'NET CACHE'.

;-) It's there.. At least in 4.8.9 and up, that's what I've checked.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stephen via samba
> Sent: Tuesday 26 March 2019 13:04
> To: samba at lists.samba.org
> Subject: Re: [Samba] Problem achieving manual synchronisation of
> idmap.ldb and the associated User and Group ID mappings between two
> Samba 4 AD DCs
>
> Jonathon and Rowland, are you sure the command you are referring to
> here is net cache clear for clearing the cache? I couldn't see this in
> the manpage for net cache.
> There is a 'net cache flush' command though?
>
> Thanks
>
> Stephen
>
> On 26/03/2019 11:56, Rowland Penny via samba wrote:
> > On Tue, 26 Mar 2019 07:37:54 -0400
> > Jonathon Reinhart via samba <samba at lists.samba.org> wrote:
> >
> >> I recently went through these steps from the wiki and took the
> >> following notes which I had not yet shared / suggested for the wiki.
> >> (This is from mobile, sorry for the terse message.)
> >>
> >> - You need to clear the idmap cache after copying idmap.ldb ("net
> >> cache clear") otherwise you could have stale entries hanging around.
> > I have added that.
> >
> >> - You need to sync SysVol before running sysvol reset, because
> >> samba-tool falls on its face if that directory is empty.
> > This has also been added.
> >
> >> - The initial permissions of the stuff in Sysvol didn't match what
> >> "sysvol reset" wanted. I'm not sure who initially created the stuff
> >> with bad permissions.
> > I have been saying this for years, the permissions set on a Samba AD DC
> > do not appear to match what a Windows DC uses.
> >
> > Rowland
Rowland Penny
2019-Mar-26 12:11 UTC
[Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
On Tue, 26 Mar 2019 12:04:06 +0000
Stephen via samba <samba at lists.samba.org> wrote:

> Jonathon and Rowland, are you sure the command you are referring to
> here is net cache clear for clearing the cache? I couldn't see this in
> the manpage for net cache.
> There is a 'net cache flush' command though?

BIG NOTE TO SELF: must read commands to the end ;-)

Yes it is 'net cache flush'

Rowland

> Thanks
>
> Stephen
>
> On 26/03/2019 11:56, Rowland Penny via samba wrote:
> > On Tue, 26 Mar 2019 07:37:54 -0400
> > Jonathon Reinhart via samba <samba at lists.samba.org> wrote:
> >
> >> I recently went through these steps from the wiki and took the
> >> following notes which I had not yet shared / suggested for the
> >> wiki. (This is from mobile, sorry for the terse message.)
> >>
> >> - You need to clear the idmap cache after copying idmap.ldb ("net
> >> cache clear") otherwise you could have stale entries hanging
> >> around.
> > I have added that.
> >
> >> - You need to sync SysVol before running sysvol reset, because
> >> samba-tool falls on its face if that directory is empty.
> > This has also been added.
> >
> >> - The initial permissions of the stuff in Sysvol didn't match
> >> what "sysvol reset" wanted. I'm not sure who initially created the
> >> stuff with bad permissions.
> > I have been saying this for years, the permissions set on a Samba
> > AD DC do not appear to match what a Windows DC uses.
> >
> > Rowland
Stephen
2019-Mar-26 12:33 UTC
[Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
Rowland, Jonathon, what permissions set would you recommend for use
when syncing SysVol?

I have only found a single tutorial
(https://www.tecmint.com/samba4-ad-dc-sysvol-replication/) that even
mentions what permissions should be used when replicating SysVol, and
that suggests using a 775 permission set during replication, i.e.:

rsync --dry-run -XAavz --chmod=775 --delete-after --progress --stats /var/lib/samba/sysvol/ root at ad2:/var/lib/samba/sysvol/

Perhaps it's just me but that seems excessively promiscuous?

Thanks

Stephen Ellwod
Rowland Penny
2019-Mar-26 12:50 UTC
[Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
On Tue, 26 Mar 2019 12:33:33 +0000
Stephen via samba <samba at lists.samba.org> wrote:

> Rowland, Jonathon, what permissions set would you recommend for use
> when syncing SysVol?
>
> I have only found a single tutorial
> (https://www.tecmint.com/samba4-ad-dc-sysvol-replication/) that even
> mentions what permissions should be used when replicating SysVol, and
> that suggests using a 775 permission set during replication, i.e.:

Go on, I give in, what is wrong with the official Samba documentation ?

> rsync --dry-run -XAavz --chmod=775 --delete-after --progress
> --stats /var/lib/samba/sysvol/ root at ad2:/var/lib/samba/sysvol/
>
> Perhaps it's just me but that seems excessively promiscuous?

And it doesn't really matter, the important permissions are dealt with
by the '-XAavz' part, so to answer your question, tecmint got it wrong
(not for the first time either), you do not need to add the
'--chmod=775' part.

Rowland
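The sequence the thread settles on (copy idmap.ldb, flush gencache, rsync SysVol with -XA and no --chmod, only then run sysvolreset), as an added shell example that is neither the wiki procedure nor code from anyone on the list. The pull direction (run on the receiving DC), the peer hostname and the DRY_RUN switch are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba wiki): a pre-flight wrapper
# for the DC-to-DC sync steps discussed above, meant to run ON the receiving DC.
# Assumptions: the peer DC is reachable over ssh as root@$PEER, both DCs use
# the default /var/lib/samba paths, and rsync/net/samba-tool are in PATH.
# DRY_RUN=1 prints each command instead of executing it.

SYSVOL="${SYSVOL:-/var/lib/samba/sysvol}"
PRIVATE="${PRIVATE:-/var/lib/samba/private}"
PEER="${PEER:-dc1.example.com}"   # hypothetical peer DC hostname
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# samba-tool ntacl sysvolreset fails on an empty SysVol, so refuse to run it
# until the directory has content (the ordering problem Jonathon described).
sysvol_populated() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

sync_from_peer() {
    # 1. Pull idmap.ldb so both DCs map SIDs to the same xIDs, then drop the
    #    gencache entries that may still hold the old mappings.
    run rsync -avz "root@$PEER:$PRIVATE/idmap.ldb" "$PRIVATE/idmap.ldb" || return 1
    run net cache flush || return 1
    # 2. Pull SysVol. -X copies extended attributes (where Samba keeps its
    #    NT ACLs) and -A the POSIX ACLs, so no --chmod override is needed.
    run rsync -XAavz --delete-after "root@$PEER:$SYSVOL/" "$SYSVOL/" || return 1
    # 3. Only now reset the SysVol ACLs, and only if step 2 left files behind.
    if ! sysvol_populated "$SYSVOL"; then
        echo "SysVol at $SYSVOL is empty; refusing to run sysvolreset" >&2
        return 2
    fi
    run samba-tool ntacl sysvolreset
}
```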
L.P.H. van Belle
2019-Mar-26 13:10 UTC
[Samba] Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
Go here: https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)

You choose what is preferred for you. And set up the sync.

A rights check can be done with this script:

wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
bash samba-check-set-sysvol.sh
cat default-rights-sysvol.acl

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stephen via samba
> Sent: Tuesday 26 March 2019 13:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] Problem achieving manual synchronisation of
> idmap.ldb and the associated User and Group ID mappings between two
> Samba 4 AD DCs
>
> Rowland, Jonathon, what permissions set would you recommend for use
> when syncing SysVol?
>
> I have only found a single tutorial
> (https://www.tecmint.com/samba4-ad-dc-sysvol-replication/) that even
> mentions what permissions should be used when replicating SysVol, and
> that suggests using a 775 permission set during replication, i.e.:
>
> rsync --dry-run -XAavz --chmod=775 --delete-after --progress
> --stats /var/lib/samba/sysvol/ root at ad2:/var/lib/samba/sysvol/
>
> Perhaps it's just me but that seems excessively promiscuous?
>
> Thanks
> Stephen Ellwod