[Samba] Fwd: Migrating server

Rowland Penny rpenny at samba.org
Mon Mar 5 15:13:55 UTC 2018 

On Mon, 5 Mar 2018 22:16:36 +1000
Rob Thoman via samba <samba at lists.samba.org> wrote:

> Hi Gruss,
> 
> At this stage there is only one server, running 3.6.25 on
> Ubuntu12.04. The plan to get LDAP to work on this one. Then add the
> second server 4.x and the promote it to BDC and then demote this
> one.  Just a side info, we didn't want to go tdbsam in both as I read
> it breaks the domain trust.
> 
> The domain names are real ones.
> 
> I ran the commands you suggested, nothing in reply.  I tried ldapi://
> and ldap://sam3dc.mydomain .
> 
> Let me run through what I did ,
> /etc/ldap/ldap.conf:
> BASE    dc=mydomain
> URI     ldap://sam3dc.mydomain
> TLS_CACERT /etc/ldap/ca_certs.pem
> 
> Imported the samba.ldif from the 3.6.25 binaries.
> 
> Imported the indices
> 
> dn: olcDatabase={1}hdb,cn=config
> changetype: modify
> add: olcDbIndex
> olcDbIndex: ou eq
> olcDbIndex: mail eq
> olcDbIndex: surname eq
> olcDbIndex: givenname eq
> olcDbIndex: loginShell eq
> olcDbIndex: uniqueMember eq,pres
> olcDbIndex: sambaSID eq
> olcDbIndex: sambaPrimaryGroupSID eq
> olcDbIndex: sambaGroupType eq
> olcDbIndex: sambaSIDList eq
> olcDbIndex: sambaDomainName eq
> olcDbIndex: default sub
> olcDbIndex: nisMapName eq
> olcDbIndex: nisMapEntry eq
> add: olcAccess
> olcAccess: to attrs=loginShell by dn="cn=admin,dc=mydomain" write by
> self write by * read
> olcAccess: to
> attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
> by dn="cn=admin,dc=mydomain" write by self write by * none
> 
> Did the certificates, confirmed working
> 
> Added the following
> dn: ou=users,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: users
> 
> dn: ou=groups,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: groups
> 
> dn: ou=idmap,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: idmap
> 
> dn: ou=computers,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: computers
> 
> Added the unixdipool as per your email
> 
> cat unixidpool.ldif
> 
> dn: sambaDomainName=MYDOMAIN,dc=mydomain
> 
> changetype: modify
> 
> add: objectclass
> 
> objectclass: sambaUnixIdPool
> 
> -
> 
> add: uidnumber
> 
> uidnumber: 10000
> 
> -
> 
> add: gidnumber
> 
> gidnumber: 10000
> 
> 
> Then smbpasswd -a '' bit.
> 
> Then did the pdbedit -i tdbsam -e ldapsam. This populated ldap with
> entries from tdb. Then exported the /etc/passwd and /etc/group and
> imported using the migration tool scripts
> 
> here is smb.conf
> 
> workgroup = MYDOMAIN
> netbios name = sam3dc
> security = USER
> obey pam restrictions = Yes
>         encrypt passwords = true
> 
>         preferred master = Yes
>         local master = Yes
>         domain master = Yes
>         domain logons = yes
> max protocol = NT1
> map untrusted to domain = Yes
>  os level = 65
>   time server = yes
>   passdb backend = ldapsam
>   ldapsam:editposix = yes
>   ldapsam:trusted = yes
>   ldap admin dn = cn=admin,dc=mydomain
>   ldap suffix = dc=mydomain
>   ldap group suffix = ou=groups
>   ldap machine suffix = ou=computers
>   ldap user suffix = ou=users
>   idmap config *: backend = ldap
>   idmap config *: range = 10000-19999
>   idmap config *: ldap_url = ldap://sam3dc.mydomain/
>   idmap config *: ldap_base_dn = ou=idmap,dc=example,dc=com
>   idmap config *: ldap_user_dn = cn=admin,dc=example,dc=com
>   ldap delete dn = yes
>   ldap password sync = yes
>   wins support = yes
> ldap ssl= no
> 
> add user script = /usr/bin/smbldap-useradd -m '%u'
>         delete user script = /usr/bin/smbldap-userdel '%u'
>         add group script = /usr/bin/smbldap-groupadd -p '%g'
>         delete group script = /usr/bin/smbldap-groupdel '%g'
>         add user to group script = /usr/bin/smbldap-groupmod -m '%g'
> '%u' delete user from group script = /usr/bin/smbldap-groupmod -x '%g'
> '%u'
>         add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
>         set primary group script = /usr/bin/smbldap-usermod -g '%g'
> '%u' passwd program = /usr/sbin/smbldap-passwd -u %u
> 
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> check password script = /usr/local/sbin/crackcheck -d
>

OK, I have been doing some tests with 'ldapsam:editposix' &
'ldapsam:trusted' because smbldap-tools seems to be a dead project.

Whilst I can get a PDC to provision (if that's the right word) and
winbind to work with nss i.e. getent works, it seems to ignore the
'sambaUnixIdPool' and the 'idmap config' lines in smb.conf (well the
ones for the DOMAIN).

What I cannot get to work, in any form, is a winbind client. I tried
various smb.conf settings, some do nothing, some lead to winbindd
crashing. The main problem seems to be that winbind cannot contact the
ldap server.

Has anyone got a Samba PDC (set up with 'ldapsam:editposix' &
'ldapsam:trusted') working correctly and also a Samba winbind client ?
If they have, can they post the smb.conf files.

Rowland

More information about the samba mailing list