[Samba] moved DM config to new server : gids different etc

L.P.H. van Belle belle at bazuin.nl
Tue Nov 26 16:19:57 UTC 2019


Hai Stefan, 

Remove the netbios alias and then put that as a CNAME in the DNS.
Verify if the server's PTR is set also. 

And yeah, you're totally correct that your ACL is messed up.
Because you're using backend RID. 

The "advantage" of backend AD.
Consistent IDs on all Samba clients and servers using the ad back end. 

Which is also the DISADVANTAGE of RID.
IN-Consistent IDs on all Samba clients and servers with RID.


Maybe I'm a bit wrong here, with recent updates... Then Rowland will correct me. ;-) 
But this is exactly why I ONLY use AD backends. 

I suggest: set up a folder, correct the rights, and use get-set facl to apply them again on the filesystem/folders/files. 

So far,

Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Stefan G. Weichinger via samba
> Sent: Tuesday 26 November 2019 17:01
> To: samba
> Subject: [Samba] moved DM config to new server : gids different etc
> 
> 
> Last week the mobo in a DM server died, so we had to set up a fallback
> machine and reinstall Debian 10.2 including Samba
> 
> I had smb.conf but not /var/lib/samba in backups.
> 
> Restored krb5.conf and smb.conf, rejoined.
> 
> Things work mostly ...
> 
> but for example I get gid 10006 for "domain users" instead of 
> 10513 before.
> 
> and getent group doesn't show the AD groups, btw
> 
> -
> 
> I have:
> 
> # /etc/nsswitch.conf
> 
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> ---
> 
> # cat /etc/samba/smb.conf
> # Samba config file
> # from sgw 2018/jun/15
> # with help from Rowland
> 
> [global]
> unix charset = iso8859-15
> 
> security = ads
> realm = XYZ.INTRA
> workgroup = XYZ
> 
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> 
> netbios aliases = u1XYZ
> server string = U1XYZ
> 
> winbind cache time = 10
> winbind use default domain = yes
> winbind refresh tickets = Yes
> 
> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
> 
> restrict anonymous = 2
> domain master = no
> local master = no
> preferred master = no
> invalid users = root bin daemon adm sync shutdown halt mail news \
> 		uucp
> obey pam restrictions = yes
> 
> interfaces = 192.168.100.4/24 127.0.0.1
> bind interfaces only = Yes
> 
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> idmap config XYZ : range = 10000-20000
> idmap config XYZ : backend = rid
> 
> # For ACL support on domain member
> vfs objects = acl_xattr full_audit
> map acl inherit = Yes
> store dos attributes = Yes
> inherit acls = yes
> 
> unix extensions = no
> follow symlinks= yes
> wide links= yes
> 
> load printers = no
> printcap name = /dev/null
> 
> acl allow execute always = True
> 
> # Audit settings
> full_audit:prefix = %u|%I|%m|%S
> full_audit:failure = connect
> full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> full_audit:facility = local5
> full_audit:priority = notice
> 
> ---
> 
> wbinfo -u and -g work afaik
> 
> But permissions and ACLs are screwed up.
> 
> I might be missing some package to install ... or whatever ...
> 
> pls advise, Stefan
> 
> 
> 
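
The ID arithmetic behind the gids in this thread, as an added example that is not part of either message: per the idmap_rid(8) manual page the rid backend computes ID = RID - BASE_RID + LOW_RANGE_ID, so the quoted idmap lines can be checked against an observed gid before ACLs are reapplied. The function names are hypothetical; 513 is the well-known RID of Domain Users and base_rid is assumed to be at its default of 0.

```python
import re

# idmap lines copied from the smb.conf quoted in this thread.
SMB_CONF = """\
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config XYZ : range = 10000-20000
idmap config XYZ : backend = rid
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val.lower()
    return domains

def _bounds(cfg):
    low, high = (int(x) for x in cfg["range"].split("-"))
    return low, high, int(cfg.get("base_rid", 0))

def rid_to_id(cfg, rid):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when the result leaves the range."""
    low, high, base = _bounds(cfg)
    unix_id = rid - base + low
    return unix_id if low <= unix_id <= high else None

def id_to_rid(cfg, unix_id):
    """Inverse mapping: which RID would the rid backend need to yield this ID?"""
    low, high, base = _bounds(cfg)
    return unix_id + base - low if low <= unix_id <= high else None

def check(conf_text, domain, rid, observed_id):
    """Classify an ID seen via getent/ls against what the rid backend computes."""
    cfg = parse_idmap(conf_text).get(domain.upper())
    if cfg is None or cfg.get("backend") != "rid":
        return "not-rid"
    expected = rid_to_id(cfg, rid)
    if expected is None:
        return "out-of-range"
    return "match" if expected == observed_id else "mismatch"

if __name__ == "__main__":
    DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users"
    for gid in (10513, 10006):  # the two gids reported in the original post
        print(gid, check(SMB_CONF, "XYZ", DOMAIN_USERS_RID, gid))
```

A "mismatch" for a domain group means the numeric ID in use was not produced by the rid mapping in this smb.conf, so ACL entries carrying that ID should be reviewed before they are reapplied.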



