Rowland Penny
2024-Dec-16 11:23 UTC
[Samba] preparing for a new site with an extra domain controller
On Mon, 16 Dec 2024 10:33:59 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 12.12.24 at 10:48, Stefan G. Weichinger via samba wrote:
> > On 10.12.24 at 15:10, Luis Peromarta via samba wrote:
> >> No issue, sync will continue next time network is up.
> >
> > great
> >
> > As I prepare that I also hit the fact that I should switch from
> > one-directional sysvol-sync to bi/multidirectional sync via unison
> > or osync.
> >
> > That means I have to switch over the existing syncing also, right
> > now we do the basic rsync-syncing. I will do that first, after
> > backups and rtfm.
>
> switched over to unison, looks good
>
> Now I prepare joining the third DC. That will happen after sending
> the appliance to the new site, to have the correct IPs and routing
> etc in place.
>
> (AFAIK changing IPs after joining is bad, so I will only start the
> joining when it's in the correct place)
>
> -
>
> I read howtos like:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> I have joined Samba DCs in the past, so I think I got that part
> right, but let me quote something that is written a bit misleadingly.
>
> Keep in mind that I am not a native speaker, my first language is
> German.
>
> In the section "Built-in User & Group ID Mappings" there's that red
> block telling me:
>
> "You need to sync idmap.ldb when you first join a new DC and then
> regularly, to ensure the IDs remain constant, you do not need to sync
> idmap.ldb every time you sync SysVol but as stated in the mailing
> list it should be done periodically."
>
> So what?
>
> 1) sync it at first
> 2) do not sync it every time with sysvol
> 3) sync it periodically

I am now not entirely convinced that '3' is required if you only use
the DC in the recommended way, that is only for authentication and no
shares other than sysvol & netlogon.

The 'idmap_ldb' backend that a DC uses allocates the IDs on a
first-come basis, and because the AD admin users & groups generally do
not get the same IDs on all DCs, you need to ensure that these users &
groups have the same IDs on all DCs. The way to do this is to sync
idmap.ldb from the DC that holds the 'main' Sysvol to all others. Now,
as the users that you want to have the same IDs on all DCs only get
their ID once, it doesn't really matter that your main users have
different IDs; they aren't really used on the DCs, Windows and Unix
domain members ensure they are known on those machines.

Rowland

> I don't do 3) for years in two sites ... and afaik it didn't hurt
>
> How often is "periodically"? daily/weekly/monthly?
>
> Why not provide an example or add that to the "SysVol replication"
> cron-jobs (or as similar instructions) as well, if it's necessary?
>
> to me it's a bit unclear and could be easily missed (as mentioned I
> don't do it so far)
>
> thoughts? explanation?
>
> just my 2 cents, maybe the docs could be improved here. thanks all!
Stefan G. Weichinger
2024-Dec-17 08:01 UTC
[Samba] preparing for a new site with an extra domain controller
On 16.12.24 at 12:23, Rowland Penny via samba wrote:
> On Mon, 16 Dec 2024 10:33:59 +0100
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>> 1) sync it at first
>> 2) do not sync it every time with sysvol
>> 3) sync it periodically
>
> I am now not entirely convinced that '3' is required if you only use
> the DC in the recommended way, that is only for authentication and no
> shares other than sysvol & netlogon.

I run them this way.

> The 'idmap_ldb' backend that a DC uses allocates the IDs on a
> first-come basis, and because the AD admin users & groups generally do
> not get the same IDs on all DCs, you need to ensure that these users &
> groups have the same IDs on all DCs. The way to do this is to sync
> idmap.ldb from the DC that holds the 'main' Sysvol to all others. Now,
> as the users that you want to have the same IDs on all DCs only get
> their ID once, it doesn't really matter that your main users have
> different IDs; they aren't really used on the DCs, Windows and Unix
> domain members ensure they are known on those machines.

Does /var/lib/samba/private/idmap.ldb (path on Debian) contain all the
users?

If I don't resync it I assume it is updated by the AD replication
within Samba, right? Otherwise new users wouldn't be distributed.

(just wondering)

OK, I will start that third DC as I did start the second: run steps 1)
and 2)

thanks!
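An added example, not code from the thread or from the Samba project: a small Python check that compares idmap.ldb dumps from two DCs and reports SIDs mapped to different xidNumbers, which is exactly the first-come allocation drift Rowland describes and the thing to verify before deciding whether a periodic resync matters for your site. The two LDIF dumps are constructed samples; the dump command, the Debian path and the sidMap attribute names (objectSid, xidNumber, type) are assumptions about the ldbsearch output format.

```python
import re

# Constructed sample dumps in the record layout ldbsearch prints. Assumed to
# be produced on each DC with:
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' \
#             objectSid xidNumber type
# Here the two BUILTIN groups were allocated in opposite order on each DC.
DC1_DUMP = """\
# record 1
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001

# returned 2 records
"""

DC2_DUMP = DC1_DUMP.replace("3000000", "X").replace("3000001", "3000000").replace("X", "3000001")


def parse_idmap_ldif(text):
    """Map objectSid -> (xidNumber, type) from an ldbsearch dump of idmap.ldb."""
    mapping = {}
    for block in re.split(r"\n\s*\n", text):          # records are blank-line separated
        attrs = dict(line.split(": ", 1) for line in block.splitlines()
                     if ": " in line and not line.startswith("#"))
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = (int(attrs["xidNumber"]), attrs.get("type"))
    return mapping


def idmap_mismatches(main_text, other_text):
    """Return (SIDs with differing xidNumber, SIDs only the other DC has mapped).
    The first set is what a resync from the main Sysvol DC would change on the
    other DC; the second set would be renumbered by it."""
    main, other = parse_idmap_ldif(main_text), parse_idmap_ldif(other_text)
    differ = {sid: (main[sid][0], other[sid][0])
              for sid in main if sid in other and main[sid][0] != other[sid][0]}
    return differ, sorted(set(other) - set(main))


if __name__ == "__main__":
    differ, only_other = idmap_mismatches(DC1_DUMP, DC2_DUMP)
    for sid, (a, b) in sorted(differ.items()):
        print(f"{sid}: main DC {a} != other DC {b}")
    print("only on other DC:", only_other)
```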