[Samba] AD migration issues

Praveen Ghimire PGhimire at sundata.com.au
Sat Apr 13 10:40:27 UTC 2019

Hi Rowland,

Just a quick summary: we had to roll back the AD migration due to some users having issues accessing the shares post migration. They were getting "server could not be found", using both hostname and IP. It wouldn't even show the shares available on the server. Some users had no issues, which is the puzzling bit.

Re the OS and file system:

I had a look at the following document regarding the file system support. It mentions something like adding
posix:eadb = /usr/local/samba/private/eadb.tdb to the smb.conf file.

As mentioned, we got the following during the migration
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.
I then put the old tdb files back in /var/lib/samba and re-ran the migration with the ntvfs flag. Could that have caused issues with share access? Having said that, post migration some users had no issues accessing the shares.

Re the packages: 

I followed the following to install the required files for Ubuntu, and it does include the acl and attr packages.

Let me just explain what I have added to the migration script

- Because some of the unix groups are not in Samba, we add them just before the migration steps. This is because we found that if the groups are not present pre-migration they are not migrated, which I would expect.
	net groupmap add ntgroup="abcd" unixgroup="abcd"

- Then we remove the well-known groups (domain admins and domain users)
- Then perform the migration based on the main Samba Migration wiki page using BIND9_DLZ
- Then we set up krb5 and test Kerberos
- Then configure and populate DNS

The one question I have is that we have users and groups defined in /etc/passwd and /etc/group. The users and most of the groups are also in the tdb; do we manually remove them pre/post migration? In our test environment we left them alone and didn't have access issues, possibly because nsswitch looks at files first and then winbind.

The other issue we found is that we seem to have hit a bug with the max 16 group membership; it came with sys_panic. When we run "groups username" we see fewer groups than when we run "id username". It looks like a default group is added to the user, something like BUILTIN\users. Is that normal?

Any thoughts?

Praveen Ghimire

-----Original Message-----
From: Rowland Penny [mailto:rpenny at samba.org] 
Sent: Thursday, 11 April 2019 11:14 PM
To: samba at lists.samba.org
Cc: Praveen Ghimire
Subject: Re: [Samba] AD migration issues

On Thu, 11 Apr 2019 12:05:13 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> Hi ,
> We migrated to AD account in a Ubuntu 16.04 (Samba 4.3.11) and came 
> across issues with user shares. Some of the users were able to access 
> the shares and some were not.

Can I suggest you migrate again, this time to Ubuntu 18.04, this will get you a supported (by Samba) version.

> The server in question has both AD and File and we followed the samba 
> wiki to enable the Windows ACL
> To migrate , we ran the following
> samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir 
> --realm=lin.GROUP --dns-backend=BIND9_DLZ /etc/samba.PDC/smb.PDC.conf 
> --use-ntvfs
> We had to use the ntvfs as we got the "Your filesystem or build does 
> not support posix ACLs, which s3fs requires. Try the mounting the 
> filesystem with the 'acl' option."

Which filesystem are you using? Most support ACLs by default. Have you installed the acl & xattr packages? Whatever your problem is, you need to fix it: ntvfs is now only used in testing and isn't built by default; this happened at Samba 4.5.0.

> The smbd -b | grep HAVE_LIBACL gave    HAVE_LIBACL
> A user with the issue has the following
> uid=1091(chel) gid=1091(cheryl)
> groups=1091(cheryl),1002(domainusers),1004(lin),1009(workshop),1017(deptfin),1057(skillsdb),1058(incidentdb),1059(hrdb),1079(deptlegal),1086(depteng),1109(deptivolve),1117(deptsop),1119(deptjelldb),1169(depttraining),1170(deptshms),100(users),3000002(lin\ocetest)
> The bit at the end, ocetest is not even a group, it is a user

I bet it is a group as well ;-)

>         winbind enum users = yes
>         winbind enum groups = yes

Whilst you can use the above two lines on any Samba server, you should only use them for testing purposes.

>         winbind nss info = rfc2307
>         idmap config * : backend = tdb
>         idmap config * : range = 4000-7999
>         idmap config lin:backend = ad
>         idmap config lin:schema_mode = rfc2307
>         idmap config lin:range = 10000-999999

You need to remove the above lines, they are only used on a Unix domain member

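As an added example (not from the thread, the Samba wiki, or Praveen's migration script), here is a small POSIX sh pre-flight check that covers the three points raised above: whether the share filesystem actually takes POSIX ACLs and user xattrs (the provision error Praveen hit), which smb.conf directives Rowland says belong on a Unix domain member rather than on a DC, and how many supplementary groups a user carries (Praveen's 16-group symptom; the sample user chel is in 17). The script path, the share directory and the sample smb.conf/id lines are constructed for illustration; it needs setfacl/setfattr from the acl and attr packages only for the filesystem probe.

```shell
#!/bin/sh
# Pre-flight checks before `samba-tool domain classicupgrade` on a host that
# will be both AD DC and file server. Added example, not the Samba project's
# code. Usage: sh preflight.sh /srv/shares /etc/samba/smb.conf

# 1. Does the share filesystem accept POSIX ACLs and user xattrs? s3fs needs
#    both; the "Your filesystem or build does not support posix ACLs" error
#    comes from a probe much like this. Returns 0 if both work, 1 if either
#    fails, 2 if the directory is not writable.
check_fs_acl_xattr() {
    dir=$1
    probe="$dir/.samba_probe.$$"
    : > "$probe" || return 2
    rc=0
    setfacl -m u:nobody:r "$probe" 2>/dev/null || rc=1
    setfattr -n user.samba_probe -v 1 "$probe" 2>/dev/null || rc=1
    rm -f "$probe"
    return "$rc"
}

# 2. Directives that only make sense on a Unix domain member: every
#    "idmap config ..." line and "winbind nss info". Prints them with line
#    numbers; returns 0 if any were found (grep's status), 1 if none.
member_only_lines() {
    grep -nEi '^[[:space:]]*(idmap config|winbind nss info)' "$1"
}

# 3. "winbind enum users/groups = yes" is for testing only; flag it.
winbind_enum_lines() {
    grep -nEi '^[[:space:]]*winbind enum (users|groups)[[:space:]]*=[[:space:]]*yes' "$1"
}

# 4. Count the supplementary groups in one line of `id` output.
supplementary_group_count() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | grep -c . || true
}

# Constructed sample: the `id` line for user chel quoted in the thread.
SAMPLE_ID_LINE='uid=1091(chel) gid=1091(cheryl) groups=1091(cheryl),1002(domainusers),1004(lin),1009(workshop),1017(deptfin),1057(skillsdb),1058(incidentdb),1059(hrdb),1079(deptlegal),1086(depteng),1109(deptivolve),1117(deptsop),1119(deptjelldb),1169(depttraining),1170(deptshms),100(users),3000002(lin\ocetest)'

# Driver: only runs when a share directory and an smb.conf are given.
if [ "$#" -ge 2 ]; then
    if check_fs_acl_xattr "$1"; then
        echo "OK: $1 supports POSIX ACLs and user xattrs"
    else
        echo "FAIL: $1 lacks ACL/xattr support (mount with acl,user_xattr; install acl and attr)"
    fi
    if member_only_lines "$2"; then
        echo "FAIL: the lines above are for a domain member; remove them from a DC's smb.conf"
    fi
    if winbind_enum_lines "$2"; then
        echo "WARN: winbind enum users/groups is for testing only"
    fi
    echo "sample user chel has $(supplementary_group_count "$SAMPLE_ID_LINE") supplementary groups (16 is the limit Praveen mentions)"
fi
```

Run it against the share root and the smb.conf before the classicupgrade step; if the ACL/xattr probe fails, fix the mount (or the missing packages) rather than falling back to --use-ntvfs, which Rowland notes is no longer built by default since Samba 4.5.0.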
