Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[Samba] Sysvol replication with Unison for more than 2 server.
292 views
Skip to first unread message
Min Wai Chan
Oct 2, 2014, 11:30:02 AM10/2/14
to
Dear Louis,
Just to check...
Would it be possible to have more than 2 DC using Unison to sync?
I was trying to make this to the samba wiki.
But when reading the list I see Rowland talking about the SID and RID issue
Because of built-in group SID is not sync across domain.
Which I think samba should have their own way of dealing this or it will
just be a mess in a long run.
Did we have any trick to deal with this built-in group UID/RID temporary?
I remember saw something like io notice/fam to monitor the sysvol and
trigger unison when change happen.
but I'm not sure how it would help when you have more than 3 server...
Regards,
Min Wai
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Just to check...
Would it be possible to have more than 2 DC using Unison to sync?
I was trying to make this to the samba wiki.
But when reading the list I see Rowland talking about the SID and RID issue
Because of built-in group SID is not sync across domain.
Which I think samba should have their own way of dealing this or it will
just be a mess in a long run.
Did we have any trick to deal with this built-in group UID/RID temporary?
I remember saw something like io notice/fam to monitor the sysvol and
trigger unison when change happen.
but I'm not sure how it would help when you have more than 3 server...
Regards,
Min Wai
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Ryan Ashley
Oct 2, 2014, 11:40:02 AM10/2/14
to
I have done this with Unison in a single environment and had no issues
thus far. I am out sick today with a fever but can get the details next
week.
thus far. I am out sick today with a fever but can get the details next
week.
Rowland Penny
Oct 2, 2014, 1:10:02 PM10/2/14
to
On 02/10/14 16:26, Min Wai Chan wrote:
> Dear Louis,
>
> Just to check...
> Would it be possible to have more than 2 DC using Unison to sync?
>
> I was trying to make this to the samba wiki.
>
> But when reading the list I see Rowland talking about the SID and RID
> issue
> Because of built-in group SID is not sync across domain.
Ahh, I dropped a right clanger there, when I said SID I meant RID, it
> Dear Louis,
>
> Just to check...
> Would it be possible to have more than 2 DC using Unison to sync?
>
> I was trying to make this to the samba wiki.
>
> But when reading the list I see Rowland talking about the SID and RID
> issue
> Because of built-in group SID is not sync across domain.
would seem that when you join a DC to a domain, idmap.ldb does not get
replicated to the new DC and so the RID's could be and probably are
different. This is not really a problem, just copy idmap.ldb from the
original DC to the new one.
Rowland
Min Wai Chan
Oct 2, 2014, 1:20:02 PM10/2/14
to
Dear Rowland,
When should we copy the idmap.ldb?
After join the AD DC before start samba or
Only after started samba let it sync later only power off and copy over the
idmap.ldb?
which is much preferable.
Thank You.
On Fri, Oct 3, 2014 at 1:07 AM, Rowland Penny <rowlan...@googlemail.com>
wrote:
When should we copy the idmap.ldb?
After join the AD DC before start samba or
Only after started samba let it sync later only power off and copy over the
idmap.ldb?
which is much preferable.
Thank You.
On Fri, Oct 3, 2014 at 1:07 AM, Rowland Penny <rowlan...@googlemail.com>
wrote:
L.P.H. van Belle
Oct 3, 2014, 2:50:01 AM10/3/14
to
Hello Min Wai,
I havent tested it with more than 2 server but in my opionion it should work if you make sure you set gpo and work on 1 machine.
for example.
You work on the sysvol of DC1 only. then you can sync to unlimited DC's.
you let DC1 do al the syncing. ( the cron job on this machine. )
With only 2 DC's you can work on both DC's, in this case sync both ways works ok, this i have tested.
to overcome some of the rights issues..
The DC's only work as DC, just sysvol as shares ( and netlogon )
The 2 DC's i've running, will be accessed only from windows computers. and i have set the following.
[sysvol]
path = /var/lib/samba/sysvol
read only = No
acl_xattr:ignore system acl = yes <==
http://www.samba.org/samba/docs/man/manpages/vfs_acl_xattr.8.html
If you only access the data via Samba you might set this to yes to achieve better NT ACL compatibility.
and in this case i set my rights from windows on the share, and i dont have any rights problems as far as i have seen.
The acl_xattr is not really needed, but i noticed it made it more easy to setup, since you dont have to look at the linux rights in the background.
Hope this helps you out a but.
Best regards,
Louis
I havent tested it with more than 2 server but in my opionion it should work if you make sure you set gpo and work on 1 machine.
for example.
You work on the sysvol of DC1 only. then you can sync to unlimited DC's.
you let DC1 do al the syncing. ( the cron job on this machine. )
With only 2 DC's you can work on both DC's, in this case sync both ways works ok, this i have tested.
to overcome some of the rights issues..
The DC's only work as DC, just sysvol as shares ( and netlogon )
The 2 DC's i've running, will be accessed only from windows computers. and i have set the following.
[sysvol]
path = /var/lib/samba/sysvol
read only = No
acl_xattr:ignore system acl = yes <==
http://www.samba.org/samba/docs/man/manpages/vfs_acl_xattr.8.html
If you only access the data via Samba you might set this to yes to achieve better NT ACL compatibility.
and in this case i set my rights from windows on the share, and i dont have any rights problems as far as i have seen.
