[Samba] AD migration issues

Praveen Ghimire PGhimire at sundata.com.au
Thu Apr 11 13:46:25 UTC 2019

Hi Rowland,

Thank you for that.

We did the testing in a VMware VM; the actual production box is hosted in SmartOS. We didn't encounter the issues during testing.

I am pretty sure it is not a group, it is a user. When I check the AD, I see it as a user. The user with the issue doesn't have that listed in the Member Of section.

With the idmap stuff, the server in question is both DC and file server, so I thought we needed the idmap config.

With the ACLs, I read the following in the Wiki article:
"If you must use the Samba DC as a fileserver, you should be aware that the auto-enabled acl_xattr virtual file system (VFS) object enables you to only configure shares with Windows access control lists (ACL). Using POSIX ACLs with shares on a Samba DC does not work." However, the document mentions not to add it to the config on the DC.

Does it mean we need to change the share permissions to something like chown root:"Domain Admins" /srv/samba/Demo? Including the sysvol?

What about the smb.conf file? Do we leave it with just:
server role = active directory domain controller

We had to roll back (reverted the tdb files and smb.conf) due to the issues; we only had a few test machines online during the testing. Then we found the same issues with users on the non-AD server. The users had no issue with the shares previously.

Sorry about the long email, it has been a long day.

Praveen Ghimire

-----Original Message-----
From: Rowland Penny [mailto:rpenny at samba.org] 
Sent: Thursday, 11 April 2019 11:14 PM
To: samba at lists.samba.org
Cc: Praveen Ghimire
Subject: Re: [Samba] AD migration issues

On Thu, 11 Apr 2019 12:05:13 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> Hi ,
> We migrated to AD account in a Ubuntu 16.04 (Samba 4.3.11) and came 
> across issues with user shares. Some of the users were able to access 
> the shares and some were not.

Can I suggest you migrate again, this time to Ubuntu 18.04? This will get you a supported (by Samba) version.

> The server in question has both AD and File and we followed the samba 
> wiki to enable the Windows ACL
> To migrate , we ran the following
> samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir 
> --realm=lin.GROUP --dns-backend=BIND9_DLZ /etc/samba.PDC/smb.PDC.conf 
> --use-ntvfs
> We had to use the ntvfs as we got the "Your filesystem or build does 
> not support posix ACLs, which s3fs requires. Try the mounting the 
> filesystem with the 'acl' option."

Which filesystem are you using? Most support ACLs by default. Have you installed the acl & xattr packages? Whatever your problem is, you need to fix it; ntvfs is now only used in testing and isn't built by default, this happened at Samba 4.5.0.

> The smbd -b | grep HAVE_LIBACL gave HAVE_LIBACL
> A user with the issue has the following
> uid=1091(chel) gid=1091(cheryl)
> groups=1091(cheryl),1002(domainusers),1004(lin),1009(workshop),1017(deptfin),1057(skillsdb),1058(incidentdb),1059(hrdb),1079(deptlegal),1086(depteng),1109(deptivolve),1117(deptsop),1119(deptjelldb),1169(depttraining),1170(deptshms),100(users),3000002(lin\ocetest)
> The bit at the end, ocetest is not even a group, it is a user

I bet it is a group as well ;-)

>         winbind enum users = yes
>         winbind enum groups = yes

Whilst you can use the above two lines on any Samba server, you should only use them for testing purposes.

>         winbind nss info = rfc2307
>         idmap config * : backend = tdb
>         idmap config * : range = 4000-7999
>         idmap config lin:backend = ad
>         idmap config lin:schema_mode = rfc2307
>         idmap config lin:range = 10000-999999

You need to remove the above lines; they are only used on a Unix domain member.
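An added example, not code from this thread or from the Samba project, that turns Rowland's advice and Praveen's "what stays in smb.conf" question into a pre-flight check: it flags the domain-member-only idmap and winbind nss info lines in a DC's smb.conf and probes a share path for the POSIX ACL and user xattr support that s3fs needs. The config path, probe file name and package names are assumptions.

```shell
#!/bin/sh
# Constructed example (not from the thread or from Samba). On an AD DC winbind
# uses idmap.ldb, so 'idmap config' and 'winbind nss info' belong only on a Unix
# domain member; 'winbind enum users/groups' are for testing only.
# Usage: check_dc_smbconf /etc/samba/smb.conf  -> 0 clean, 1 member-only lines, 2 unreadable

check_dc_smbconf() {
    conf="$1"
    [ -r "$conf" ] || { echo "$conf: cannot read"; return 2; }
    # Normalise without testparm: strip comments, trim, lowercase, one space around '='
    norm=$(sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
               -e 's/[[:space:]]*=[[:space:]]*/ = /' "$conf" | tr '[:upper:]' '[:lower:]')
    if ! printf '%s\n' "$norm" | grep -q '^server role = active directory domain controller$'; then
        echo "$conf: server role is not AD DC, member-style idmap lines are expected here"
        return 0
    fi
    remove=$(printf '%s\n' "$norm" | grep -E '^(idmap config |winbind nss info)' || true)
    testing=$(printf '%s\n' "$norm" | grep -E '^winbind enum (users|groups) = yes' || true)
    rc=0
    if [ -n "$remove" ]; then
        echo "$conf: remove these domain-member-only lines from a DC:"
        printf '%s\n' "$remove" | sed 's/^/    /'
        rc=1
    fi
    if [ -n "$testing" ]; then
        echo "$conf: testing-only settings, drop them once debugging is done:"
        printf '%s\n' "$testing" | sed 's/^/    /'
    fi
    return $rc
}

# Probe whether a share's filesystem accepts POSIX ACLs and user xattrs, which s3fs
# requires (the classicupgrade error in the thread). Needs the acl and attr packages.
check_acl_support() {
    dir="$1"; probe="$dir/.acl_probe.$$"; rc=0
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl missing: install the acl package"; return 2; }
    command -v setfattr >/dev/null 2>&1 || { echo "setfattr missing: install the attr package"; return 2; }
    : > "$probe" || { echo "$dir: cannot create probe file"; return 2; }
    setfacl -m u:nobody:r "$probe" 2>/dev/null \
        || { echo "$dir: POSIX ACLs rejected, remount with the 'acl' option"; rc=1; }
    setfattr -n user.probe -v 1 "$probe" 2>/dev/null \
        || { echo "$dir: user xattrs rejected, remount with 'user_xattr'"; rc=1; }
    rm -f "$probe"
    return $rc
}
```

Run check_acl_support against the directory that will hold the shares (and sysvol) before the classicupgrade; if it fails, the filesystem or packages need fixing rather than falling back to --use-ntvfs.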

