[Samba] AD migration issues

Rowland Penny rpenny at samba.org
Sat Apr 13 11:33:34 UTC 2019


On Sat, 13 Apr 2019 10:40:27 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
> 
> Just a quick summary, we had to roll back the AD migration due to
> some users having issues accessing the shares post the migration.
> They were getting server couldn't be found, using both hostname
> and IP. It won't even show the shares available in the server.  Some
> users had no issues, which is the puzzling bit
> 
> Re the OS and file system:
> 
> I had a look at the following document regarding the file system
> support. It mentions something like adding the posix:eadb
> = /usr/local/samba/private/eadb.tdb to smb.conf file
> https://wiki.samba.org/index.php/File_System_Support

You shouldn't have to do this.

> 
> As mentioned, we got the following during the migration
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> exception - ProvisioningError: Your filesystem or build does not
> support posix ACLs, which s3fs requires.  Try the mounting the
> filesystem with the 'acl' option. I then put the old tdb files back
> on /var/lib/samba and re-ran the migration with the ntvs flag. Could
> that have caused issues with share access? But having said that, post
> the migration some users had no issues accessing the shares.  

Just what filesystem are you using, ext3, ext4 or something else ?

> 
> Re the packages: 
> 
> I followed the following to install the required files for Ubuntu and
> it does include the acl and attr packages
> https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba

It sounds more & more like your filesystem.

> 
> 
> Let me just explain what I have added to the migration script
> 
> - Because some of the unix groups are not in Samba, we're adding them
> just before the migration steps. This is because we found that if the
> groups are not present pre-migration, they are not migrated which I
> would expect.
> net groupmap add ntgroup=abcd unixgroup=abcd

Yes, the classicupgrade will only migrate things that Samba knows about.

> 
> - Then we remove the well-known groups (domain admins and domain users)
> - Then perform migration based on the main Samba Migration wiki page
> using Bind9_DLZ
> - Then we setup the krb5 and test Kerberos
> - Then configure and populate DNS

The last worries me, how have you configured DNS and what have you
populated it with ?

> 
> The one question I have is we have users and groups defined in
> the /etc/passwd and /etc/group. The users and most of the groups are
> also in the tdb, do we manually remove them pre/post migration? In
> our test environment we left them one and didn't have access issues,
> possibly because nsswitch looks for files first then winbind

If (as it sounds like you have) you carry out the migration on the PDC,
once the upgrade is finished, delete ALL users & groups
from /etc/passwd & /etc/group that are now in AD.

> 
> The other issue we found is we seem to have hit a bug of the max 16
> group membership, it came with sys_panic.

Strange, I thought that it was 64k groups on Linux (less, I believe, if
using NFS) and over 1000 in AD.

> When we run groups
> username we see fewer groups than when we do id username. It looks
> like a default group is added to the user something like
> BUILTIN\users, is that normal?

Yes, it is an AD group.

Rowland
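
Added example, not part of the original message: a way to list which names in /etc/passwd and /etc/group now also exist in AD, so the local duplicates can be reviewed before they are deleted. It assumes the AD names have been exported one per line with samba-tool user list and samba-tool group list; the overlap and demo function names and the sample accounts are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): report local names that duplicate AD names.
# Assumption: AD names are supplied one per line, e.g. on the migrated DC:
#   samba-tool user list  > ad_users.txt
#   samba-tool group list > ad_groups.txt

# overlap LOCAL_DB AD_LIST
#   LOCAL_DB: passwd- or group-format file (name is field 1, ':' separated)
#   AD_LIST:  AD account or group names, one per line
# Prints each local name that also exists in AD. The match ignores case
# because AD account names are case-insensitive.
overlap() {
    awk -F: '
        # First file: remember every AD name (tolerate CRLF and blank lines).
        FILENAME == ARGV[1] { sub(/\r$/, ""); if ($0 != "") ad[tolower($0)] = 1; next }
        # Second file: skip comments, blank lines and NIS compat (+/-) entries.
        /^[#+-]/ || $1 == "" { next }
        (tolower($1) in ad) { print $1 }
    ' "$2" "$1" | LC_ALL=C sort -u
}

# demo: run overlap on constructed sample data (not real accounts).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'Bob:x:1001:1001::/home/bob:/bin/bash' \
        'alice:x:1002:1002::/home/alice:/bin/bash' \
        'localsvc:x:998:998::/nonexistent:/usr/sbin/nologin' > "$tmp/passwd"
    printf '%s\n' 'Administrator' 'krbtgt' 'alice' 'bob' > "$tmp/ad_users"
    overlap "$tmp/passwd" "$tmp/ad_users"
    rm -rf "$tmp"
}

# With two arguments compare real files, otherwise run the constructed demo.
if [ "$#" -eq 2 ]; then overlap "$1" "$2"; else demo; fi
```

Run it once against /etc/passwd with the user list and once against /etc/group with the group list; the script only reports names and changes nothing.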
 