The acl_xattr is not really needed, but i noticed it made it more easy to setup, since you dont have to look at the linux rights in the background.
Hope this helps you out a but.
Best regards,
Louis
L.P.H. van Belle
Oct 3, 2014, 3:20:02 AM10/3/14
to
This idmap copy is really not needed IF you only use sysvol on the DC.
and you obey the following.
1) You set you GPO as user Administrator
2) or if an other user you use, is member of "Domain\Domain Admins" ( but i did not test this )
The build-in group sid is the same on all servers.
Administrators should be "SID: S-1-5-32-544" ...always.
http://support2.microsoft.com/kb/243330
SID: S-1-5-32-544
Name: Administrators
Description: A built-in group.
After the initial installation of the operating system, the only member of the group is the Administrator account.
When a computer joins a domain, the Domain Admins group is added to the Administrators group.
When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.
All above does not work if you add you own groups etc on sysvol.
I only use the defaults on it and i add user to the needed groups.
If a "Admin2user" adds this to gpo of sysvol, yes then this user can have problems with IDMAP and RIDs.
then a copy of idmap is needed.
I overcome the sid/xid/rid problems by using only Administrator on the GPO/Sysvol work.
Louis
>-----Oorspronkelijk bericht-----
>Van: rowlan...@googlemail.com
>[mailto:samba-...@lists.samba.org] Namens Rowland Penny
>Verzonden: donderdag 2 oktober 2014 19:08
>Aan: sa...@lists.samba.org
>Onderwerp: Re: [Samba] Sysvol replication with Unison for more
>than 2 server.
>
and you obey the following.
1) You set you GPO as user Administrator
2) or if an other user you use, is member of "Domain\Domain Admins" ( but i did not test this )
The build-in group sid is the same on all servers.
Administrators should be "SID: S-1-5-32-544" ...always.
http://support2.microsoft.com/kb/243330
SID: S-1-5-32-544
Name: Administrators
Description: A built-in group.
After the initial installation of the operating system, the only member of the group is the Administrator account.
When a computer joins a domain, the Domain Admins group is added to the Administrators group.
When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.
All above does not work if you add you own groups etc on sysvol.
I only use the defaults on it and i add user to the needed groups.
If a "Admin2user" adds this to gpo of sysvol, yes then this user can have problems with IDMAP and RIDs.
then a copy of idmap is needed.
I overcome the sid/xid/rid problems by using only Administrator on the GPO/Sysvol work.
Louis
>-----Oorspronkelijk bericht-----
>Van: rowlan...@googlemail.com
>[mailto:samba-...@lists.samba.org] Namens Rowland Penny
>Verzonden: donderdag 2 oktober 2014 19:08
>Aan: sa...@lists.samba.org
>Onderwerp: Re: [Samba] Sysvol replication with Unison for more
>than 2 server.
>
Peter Serbe
Oct 3, 2014, 4:50:02 AM10/3/14
to
Dear List,
I tried to build samba-4.2.0rc1 on my Raspi.
I did this:
./configure --prefix=/usr/local/samba \
--with-piddir=/usr/local/samba/var/run \
--with-syslog \
--with-quotas \
--with-acl-support \
--enable-debug
make
Then after a couple of hours it crashes here:
# [3863/3973] Generating manpages/smb.conf.5
# Bus error
# Waf: Leaving directory `/usr/src/samba4/bin'
# Build failed: -> task failed (err #135):
# {task: manpages/smb.conf.5 smb.conf.5.xml,parameters.all.xml -> smb.conf.5}
# Makefile:8: recipe for target 'all' failed
# make: *** [all] Error 1
I don't see anything suspicious in the logs. With one exception:
Oct 2 23:41:03 charon kernel: [103830.052440] smsc95xx 1-1.1:1.0 eth0: kevent 2 may have been dropped
The message occurs about 10 times. But I am not convinced that this is related to
my problem to compile samba-4.2.0rc1.
For the sake of completeness: I run Raspbian Jessie on the machine.
A couple of apt-get updates earlier, compiling samba 4.1.11 and 12
worked like a charm. A first web research revealed that typically
bus errors, i.e. wrongly aligned data words, hint at some messy
pointers. But the log is not verbose enough to give me any idea
on how to attack this problem.
Is this something, which needs to be solved by someone of the
developers? What can I do??
Best regards
Peter
I tried to build samba-4.2.0rc1 on my Raspi.
I did this:
./configure --prefix=/usr/local/samba \
--with-piddir=/usr/local/samba/var/run \
--with-syslog \
--with-quotas \
--with-acl-support \
--enable-debug
make
Then after a couple of hours it crashes here:
# [3863/3973] Generating manpages/smb.conf.5
# Bus error
# Waf: Leaving directory `/usr/src/samba4/bin'
# Build failed: -> task failed (err #135):
# {task: manpages/smb.conf.5 smb.conf.5.xml,parameters.all.xml -> smb.conf.5}
# Makefile:8: recipe for target 'all' failed
# make: *** [all] Error 1
I don't see anything suspicious in the logs. With one exception:
Oct 2 23:41:03 charon kernel: [103830.052440] smsc95xx 1-1.1:1.0 eth0: kevent 2 may have been dropped
The message occurs about 10 times. But I am not convinced that this is related to
my problem to compile samba-4.2.0rc1.
For the sake of completeness: I run Raspbian Jessie on the machine.
