On 30.07.2021 at 11:15, Rowland Penny via samba wrote:
> On Fri, 2021-07-30 at 11:01 +0200, Thomas Kempf via samba wrote:
>>> You have to run sysvolreset on all DC's
>> can I do this safely now having removed the gidNumber from Domain
>> Admins?
>
> Yes
>
>>> this doesn't mean that you need to sync idmap.ldb, only if you have
>>> made user or group changes.
>> ok, but shouldn't this be done automagically by the implemented
>> "Bidirectional Rsync/Unison based SysVol replication workaround" ?
>
> No, because that method does not sync idmap.ldb

Sorry, I fear I was not clear in what I meant.
As far as I understood, there will be no change in idmap.ldb when I'm not making any user or group changes, so there is no need to resync idmap.ldb each time I change the ACL on a GPO.
But if I change only the Delegation on one Policy, which AFAIK leads to a changed ACL in the FSMO DC's sysvol, shouldn't these ACL changes be synced to the other DC automatically by Unison? This is what does not work here.

Kind Regards
Tom
On Fri, 2021-07-30 at 11:26 +0200, Thomas Kempf via samba wrote:
> Sorry, I fear I was not clear in what I meant.
> As far as I understood, there will be no change in idmap.ldb when I'm
> not making any user or group changes, so there is no need to resync
> idmap.ldb each time I change the ACL on a GPO.

Yes

> But if I change only the Delegation on one Policy, which AFAIK leads to
> a changed ACL in the FSMO DC's sysvol, shouldn't these ACL changes be
> synced to the other DC automatically by Unison?

If the ACL on disk is changed, then it should be synced, but if the changes are only in sam.ldb, then replication should sync the changes.

I do not use the unison method, so cannot really comment on it, have you tried one of the other methods ?

Rowland
Automatic SysVol replication with the help of "watcher", a recursive incron.

https://github.com/splitbrain/Watcher

"Watcher is a daemon that watches specified files/folders for changes and fires commands in response to those changes. It is similar to incron, however, configuration uses a simpler to read ini file instead of a plain text file. Unlike incron it can also recursively monitor directories."

Watcher needs "python-inotify". Install it using your package manager.

Follow the general instructions for SysVol replication on the Samba WiKi:

https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround

Please note that the rsync command line will have to be slightly modified. Since the SysVol events will be detected on the source DC, replication will be made in push mode, not in pull mode as per the Samba Wiki.

Test the rsync command line manually before automating it. Since we are using "--delete-after", a mistake can be catastrophic for your target system. Use --dry-run and -v (verbose) on the command line, like this:

/bin/rsync --dry-run -XAavuz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret /usr/local/samba/var/sysvol/ rsync://sysvol-replication@[IP_OR_NAME_OF_DESTINATION_DC]/SysVol/

Once you are happy with the results, you can remove "--dry-run" and -v (this can cause a very large watcher log file, but you can keep it if you like) from the rsync command line and use the form included in watcher.ini.

Put "watcher.py" and "watcher.ini" in a secure place, giving them appropriate permissions.

Edit "watcher.ini" according to your needs. I have the following:

; ----------------------
; General Settings
; ----------------------
[DEFAULT]

; where to store output
logfile=/tmp/watcher.log

; where to save the PID file
pidfile=/tmp/watcher.pid

; ----------------------
; Job Setups
; ----------------------

[SysVol_Replication]
; directory or file to watch. Probably should be abs path.
watch=/usr/local/samba/var/sysvol

; list of events to watch for.
; supported events:
; 'access' - File was accessed (read) (*)
; 'attribute_change' - Metadata changed (permissions, timestamps, extended attributes, etc.) (*)
; 'write_close' - File opened for writing was closed (*)
; 'nowrite_close' - File not opened for writing was closed (*)
; 'create' - File/directory created in watched directory (*)
; 'delete' - File/directory deleted from watched directory (*)
; 'self_delete' - Watched file/directory was itself deleted
; 'modify' - File was modified (*)
; 'self_move' - Watched file/directory was itself moved
; 'move_from' - File moved out of watched directory (*)
; 'move_to' - File moved into watched directory (*)
; 'open' - File was opened (*)
; 'all' - Any of the above events are fired
; 'move' - A combination of 'move_from' and 'move_to'
; 'close' - A combination of 'write_close' and 'nowrite_close'
;
; When monitoring a directory, the events marked with an asterisk (*) above
; can occur for files in the directory, in which case the name field in the
; returned event data identifies the name of the file within the directory.
events=attribute_change,create,delete,modify

; Comma separated list of excluded dir. Absolute path needed.
; Leave blank if no excluded dir set
excluded

; if true, watcher will monitor directories recursively for changes
recursive=true

; if true, watcher will automatically watch new subdirectory
autoadd=true

; the command to run. Can be any command. It's run as whatever user started watcher.
; The following wildcards may be used inside command specification:
; $$ dollar sign
; $watched watched filesystem path (see above)
; $filename event-related file name
; $tflags event flags (textually)
; $nflags event flags (numerically)
; $cookie event cookie (integer used for matching move_from and move_to events, otherwise 0)
command=/bin/rsync -XAauz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret /usr/local/samba/var/sysvol/ rsync://sysvol-replication@[IP_OR_NAME_OF_DESTINATION_DC]/SysVol/

As you can see under the "events" section, we are monitoring creation, deletion, modification and attribute changes of files and directories inside sysvol.

Start the watcher.py daemon, giving as a parameter the location of "watcher.ini":

/somefolder/watcher.py -c /somefolder/watcher.ini start

You can now watch the results. Input the following at the source DC (attention, your paths may differ):

mkdir /usr/local/samba/var/sysvol/newdir
touch /usr/local/samba/var/sysvol/newdir/newfile
rm -f /usr/local/samba/var/sysvol/newdir/newfile
rmdir /usr/local/samba/var/sysvol/newdir

Creation and deletion of files and folders will be immediately mirrored on the target DC. File and directory ACLs will be correctly replicated as well.

The same method can be used to sync idmap.ldb from the DC with the PDC_Emulator FSMO role to the other DC's.
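The post's two warnings (test the rsync line with --dry-run first because --delete-after can wipe the target, and keep attribute_change in the event list so that ACL-only edits fire) lend themselves to a small pre-flight script. The following Python is an added example and not code from the Watcher project, Samba or the post; it assumes the watcher.ini layout shown above and the line format of `rsync --dry-run --itemize-changes`. The host dc2.example.com, the rsync output and every GUID other than the two well-known default-policy GUIDs are constructed. It checks that the job carries -A and -X (Samba keeps the NT ACL in the security.NTACL xattr, so without -X a delegation change never reaches the other DC), that the source path ends in a slash and that --dry-run was not left in, and it refuses the real push when the dry run would delete a top-level entry (the domain folder, which an empty or unmounted source produces) or more entries than routine GPO edits should:

```python
"""Pre-flight checks for the watcher + rsync SysVol push replication described
above.  Added example, not code from the Watcher project, Samba or the post;
it assumes the watcher.ini layout shown there and the line format produced by
`rsync --dry-run --itemize-changes`.  All sample data is constructed and
dc2.example.com is a made-up destination DC."""
import configparser
import shlex

# 'attribute_change' is the event that fires when only a GPO's delegation (its
# NT ACL, kept by Samba in the security.NTACL xattr) is edited on the source DC.
REQUIRED_EVENTS = {"attribute_change", "create", "delete", "modify"}


def check_watcher_config(ini_text: str) -> list:
    """Return the problems found in the job sections of a watcher.ini (empty == OK)."""
    cfg = configparser.ConfigParser(allow_no_value=True)  # for the bare 'excluded' key
    cfg.read_string(ini_text)
    problems = []
    for job in cfg.sections():
        sec = cfg[job]
        events = {e.strip() for e in (sec.get("events") or "").split(",") if e.strip()}
        missing = REQUIRED_EVENTS - events
        if "all" not in events and missing:
            problems.append(f"{job}: events lacks {sorted(missing)}")
        argv = shlex.split(sec.get("command") or "")
        # Short options may be clustered (-XAauz); gather every letter.
        short = "".join(a[1:] for a in argv[1:] if a.startswith("-") and not a.startswith("--"))
        longs = {a for a in argv[1:] if a.startswith("--")}
        if ("A" not in short and "--acls" not in longs) or ("X" not in short and "--xattrs" not in longs):
            problems.append(f"{job}: rsync needs -A and -X, or NT ACLs (security.NTACL) are not copied")
        if "--dry-run" in longs or "n" in short:
            problems.append(f"{job}: --dry-run left in the command; nothing would ever be replicated")
        positional = [a for a in argv[1:] if not a.startswith("-")]
        if len(positional) != 2 or not positional[0].endswith("/"):
            problems.append(f"{job}: source must be the sysvol directory with a trailing slash")
    return problems


def summarize_dry_run(itemized: str) -> dict:
    """Group `rsync --itemize-changes` lines by what the real run would do.
    Flag layout is YXcstpoguax: '*deleting' marks a removal, all '+' a new
    entry on the target, '<'/'>' a content transfer, 'a'/'x' ACL/xattr changes."""
    out = {"delete": [], "create": [], "transfer": [], "meta": []}
    for line in itemized.splitlines():
        if not line.strip():
            continue
        flags, path = line.split(None, 1)
        if flags == "*deleting":
            out["delete"].append(path)
        elif flags[2:] == "+++++++++":
            out["create"].append(path)
        elif flags[0] in "<>":
            out["transfer"].append(path)
        else:
            out["meta"].append(path)  # times, perms, ACL or xattr only
    return out


def replication_is_safe(summary: dict, max_deletes: int = 25) -> tuple:
    """Gate for the real --delete-after run: refuse when the dry run deletes a
    top-level entry (the domain folder, which an empty or unmounted source
    produces) or more entries than routine GPO edits should."""
    top = [p for p in summary["delete"] if "/" not in p.rstrip("/")]
    if top:
        return False, f"would delete top-level entries {top}; is the source empty?"
    if len(summary["delete"]) > max_deletes:
        return False, f"{len(summary['delete'])} deletions exceed the limit of {max_deletes}"
    return True, f"{len(summary['delete'])} deletions, {len(summary['meta'])} metadata-only changes"


# The job from the post, with a made-up destination DC.
SAMPLE_INI = """\
[DEFAULT]
logfile=/tmp/watcher.log
pidfile=/tmp/watcher.pid

[SysVol_Replication]
watch=/usr/local/samba/var/sysvol
events=attribute_change,create,delete,modify
excluded
recursive=true
autoadd=true
command=/bin/rsync -XAauz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret /usr/local/samba/var/sysvol/ rsync://sysvol-replication@dc2.example.com/SysVol/
"""
# Same job with three mistakes: no attribute_change, no -A/-X, no trailing slash.
WEAK_INI = (SAMPLE_INI.replace("attribute_change,", "").replace("-XAauz", "-auz")
            .replace("var/sysvol/ rsync", "var/sysvol rsync"))

# Constructed dry-run output: a delegation change on the Default Domain Policy
# (ACL/xattr only), one new GPO, one edited GPT.INI and one GPO removed.
SAMPLE_DRY_RUN = """\
.d..t...... samdom.example.com/Policies/
.d......a.x samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
.f......a.x samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
cd+++++++++ samdom.example.com/Policies/{0D6A2D9A-5F7C-4E3B-9A11-6B3C2F0E1A77}/
>f+++++++++ samdom.example.com/Policies/{0D6A2D9A-5F7C-4E3B-9A11-6B3C2F0E1A77}/GPT.INI
>f.st...... samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI
*deleting   samdom.example.com/Policies/{9F3A5B2C-1234-4CDE-8AB9-0123456789AB}/GPT.INI
*deleting   samdom.example.com/Policies/{9F3A5B2C-1234-4CDE-8AB9-0123456789AB}/
"""
```

In use, run the post's rsync line with `--dry-run --itemize-changes` added, feed its stdout to `summarize_dry_run`, and start the real push only when `replication_is_safe` returns True; a meta-only result with `a`/`x` flags on a GPO folder is exactly what a Delegation change on the FSMO DC looks like, and it only appears at all when -A and -X are on the command line.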
On 30.07.2021 at 11:45, Rowland Penny via samba wrote:
> On Fri, 2021-07-30 at 11:26 +0200, Thomas Kempf via samba wrote:
>> But if I change only the Delegation on one Policy, which AFAIK leads to
>> a changed ACL in the FSMO DC's sysvol, shouldn't these ACL changes be
>> synced to the other DC automatically by Unison?
>
> If the ACL on disk is changed, then it should be synced, but if the
> changes are only in sam.ldb, then replication should sync the changes.
>
> I do not use the unison method, so cannot really comment on it, have
> you tried one of the other methods ?

I switched from rsync replication to unison because of its bidirectional capabilities. Since I only recently started deploying more GPOs, there were no big problems with unison/rsync. But before changing sysvol sync back to rsync, I'll have a look into switching the samba version to something more recent, as you suggested.
Thank you for your help up to this point and for clarification of some facts which were not really clear to me.
One thing is still on my list of big question marks. Is there anywhere a list of well-known SIDs which should have no gidNumber set, or is DA the only one?

kind regards
Tom
hi miguel,

thank you for this proposal. Does this sync method have any advantages compared to standard rsync as described in the wiki ?

On 30.07.2021 at 11:51, miguel medalha via samba wrote:
> Automatic SysVol replication with the help of "watcher", a
> recursive incron.
>
> https://github.com/splitbrain/Watcher
>
> [...]