[Samba] Migrating Samba NT4 Domain to Samba AD

Rowland Penny rpenny at samba.org
Thu Sep 19 18:49:21 UTC 2019


On 19/09/2019 19:33, Bartłomiej Solarz-Niesłuchowski via samba wrote:
> Dear List,
>
> After migration I have found some problems:
>
> 1.
>
> directives in /etc/samba/smb.conf
>
> force user
>
> force group
You shouldn't be using those anymore; you should use Windows ACLs.
>
> I have found similar problems like here: 
> https://bugzilla.samba.org/show_bug.cgi?id=11320
>
> If I have a share:
>
> [global]
>
>         workgroup = WSISIZ.EDU.PL

Is that really your workgroup name?

I would have expected something like 'AD' based on your realm (which 
incidentally should be in uppercase).

>         realm = ad.wsisiz.edu.pl
>         server role = member server
>         security = ads
>  ....
>
>         winbind use default domain = Yes
>
> [admin]
>
>  valid users = +laboratoria
>  write list = +laboratoria
>  force group = laboratoria
>
> I cannot connect:
>
> oceanic:~# smbclient \\oceanic\admins -U solarz
> Enter WSISIZ.EDU.PL\solarz's password:
> tree connect failed: NT_STATUS_NO_SUCH_GROUP
>
> BUT
>
> if I change "force group" to:
>
>  force group = unix group\laboratoria
>
> it works! (prefix unix group is not documented?)
I think you had better post your full smb.conf from the Unix domain member.
>
> Samba is at version:
>
> Name        : samba
> Epoch       : 2
> Version     : 4.10.7
> Release     : 0.fc30
> Architecture: x86_64
>
>
> I have some strange problems with AD:
>
> at domain member:
>
> oceanic:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
> S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
> oceanic:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-3156691614-3416019035-1284015310-3077 
> to gid
>
> oceanic:~# wbinfo  --online-status
> BUILTIN : active connection
> OCEANIC : active connection
> WSISIZ.EDU.PL : active connection
>
> wbinfo -u and -g work as expected....
Bit meaningless on a Unix computer
>
> at DC AD server:
>
> root@themes:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
> S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
> root@themes:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
> 1038
> root@themes:~# wbinfo  --online-status
> BUILTIN : active connection
> WSISIZ.EDU.PL : active connection
>
>
> It looks very strange ... Is this conversion from SID to GID an 
> essential one?
>
As I said, post your smb.conf

Rowland





