[Samba] Issues post AD migration

Rowland Penny rpenny at samba.org
Thu Apr 12 07:43:06 UTC 2018


On Thu, 12 Apr 2018 06:47:45 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> Hi ,
> 
> We ran the classic upgrade and migrated the domain . We were then
> able to add a Windows Server 2008R2 and dcpromo it.
> 
> Here are some of the issues we are seeing post migration
> 
> - Pre the migration, the password backend was LDAP. We had
> some groups that we had migrated into LDAP from TBD. These groups
> don't seem to have come up in AD.
> 
> - Any groups that were created in LDAP did show up in AD.
> 
> - We have a member server which we joined to the AD using
> the following
> 
> net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- TESTDOM
> Joined 'fs01' to dns domain 'testdom.group'
> net_update_dns_internal: Failed to connect to our DC!
> DNS update failed!
> 
> Ran the samba_dnsupdate -verbose -all-names in the Samba 4 AD DC box
> and got the following; TSIG error with server: tsig verify failure
> Failed nsupdate: 2
> Failed update of 27 entries
> 
> 
> - Using a Windows 7 machine, we tried to access the shares
> in the member server and it fails with the following in the logs
> 
> user 'TESTDOM\pghimire' (from session setup) not permitted to access
> this share (downloads)
> 
> The user is a member of a group who has permissions for the folder
> (in smb.conf). This was one of the groups that didn't migrate to AD,
> so we setup the group in AD and added the user as a member.
> 
> Using smbclient the user account is able to enumerate all the shares
> in the Samba 4 DC and the member server
> 
> 
> 
> - Getent passwd does find the user
> 
> getent passwd "testdom\pghimire"
> 
> pghimire:*:3001:3002::/home/TESTDOM/pghimire:/bin/false
> 
> 
> - Even if we add the permissions for the user in smb.conf
> the above still fails.
> 
> The following is the nsswitch.conf
> #passwd:         compat
> #group:          compat
> shadow:          compat
> passwd:         files winbind
> group:          files winbind
> 
> The following is the member server's smb.conf
> 
>        netbios name = FS01
>        security = ADS
>        workgroup = TESTDOM
>        realm = TESTDOM.GROUP
>        idmap config * : backend = tdb
>        idmap config * : range = 3000-7999
> #      wins server = 192.168.1.18
>        log level = 2 auth:5
>        syslog = 0
>        log file = /var/log/samba-ad-dc/log.%m
>        winbind use default domain = yes
>        winbind enum users = yes
>        winbind enum groups = yes
> 

Your smb.conf isn't set up correctly, I would expect to see 'idmap
config' lines for 'TESTDOM'.
See here for more info:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
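Rowland's point, turned into a check that can be run against a member server's smb.conf: the workgroup domain needs its own 'idmap config TESTDOM : backend' and 'idmap config TESTDOM : range' lines, and that range must not overlap the default '*' range, otherwise winbind cannot hand out stable IDs for domain users and groups. This is an added example, not code from the thread or from the Samba project. It assumes lowercase parameter names as in the posted file; the two sample files are constructed, and the 'rid' backend and the 10000-999999 range in the corrected sample are illustrative assumptions, not values given in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project: a small
# lint for the idmap settings Rowland points at. Given an smb.conf it checks
# that the workgroup domain has its own 'idmap config <DOM> : backend' and
# ': range' lines and that this range does not overlap the default '*' range.

# Print the value of the first uncommented "<param> = <value>" line.
# $1 = smb.conf path, $2 = parameter name as an extended regular expression
# (assumes lowercase parameter names, as in the posted file).
conf_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed -E 's/[[:space:]]*$//'
}

# Split "LOW-HIGH" into two numbers: prints "LOW HIGH", returns 1 if malformed.
split_range() {
    lo=${1%-*}; hi=${1#*-}
    case "$lo$hi" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" = "$lo-$hi" ] || return 1
    echo "$lo $hi"
}

# Return 0 when the domain idmap configuration is present and sane, 1 otherwise.
# Findings are printed to stdout so the function is also usable interactively.
check_idmap() {
    file=$1
    wg=$(conf_value "$file" 'workgroup')
    if [ -z "$wg" ]; then
        echo "FAIL: no workgroup set"; return 1
    fi

    dom_backend=$(conf_value "$file" "idmap config[[:space:]]+$wg[[:space:]]*:[[:space:]]*backend")
    dom_range=$(conf_value "$file" "idmap config[[:space:]]+$wg[[:space:]]*:[[:space:]]*range")
    def_range=$(conf_value "$file" 'idmap config[[:space:]]+\*[[:space:]]*:[[:space:]]*range')

    status=0
    if [ -z "$dom_backend" ]; then
        echo "FAIL: missing 'idmap config $wg : backend'"; status=1
    fi
    if [ -z "$dom_range" ]; then
        echo "FAIL: missing 'idmap config $wg : range'"; status=1
    elif ! dom=$(split_range "$dom_range"); then
        echo "FAIL: malformed range '$dom_range' for $wg"; status=1
    elif [ -n "$def_range" ] && def=$(split_range "$def_range"); then
        set -- $dom $def   # $1 $2 = domain low/high, $3 $4 = '*' low/high
        if [ "$1" -le "$4" ] && [ "$3" -le "$2" ]; then
            echo "FAIL: $wg range $dom_range overlaps '*' range $def_range"; status=1
        fi
    fi
    [ "$status" -eq 0 ] && echo "OK: $wg has backend '$dom_backend' and range $dom_range"
    return "$status"
}

# --- Demo on two constructed smb.conf files written to a temp directory ---
SAMPLE_DIR=$(mktemp -d)
POSTED_CONF=$SAMPLE_DIR/posted.conf   # the member server's idmap lines as posted
FIXED_CONF=$SAMPLE_DIR/fixed.conf     # same file with the domain lines added

cat > "$POSTED_CONF" <<'EOF'
   netbios name = FS01
   security = ADS
   workgroup = TESTDOM
   realm = TESTDOM.GROUP
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   winbind use default domain = yes
EOF

# The 'rid' backend and the 10000-999999 range are assumptions for illustration.
cat > "$FIXED_CONF" <<'EOF'
   netbios name = FS01
   security = ADS
   workgroup = TESTDOM
   realm = TESTDOM.GROUP
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config TESTDOM : backend = rid
   idmap config TESTDOM : range = 10000-999999
   winbind use default domain = yes
EOF

for f in "$POSTED_CONF" "$FIXED_CONF"; do
    echo "== $f"
    check_idmap "$f" || :
done
```

Against the posted file the check reports the two missing TESTDOM lines; against the corrected sample it reports OK. The 'rid' backend and range above are only one possible choice; the wiki page Rowland links describes the backends and the requirement that each domain range be distinct from the '*' range, which is what the overlap test enforces.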




