[Samba] wiki suggestions, part 2

Klaus Hartnegg hartnegg at gmx.de
Thu Apr 26 16:29:39 UTC 2018

Am 10.04.2018 um 18:46 schrieb Rowland Penny via samba:
> Thanks for the updates, I just wish more people would report errors &
> typo's

I can send some more, this time from classicupgrade.

Again I do not want to do these changes myself, a samba expert should 
have a look.

Feedback for wiki page

Tried on Devuan 1 with compiled samba 4.7.6.


When going the classicupgrade route, there is no mention of DNS forwarder.
The "setting up" page points to the classicupgrade page before 
forwarders are mentioned, and the jump back happens to a section behind it.
The classicupgrade page itself does not mention forwarders.


The description of provision says that the file /etc/krb5.conf needs to 
be deleted before retrying, and copied there after provisioning. The 
description of classicupgrade does not mention these.

Also classicupgrade recommends only to delete smb.conf and the private 
Provision recommends to delete additionally *.tdb and *.ldb files from
LOCKDIR: /usr/local/samba/var/lock/
STATEDIR: /usr/local/samba/var/locks/
CACHEDIR: /usr/local/samba/var/cache/

And the samba processes should also be killed before retrying.

Failure to do so can completely mess everything up, should be mentioned.


The page says:
"To find duplicate SID's on other passdb backends (smbpasswd, tdbsam), 
you have to script around the output of the following two commands: 
pdbedit -Lv, net groupmap list"

Is that really so difficult? How about these two commands:

pdbedit -Lv  | grep "User SID" | sort | uniq -d
net groupmap list | cut -d- -f8 | sort | uniq -d

Is it enough when these both return nothing?
Maybe I misunderstand it.


The sample upgrade command creates this error message:
   error: no such option: --use-xattrs
It does work when the option --use-xattrs is left out.


The command "samba-tool domain classicupgrade" complains about missing 
file wins.dat.
Should that file be copied from the old server as well?
If so the command for that would probably be:
cp -p /usr/local/samba.PDC/var/locks/wins.dat /usr/local/samba.PDC/dbdir/


The description of doing classicupgrade on a new server should mention 
that /etc/passwd and /etc/group must contain the samba users.
Yes it is obvious, but it should be mentioned.


I have no idea what this sentence wants to tell me:

"It used to be thought that setting the Unix ID to the windows RID was 
acceptable, time has proven otherwise. If you have users and groups that 
use the Windows RID as their Unix ID, you should consider changing these 
before carrying out the upgrade. You should also consider removing any 
Unix IDs from the 'Well known SIDs', except for the 'Domain Users' group."

Is this referring to "net groupmap" ?
That lists in my case more than just Domain Users below 1000.
It also shows 512 as Domain Admins, and 514 as nobody.
Is this a problem?


"If any of your users have a RID less than '1000' and you wish these to 
exist in the new AD domain, you will need to change their RID, see below 
for how to do this."

How about this command:
pdbedit -Lv | grep SID | grep -v Group | cut -d- -f8

Does it do the right thing? Then it could be added as example.


The description of classicupgrade should tell that doing so affects the 
choice of workgroup name:
Provisioning sets the workgroup to the domain, which is the first part 
of the realm.
Classicupgrade keeps the old workgroup name from the PDC.
It affects the login names, they are workgroup\user instead of domain\user.


The last line of the output of classicupgrade claims that the password
for administrator is set to the password of root.
This is not true, the administrator accounts keeps its password.


And one unrelated note:
The last three "restrict" lines on
could probably be replaced with one line "restrict source".
And "mask" appears to be the default, is thus not necessary.


More information about the samba mailing list