A couple of apt-get updates earlier, compiling samba 4.1.11 and 12
worked like a charm. A first web research revealed that typically
bus errors, i.e. wrongly aligned data words, hint at some messy
pointers. But the log is not verbose enough to give me any idea
on how to attack this problem.
Is this something, which needs to be solved by someone of the
developers? What can I do??
Best regards
Peter
Vash
Oct 4, 2014, 4:50:02 AM10/4/14
to
Rowland Penny <rowlandpenny <at> googlemail.com> writes:
Hello!
> Ahh, I dropped a right clanger there, when I said SID I meant RID, it
> would seem that when you join a DC to a domain, idmap.ldb does not get
> replicated to the new DC and so the RID's could be and probably are
> different. This is not really a problem, just copy idmap.ldb from the
> original DC to the new one.
>
SID and uid/gid are not replicated between DCs.
There is no need to copy idmap.ldb.
The right method should be to activate idmap_ldb:use rfc2307 = yes and NIS
extensions.
Read this document:
https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
Instead I think SID and RID should be in sync between DCs, because mapping
is stored in sam.ldb. Right?
--
Eros
Hello!
> Ahh, I dropped a right clanger there, when I said SID I meant RID, it
> would seem that when you join a DC to a domain, idmap.ldb does not get
> replicated to the new DC and so the RID's could be and probably are
> different. This is not really a problem, just copy idmap.ldb from the
> original DC to the new one.
>
There is no need to copy idmap.ldb.
The right method should be to activate idmap_ldb:use rfc2307 = yes and NIS
extensions.
Read this document:
https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
Instead I think SID and RID should be in sync between DCs, because mapping
is stored in sam.ldb. Right?
--
Eros
Rowland Penny
Oct 4, 2014, 5:40:02 AM10/4/14
to
On 04/10/14 09:46, Vash wrote:
> Rowland Penny <rowlandpenny <at> googlemail.com> writes:
>
> Hello!
>
>> Ahh, I dropped a right clanger there, when I said SID I meant RID, it
>> would seem that when you join a DC to a domain, idmap.ldb does not get
>> replicated to the new DC and so the RID's could be and probably are
>> different. This is not really a problem, just copy idmap.ldb from the
>> original DC to the new one.
>>
OK, clanger again
> Rowland Penny <rowlandpenny <at> googlemail.com> writes:
>
> Hello!
>
>> Ahh, I dropped a right clanger there, when I said SID I meant RID, it
>> would seem that when you join a DC to a domain, idmap.ldb does not get
>> replicated to the new DC and so the RID's could be and probably are
>> different. This is not really a problem, just copy idmap.ldb from the
>> original DC to the new one.
>>
For RID read xidNumber ( definitely right this time)
> SID and uid/gid are not replicated between DCs.
other DC's and if you examine the users SID on each DC, they will all be
the same.
> There is no need to copy idmap.ldb.
xidNumbers on all DC's
> The right method should be to activate idmap_ldb:use rfc2307 = yes and NIS
> extensions.
the default. But having said that, this has nothing to do with the problem.
Read it, I could have written it :-D
>
> Instead I think SID and RID should be in sync between DCs, because mapping
> is stored in sam.ldb. Right?
correct, but as I said we really are discussing xidNumber's.
> Instead I think SID and RID should be in sync between DCs, because mapping
> is stored in sam.ldb. Right?
Rowland
Vash
Oct 4, 2014, 9:10:01 AM10/4/14
to
Rowland Penny <rowlandpenny <at> googlemail.com> writes:
> Yes they are, if you create a new user on a DC, it will replicate to any
> other DC's and if you examine the users SID on each DC, they will all be
> the same.
>
Sorry Rowland, you're right about SID, but... if user has not activated
> Yes they are, if you create a new user on a DC, it will replicate to any
> other DC's and if you examine the users SID on each DC, they will all be
> the same.
>
rfc2307 and NIS, the uid/gid -> SID relationship could be different on each
servers.
You can read it in "Possible problems, when RFC2307 is not used" section of
this document:
https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
That's what I meant before.
> There is if you want to ensure that the builtin users have the same
> xidNumbers on all DC's
>
Just to understand.
> Using rfc2307 should be the default (in my opinion), NIS extensions are
> the default. But having said that, this has nothing to do with the problem.
Option --use-rfc2307 during domain provisioning is needed.
> correct, but as I said we really are discussing xidNumber's.
>
Rowland Penny
Oct 4, 2014, 10:40:01 AM10/4/14
to
On 04/10/14 13:37, Vash wrote:
> Rowland Penny <rowlandpenny <at> googlemail.com> writes:
>
>
>> Yes they are, if you create a new user on a DC, it will replicate to any
>> other DC's and if you examine the users SID on each DC, they will all be
>> the same.
>>
> Sorry Rowland, you're right about SID, but... if user has not activated
> rfc2307 and NIS, the uid/gid -> SID relationship could be different on each
> servers.
there is only a relationship between SID and uid/gid numbers if you use
> Rowland Penny <rowlandpenny <at> googlemail.com> writes:
>
>
>> Yes they are, if you create a new user on a DC, it will replicate to any
>> other DC's and if you examine the users SID on each DC, they will all be
>> the same.
>>
> Sorry Rowland, you're right about SID, but... if user has not activated
> rfc2307 and NIS, the uid/gid -> SID relationship could be different on each
> servers.
winbind and the rid backend and yes, they could be different on on each
member server/client and they will definitely be different on the server.
