Listening to notifications can only complement another mechanism (and then reduce latency) as otherwise you are going to lose changes during downtimes.

Joachim

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Jonathon Reinhart via samba
Sent: Tuesday, 16 July 2019 22:22
To: Rowland penny <rpenny at samba.org>
Cc: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] Syncing Sysvol

On Tue, Jul 16, 2019 at 12:32 PM Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 16/07/2019 16:40, Jonathon Reinhart wrote:
> > On Tue, Jul 16, 2019 at 9:32 AM Rowland penny via samba
> > <samba at lists.samba.org> wrote:
> >> On 16/07/2019 14:16, Jonathon Reinhart wrote:
> >>> On Tue, Jul 16, 2019 at 9:11 AM Rowland penny via samba
> >>> <samba at lists.samba.org> wrote:
> >>>> On 16/07/2019 14:02, Jonathon Reinhart wrote:
> >>>>> Rowland,
> >>>>>
> >>>>> You could go another step further and run that with "notify" to
> >>>>> monitor for changes, instead of having to run it in a cron job.
> >>>>> In my experience, "notify" works using smbclient, but not so
> >>>>> with libsmbclient.
> >>>> Problem is, the script is written to be run on DC's that do not
> >>>> hold the PDC Emulator FSMO role, so it would have to be re-written.
> >>> Why does the PDC emulator role matter? All non-PDC-emulators could
> >>> simply watch for changes on the PDC Emulator, right? Am I missing
> >>> something?
> >> It doesn't really matter, but it is probably best practise to only
> >> carry out GPO operations on one DC and the PDC Emulator DC is
> >> probably the best one to use.
> > Absolutely, all of my plans and scripts assume this. I also enforce
> > it by marking Sysvol and netlogon as "read only = yes" on
> > non-PDC-Emulators.
> >
> >> From my knowledge, inotify only works on the computer it is
> >> installed on, so how do you suggest that inotify could watch for
> >> something happening on another computer ?
> > I'm not referring to inotify; I'm talking about the smbclient "notify"
> > command, or libsmbclient smbc_notify() API.
>
> I don't think this does what you think, from 'man smbclient':
>
>     notify <dir name>
>         Query a directory for change notifications. This command issues a
>         recursive filechangenotify call for all possible changes. As
>         changes come in will print one line per change. See
>         https://msdn.microsoft.com/en-us/library/dn392331.aspx for a
>         description of the action numbers that this command prints.
>
>         This command never ends, it waits for event indefinitely.
>
> So I think for this to work, you would have to keep a connection open
> to sysvol on the PDC Emulator at all times. I have never used
> 'notify', so I am guessing here, the above seems to be the total of
> the documentation available.

That's exactly what I'm proposing. Instead of running a cron job, you'd run this script like a daemon. It would continuously read the output of a "smbclient -c '... notify ...'" process, and when it is notified of a change, then you would sync that changed file.

> It could just be the most underused part of Samba ;-)

If you look back at my reply to Joachim's original post, you'll see that this is what I was suggesting; except I wanted to implement it in Python using libsmbclient, rather than in a shell script: https://lists.samba.org/archive/samba/2019-July/224347.html

> Rowland
> That's exactly what I'm proposing. Instead of running a cron job, you'd run this script like a daemon. It would continuously read the output of a "smbclient -c '... notify ...'" process, and when it is notified of a change, then you would sync that changed file.

I think the easiest way to do this, would be to create a script on the PDC Emulator to watch for changes in Sysvol and then send them to each DC, rather than getting each DC to watch the PDC Emulator. If you stop and think about it, I am sure you will agree this is a better idea because what would happen if you have multiple DC's and they all try to update Sysvol at the same time ?

> If you look back at my reply to Joachim's original post, you'll see that this is what I was suggesting; except I wanted to implement it in Python using libsmbclient, rather than in a shell script:

I don't think it matters what the script is written in, just as long as it does the job.

Rowland
On 17/07/2019 12:03, Jonathon Reinhart wrote:
>
> On Wed, Jul 17, 2019, 02:47 Rowland penny via samba
> <samba at lists.samba.org> wrote:
>
> Just trying to get on the same page as you. In my scenario only the
> PDC Emulator ("primary") even has a writable Sysvol share; all other
> DCs are in effect read-only as far as GPOs go. So I don't see how
> multiple DCs could modify Sysvol.

They are all going to have to be writeable, or how are you going to update them ? This wasn't what I was getting at though. If Sysvol on the PDC Emulator is updated and all other DC's are watching for updates, it is very possible that they will all try to update their Sysvol at the same time.

> In this read-only configuration, *pushing* changes to secondary DCs
> can't be done without using another protocol aside from SMB.
> Furthermore, having secondary DCs pull from the primary avoids any
> extra configuration on the primary: secondaries just use their machine
> password and pull.

This is the snag I have hit upon, fairly easy to use smbclient to copy Sysvol to each DC in turn, but then getting sysvolreset to run is another thing entirely.

> This is the way I do it now, and it works fine; secondaries locate PDC
> Emulator via SRV and then rsync. You'd have to really try to convince
> me that a "push" approach is better (assuming read-only Sysvol on
> non-PDC-emulator DCs) :-)

In theory 'push' is better, you get more control of when each DC is updated, just got to get around the sysvolreset problem.

Rowland
On 17/07/2019 13:02, Jonathon Reinhart wrote:
> I have the [Sysvol] share in smb.conf marked "read only = yes". That
> way, if someone connects GPO Editor to a DC other than the PDC
> Emulator, it will fail to write the changes, thus enforcing the "GPOs
> are only edited on the PDC Emulator DC". This is acceptable in a small
> organization; YMMV.

If Sysvol is 'read only' it is not writable by anything.

>> This wasn't what I was getting at though. If Sysvol on the PDC Emulator
>> is updated and all other DC's are watching for updates, it is very
>> possible that they will all try to update their Sysvol at the same time.
> Ah, I see. Is this an actual performance problem, or are we
> prematurely optimizing? :-)

Probably both, I have seen reports on here of domains with 20 DC's, imagine 19 DC's trying to download exactly the same files all at once.

Rowland
On Wed, Jul 17, 2019 at 8:16 AM Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 17/07/2019 13:02, Jonathon Reinhart wrote:
> > I have the [Sysvol] share in smb.conf marked "read only = yes". That
> > way, if someone connects GPO Editor to a DC other than the PDC
> > Emulator, it will fail to write the changes, thus enforcing the "GPOs
> > are only edited on the PDC Emulator DC". This is acceptable in a small
> > organization; YMMV.
> If Sysvol is 'read only' it is not writable by anything.

While I stated it a couple times previously, I worded it in a misleading way this last time. Let me try to clear it up:

The [Sysvol] samba share is writable on the PDC Emulator. If GPO Editor uses the default behavior and connects to PDC Emulator, all is well.

The [Sysvol] samba share is read-only on all non-PDC-Emulator DCs. If GPO Editor connects to a non-PDC-Emulator DC and tries to make a change, it will fail as expected.

Our Sysvol-sync scripts (running on non-PDC-Emulator DCs) are writing to the underlying directory (/var/lib/samba/sysvol on Debian). Certainly the underlying kernel/filesystem do not care what Samba thinks about the read-only share pointing at that directory.

> >> This wasn't what I was getting at though. If Sysvol on the PDC Emulator
> >> is updated and all other DC's are watching for updates, it is very
> >> possible that they will all try to update their Sysvol at the same time.
> > Ah, I see. Is this an actual performance problem, or are we
> > prematurely optimizing? :-)
> Probably both, I have see reports on here of domains with 20 DC's, image
> 19 DC's trying to download exactly the same files all at once.
>
> Rowland
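The thread circles three points: running `smbclient ... -c 'notify .'` as a long-lived daemon instead of a cron job, Rowland's worry that every DC fetches the same files at the same moment when the PDC Emulator changes, and Jonathon's setup where the non-PDC-Emulator share is `read only = yes` while the sync script writes to the underlying directory. The sketch below is an added example of a pull daemon along those lines; it is not code from this thread, from Samba, or from either poster. It assumes (and marks in comments) that the `notify` command prints one line per change in the form `<hex action> <path>` with the FILE_ACTION_* numbers from the MSDN page the man page cites, that `smbclient -P` authenticates with the local DC's machine account, and that `get "remote" "local"` accepts forward-slash paths. The sysvol root, the `{EXAMPLE-GUID}` used in the test and the batching delays are constructed values. Because the daemon writes into `/var/lib/samba/sysvol` as a privileged user, every path received over the wire is checked against the sysvol root before it is touched, and a failed fetch is logged rather than fatal, since (as Joachim notes) notifications only complement a periodic full sync.

```python
"""Sysvol pull daemon for a non-PDC-Emulator DC (added example, not code from the thread)."""
import os
import random
import select
import shutil
import subprocess
import sys
import time
from typing import Iterable, List, Optional, Set, Tuple

# FILE_ACTION_* values from the MSDN page the smbclient man page points at.
FILE_ACTION_ADDED, FILE_ACTION_REMOVED, FILE_ACTION_MODIFIED = 1, 2, 3
FILE_ACTION_RENAMED_OLD_NAME, FILE_ACTION_RENAMED_NEW_NAME = 4, 5


def parse_notify_line(line: str) -> Optional[Tuple[int, str]]:
    """ASSUMPTION: smbclient prints one change per line as '<hex action> <path>'."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    try:
        action = int(parts[0], 16)
    except ValueError:
        return None
    # SMB paths arrive with backslashes; normalise to the local convention.
    return action, parts[1].replace("\\", "/").lstrip("/")


def safe_relative_path(sysvol_root: str, rel: str) -> Optional[str]:
    """Return rel if it stays inside sysvol_root and is safe to quote, else None."""
    if not rel or '"' in rel or "\n" in rel:
        return None
    root = os.path.realpath(sysvol_root)
    candidate = os.path.realpath(os.path.join(root, rel))
    if candidate.startswith(root + os.sep):  # rejects '..' escapes and symlinks out
        return os.path.relpath(candidate, root)
    return None


def coalesce(events: Iterable[Tuple[int, str]]) -> Tuple[Set[str], Set[str]]:
    """Fold a burst of events into (paths to fetch, paths to delete); last action wins."""
    fetch: Set[str] = set()
    delete: Set[str] = set()
    for action, path in events:
        if action in (FILE_ACTION_ADDED, FILE_ACTION_MODIFIED, FILE_ACTION_RENAMED_NEW_NAME):
            fetch.add(path)
            delete.discard(path)
        elif action in (FILE_ACTION_REMOVED, FILE_ACTION_RENAMED_OLD_NAME):
            delete.add(path)
            fetch.discard(path)
    return fetch, delete


def apply_changes(pdc: str, sysvol_root: str, fetch: Set[str], delete: Set[str]) -> None:
    """Mirror one burst into the local directory, then restore the Sysvol ACLs."""
    for rel in sorted(delete):
        safe = safe_relative_path(sysvol_root, rel)
        local = os.path.join(sysvol_root, safe) if safe else None
        if local and os.path.isdir(local):
            shutil.rmtree(local)
        elif local and os.path.lexists(local):
            os.remove(local)
    for rel in sorted(fetch):
        safe = safe_relative_path(sysvol_root, rel)
        if safe is None:
            continue  # path tried to leave sysvol; never write it
        local = os.path.join(sysvol_root, safe)
        os.makedirs(os.path.dirname(local), exist_ok=True)
        # ASSUMPTION: -P uses this DC's machine account. A failed get (for
        # example a directory entry) is left to the periodic full sync.
        cmd = ["smbclient", f"//{pdc}/sysvol", "-P", "-c", f'get "{safe}" "{local}"']
        if subprocess.run(cmd).returncode != 0:
            print(f"fetch of {safe} failed; full sync will catch up", file=sys.stderr)
    if fetch or delete:
        subprocess.run(["samba-tool", "ntacl", "sysvolreset"], check=True)


def run_daemon(pdc: str, sysvol_root: str, quiet: float = 2.0, max_jitter: float = 10.0) -> None:
    """Keep one notify session open and apply changes in jittered batches."""
    cmd = ["smbclient", f"//{pdc}/sysvol", "-P", "-c", "notify ."]
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, bufsize=0)  # unbuffered: select() sees every line
    pending: List[Tuple[int, str]] = []
    deadline: Optional[float] = None
    while True:
        timeout = None if deadline is None else max(0.0, deadline - time.monotonic())
        ready, _, _ = select.select([proc.stdout], [], [], timeout)
        if ready:
            raw = proc.stdout.readline()
            if not raw:  # smbclient exited; exit too and let the service manager restart us
                sys.exit(1)
            event = parse_notify_line(raw.decode("utf-8", "replace"))
            if event:
                pending.append(event)
                if deadline is None:  # random delay so many DCs don't all fetch at once
                    deadline = time.monotonic() + quiet + random.uniform(0, max_jitter)
            continue
        fetch, delete = coalesce(pending)
        pending, deadline = [], None
        apply_changes(pdc, sysvol_root, fetch, delete)


if __name__ == "__main__":
    run_daemon(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "/var/lib/samba/sysvol")
```

Run it under a service manager as `sysvol-pull.py <pdc-hostname>` on each non-PDC-Emulator DC; the share itself can stay `read only = yes` for SMB clients because the daemon writes to the directory directly, exactly as Jonathon describes. The quiet window plus per-DC random jitter means a GPO edit that touches many files is fetched once per DC, and the DCs spread their fetches over the jitter window instead of hitting the PDC Emulator simultaneously. Keep the cron-driven full sync as well; the daemon only narrows the window between an edit and its replication.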