[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
Juan Ignacio
juan.ignacio.pazos at gmail.com
Thu Nov 24 15:54:59 UTC 2022
>
> Not really, if you had demoted the DC holding the FSMO roles, this would
> not have been a disaster, it wouldn't have helped, but it wouldn't have
> been a disaster. You would have been able to 'seize' the roles to
> another DC.
>
That's good to know. :-)
> Are you sure that there aren't any other 'idmap config' lines ?
>
> I would have expected lines for your DOMAIN
>
All the lines on the member file server are these:
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
#WINBIND
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind use default domain = yes
winbind cache time = 60
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
# - Adding just this is not enough
# - You must set a DOMAIN backend configuration, see below
idmap config * : backend = tdb
idmap config * : range = 3000-7999
username map = /usr/local/samba/etc/user.map
> The whole idea behind syncing idmap.ldb between DC's is to ensure that
> they all use the ID's.
>
Yeah, but I have some differences between the AD DC and the member DC; the uid
and gid on the member are correct. Maybe if I connect another member file
server "MDC2" I must sync the member file server "MDC1".
>
> > On the member file server i can look owners with names instead of uid and
> > gid.
>
> You should be able to do this on a DC as well.
>
No, I don't know why, but on the new AD DC if I look at the files I see the
uid and gid numbers instead of the user or group of the domain. I didn't see
any winbind setup in the smb.conf of the new AD DC either.
I am getting these errors from the samba-ad-dc service.
nov 24 07:24:05 kronos samba[6340]: [2022/11/24 07:24:05.425540, 0]
../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
nov 24 07:24:05 kronos samba[6340]: /usr/sbin/samba_dnsupdate: ; TSIG
error with server: tsig verify failure
nov 24 07:24:05 kronos samba[6340]: [2022/11/24 07:24:05.484656, 0]
../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
nov 24 07:24:05 kronos samba[6340]: dnsupdate_nameupdate_done: Failed DNS
update with exit code 1
nov 24 09:04:20 kronos samba[6340]: [2022/11/24 09:04:20.195750, 0]
../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
nov 24 09:04:20 kronos samba[6340]: dnsupdate_nameupdate_done: Failed DNS
update with exit code 110
nov 24 09:04:37 kronos smbd[10503]: [2022/11/24 09:04:37.576919, 0]
../../source3/smbd/service.c:168(chdir_current_service)
nov 24 09:04:37 kronos smbd[10503]: chdir_current_service:
vfs_ChDir(/domain/samba/roaming/profiles) failed: Permiso denegado. Current
token: uid=3000084, gid=3000014, 7 groups: 3000084 3000014 3000005 3000006
3000011 3000001 3000012
nov 24 09:04:52 kronos smbd[10503]: [2022/11/24 09:04:52.575581, 0]
../../source3/smbd/service.c:168(chdir_current_service)
nov 24 09:04:52 kronos smbd[10503]: chdir_current_service:
vfs_ChDir(/domain/samba/roaming/profiles) failed: Permiso denegado. Current
token: uid=3000084, gid=3000014, 7 groups: 3000084 3000014 3000005 3000006
3000011 3000001 3000012
>
> >
> > I think Rowland knows a lot about this because he helped me on that thing
> > a long time ago.
>
> Anything I can do to help.
>
Because you are a cool samba guru. 😆
On Wed, 23 Nov 2022 at 16:13, Rowland Penny via samba (<
samba at lists.samba.org>) wrote:
>
>
> On 23/11/2022 18:49, Juan Ignacio via samba wrote:
> > Thanks Luis and Kris
> > I already transferred the FSMO roles to the new DC with the commands you
> > sent me; I have checked and they have been transferred successfully.
> >
> > Was good that someone mentioned something about FSMO roles, otherwise I
> > would have passed it on completely.
> > Thanks for the links you sent me, I was able to understand more about FSMO
> > roles, this was really necessary to do before demoting the old server.
>
> Not really, if you had demoted the DC holding the FSMO roles, this would
> not have been a disaster, it wouldn't have helped, but it wouldn't have
> been a disaster. You would have been able to 'seize' the roles to
> another DC.
>
> >
> > At the moment I would only have to solve some issues and confusion with a
> > member fileserver.
> >
> > One of the member file servers has this in smb.conf
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
>
> Are you sure that there aren't any other 'idmap config' lines ?
>
> I would have expected lines for your DOMAIN
>
> >
> > username map = /usr/local/samba/etc/user.map
>
> Self compiled version of Samba ?
> That line is to map Administrator to root.
>
> >
> > If I remember correctly we used these ranges because the old AD DC, which
> > also works as a file server, didn't have any of those lines and the uid and
> > gid numbers were really long; when I installed the member server we used
> > that to make it work better.
>
> A DC uses either the xidNumber attributes found in idmap.ldb (numbers in
> the 3000000 range) or any uidNumber & gidNumber found in AD (provided
> 'idmap_ldb:use rfc2307 = yes' is set in the DC's smb.conf).
> >
> > I don't know if now, after syncing the idmap.ldb from the old AD DC to the
> > new AD DC, we will have the same long uid and gid. (It is not really
> > important because the new AD DC will not work as a file server, but anyway.)
>
> The whole idea behind syncing idmap.ldb between DC's is to ensure that
> they all use the ID's.
>
> >
> > Maybe it would have been better to transfer the idmap of the member server
> > to the new AD DC, or not, because it is using information stored on the
> > old AD DC.
>
> It doesn't work like that, Unix domain members get their ID's from the
> DC's. Provided that you use the same basic smb.conf on all Unix domain
> members, you will always get the same ID's and they will be different to
> a DC.
>
> >
> > On the member file server I can see owners with names instead of uid and
> > gid.
>
> You should be able to do this on a DC as well.
>
> >
> > I think Rowland knows a lot about this because he helped me on that thing
> > a long time ago.
>
> Anything I can do to help.
>
> Rowland
>
>
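As an added example (not from this thread or from the Samba project), here is a small Python check of the kind a domain member admin could run over smb.conf to catch what Rowland points out: a default '*' tdb domain with no 'idmap config DOMAIN' lines at all, a non-read-write default backend, or ID ranges that overlap. The sample configs are constructed from the lines quoted in the thread; the domain name EXAMPLE and its rid range are assumed values, not anything from the original mail.

```python
import re

# Constructed sample: the idmap lines the member file server shows in the thread.
MEMBER_SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
username map = /usr/local/samba/etc/user.map
"""

# Constructed corrected sample; domain name EXAMPLE and its range are assumptions.
FIXED_SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999
"""

# Matches lines of the form "idmap config <domain> : <option> = <value>".
IDMAP_RE = re.compile(r'^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$', re.I)

def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line found."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains

def parse_range(text):
    """'3000-7999' -> (3000, 7999)."""
    lo, hi = text.replace(' ', '').split('-')
    return int(lo), int(hi)

def check_idmap(conf_text):
    """Return a list of problems; an empty list means the idmap config looks sane."""
    problems = []
    doms = parse_idmap(conf_text)
    if doms.get('*', {}).get('backend', '').lower() != 'tdb':
        problems.append("default '*' domain must use a read-write backend such as tdb")
    if not [d for d in doms if d != '*']:
        problems.append("no 'idmap config DOMAIN' lines: every domain would fall back "
                        "to the '*' tdb allocator, so members need not agree on IDs")
    ranges = []
    for dom, opts in doms.items():
        if 'range' not in opts:
            problems.append(f"domain {dom} has no range")
            continue
        ranges.append((dom,) + parse_range(opts['range']))
    ranges.sort(key=lambda r: r[1])   # sort by low end, then compare neighbours
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges of {d1} and {d2} overlap")
    return problems
```

Feed it the output of `testparm -s` rather than the raw file if includes or per-share overrides are in play.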