Hi Rowland,
On 30.07.2021 at 09:54, Rowland Penny via samba wrote:
> On Fri, 2021-07-30 at 08:29 +0200, Thomas Kempf via samba wrote:
>> Hello all,
>> I'm in a network with about 40 OSX-Clients, a couple of Linux and
>> FreeBSD Servers and a growing number of Win10 machines. I have two
>> Samba Servers 4.9.5-Debian on Debian-Buster running as DCs. For ID-
>> Mapping
>
> Can I suggest you have a look here: https://apt.van-belle.nl/
> 4.9.5 is really old
>
OK, until now I still hesitated to leave the Debian packages repo, but
I'll definitely check this out.
>> I'm using the RFC-2307 AD.
>> I set up the bidirectional sysvol replication as documented in the
>> Wiki with the unison/rsync workaround.
>>
>> As samba-tool complained about some sysvol permissions error, I've
>> done a sysvolreset as advised in the wiki
>> https://wiki.samba.org/index.php/Sysvolreset, because my Domain
>> Admins group had a gidNumber.
>
> Can I suggest you create another group and use that instead of Domain
> Admins.
This is what I already did this morning. I created a new admin group
using the same gidNumber as Domain Admins had before and removed the
gidNumber from Domain Admins. After that I resynchronized idmap.ldb to
the second DC, including net cache flush on both DCs. I also removed
idmap_ldb:use rfc2307 = yes from my DCs' configuration and restarted
them.
>>
>> The Sysvol seems OK on the machine to which I connected, but the
>> ACL changes during the sysvolreset don't get synchronized to the
>> other DC.
>
> That is correct, you also need to sync idmap.ldb from the DC with the
> PDC_Emulator FSMO role to all other DCs.
Does this mean I always have to do a manual full resync to my second DC
when I only change ACLs on the policies?
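The resync Rowland describes (idmap.ldb from the PDC emulator to the other DC, then sysvol with its ACLs), written out as a script. This is an added example, not code from the thread or from the Samba wiki; it assumes it runs as root on the PDC emulator with root SSH access to the other DC, Debian default paths, and that DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): push idmap.ldb from the PDC emulator
# DC to a second DC, then replicate sysvol including ACLs.
# Assumptions: root on the PDC emulator, root SSH to the other DC, Debian
# default paths. DRY_RUN=1 prints the commands instead of running them.
set -eu

PRIVATE_DIR=${PRIVATE_DIR:-/var/lib/samba/private}
SYSVOL_DIR=${SYSVOL_DIR:-/var/lib/samba/sysvol}
DRY_RUN=${DRY_RUN:-0}

# run: print the command under DRY_RUN=1, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# sync_idmap <other_dc>: copy a consistent snapshot of idmap.ldb to other_dc
# and drop its cache so the new uid/gid mappings take effect there
sync_idmap() {
    dc=$1
    # tdbbackup writes idmap.ldb.bak safely while samba keeps the db open
    run tdbbackup -s .bak "$PRIVATE_DIR/idmap.ldb"
    run scp "$PRIVATE_DIR/idmap.ldb.bak" "root@$dc:$PRIVATE_DIR/idmap.ldb"
    run ssh "root@$dc" "net cache flush"
}

# sync_sysvol <other_dc>: reset sysvol ACLs here, replicate sysvol with
# POSIX ACLs (-A) and xattrs (-X, which carry the NT ACL) to other_dc,
# then reset there so the copied ACLs match its (now identical) idmap
sync_sysvol() {
    dc=$1
    run samba-tool ntacl sysvolreset
    run rsync -XAavz --delete-after "$SYSVOL_DIR/" "root@$dc:$SYSVOL_DIR/"
    run ssh "root@$dc" "samba-tool ntacl sysvolreset"
}

# resync_dc <other_dc>: idmap first, because the POSIX ACLs in sysvol refer
# to the uid/gid values that idmap.ldb assigns
resync_dc() {
    sync_idmap "$1"
    sync_sysvol "$1"
}

if [ "$#" -ge 1 ]; then
    resync_dc "$1"
fi
```

Run it as `./resync.sh dc2` from the PDC emulator after an ACL change on a policy; the same sequence with DRY_RUN=1 shows what would be executed without touching either DC.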