If you do use the rfc2307 attributes and the winbind ad backend, then
you will get the same uid/gid numbers everywhere.
>
> You can read it in "Possible problems, when RFC2307 is not used" section of
> this document:
> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
>
> That's what I meant before.
>
>
>> There is if you want to ensure that the builtin users have the same
>> xidNumbers on all DC's
>>
> So... Why is there the need of copy idmap.ldb if rfc2307 and NIS are activated?
> Just to understand.
>
can and probably will be different on each DC.
>> Using rfc2307 should be the default (in my opinion), NIS extensions are
>> the default. But having said that, this has nothing to do with the problem.
> rfc2307 isn't the default.
> Option --use-rfc2307 during domain provisioning is needed.
>
whether or not you use rfc2307 attributes.
>> correct, but as I said we really are discussing xidNumber's.
>>
> are xidNumber attribute stored in idmap.ldb?
Rowland
steve
Oct 4, 2014, 11:10:01 AM10/4/14
to
On 04/10/14 10:46, Vash wrote:
> Rowland Penny <rowlandpenny <at> googlemail.com> writes:
>
> Hello!
>
>> Ahh, I dropped a right clanger there, when I said SID I meant RID, it
>> would seem that when you join a DC to a domain, idmap.ldb does not get
>> replicated to the new DC and so the RID's could be and probably are
>> different. This is not really a problem, just copy idmap.ldb from the
>> original DC to the new one.
>>
Hi
> Rowland Penny <rowlandpenny <at> googlemail.com> writes:
>
> Hello!
>
>> Ahh, I dropped a right clanger there, when I said SID I meant RID, it
>> would seem that when you join a DC to a domain, idmap.ldb does not get
>> replicated to the new DC and so the RID's could be and probably are
>> different. This is not really a problem, just copy idmap.ldb from the
>> original DC to the new one.
>>
Just for anyone reading the thread in future:
>
> SID and uid/gid are not replicated between DCs.
Yes they are.
> SID and uid/gid are not replicated between DCs.
> There is no need to copy idmap.ldb.
Yes there is.
> The right method should be to activate idmap_ldb:use rfc2307 = yes and NIS
> extensions.
No, it isn't.
> extensions.
Please continue reading the rest of the thread.
HTH save someone some time in future.
Cheers,
Steve
Min Wai Chan
Oct 4, 2014, 1:10:02 PM10/4/14
to
Dear Steve,
Don't worry, I've got it taken care by changing the samba wiki
https://wiki.samba.org/index.php/Join_a_domain_as_a_DC#Note_if_you_AD_DC_is_Samba
:)
Don't worry, I've got it taken care by changing the samba wiki
https://wiki.samba.org/index.php/Join_a_domain_as_a_DC#Note_if_you_AD_DC_is_Samba
:)
steve
Oct 4, 2014, 2:00:02 PM10/4/14
to
On 04/10/14 19:01, Min Wai Chan wrote:
> Dear Steve,
>
> Don't worry, I've got it taken care by changing the samba wiki
>
> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC#Note_if_you_AD_DC_is_Samba
>
> :)
Excellent work. That is gonna save a lot of traffic on this list.
> Dear Steve,
>
> Don't worry, I've got it taken care by changing the samba wiki
>
> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC#Note_if_you_AD_DC_is_Samba
>
> :)
A minor point, here is the English if you have a moment:
If your DC is Samba
There are issues with UID/GID mapping between DCs for the built-in
groups who own files and directories under sysvol. As we have no method
at the moment to replicate the UID/GID from the existing Samba DCs,
please try the following:
Min Wai Chan
Oct 5, 2014, 4:20:02 AM10/5/14
to
Dear All,
I've one question.
If you have run software deployment with GPO before.
You might be noticing a problem
If your software source are on the AD DC your deployment are ok (but that
don't make any sense right)
But if your software installation source are on the Member server, it will
fail by access to share fail...
And I wonder.
If that have something to do with the same problem we are talking now.
The UID/GID mapping for built-in Groups
-- I don't have the environment to test it now :)
But my tough was since the installation will be using local computer
administrator to install the software
The access from the Pc will be from these built-in group Samba have no
problem on that
But problem come from unix when the RID conversation to UID don't match...
Any tough?
I've one question.
If you have run software deployment with GPO before.
You might be noticing a problem
If your software source are on the AD DC your deployment are ok (but that
don't make any sense right)
But if your software installation source are on the Member server, it will
fail by access to share fail...
And I wonder.
If that have something to do with the same problem we are talking now.
The UID/GID mapping for built-in Groups
-- I don't have the environment to test it now :)
But my tough was since the installation will be using local computer
administrator to install the software
The access from the Pc will be from these built-in group Samba have no
problem on that
But problem come from unix when the RID conversation to UID don't match...
Any tough?
Ryan Ashley
Oct 5, 2014, 11:50:02 AM10/5/14
to
I have one quick question pertaining to this. If I sync but inherit
permissions on new files/directories and leave existing permissions in
place for updated, existing files, will I still need to copy idmap? I
have been doing this and it SEEMS to be fine, but I may also have
problems I am not aware of.
permissions on new files/directories and leave existing permissions in
place for updated, existing files, will I still need to copy idmap? I
have been doing this and it SEEMS to be fine, but I may also have
problems I am not aware of.
Min Wai Chan
Oct 5, 2014, 3:00:02 PM10/5/14
to
Ryan,
You will still have problem.
