Who am I to say this? I am only a lowly user and would-be admin, but it seems to me that one of the most useful features of an AD environment, GPOs, is not fully trust-able under Samba because of instability and ensuing fear, before and after each update, related to sysvol and who knows what. I still love you, though.
Hi Miguel,

I have been using Samba AD DC 4.9.1 for a little bit 6 months now. Very stable. Never heard of any stability problems concerning GPOs. There are no problems with GPOs, but as I found out, you must give the GPO changes time to take effect (30 minutes). I haven't found out how to force GPO updates under Samba yet, but that's probably due to my lack of time and inherent laziness. And you can lock yourself out from a true Windows domain, as well as from a Samba domain. Nothing that yells at you that you're up to something stupid in either system ;-)

Best regards,
Peter

On 13.04.2019 21:40, miguel medalha via samba wrote:
> Who am I to say this? I am only a lowly user and would-be admin, but
> it seems to me that one of the most useful features of an AD
> environment, GPOs, is not fully trust-able under Samba because of
> instability and ensuing fear, before and after each update, related to
> sysvol and who knows what.
>
> I still love you, though.
> I have been using Samba AD DC 4.9.1 for a little bit 6 months now.
> Very stable. Never heard of any stability problems concerning GPOs.
> There are no problems with GPOs, but as I found out, you must give the
> GPO changes time to take effect (30 minutes). I haven't found out how
> to force GPO updates under Samba yet, but that's probably due to my
> lack of time and inherent laziness. And you can lock yourself out from
> a true Windows domain, as well as from a Samba domain. Nothing that
> yells at you that you're up to something stupid in either system ;-)

I have been using Samba for many years, and GPOs since Samba 4 was first released. And yes, they do work... most of the time. But I am sure Samba developers understand what I meant.
On Sat, 2019-04-13 at 20:40 +0100, miguel medalha via samba wrote:
> Who am I to say this? I am only a lowly user and would-be admin, but
> it seems to me that one of the most useful features of an AD
> environment, GPOs, is not fully trust-able under Samba because of
> instability and ensuing fear, before and after each update, related to
> sysvol and who knows what.

My experience was:

1. MIT krb doesn't support it; we need to use the old krb system.
2. We need to disable SELinux; SELinux permissive is not enough to allow writing to the shared folder sysvol. It causes crashes on Windows.
3. When we have 2 or more DC(s), we need to force client tools like RSAT to write only to the first DC, because "Samba in its current state doesn't support SysVol replication" [1]. If RSAT writes randomly to the DC(s), we may have errors like: samba-tool ntacl sysvolreset, - open: error=2 (No such file or directory) [2]
4. With an efficient replication and writing POL(s) just on the first DC, it seems to work well.

Best Regards,

[1] https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)
    https://www.tecmint.com/samba4-ad-dc-sysvol-replication/
[2] https://lists.samba.org/archive/samba/2018-September/218137.html

--
Sérgio M. B.