cn at brain-biotech.de
2022-Nov-22 19:59 UTC
[Samba] several offices: home dirs, local resources, ...
Maybe this helps? https://serverfault.com/questions/936172/active-directory-site-level-group-policy-not-applied

On 22 November 2022 20:36:04 CET, Michael Tokarev via samba <samba at lists.samba.org> wrote:
> 22.11.2022 21:59, cn--- via samba wrote:
>> Sorry for top posting.
>
> That's entirely okay, thank you!
>
>> So, I'll try to answer your questions.
>>
>> Why not use a DC as file server:
>>
>> It is slower, because e.g. all the traffic is signed.
>> Because every DC uses its own idmap file, you have to keep that in sync and use the AD idmap backend. RID, for example, does not work, I think.
>> The file server on a DC behaves differently with regards to Administrator mappings.
>
> Yeah. All this seems to be irrelevant in the context of domain-level MSDFS root shares,
> whose only purpose is to give the connecting client a referral, - where to find the actual
> data (server/share), and clients even cache this info.
>
> idmap needs to be synchronized anyway, or else sysvol permissions can't be synchronized properly.
> Yes, idmap_rid doesn't work; actually the whole idmap config* is ignored, winbind in AD uses
> its own way for idmapping.
>
>> As for the DNS:
>>
>> It does work to use another DNS server. However, this is a lot of manual labor, and if it does not work, folks here are likely to say it is your DNS.
>
> The second part is very much understandable, I faced it already several times :)
>
> For the first, it is not difficult at all, - grabbing dns_update_cache files from
> servers (much easier when all of them are containers on the same server, so directly
> accessible from the host filesystem) to a host which manages DNS, and converting
> them into regular DNS zone format with a trivial 3-line shell fragment, -- it is
> all set up in some 10 minutes, especially if config synchronization is already
> working between the offices. And once any file changes, the zone is regenerated
> and signed automatically, and downstream resolvers are notified and update the
> zone content.
>
>> As for your roaming profile question:
>> You can specify a GPO for a site. That should help you if I understood your question right.
>
> Can you give an example please? I can't find a way to map the home/profile path to
> a site-specific name, - be the GPO itself site-specific or not. It smells like
> GPO can be used there, but I can't find a way to do that.
>
> Thank you very much Christian!
>
> Your reply makes me hope (just a little bit), maybe my questions aren't completely
> stupid after all.. :)
>
> /mjt

--
Dr. Christian Naumer
Vice President, Unit Head Bioprocess Development
BRAIN Biotech AG
Darmstaedter Str. 34-36, 64673 Zwingenberg, Germany
T: +49 6251 9331-30  F: +49 6251 9331-11
cn at brain-biotech.com
www.brain-biotech.com
Registered office: Zwingenberg | Bergstrasse
Commercial register: AG Darmstadt | HRB 24758
Management Board: Adriaan Moelker (Chairman of the Management Board) | Michael Schneiders
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
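The dns_update_cache conversion Michael describes in the quoted message, as an added example that is not code from the thread or from the Samba project: a shell function that merges the cache files pulled from several DCs into BIND-style zone records. It assumes the "TYPE name value..." line layout that samba_dnsupdate writes and Samba's SRV priority 0 / weight 100; the sample cache lines are constructed.

```shell
#!/bin/sh
# Added example: merge Samba dns_update_cache files from several DCs into
# BIND-style zone records. Assumed cache line layout (as written by
# samba_dnsupdate; check it against your own files before relying on it):
#   A     <name> <ip>
#   AAAA  <name> <ip>
#   CNAME <name> <target>
#   NS    <name> <target>
#   SRV   <name> <target> <port>

# Constructed sample standing in for /var/lib/samba/private/dns_update_cache
sample_cache() {
  cat <<'EOF'
A dc1.ad.example.com 192.0.2.10
A ad.example.com 192.0.2.10
SRV _ldap._tcp.ad.example.com dc1.ad.example.com 389
SRV _kerberos._udp.ad.example.com dc1.ad.example.com 88
CNAME alias.ad.example.com dc1.ad.example.com
BOGUS something
EOF
}

# Read one or more cache files (or stdin) and emit absolute-name zone records.
# A record present in several DCs' caches is emitted once (sort -u); unknown
# line types are reported on stderr rather than silently dropped.
cache_to_zone() {
  awk '
    $1 == "A" || $1 == "AAAA"   { printf "%s. IN %s %s\n", $2, $1, $3; next }
    $1 == "CNAME" || $1 == "NS" { printf "%s. IN %s %s.\n", $2, $1, $3; next }
    # Samba registers SRV records with priority 0 and weight 100 (assumption)
    $1 == "SRV"                 { printf "%s. IN SRV 0 100 %s %s.\n", $2, $4, $3; next }
    { print "skipped unrecognised line: " $0 > "/dev/stderr" }
  ' "$@" | sort -u
}

# Number of records produced, a cheap sanity check after each regeneration.
zone_record_count() {
  cache_to_zone "$@" 2>/dev/null | grep -c .
}
```

Feed the output into the zone file your DNS host serves (the SOA and $ORIGIN lines are yours to add), then re-sign and notify as usual.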
Michael Tokarev
2022-Nov-22 20:36 UTC
[Samba] several offices: home dirs, local resources, ...
22.11.2022 22:59, cn--- via samba wrote:
> Maybe this helps?
>
> https://serverfault.com/questions/936172/active-directory-site-level-group-policy-not-applied

It's an interesting find too, - replication delays are something I'm always forgetting about, I already faced something similar in another part. (The part which is asked in this serverfault question I solved with a DNS local-data override, it is trivial to do.)

But no, this is not it. I'm asking *what* to apply (at site or OU or other level), not how or where to apply it. I mean, which policy is it, which setting to touch? Roaming profiles, - it is either per-user or per-machine, is there a GPO for it..

It looks like I'm just too tired now after all this discussion and searching and countless failed attempts. There are multiple problems and multiple possible solutions, and all this mess is now intermixed in my mind in a weird way. And I don't understand anymore which problem I'm trying to solve. I need to rest.

There's user folder redirection (redirecting My Documents and the like folders) which can be configured in GPO and linked to sites or OUs or using other criteria. For profile redirection things are a bit less sophisticated, user profile settings can be applied to a machine or to a user (without GPO it seems). Here's the info, for example: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789199(v=ws.11)

I'll come from there tomorrow.

What's missing still is msdfs-root at domain level, - which is just a couple of extra attributes it seems, which samba DC needs to support (it's my question in another email).

Things are starting to make sense. Thank you very much for the help, for the clear and to the point replies. Very much appreciated!

/mjt