- When GPO are created on DC1, it will have the DC1 build UID and GID
- When this GPO is read on DC1 --> no problem
- When DC2 read this GPO, it will think that something is wrong as it have
a different UID and GID... GPO Manager will ask if you want to change the
permission?
- It might fail when DC2 want to sending this GPO but request was from
different UID/GID (in samba) and thus access are deny by linux core.
Not sure if I'm getting it right.
But I think that what happen :)
You will still have problem.
- When GPO are created on DC1, it will have the DC1 build UID and GID
- When this GPO is read on DC1 --> no problem
- When DC2 read this GPO, it will think that something is wrong as it have
a different UID and GID... GPO Manager will ask if you want to change the
permission?
- It might fail when DC2 want to sending this GPO but request was from
different UID/GID (in samba) and thus access are deny by linux core.
Not sure if I'm getting it right.
But I think that what happen :)
James
Oct 5, 2014, 9:30:02 PM10/5/14
to
How often would one need to sync the file across DC's?
On 10/4/2014 1:50 PM, steve wrote:
> On 04/10/14 19:01, Min Wai Chan wrote:
>> Dear Steve,
>>
>> Don't worry, I've got it taken care by changing the samba wiki
>>
>> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC#Note_if_you_AD_DC_is_Samba
>>
>>
>> :)
>
> Excellent work. That is gonna save a lot of traffic on this list.
>
> A minor point, here is the English if you have a moment:
> If your DC is Samba
> There are issues with UID/GID mapping between DCs for the built-in
> groups who own files and directories under sysvol. As we have no
> method at the moment to replicate the UID/GID from the existing Samba
> DCs, please try the following:
>
> Cheers,
> Steve
>
--
-James
>> Dear Steve,
>>
>> Don't worry, I've got it taken care by changing the samba wiki
>>
>> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC#Note_if_you_AD_DC_is_Samba
>>
>>
>> :)
>
> Excellent work. That is gonna save a lot of traffic on this list.
>
> A minor point, here is the English if you have a moment:
> If your DC is Samba
> There are issues with UID/GID mapping between DCs for the built-in
> groups who own files and directories under sysvol. As we have no
> method at the moment to replicate the UID/GID from the existing Samba
> DCs, please try the following:
>
> Cheers,
> Steve
>
--
steve
Oct 6, 2014, 2:00:01 AM10/6/14
to
On 06/10/14 03:26, James wrote:
> How often would one need to sync the file across DC's?
Once.
> How often would one need to sync the file across DC's?
James
Oct 6, 2014, 10:50:03 AM10/6/14
to
Thanks Steve. I noticed after making the change on existing DC's I have
some file permissions I need to clean up. Users unable to access
documents due to folder redirect to DC. Removing and applying the user
ACL rights resolves it. I figured this would be an issue but anything
else that may creep up I'm not aware of?
On 10/6/2014 1:52 AM, steve wrote:
> On 06/10/14 03:26, James wrote:
>> How often would one need to sync the file across DC's?
> Once.
>
--
-James
some file permissions I need to clean up. Users unable to access
documents due to folder redirect to DC. Removing and applying the user
ACL rights resolves it. I figured this would be an issue but anything
else that may creep up I'm not aware of?
On 10/6/2014 1:52 AM, steve wrote:
> On 06/10/14 03:26, James wrote:
>> How often would one need to sync the file across DC's?
> Once.
>
--
steve
Oct 6, 2014, 12:30:03 PM10/6/14
to
On 06/10/14 16:48, James wrote:
> Thanks Steve. I noticed after making the change on existing DC's I have
> some file permissions I need to clean up. Users unable to access
> documents due to folder redirect to DC. Removing and applying the user
> ACL rights resolves it. I figured this would be an issue but anything
> else that may creep up I'm not aware of?
>
> On 10/6/2014 1:52 AM, steve wrote:
>> On 06/10/14 03:26, James wrote:
>>> How often would one need to sync the file across DC's?
>> Once.
>>
>
Can't think of any. It's usually just a case if copy the idmap db and
> Thanks Steve. I noticed after making the change on existing DC's I have
> some file permissions I need to clean up. Users unable to access
> documents due to folder redirect to DC. Removing and applying the user
> ACL rights resolves it. I figured this would be an issue but anything
> else that may creep up I'm not aware of?
>
> On 10/6/2014 1:52 AM, steve wrote:
>> On 06/10/14 03:26, James wrote:
>>> How often would one need to sync the file across DC's?
>> Once.
>>
>
then a samba-tool ntacl sysvolreset. Maybe you missed the latter?
HTH,
Steve
James
Oct 6, 2014, 1:20:03 PM10/6/14
to
I did no run sysvolreset. Thanks for the heads up.
On 10/6/2014 12:27 PM, steve wrote:
> On 06/10/14 16:48, James wrote:
>> Thanks Steve. I noticed after making the change on existing DC's I have
>> some file permissions I need to clean up. Users unable to access
>> documents due to folder redirect to DC. Removing and applying the user
>> ACL rights resolves it. I figured this would be an issue but anything
>> else that may creep up I'm not aware of?
>>
>> On 10/6/2014 1:52 AM, steve wrote:
>>> On 06/10/14 03:26, James wrote:
>>>> How often would one need to sync the file across DC's?
>>> Once.
