On 16/07/2019 16:40, Jonathon Reinhart wrote:
> On Tue, Jul 16, 2019 at 9:32 AM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> On 16/07/2019 14:16, Jonathon Reinhart wrote:
>>> On Tue, Jul 16, 2019 at 9:11 AM Rowland penny via samba
>>> <samba at lists.samba.org> wrote:
>>>> On 16/07/2019 14:02, Jonathon Reinhart wrote:
>>>>> Rowland,
>>>>>
>>>>> You could go another step further and run that with "notify" to
>>>>> monitor for changes, instead of having to run it in a cron job. In my
>>>>> experience, "notify" works using smbclient, but not so with
>>>>> libsmbclient.
>>>> Problem is, the script is written to be run on DCs that do not hold the
>>>> PDC Emulator FSMO role, so it would have to be re-written.
>>> Why does the PDC emulator role matter? All non-PDC-emulators could
>>> simply watch for changes on the PDC Emulator, right? Am I missing
>>> something?
>> It doesn't really matter, but it is probably best practise to only carry
>> out GPO operations on one DC and the PDC Emulator DC is probably the
>> best one to use.
> Absolutely, all of my plans and scripts assume this. I also enforce it
> by marking Sysvol and netlogon as "read only = yes" on
> non-PDC-Emulators.
>
>> From my knowledge, inotify only works on the computer it is installed
>> on, so how do you suggest that inotify could watch for something
>> happening on another computer?
> I'm not referring to inotify; I'm talking about the smbclient "notify"
> command, or libsmbclient smbc_notify() API.

I don't think this does what you think, from 'man smbclient':

       notify <dir name>
           Query a directory for change notifications. This command issues a
           recursive filechangenotify call for all possible changes. As
           changes come in will print one line per change. See
           https://msdn.microsoft.com/en-us/library/dn392331.aspx for a
           description of the action numbers that this command prints.

           This command never ends, it waits for event indefinitely.

So I think for this to work, you would have to keep a connection open to sysvol on the PDC Emulator at all times. I have never used 'notify', so I am guessing here, the above seems to be the total of the documentation available.

It could just be the most underused part of Samba ;-)

Rowland
On Tue, Jul 16, 2019 at 12:32 PM Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 16/07/2019 16:40, Jonathon Reinhart wrote:
> > On Tue, Jul 16, 2019 at 9:32 AM Rowland penny via samba
> > <samba at lists.samba.org> wrote:
> >> On 16/07/2019 14:16, Jonathon Reinhart wrote:
> >>> On Tue, Jul 16, 2019 at 9:11 AM Rowland penny via samba
> >>> <samba at lists.samba.org> wrote:
> >>>> On 16/07/2019 14:02, Jonathon Reinhart wrote:
> >>>>> Rowland,
> >>>>>
> >>>>> You could go another step further and run that with "notify" to
> >>>>> monitor for changes, instead of having to run it in a cron job. In my
> >>>>> experience, "notify" works using smbclient, but not so with
> >>>>> libsmbclient.
> >>>> Problem is, the script is written to be run on DCs that do not hold the
> >>>> PDC Emulator FSMO role, so it would have to be re-written.
> >>> Why does the PDC emulator role matter? All non-PDC-emulators could
> >>> simply watch for changes on the PDC Emulator, right? Am I missing
> >>> something?
> >> It doesn't really matter, but it is probably best practise to only carry
> >> out GPO operations on one DC and the PDC Emulator DC is probably the
> >> best one to use.
> > Absolutely, all of my plans and scripts assume this. I also enforce it
> > by marking Sysvol and netlogon as "read only = yes" on
> > non-PDC-Emulators.
> >
> >> From my knowledge, inotify only works on the computer it is installed
> >> on, so how do you suggest that inotify could watch for something
> >> happening on another computer?
> > I'm not referring to inotify; I'm talking about the smbclient "notify"
> > command, or libsmbclient smbc_notify() API.
>
> I don't think this does what you think, from 'man smbclient':
>
>        notify <dir name>
>            Query a directory for change notifications. This command issues a
>            recursive filechangenotify call for all possible changes. As
>            changes come in will print one line per change. See
>            https://msdn.microsoft.com/en-us/library/dn392331.aspx for a
>            description of the action numbers that this command prints.
>
>            This command never ends, it waits for event indefinitely.
>
> So I think for this to work, you would have to keep a connection open to
> sysvol on the PDC Emulator at all times. I have never used 'notify', so
> I am guessing here, the above seems to be the total of the documentation
> available.

That's exactly what I'm proposing. Instead of running a cron job, you'd run this script like a daemon. It would continuously read the output of a "smbclient -c '... notify ...'" process, and when it is notified of a change, then you would sync that changed file.

> It could just be the most underused part of Samba ;-)

If you look back at my reply to Joachim's original post, you'll see that this is what I was suggesting; except I wanted to implement it in Python using libsmbclient, rather than in a shell script: https://lists.samba.org/archive/samba/2019-July/224347.html

> Rowland
Listening to notifications can only complement another mechanism (and then reduce latency) as otherwise you are going to lose changes during downtimes.

Joachim

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Jonathon Reinhart via samba
Sent: Tuesday, 16 July 2019 22:22
To: Rowland penny <rpenny at samba.org>
Cc: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] Syncing Sysvol
Full syncs at startup only will not be sufficient due to potential network outages. In essence, using notifications between hosts is reinventing the wheel as you have to support outages and thus push asynchronously - like replication. Instead think about replicating a change indicator as an AD attribute (may be a TXT record in DNS) as then you can reuse existing infrastructure. Then only the PDC needs to listen (or detect changes of sysvol somehow), update the indicator, all non PDCs only need to monitor for that locally and pull? Still wondering why.. sysvol is usually small and changes are infrequent, therefore I'd be fine with just periodic syncs.

Regards, Joachim
>I'm assuming a star topology where only the PDC Emulator has a writable Sysvol, and all "secondary" DCs are pulling from it. For my use cases, this
>drastically simplifies the problem. If the PDC Emulator is not available, the organization will be focused on restoring it; not on creating new GPOs.

I'd prefer not to assume star only, as you may want to avoid replicating multiple times via a slow link. Obviously this would require a modification or configuration option where to pull changes from (pdc being the default only).

>In that case, as long as libsmbclient maintains the SMB connection to the primary, I think we can be sure that we won't miss any Sysvol changes. If the
>SMB connection dies, then we can re-connect, and perform a full sync. Yes?

I would prefer not to rely on this assumption. And monitoring a (local copy) of DNS is for sure more scalable than many connections (star).

Regards, Joachim
On Wed, Jul 17, 2019 at 8:31 AM Joachim Lindenberg <samba at lindenberg.one> wrote:
>
> >I'm assuming a star topology where only the PDC Emulator has a writable Sysvol, and all "secondary" DCs are pulling from it. For my use cases, this
> >drastically simplifies the problem. If the PDC Emulator is not available, the organization will be focused on restoring it; not on creating new GPOs.
> I'd prefer not to assume star only, as you may want to avoid replicating multiple times via a slow link. Obviously this would require a modification or configuration option where to pull changes from (pdc being the default only).
>
> >In that case, as long as libsmbclient maintains the SMB connection to the primary, I think we can be sure that we won't miss any Sysvol changes. If the
> >SMB connection dies, then we can re-connect, and perform a full sync. Yes?
> I would prefer not to rely on this assumption. And monitoring a (local copy) of DNS is for sure more scalable than many connections (star).
> Regards, Joachim
>

These are fair points. The domains I'm dealing with have only a few DCs with fast links. These work-arounds are supposed to be just a stopgap measure until DFS-R is implemented in Samba, right? I'm curious to know, from the Samba team, how far out is proper DFS-R replication? If it's not even on the roadmap, then implementing a super-efficient, bullet-proof tool like we're discussing might be worth the effort. If it's a year out, then dealing with the simpler workarounds might be more efficient.

Jonathon
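
The notify-driven approach discussed in this thread (a daemon reading the output of smbclient's "notify", with a full sync at startup and after every reconnect so that changes made during an outage are not lost), as an added example that is not code from any poster or from Samba. It assumes each output line is an action number, a space and the changed path; `parse_change`, `plan_sync`, `example.test` and `{GUID}` are hypothetical names and constructed values.

```python
import re
from pathlib import PureWindowsPath

# MS-FSCC FILE_ACTION_* codes: the "action numbers" the man page refers to.
ACTIONS = {1: "added", 2: "removed", 3: "modified",
           4: "renamed_old", 5: "renamed_new"}
# Assumed line layout: action number, one space, path relative to the share.
LINE = re.compile(r"^(\d{1,4}) (.+)$")


def parse_change(line):
    """Return (action, relative_path), or None if the line is not trusted."""
    m = LINE.match(line.rstrip("\r\n"))
    if not m or int(m.group(1)) not in ACTIONS:
        return None
    path = PureWindowsPath(m.group(2))
    # The name is supplied by the remote side: refuse rooted paths and "..".
    if path.anchor or not path.parts or ".." in path.parts:
        return None
    return ACTIONS[int(m.group(1))], "/".join(path.parts)


def plan_sync(sessions):
    """Each session is one connection's line stream; map them to sync steps."""
    plan = []
    for lines in sessions:
        # A new session means startup or a reconnect: changes may have been
        # missed while disconnected, so always begin with a full sync.
        plan.append(("full_sync", None))
        for line in lines:
            change = parse_change(line)
            if change is None:
                plan.append(("full_sync", None))  # unknown event: resync all
            elif change[0] in ("removed", "renamed_old"):
                plan.append(("delete", change[1]))
            else:
                plan.append(("pull", change[1]))
    return plan


# Constructed sample output (not captured from a real server); two sessions.
SAMPLE = [
    ["0003 example.test\\Policies\\{GUID}\\GPT.INI\n",
     "0002 example.test\\scripts\\old.bat\n"],
    ["0001 ..\\..\\etc\\passwd\n"],
]

if __name__ == "__main__":
    for step in plan_sync(SAMPLE):
        print(step)
```

In a deployment, each session would be the stdout of one "smbclient -c '... notify ...'" process, restarted whenever it exits.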