[Samba] Issues post AD migration
Rowland Penny
rpenny at samba.org
Thu Apr 12 07:43:06 UTC 2018
On Thu, 12 Apr 2018 06:47:45 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:
> Hi,
>
> We ran the classic upgrade and migrated the domain. We were then
> able to add a Windows Server 2008R2 and dcpromo it.
>
> Here are some of the issues we are seeing post migration
>
> - Before the migration, the password backend was LDAP. We had
> some groups that we had migrated into LDAP from TBD. These groups
> don't seem to have come up in AD.
>
> - Any groups that were created in LDAP did show up in AD.
>
> - We have a member server which we joined to the AD using
> the following
>
> net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- TESTDOM
> Joined 'fs01' to dns domain 'testdom.group'
> net_update_dns_internal: Failed to connect to our DC!
> DNS update failed!
>
> Ran samba_dnsupdate --verbose --all-names on the Samba 4 AD DC box
> and got the following: TSIG error with server: tsig verify failure
> Failed nsupdate: 2
> Failed update of 27 entries
>
>
> - Using a Windows 7 machine, we tried to access the shares
> on the member server and it fails with the following in the logs
>
> user 'TESTDOM\pghimire' (from session setup) not permitted to access
> this share (downloads)
>
> The user is a member of a group who has permissions for the folder
> (in smb.conf). This was one of the groups that didn't migrate to AD,
> so we setup the group in AD and added the user as a member.
>
> Using smbclient, the user account is able to enumerate all the shares
> on the Samba 4 DC and the member server
>
>
>
> - Getent passwd does find the user
>
> getent passwd "testdom\pghimire"
>
> pghimire:*:3001:3002::/home/TESTDOM/pghimire:/bin/false
>
>
> - Even if we add the permissions for the user in smb.conf
> the above still fails.
>
> The following is the nsswitch.conf
> #passwd: compat
> #group: compat
> shadow: compat
> passwd: files winbind
> group: files winbind
>
> The following is the member server's smb.conf
>
> netbios name = FS01
> security = ADS
> workgroup = TESTDOM
> realm = TESTDOM.GROUP
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # wins server = 192.168.1.18
> log level = 2 auth:5
> syslog = 0
> log file = /var/log/samba-ad-dc/log.%m
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
Your smb.conf isn't set up correctly; I would expect to see 'idmap
config' lines for 'TESTDOM'.
See here for more info:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Rowland
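What Rowland is asking for, as an added example that is not from the original thread or from the Samba project itself: a [global] section for the member server with a dedicated idmap block for the TESTDOM domain, modelled on the rid backend configuration described on the wiki page he links. The TESTDOM range (10000-999999) and the template lines are assumptions chosen for illustration; the only requirement is that the TESTDOM range does not overlap the '*' range.

```ini
[global]
   netbios name = FS01
   security = ADS
   workgroup = TESTDOM
   realm = TESTDOM.GROUP

   log level = 2 auth:5
   log file = /var/log/samba/log.%m

   # The '*' domain is only meant for BUILTIN and other well-known SIDs.
   # Without a TESTDOM block, winbind falls back to this tdb allocator for
   # every domain user and group as well, which is why the poster's user
   # received uid 3001 / gid 3002 from this range.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Missing in the posted smb.conf: an idmap block for the AD domain.
   # The rid backend derives the Unix ID from the SID's RID, so every
   # member server using the same range gets the same IDs for the same
   # users. Range values are assumptions; they must not overlap '*'.
   idmap config TESTDOM : backend = rid
   idmap config TESTDOM : range = 10000-999999

   # Assumed defaults for domain users that have no Unix attributes in AD.
   template shell = /bin/bash
   template homedir = /home/%U

   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
```

After changing idmap settings on a server that has already allocated IDs from the '*' tdb, existing mappings for TESTDOM users will change; file ownership on the member server has to be checked against the new uids and gids before the shares are put back into service.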