>>>
>>
> Can't think of any. It's usually just a case if copy the idmap db and
> then a samba-tool ntacl sysvolreset. Maybe you missed the latter?
> HTH,
> Steve
>
--
-James
On 10/6/2014 12:27 PM, steve wrote:
> On 06/10/14 16:48, James wrote:
>> Thanks Steve. I noticed after making the change on existing DC's I have
>> some file permissions I need to clean up. Users unable to access
>> documents due to folder redirect to DC. Removing and applying the user
>> ACL rights resolves it. I figured this would be an issue but anything
>> else that may creep up I'm not aware of?
>>
>> On 10/6/2014 1:52 AM, steve wrote:
>>> On 06/10/14 03:26, James wrote:
>>>> How often would one need to sync the file across DC's?
>>> Once.
>>>
>>
> Can't think of any. It's usually just a case if copy the idmap db and
> then a samba-tool ntacl sysvolreset. Maybe you missed the latter?
> HTH,
> Steve
>
--
steve
Oct 7, 2014, 2:30:02 AM10/7/14
to
On 06/10/14 19:11, James wrote:
> I did no run sysvolreset. Thanks for the heads up.
Hi James
> I did no run sysvolreset. Thanks for the heads up.
Could you feed us back and tell us if this solved it?
Cheers,
Steve
>
> On 10/6/2014 12:27 PM, steve wrote:
>> On 06/10/14 16:48, James wrote:
>>> Thanks Steve. I noticed after making the change on existing DC's I have
>>> some file permissions I need to clean up. Users unable to access
>>> documents due to folder redirect to DC. Removing and applying the user
>>> ACL rights resolves it. I figured this would be an issue but anything
>>> else that may creep up I'm not aware of?
>>>
>>> On 10/6/2014 1:52 AM, steve wrote:
>>>> On 06/10/14 03:26, James wrote:
>>>>> How often would one need to sync the file across DC's?
>>>> Once.
>>>>
>>>
>> Can't think of any. It's usually just a case if copy the idmap db and
>> then a samba-tool ntacl sysvolreset. Maybe you missed the latter?
>> HTH,
>> Steve
>>
>
--
James
Oct 7, 2014, 8:10:03 AM10/7/14
to
Hi Steve,
Unfortunately no. I have to manually go into each folder that has
been affected to remove and reapply the users ACL's. The same with user
groups. I don't believe built in users or groups has been affected. I've
also noticed one of my shares no longer displays in the Windows computer
management screen under shares. I'll have to sort that out. This all
stems from redirecting users My Documents and Favorites to a share. Let
it be known I'm not using Unison but just Rsync to keep the sysvol
replicated.
On 10/7/2014 2:21 AM, steve wrote:
> On 06/10/14 19:11, James wrote:
>> I did no run sysvolreset. Thanks for the heads up.
> Hi James
> Could you feed us back and tell us if this solved it?
> Cheers,
> Steve
>
>>
>> On 10/6/2014 12:27 PM, steve wrote:
>>> On 06/10/14 16:48, James wrote:
>>>> Thanks Steve. I noticed after making the change on existing DC's I
>>>> have
>>>> some file permissions I need to clean up. Users unable to access
>>>> documents due to folder redirect to DC. Removing and applying the user
>>>> ACL rights resolves it. I figured this would be an issue but anything
>>>> else that may creep up I'm not aware of?
>>>>
>>>> On 10/6/2014 1:52 AM, steve wrote:
>>>>> On 06/10/14 03:26, James wrote:
>>>>>> How often would one need to sync the file across DC's?
>>>>> Once.
>>>>>
>>>>
>>> Can't think of any. It's usually just a case if copy the idmap db and
>>> then a samba-tool ntacl sysvolreset. Maybe you missed the latter?
>>> HTH,
>>> Steve
>>>
>>
>
--
-James
Unfortunately no. I have to manually go into each folder that has
been affected to remove and reapply the users ACL's. The same with user
groups. I don't believe built in users or groups has been affected. I've
also noticed one of my shares no longer displays in the Windows computer
management screen under shares. I'll have to sort that out. This all
stems from redirecting users My Documents and Favorites to a share. Let
it be known I'm not using Unison but just Rsync to keep the sysvol
replicated.
On 10/7/2014 2:21 AM, steve wrote:
> On 06/10/14 19:11, James wrote:
>> I did no run sysvolreset. Thanks for the heads up.
> Hi James
> Could you feed us back and tell us if this solved it?
> Cheers,
> Steve
>
>>
>> On 10/6/2014 12:27 PM, steve wrote:
>>> On 06/10/14 16:48, James wrote:
>>>> Thanks Steve. I noticed after making the change on existing DC's I
>>>> have
>>>> some file permissions I need to clean up. Users unable to access
>>>> documents due to folder redirect to DC. Removing and applying the user
>>>> ACL rights resolves it. I figured this would be an issue but anything
>>>> else that may creep up I'm not aware of?
>>>>
>>>> On 10/6/2014 1:52 AM, steve wrote:
>>>>> On 06/10/14 03:26, James wrote:
>>>>>> How often would one need to sync the file across DC's?
>>>>> Once.
>>>>>
>>>>
>>> Can't think of any. It's usually just a case if copy the idmap db and
>>> then a samba-tool ntacl sysvolreset. Maybe you missed the latter?
>>> HTH,
>>> Steve
>>>
>>
>
--
Min Wai Chan
Oct 7, 2014, 8:30:03 AM10/7/14
to
Dear Louis,
Need to double check with you on something.
