[Samba] AD migration issues

Rowland Penny rpenny at samba.org
Thu Apr 11 14:06:24 UTC 2019 

On Thu, 11 Apr 2019 13:46:25 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
> 
> Thank you for that.
> 
> We did the testing in a Vmware VM, the actual production box is
> hosted in SmartOS. Didn't encounter the issues during testing.
> 
> I am pretty sure it is not a group, it is a user. When I check the
> AD , I see it as  a user. The user with the issue is doesn't have
> that listed in members of section.

Here is an interesting fact, a group on a Samba AD DC can also be a
user.
Try running this 9as root) on your DC:

ldbedit -e nano -H /path/to/idmap.ldb

Then search for '3000002' (use Ctrl-W)

Once found, there will be a line 'type', I believe it will be
'ID_TYPE_BOTH'

> 
> With the idmap stuff, the server in question is both DC and file
> server. So I thought we need the idmap config

No, this is one of the problems of using a DC as a fileserver.

> 
> With the ACLs, I read the following Wiki article
> If you must use the Samba DC as a fileserver, you should be aware
> that the auto-enabled acl_xattr virtual file system (VFS) object
> enables you to only configure shares with Windows access control
> lists (ACL). Using POSIX ACLs with shares on a Samba DC does not
> work. However the document mentions not to add it to the config in
> the DC. 
> 
> Does it mean, we need to change the share permissions to something
> like chown root:"Domain Admins" /srv/samba/Demo? Including the sysvol

Do not touch Sysvol and what it means is that you MUST set the ACL's
from Windows, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

> 
> What about the smb.conf file? Do we leave it with just 
> server role = active directory domain controller

Start with the smb.conf that the provision gave you and only add lines
after thoroughly investigating them, if in doubt, ask here.
 
> 
> We had to roll back (reverted the tbd files and smb conf) due to the
> issues, we only had a few test machine online during the testing.
> Then we found same issues with users in non-AD server. The users had
> no issue with the shares previously.

A non AD server is just that, a server that is not part of the domain,
any users on it will not be the same users as in AD, even if they have
the same username.

Rowland

More information about the samba mailing list