[Samba] AD migration issues

Rowland Penny rpenny at samba.org
Thu Apr 11 13:13:35 UTC 2019 

On Thu, 11 Apr 2019 12:05:13 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> Hi ,
> 
> We migrated to AD account in a Ubuntu 16.04 (Samba 4.3.11)and came
> across issues with user shares. Some of the users were able to access
> the shares and some were not.

Can I suggest you migrate again, this time to Ubuntu 18.04, this will
get you a supported (by Samba) version.

> 
> The server in question has both AD and File and we followed the samba
> wiki to enable the Windows ACL
> 
> To migrate , we ran the following
> samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir
> --realm=lin.GROUP --dns-backend=BIND9_DLZ /etc/samba.PDC/smb.PDC.conf
> --use-ntvfs
> 
> We had to use the ntvfs as we got the Your filesystem or build does
> not support posix ACLs, which s3fs requires. Try the mounting the
> filesystem with the 'acl' option."

Which filesystem are you using, most support acl's by default, have you
installed the acl & xattr packages. Whatever your problem is, you need
to fix it, ntvfs is now only used in testing and isn't built by
default, this happened at Samba 4.5.0

> 
> The smbd -b | grep HAVE_LIBACL gave    HAVE_LIBACL
> 
> A user with the issue has the following
> uid=1091(chel) gid=1091(cheryl)
> groups=1091(cheryl),1002(domainusers),1004(lin),1009(workshop),1017(deptfin),1057(skillsdb),1058(incidentdb),1059(hrdb),1079(deptlegal),1086(depteng),1109(deptivolve),1117(deptsop),1119(deptjelldb),1169(depttraining),1170(deptshms),100(users),3000002(lin\ocetest)
> The bit at the end, ocetest is not even a group, it is a user

I bet it is a group as well ;-)

>         winbind enum users = yes
>         winbind enum groups = yes

Whilst you can use the above two lines on any Samba server, you should
only use them for testing purposes.
 
>         winbind nss info = rfc2307
>         idmap config * : backend = tdb
>         idmap config * : range = 4000-7999
>         idmap config lin:backend = ad
>         idmap config lin:schema_mode = rfc2307
>         idmap config lin:range = 10000-999999

You need to remove the above lines, they are only used on a Unix
domain member

Rowland

More information about the samba mailing list