On Wed, 17 Apr 2019 18:29:19 +0100 Sérgio Basto via samba <samba at lists.samba.org> wrote:

> My experience was:
>
> 1. MIT krb doesn't support it, we need to use the old krb system.

Do not use MIT, it is, at best, experimental.

> 2. We need to disable SELinux, SELinux permissive is not enough to allow
> writing to the shared folder sysvol. It causes crashes on Windows.

SELinux is not part of Samba, perhaps ask Fedora about this.

> 3. When we have 2 or more DC(s) we need to force client tools like
> RSAT to only write to the first DC because "Samba in its current state
> doesn't support SysVol replication" [1]. If RSAT writes randomly to
> DC(s) we may have errors like: samba-tool ntacl sysvolreset, - open:
> error=2 (No such file or directory) [2]

This is mis-configuration of your DCs. Yes, Sysvol isn't replicated (yet) but there are ways around this.

> 4. With an efficient replication and writing POL(s) just on the first DC,
> it seems that works well.

Provided you use some form of two-way sync, you should be able to create GPOs on any Samba AD DC, but it is probably best practice to just create them on the PDC-Emulator DC.

Rowland
On Wed, 2019-04-17 at 18:56 +0100, Rowland Penny via samba wrote:
> On Wed, 17 Apr 2019 18:29:19 +0100
> Sérgio Basto via samba <samba at lists.samba.org> wrote:
>
> > My experience was:
> >
> > 1. MIT krb doesn't support it, we need to use the old krb system.
>
> Do not use MIT, it is, at best, experimental.
>
> > 2. We need to disable SELinux, SELinux permissive is not enough to
> > allow writing to the shared folder sysvol. It causes crashes on Windows.
>
> SELinux is not part of Samba, perhaps ask Fedora about this.
>
> > 3. When we have 2 or more DC(s) we need to force client tools like
> > RSAT to only write to the first DC because "Samba in its current state
> > doesn't support SysVol replication" [1]. If RSAT writes randomly to
> > DC(s) we may have errors like: samba-tool ntacl sysvolreset, -
> > open: error=2 (No such file or directory) [2]
>
> This is mis-configuration of your DCs. Yes, Sysvol isn't replicated
> (yet) but there are ways around this.

As far as I can tell, and in my experience, the replication methods that we find in the wiki fail to be bi-directional. So, as a workaround, we may force writing POL(s) on just one DC and sync it to the others.

> > 4. With an efficient replication and writing POL(s) just on the first
> > DC, it seems that works well.
>
> Provided you use some form of two-way sync, you should be able to
> create GPOs on any Samba AD DC, but it is probably best practice to
> just create them on the PDC-Emulator DC.
>
> Rowland

-- 
Sérgio M. B.
Hello! Sérgio Basto via samba, that day, wrote...

> As far as I can tell, and in my experience, the replication methods that
> we find in the wiki fail to be bi-directional. So, as a workaround, we may
> force writing POL(s) on just one DC and sync it to the others.

AFAIK gpedit just writes to the DC with the FSMO role by default.

https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround#Information_on_rsync-based_replication

So, simply use the FSMO DC as the source.

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

  Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
  http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
  (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
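The one-way scheme the thread converges on (write GPOs only on the FSMO/PDC-emulator DC, pull them to the others), as an added example that is not from this thread, from Samba, or from the wiki page Marco links: a pull script for a secondary DC that refuses to run on the DC holding the PDC emulator role (so the authoritative copy is never overwritten by a stale peer), then re-applies the NT ACLs with `samba-tool ntacl sysvolreset`, the command in Sérgio's error report. The rsync module name, hostnames, secret file, sysvol path and the exact `samba-tool fsmo show` output layout are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes the rsync daemon/module on
# the PDC emulator is already set up (as in the wiki workaround) and that the
# local DC's short hostname matches the CN of its "NTDS Settings" object.
set -eu

SYSVOL_SRC="rsync://sysvol-replication@dc1.example.com/SysVol/"  # assumed
SYSVOL_DST="/var/lib/samba/sysvol"                                # assumed path
SECRET="/root/rsyncd.secret"                                      # assumed

# Extract, lower-cased, the DC name that owns the PDC emulator role from
# `samba-tool fsmo show` output on stdin. Assumed line layout:
# "PdcEmulationMasterRole owner: CN=NTDS Settings,CN=<DC>,CN=Servers,..."
pdc_owner() {
  sed -n 's/^PdcEmulationMasterRole owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1/p' |
    tr 'A-Z' 'a-z'
}

# Succeed (return 0) only when $2 (this host) owns the PDC emulator role
# according to $1 (fsmo show output). A missing role line counts as "no".
is_pdc_emulator() {
  fsmo_output="$1"
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  owner=$(printf '%s\n' "$fsmo_output" | pdc_owner)
  if [ -n "$owner" ] && [ "$owner" = "$want" ]; then
    return 0
  fi
  return 1
}

# Pull SysVol from the FSMO DC, then restore the ACLs rsync cannot fully carry.
sync_sysvol() {
  if is_pdc_emulator "$(samba-tool fsmo show)" "$(hostname -s)"; then
    echo "refusing to pull: this DC holds the PDC emulator role" >&2
    return 2
  fi
  rsync -XAavz --delete-after --password-file="$SECRET" "$SYSVOL_SRC" "$SYSVOL_DST"
  samba-tool ntacl sysvolreset
}

# Only act when invoked as "sysvol-pull.sh run" (e.g. from cron on the secondary DC).
if [ "${1:-}" = "run" ]; then
  sync_sysvol
fi
```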