[Samba] Unable_to_migrate_shares_from_AD_to_file_server
Rowland Penny
rpenny at samba.org
Fri Jun 2 12:23:58 UTC 2017
On Fri, 2 Jun 2017 17:25:43 +0530
Srikar Somineni <srikars at vedams.com> wrote:
> Hi Rowland,
> I followed your suggestions and changed the smb.conf file.
> Currently my smb.conf file looks like below.
> [global]
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.LOCAL
> wins server = SAMDOM.LOCAL
> password server = SAMDOM.LOCAL
Remove the line above; your Unix domain member should find the password
server by DNS.
> domain master = no
> local master = no
> preferred master = no
> idmap backend = tdb
> idmap config *:range = 20000-99999
> idmap config SAMDOM:backend = rid
> idmap config SAMDOM:range = 10000-99999
Your ranges overlap; I suggest you replace '20000-99999' with
'2000-9999'.
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind nested groups = yes
> winbind refresh tickets = yes
> winbind offline logon = true
> template shell = /bin/bash
> client use spnego = yes
> client ntlmv2 auth = yes
> encrypt passwords = yes
You do not need the line above, it is a default setting.
> restrict anonymous = 2
> log file = /var/log/samba/samba.log
> log level = 2
> passdb backend = tdbsam
You do not need the line above, it is a default setting.
> map untrusted to domain = Yes
> username map = /usr/local/samba/etc/user.map
> [demouser]
> path = /tmp/demouser
> users = @SAMDOM/Administrator
I thought I had pointed out that 'Administrator' was a Windows user and
shouldn't be used in smb.conf.
You would be better off removing most of these lines and using ACLs set
from Windows, see here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> force group = "domain users"
> writable = yes
> read only = no
> force create mode = 0660
> create mask = 0777
> directory mask = 0777
> force directory mode = 0770
> access based share enum = yes
> hide unreadable = yes
>
> I have mapped "Administrator" domain user to local root in user.map
> file and added the location of file to smb.conf.
> Also changed idmap config from "*" to AD Domain name.
> After making these changes restarted the samba and winbind servers,
> left the domain and joined again. Again restarted the samba and
> winbind servers. Later when I ran "net rpc share migrate shares"
> command, faced the same error (WERR_ACCESS_DENIED) again.
> Also for "net rpc share migrate files" command got the previous
> error (NT_STATUS_REVISION_MISMATCH).
> Am I still missing anything in the configuration file?
Have you set up libnss_winbind and /etc/nsswitch.conf? Does 'getent
passwd' display the DOMAIN users?
>
> I went through Samba-HOWTO document and learned that, it is better to
> run "net rpc vampire" command prior to migrating shares or files with
> "net rpc" and got the below error.
Do not read the Samba-HOWTO documentation, read the wiki; the HOWTO is
outdated. Some of it is still valid, but a lot isn't.
>
> # net rpc vampire -U administrator -S samdom.local --force
> Cannot import users from samdom at this time, as the current domain:
> <Domain-Member-Server>:
> S-1-5-21-3946493590-2691586179-362208375 conflicts with the remote
> domain SAMDOM: S-1-5-21-3130717435-2775834446-724000085
If you run 'net rpc --help', amongst the output you will find this:
net rpc vampire
Sync a remote NT PDC's data into local passdb
You do not have an NT PDC.
Until 'getent passwd username' produces output, you will get nowhere
i.e. getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
Rowland
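As an added example, not part of the reply above: a small Python check for the overlapping idmap ranges pointed out in this thread. The two config snippets are constructed from the posted smb.conf lines (as posted, and with the suggested '2000-9999' correction applied).

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines from the smb.conf posted in the thread.
SMB_CONF_BEFORE = """
[global]
   idmap backend = tdb
   idmap config *:range = 20000-99999
   idmap config SAMDOM:backend = rid
   idmap config SAMDOM:range = 10000-99999
"""

# The same block with the correction suggested in the reply applied.
SMB_CONF_AFTER = SMB_CONF_BEFORE.replace("20000-99999", "2000-9999")

# Matches 'idmap config <DOMAIN>:range = LOW-HIGH' (DOMAIN may be '*').
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every idmap range line in conf."""
    ranges = {}
    for dom, lo, hi in RANGE_RE.findall(conf):
        lo, hi = int(lo), int(hi)
        if lo > hi:
            raise ValueError(f"idmap range for {dom} is inverted: {lo}-{hi}")
        ranges[dom] = (lo, hi)
    return ranges


def find_overlaps(ranges):
    """Return a sorted list of (dom_a, dom_b) pairs whose ID ranges intersect."""
    overlaps = []
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        if alo <= bhi and blo <= ahi:  # closed intervals intersect
            overlaps.append((a, b))
    return overlaps


def check_smb_conf(conf):
    """Parse conf and report which idmap domains share UID/GID space."""
    return find_overlaps(parse_idmap_ranges(conf))


if __name__ == "__main__":
    for label, conf in (("as posted", SMB_CONF_BEFORE), ("after fix", SMB_CONF_AFTER)):
        bad = check_smb_conf(conf)
        print(f"{label}: {('overlap ' + str(bad)) if bad else 'no overlapping idmap ranges'}")
```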