Why we need to ignore system acl?
When ACL removed the files and folder are with the basic Unix ACL which
don't have the extended ACL...
The linux right in the backgound meant?
Thank You.
Need to double check with you on something.
Why we need to ignore system acl?
acl_xattr:ignore system acl = yes
Wouldn't the ACL on sysvol help us in most of the case?
When ACL removed the files and folder are with the basic Unix ACL which
don't have the extended ACL...
The linux right in the backgound meant?
Thank You.
Min Wai Chan
Oct 7, 2014, 8:30:04 AM10/7/14
to
Dear James,
I think we need to understand more about your setup...
1. Sysvol shouldn't be the holder for your home directory or My Documents.
- It should be the files for Domain Control and all the Group Policy Object
(GPO)
2. Sysvol should only hold GPO stuff and not other...
I think we need to understand more about your setup...
1. Sysvol shouldn't be the holder for your home directory or My Documents.
- It should be the files for Domain Control and all the Group Policy Object
(GPO)
2. Sysvol should only hold GPO stuff and not other...
L.P.H. van Belle
Oct 7, 2014, 9:50:01 AM10/7/14
to
Putting you home folder on sysvol wil mess up the needed acl's and you wil have lots or problems.
and it is very adviced to not useing a DC as file server.
install a member server and put your files on that server.
only 1 server ( aka hardware ), get XEN server ( its free and easy ) google for it.
and install 2 DC's and 1 file server.
only thing you need is about 16Gb Ram. about 2-4Gb XenServer, 2 x 4 GB for the DC's.
last 4GB for you member server. and since ram is cheap..
I've done some testing on a Dell Vostro 230 ( Pentium G cpu, 2x2.8Gz.)
on 1 sata disk and even that is ok in performance.
Just dont use a setup like this in a production environment.
Louis
>-----Oorspronkelijk bericht-----
>Van: dcm...@gmail.com [mailto:samba-...@lists.samba.org]
>Namens Min Wai Chan
>Verzonden: dinsdag 7 oktober 2014 14:24
>Aan: James
>CC: sa...@lists.samba.org
>Onderwerp: Re: [Samba] Sysvol replication with Unison for more
>than 2 server.
>
and it is very adviced to not useing a DC as file server.
install a member server and put your files on that server.
only 1 server ( aka hardware ), get XEN server ( its free and easy ) google for it.
and install 2 DC's and 1 file server.
only thing you need is about 16Gb Ram. about 2-4Gb XenServer, 2 x 4 GB for the DC's.
last 4GB for you member server. and since ram is cheap..
I've done some testing on a Dell Vostro 230 ( Pentium G cpu, 2x2.8Gz.)
on 1 sata disk and even that is ok in performance.
Just dont use a setup like this in a production environment.
Louis
>-----Oorspronkelijk bericht-----
>Van: dcm...@gmail.com [mailto:samba-...@lists.samba.org]
>Namens Min Wai Chan
>Verzonden: dinsdag 7 oktober 2014 14:24
>Aan: James
>CC: sa...@lists.samba.org
>Onderwerp: Re: [Samba] Sysvol replication with Unison for more
>than 2 server.
>
L.P.H. van Belle
Oct 7, 2014, 9:50:03 AM10/7/14
to
Since i dont use sysvol for anything else as sysvol/netlogon and in this case it's only access from windows computers.
If you also use linux/mac other computers to access sysvol, than dont put acl_xattr:ignore system acl = yes on the share.
If you also use linux/mac other computers to access sysvol, than dont put acl_xattr:ignore system acl = yes on the share.
steve
Oct 7, 2014, 12:20:02 PM10/7/14
to
On 07/10/14 14:06, James wrote:
> Hi Steve,
>
> Unfortunately no. I have to manually go into each folder that has
> been affected to remove and reapply the users ACL's. The same with user
> groups. I don't believe built in users or groups has been affected. I've
> also noticed one of my shares no longer displays in the Windows computer
> management screen under shares. I'll have to sort that out. This all
> stems from redirecting users My Documents and Favorites to a share. Let
> it be known I'm not using Unison but just Rsync to keep the sysvol
> replicated.
Mmm. We seem to be talking about two unrelated items here. The acls on
> Hi Steve,
>
> Unfortunately no. I have to manually go into each folder that has
> been affected to remove and reapply the users ACL's. The same with user
> groups. I don't believe built in users or groups has been affected. I've
> also noticed one of my shares no longer displays in the Windows computer
> management screen under shares. I'll have to sort that out. This all
> stems from redirecting users My Documents and Favorites to a share. Let
> it be known I'm not using Unison but just Rsync to keep the sysvol
> replicated.
your gpos and the acls on your users's files. Is there a builtin group
also owning you user's files?
steve
Oct 7, 2014, 12:30:03 PM10/7/14
to
On 07/10/14 15:48, L.P.H. van Belle wrote:
> Putting you home folder on sysvol wil mess up the needed acl's and you wil have lots or problems.
>
> and it is very adviced to not useing a DC as file server.
I'm afraid you have to. There is no other option for the folder in question.
> Putting you home folder on sysvol wil mess up the needed acl's and you wil have lots or problems.
>
> and it is very adviced to not useing a DC as file server.
> install a member server and put your files on that server.
use sysvol to store your user's files.
Louis, I'm sure that's what you meant wasn't it?
