[Samba] Unable to migrate shares from AD to file server
Rowland Penny
rpenny at samba.org
Wed May 31 16:29:13 UTC 2017
On Wed, 31 May 2017 21:32:32 +0530
Srikar Somineni via samba <samba at lists.samba.org> wrote:
> Hi All,
> I am trying to migrate shares from my Win2k12 R2 AD
> server(SJCLAB2.LOCAL) to Ubuntu 16.04 samba fileserver present in same
> domain. Samba version is 4.3.11-Ubuntu.
> Before migrating shares I was able to successfully join fileserver to
> Active Directory.
>
> Below is my samba server configuration.
> #======================= Global Settings =======================
>
> [global]
>
>
> workgroup = SJCLAB2
> security = ADS
> realm = SJCLAB2.LOCAL
> wins server = SJCLAB2.LOCAL
> password server = SJCLAB2.LOCAL
> server string = %h server (Samba, Ubuntu)
> domain master = no
> local master = no
> preferred master = no
> printcap name = /etc/printcap
> load printers = no
> dns proxy = no
> interfaces = 127.0.0.0/8 ens4
> bind interfaces only = yes
> log file = /var/log/samba/log.%m
> log level = 10
> max log size = 1000
> panic action = /usr/share/samba/panic-action %d
> server role = member server
> passdb backend = tdbsam
> map untrusted to domain = Yes
> obey pam restrictions = yes
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> map to guest = bad user
>
> ############ Misc ############
> template shell = /bin/bash
> client use spnego = yes
> client ntlmv2 auth = yes
> encrypt passwords = yes
> restrict anonymous = 2
> idmap config *:backend = tdb
> idmap config *:range = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> # This way users log in with username instead of username at example.org
> winbind use default domain = yes
> # Inherit groups in groups
> winbind nested groups = yes
> winbind refresh tickets = yes
> winbind offline logon = true
>
> # Allow users who've been granted usershare privileges to create
> # public shares, not just authenticated ones
> usershare allow guests = no
>
> [sjc_demouser2] -------------------->Share present on AD and
> create on file server
> browseable = yes
> users=@SJCLAB2/administrator
> force unknown acl user = yes
> writable = yes
> create mask = 0700
> directory mask = 0770
> acl group control = yes
> acl check permissions = True
> nt acl support = yes
> force directory security mode = 770
> inherit permissions = yes
> inherit acls = yes
> inherit owner = no
> map acl inherit = yes
> path = /home/sjc_demouser2
> dos filemode = yes
> vfs objects = acl_xattr
>
>
You seem to have several problems with your smb.conf.

You seem to be trying to put all your users and groups into the '*'
domain, this is meant for the BUILTIN users etc.

You have 'unix password sync = yes', why? You cannot have users
in /etc/passwd and AD, they have to be in AD, so this line is not
required.

You have 'users=@SJCLAB2/administrator' in the share, Administrator is
a Windows user and should be mapped to the Unix user 'root' by a
user.map by a line in the [global] part of smb.conf.

You would be better off setting the ACLs on the share from Windows, you
wouldn't need all those extraneous lines.

Can I suggest that you spend some time reading the Samba wiki:
https://wiki.samba.org/index.php/Main_Page

Rowland
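
The three points raised in the reply above, written as a small smb.conf check. This is an added example, not part of the original message and not Samba tooling; it assumes `username map` is the [global] parameter meant by "user.map", and the finding names and sample text are constructed here.

```python
import re

# Constructed sample: the relevant lines from the smb.conf quoted above.
SAMPLE = """\
[global]
   workgroup = SJCLAB2
   security = ADS
   unix password sync = yes
   idmap config *:backend = tdb
   idmap config *:range = 10000-20000

[sjc_demouser2]
   users=@SJCLAB2/administrator
   path = /home/sjc_demouser2
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names ignore case and whitespace."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)  # only the first '=' is significant
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def lint(text):
    """Return finding codes (hypothetical names) for the points in the reply."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if g.get("security", "").lower() != "ads":
        return findings  # the checks below only apply to an AD domain member
    # Domains that have an idmap config, e.g. 'idmapconfig*:backend' -> '*'
    domains = {k[len("idmapconfig"):].split(":")[0]
               for k in g if k.startswith("idmapconfig")}
    if domains <= {"*"}:  # nothing configured beyond the default domain
        findings.append("idmap-only-default-domain")
    if g.get("unixpasswordsync", "no").lower() in ("yes", "true", "1"):
        findings.append("unix-password-sync-on-ad-member")
    for name, params in conf.items():
        users = params.get("users", "").lower()
        if name != "global" and "administrator" in users and "usernamemap" not in g:
            findings.append(f"administrator-unmapped:{name}")
    return findings
```
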