Marco Gaiarin
2019-Sep-19 13:20 UTC
[Samba] Script to sync xID/idmap.ldb, some questions...
I'm scripting the ''replica'' of the DC xID db (idmap.ldb) between DCs, following:

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings

but I have two questions.

1) Because I already have the sysvol replica in place, I thought of copying the 'idmap.ldb.bak' file onto the sysvol share (on Debian, /var/lib/samba/sysvol/), so the file simply gets replicated between DCs.
Is it forbidden/not good policy/... to have ''extraneous'' files on sysvol?

2) Looking at the wiki (link above), it seems to me that to restore the DB on the other DC it suffices to copy the db over the existing one and do:

 net cache flush

Is it really not needed to stop Samba before the copy, or to restart it after the copy?

Thanks.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Marco Gaiarin
2019-Sep-20 13:41 UTC
[Samba] Script to sync xID/idmap.ldb, some questions...
I reply to myself.

> 1) Because I already have the sysvol replica in place, I thought of
> copying the 'idmap.ldb.bak' file onto the sysvol share (on Debian,
> /var/lib/samba/sysvol/), so the file simply gets replicated between DCs.
> Is it forbidden/not good policy/... to have ''extraneous'' files on
> sysvol?

My domain survived a 2-day presence of an ''extraneous'' file in sysvol, so I suppose it does not hurt. ;-)

> 2) Looking at the wiki (link above), it seems to me that to restore the DB on
> the other DC it suffices to copy the db over the existing one and do:
> net cache flush

Done on a DC, I have not seen errors in the logs or anything like that; the DC works as expected, so effectively it seems that a Samba restart is not needed.
Still, I'm a bit scared to do this 'automatically' in the domain...

Also, a note.
To verify the ACLs I ran:

 getfacl -R /var/lib/samba/sysvol/

and found:

a) some ACLs that seem not to be mapped:

 # file: var/lib/samba/sysvol//ad.fvg.lnf.it
 # owner: root
 # group: BUILTIN\134administrators
 user::rwx
 user:root:rwx
 user:BUILTIN\134administrators:rwx
 user:BUILTIN\134server\040operators:r-x
 user:3000002:rwx
 user:3000003:r-x
 group::rwx
 group:BUILTIN\134administrators:rwx
 group:BUILTIN\134server\040operators:r-x
 group:3000002:rwx
 group:3000003:r-x
 mask::rwx
 other::---
 default:user::rwx
 default:user:root:rwx
 default:user:BUILTIN\134administrators:rwx
 default:user:BUILTIN\134server\040operators:r-x
 default:user:3000002:rwx
 default:user:3000003:r-x
 default:group::---
 default:group:BUILTIN\134administrators:rwx
 default:group:BUILTIN\134server\040operators:r-x
 default:group:3000002:rwx
 default:group:3000003:r-x
 default:mask::rwx
 default:other::---

(eg, group:3000002 and group:3000003)

Ah! Wait! They are listed in both the 'user' and 'group' contexts, and so they are probably 'ID_BOTH' identifiers, that clearly cannot be mapped to user *and* group...

b) a flood of these errors in /var/log/samba/log.winbindd:

 [2019/09/20 15:15:52.727890, 0] ../source3/winbindd/winbindd_group.c:45(fill_grent)
 Failed to find domain 'NT AUTHORITY'. Check connection to trusted domains!

This on 'ALL' DCs...

Thanks.
L.P.H. van Belle
2019-Sep-20 14:01 UTC
[Samba] Script to sync xID/idmap.ldb, some questions...
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Friday 20 September 2019 15:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] Script to sync xID/idmap.ldb, some questions...
>
> I reply to myself.
>
> > 1) Because I already have the sysvol replica in place, I thought of
> > copying the 'idmap.ldb.bak' file onto the sysvol share (on Debian,
> > /var/lib/samba/sysvol/), so the file simply gets replicated between DCs.
> > Is it forbidden/not good policy/... to have ''extraneous'' files on
> > sysvol?
>
> My domain survived a 2-day presence of an ''extraneous'' file in
> sysvol, so I suppose it does not hurt. ;-)

No, but it's prone to more risk of problems.
Just set up an extra (hidden) share on the DC, and use that.
I do the same, works fine.

> > 2) Looking at the wiki (link above), it seems to me that to
> > restore the DB on the other DC it suffices to copy the db over the
> > existing one and do:
> > net cache flush
>
> Done on a DC, I have not seen errors in the logs or anything like that; the DC
> works as expected, so effectively it seems that a Samba restart is not
> needed.
> Still, I'm a bit scared to do this 'automatically' in the domain...
>
> Also, a note.
> To verify the ACLs I ran:
>
> getfacl -R /var/lib/samba/sysvol/
>
> and found:
>
> a) some ACLs that seem not to be mapped:
>
> # file: var/lib/samba/sysvol//ad.fvg.lnf.it
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:BUILTIN\134server\040operators:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134server\040operators:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:BUILTIN\134server\040operators:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> (eg, group:3000002 and group:3000003)
>
> Ah! Wait! They are listed in both the 'user' and 'group' contexts, and so they
> are probably 'ID_BOTH' identifiers, that clearly cannot be mapped to
> user *and* group...

Correct.. See:
https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh
Lines 101-144 ;-) The checkup parts.

> b) a flood of these errors in /var/log/samba/log.winbindd:
>
> [2019/09/20 15:15:52.727890, 0]
> ../source3/winbindd/winbindd_group.c:45(fill_grent)
> Failed to find domain 'NT AUTHORITY'. Check connection to
> trusted domains!

That should work and you should not have a flood of these messages.
... Well, you know what I want to know of this server ;-)

> This on 'ALL' DCs...

Ok, on ALL DCs. ...you made this problem appear on all DCs... That's not nice ;-) hehe..

Greetz,

Louis
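A check in the spirit of the "checkup parts" mentioned above, as an added example that is neither the linked script nor Samba code: it parses getfacl output, lists every numeric (unresolved) xID found in named user/group entries, and reports whether each ID appears in the user context, the group context, or both, the pattern the thread attributes to ID_BOTH mappings. The sample ACL text is constructed from the listing in the thread.

```shell
#!/bin/sh
# Added example (not the script linked above, not Samba code): report numeric,
# i.e. unresolved, xIDs in getfacl output and the context(s) they occur in.
# On a DC: unresolved_ids "$(getfacl -R /var/lib/samba/sysvol/)"

# Constructed sample, taken from the thread's listing with some entries dropped.
SAMPLE_ACL='# file: var/lib/samba/sysvol//ad.fvg.lnf.it
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user:3000002:rwx
default:group:3000002:rwx'

# unresolved_ids ACLTEXT: one line per numeric ID, "<id> <contexts>", where
# contexts is user, group or user+group. An ID in both contexts is the pattern
# the thread attributes to an ID_BOTH mapping that resolves to neither name.
unresolved_ids() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ { next }                       # skip "# file:", "# owner:", ...
        {
            ctx = $1; id = $2
            if (ctx == "default") { ctx = $2; id = $3 }   # default:user:ID:perm
            if (id ~ /^[0-9]+$/) { seen[id, ctx] = 1; ids[id] = 1 }
        }
        END {
            for (id in ids) {
                c = ""
                if ((id, "user") in seen) c = "user"
                if ((id, "group") in seen) c = (c == "") ? "group" : (c "+group")
                print id, c
            }
        }' | sort -n
}

# count_unresolved ACLTEXT: number of distinct numeric IDs (0 means a clean tree)
count_unresolved() {
    unresolved_ids "$1" | wc -l | tr -d ' '
}

unresolved_ids "$SAMPLE_ACL"
```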
Marco Gaiarin
2019-Sep-24 12:50 UTC
[Samba] Script to sync xID/idmap.ldb, some questions...
Hello! L.P.H. van Belle via samba wrote, on that day...

> > My domain survived a 2-day presence of an ''extraneous'' file in
> > sysvol, so I suppose it does not hurt. ;-)
> No, but it's prone to more risk of problems.
> Just set up an extra (hidden) share on the DC, and use that.
> I do the same, works fine.

Boh, I admit it is not a 'clean' solution, but it seems not to bother sysvol/GPO at all, and it is simpler than defining another sync. ;-)

> > b) a flood of these errors in /var/log/samba/log.winbindd:
> > [2019/09/20 15:15:52.727890, 0]
> > ../source3/winbindd/winbindd_group.c:45(fill_grent)
> > Failed to find domain 'NT AUTHORITY'. Check connection to
> > trusted domains!
> That should work and you should not have a flood of these messages.

I'm still on 4.5, and it seems to be this bug (solved in 4.8):

https://bugzilla.samba.org/show_bug.cgi?id=12164

(but the message flood does not happen on GPO access by clients, only when doing 'getfacl -R', so...)