[Samba] Fwd: Migrating server
Harry Jede
walk2sun at arcor.de
Wed Mar 7 12:10:35 UTC 2018
On Monday, 5 March 2018, 22:16:36 CET, Rob Thoman wrote:
> Hi Gruss,
>
> At this stage there is only one server, running 3.6.25 on Ubuntu 12.04.
> The plan is to get LDAP to work on this one. Then add the second server
> (4.x), promote it to BDC and then demote this one. Just a side
> note, we didn't want to go tdbsam on both as I read it breaks the
> domain trust.
>
> The domain names are real ones.
>
> I ran the commands you suggested, nothing in reply. I tried ldapi://
> and ldap://sam3dc.mydomain.
>
> Let me run through what I did,
> /etc/ldap/ldap.conf:
> BASE dc=mydomain
> URI ldap://sam3dc.mydomain
> TLS_CACERT /etc/ldap/ca_certs.pem
>
> Imported the samba.ldif from the 3.6.25 binaries.
>
> Imported the indices
>
> dn: olcDatabase={1}hdb,cn=config
> changetype: modify
> add: olcDbIndex
> olcDbIndex: ou eq
> olcDbIndex: mail eq
> olcDbIndex: surname eq
> olcDbIndex: givenname eq
> olcDbIndex: loginShell eq
> olcDbIndex: uniqueMember eq,pres
> olcDbIndex: sambaSID eq
> olcDbIndex: sambaPrimaryGroupSID eq
> olcDbIndex: sambaGroupType eq
> olcDbIndex: sambaSIDList eq
> olcDbIndex: sambaDomainName eq
> olcDbIndex: default sub
> olcDbIndex: nisMapName eq
> olcDbIndex: nisMapEntry eq
> add: olcAccess
> olcAccess: to attrs=loginShell by dn="cn=admin,dc=mydomain" write by self write by * read
> olcAccess: to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=admin,dc=mydomain" write by self write by * none
>
> Did the certificates, confirmed working
>
> Added the following
> dn: ou=users,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: users
>
> dn: ou=groups,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: groups
>
> dn: ou=idmap,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: idmap
>
> dn: ou=computers,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: computers
>
> Added the unixidpool as per your email
>
> cat unixidpool.ldif
>
> dn: sambaDomainName=MYDOMAIN,dc=mydomain
> changetype: modify
> add: objectclass
> objectclass: sambaUnixIdPool
> -
> add: uidnumber
> uidnumber: 10000
> -
> add: gidnumber
> gidnumber: 10000
>
At this point you should have cleaned /var/lib/samba:
stop samba,
back up and remove the content of /var/lib/samba,
start samba.
> Then smbpasswd -a '' bit.
>
> Then did the pdbedit -i tdbsam -e ldapsam. This populated ldap with
> entries from tdb.
Are you sure that the generated ldif is working? I am sure not!
Why do I say this? Because samba 3.6 tolerates a lot of things which are not
allowed in current releases.
> Then exported the /etc/passwd and /etc/group and
> imported using the migration tool scripts
I have never done this.
And this could also cause problems, e.g.
you have the user sadmin in /etc/passwd and in ldap.
Remember that nss uses passwd first and then ldap, and stops after the first
match.
> here is smb.conf
>
> workgroup = MYDOMAIN
> netbios name = sam3dc
> security = USER
> obey pam restrictions = Yes
> encrypt passwords = true
>
> preferred master = Yes
> local master = Yes
> domain master = Yes
> domain logons = yes
> max protocol = NT1
> map untrusted to domain = Yes
> os level = 65
> time server = yes
> passdb backend = ldapsam
> ldapsam:editposix = yes
> ldapsam:trusted = yes
> ldap admin dn = cn=admin,dc=mydomain
> ldap suffix = dc=mydomain
> ldap group suffix = ou=groups
> ldap machine suffix = ou=computers
> ldap user suffix = ou=users
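Two of the points raised in this reply can be checked mechanically before the LDIF is imported: whether an account exists both in /etc/passwd and in LDAP (nss stops at the first match), and whether the olcAccess rules still let ordinary binds read the sambaNTPassword/sambaLMPassword hashes. The script below is an added example, not code from this thread or from the Samba project; its sample passwd lines, LDIF entries and olcAccess values are constructed, and the hash value in them is a dummy.

```python
"""Pre-import sanity checks for a Samba 3 -> OpenLDAP (ldapsam) migration.

Added example, not code from the mailing-list thread or from the Samba project.
It parses LDIF of the kind `pdbedit -e ldapsam` and the migration scripts
produce, then flags two problems: login names present both in /etc/passwd and
in LDAP (nss stops at the first match), and password-hash attributes that the
olcAccess rules still let any bind read.  All sample data is constructed.
"""
import re

# attributes holding credential material; must never be world-readable
SENSITIVE_ATTRS = ("sambaNTPassword", "sambaLMPassword", "userPassword")
# slapd.access(5) privilege levels, weakest first
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts; attr names lower-cased.

    Folded lines (continuation lines start with one space) are unfolded, '#'
    comments and the '-' separators of changetype: modify records are skipped,
    and base64 (::) values are kept undecoded.
    """
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():            # blank line ends the current record
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.strip() == "-":
            continue
        m = re.match(r"([^:]+):(:?)\s*(.*)$", line)
        if m:
            current.setdefault(m.group(1).strip().lower(), []).append(m.group(3))
    if current:
        entries.append(current)
    return entries


def duplicate_accounts(passwd_text, entries):
    """Login names that exist both in /etc/passwd and as uid in the LDIF."""
    local = {l.split(":")[0] for l in passwd_text.splitlines()
             if l and not l.startswith("#")}
    ldap_uids = {u for e in entries for u in e.get("uid", [])}
    return sorted(local & ldap_uids)


def _star_level(clause):
    """Privilege one olcAccess clause grants to 'by *' ('none' if absent).

    slapd appends an implicit 'by * none' when no 'by *' is written.
    """
    for by in re.split(r"\s+by\s+", clause)[1:]:
        parts = by.split()
        if parts and parts[0] == "*":
            return parts[1] if len(parts) > 1 and parts[1] in LEVELS else "none"
    return "none"


def exposed_password_attrs(olc_access_values):
    """Sensitive attributes readable by any bind under these olcAccess rules.

    OpenLDAP applies the first clause whose 'to attrs=' list names the
    attribute, so only that clause decides.  Attributes no clause names are
    reported too, since their protection then depends on the catch-all rule.
    """
    findings = {}
    for attr in SENSITIVE_ATTRS:
        for clause in olc_access_values:
            m = re.search(r"to\s+attrs=([^\s]+)", clause)
            if m and attr.lower() in m.group(1).lower().split(","):
                level = _star_level(clause)
                if LEVELS.index(level) >= LEVELS.index("read"):
                    findings[attr] = f"by * {level}"
                break
        else:
            findings[attr] = "no olcAccess clause names it"
    return findings


# --- constructed sample data -------------------------------------------------
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
sadmin:x:1001:1001::/home/sadmin:/bin/bash
"""
SAMPLE_LDIF = """dn: uid=sadmin,ou=users,dc=mydomain
objectClass: sambaSamAccount
uid: sadmin
sambaNTPassword: 00000000000000000000000000000000
sambaSID: S-1-5-21-1-2-3-1001

dn: uid=alice,ou=users,dc=mydomain
objectClass: sambaSamAccount
uid: alice
description: folded
 value
"""
WEAK_ACL = [
    '{0}to attrs=loginShell by dn="cn=admin,dc=mydomain" write by self write by * read',
    '{1}to attrs=sambaNTPassword,sambaLMPassword by dn="cn=admin,dc=mydomain" write by self write by * read',
    '{2}to * by * read',
]
FIXED_ACL = [
    '{0}to attrs=loginShell by dn="cn=admin,dc=mydomain" write by self write by * read',
    '{1}to attrs=userPassword,sambaNTPassword,sambaLMPassword by dn="cn=admin,dc=mydomain" write by self write by anonymous auth by * none',
    '{2}to * by * read',
]

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("accounts in both passwd and LDAP:", duplicate_accounts(SAMPLE_PASSWD, entries))
    print("weak ACL exposes:", exposed_password_attrs(WEAK_ACL))
    print("fixed ACL exposes:", exposed_password_attrs(FIXED_ACL))
```

Run it against the real export by reading /etc/passwd, the LDIF that pdbedit produced, and the olcAccess values from `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess` instead of the constructed samples; the thread's own rule (`... by * none` on the Samba hash attributes) passes the check, while a `by * read` on them, or no clause at all ahead of a `to * by * read` catch-all, is reported.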