Steve
Min Wai Chan
Oct 7, 2014, 10:10:02 PM10/7/14
to
OK I've make the guide.
Mainly from Louis installation script :)
https://wiki.samba.org/index.php/SysVol_Bidirectional_Replication
Hope this help other.
Mainly from Louis installation script :)
https://wiki.samba.org/index.php/SysVol_Bidirectional_Replication
Hope this help other.
L.P.H. van Belle
Oct 8, 2014, 2:40:02 AM10/8/14
to
Yes, totaly steve..
and this is also because of the needed rights for sysvol.
a "home" or "profile" share need different rights.
>-----Oorspronkelijk bericht-----
>Van: st...@steve-ss.com [mailto:samba-...@lists.samba.org]
>Namens steve
>Verzonden: dinsdag 7 oktober 2014 18:22
>Aan: sa...@lists.samba.org
and this is also because of the needed rights for sysvol.
a "home" or "profile" share need different rights.
>-----Oorspronkelijk bericht-----
>Van: st...@steve-ss.com [mailto:samba-...@lists.samba.org]
>Namens steve
>Verzonden: dinsdag 7 oktober 2014 18:22
>Aan: sa...@lists.samba.org
>Onderwerp: Re: [Samba] Sysvol replication with Unison for more
>than 2 server.
>
>than 2 server.
>
Peter Serbe
Oct 8, 2014, 6:50:03 PM10/8/14
to
OK, I did remove the dokbook-xsl packet and got around the
problem by not building the man-pages.
I set up an AD on the raspi, and all went very well. With
the notable exception, that I couldn't make SSSD work with
the 4.2.0rc1. I don't know what's going on, it looks like
SSSD 1.11.7 doesn't see the AD domain*). I would expect a log
file showing up named after the AD domain. It does on my
main server, but it doesn't on the raspi with 4.2.0rc1.
Right now I am going back to 4.1.12, which should clarify
whether SSSD works like it should. I think I will set up
a box from (faster) spare parts, which should speed up the
evaluation process. I got an i3 2130 lying around and an
Intel mobo...
If someone states interest, I will keep You informed
(otherwise I would reduce mailing list traffic, at least
on behalf of me).
Best regards
Peter
*) I did only test the id_provider ad. There is not much
to tweak. Only one thing: my past issues with SSSD seem
to stem from a certain laziness of SSSD. In other words:
it needed the enumerate option to spit out the domain users
for getent passwd. I am trying to learn to use RFC2307, but
I won't on my main server... ;-) So far it doesn't look
too complicated, but it is a looong concatenation of many,
many simple steps, which all need to be done accurately.
Peter Serbe schrieb am 03.10.2014 10:43:
> Dear List,
>
> I tried to build samba-4.2.0rc1 on my Raspi.
> I did this:
>
> ./configure --prefix=/usr/local/samba \
> --with-piddir=/usr/local/samba/var/run \
> --with-syslog \
> --with-quotas \
> --with-acl-support \
> --enable-debug
> make
>
> Then after a couple of hours it crashes here:
>
> # [3863/3973] Generating manpages/smb.conf.5
> # Bus error
> # Waf: Leaving directory `/usr/src/samba4/bin'
> # Build failed: -> task failed (err #135):
> # {task: manpages/smb.conf.5 smb.conf.5.xml,parameters.all.xml ->
> smb.conf.5}
> # Makefile:8: recipe for target 'all' failed
> # make: *** [all] Error 1
problem by not building the man-pages.
I set up an AD on the raspi, and all went very well. With
the notable exception, that I couldn't make SSSD work with
the 4.2.0rc1. I don't know what's going on, it looks like
SSSD 1.11.7 doesn't see the AD domain*). I would expect a log
file showing up named after the AD domain. It does on my
main server, but it doesn't on the raspi with 4.2.0rc1.
Right now I am going back to 4.1.12, which should clarify
whether SSSD works like it should. I think I will set up
a box from (faster) spare parts, which should speed up the
evaluation process. I got an i3 2130 lying around and an
Intel mobo...
If someone states interest, I will keep You informed
(otherwise I would reduce mailing list traffic, at least
on behalf of me).
Best regards
Peter
*) I did only test the id_provider ad. There is not much
to tweak. Only one thing: my past issues with SSSD seem
to stem from a certain laziness of SSSD. In other words:
it needed the enumerate option to spit out the domain users
for getent passwd. I am trying to learn to use RFC2307, but
I won't on my main server... ;-) So far it doesn't look
too complicated, but it is a looong concatenation of many,
many simple steps, which all need to be done accurately.
Peter Serbe schrieb am 03.10.2014 10:43:
> Dear List,
>
> I tried to build samba-4.2.0rc1 on my Raspi.
> I did this:
>
> ./configure --prefix=/usr/local/samba \
> --with-piddir=/usr/local/samba/var/run \
> --with-syslog \
> --with-quotas \
> --with-acl-support \
> --enable-debug
> make
>
> Then after a couple of hours it crashes here:
>
> # [3863/3973] Generating manpages/smb.conf.5
> # Bus error
> # Waf: Leaving directory `/usr/src/samba4/bin'
> # Build failed: -> task failed (err #135):
> # {task: manpages/smb.conf.5 smb.conf.5.xml,parameters.all.xml ->
> smb.conf.5}
> # Makefile:8: recipe for target 'all' failed
> # make: *** [all] Error 1
0 new messages