[Samba] Samba 4 users - UID/GID - or how to migrate

Anton Blau tony.blue.mailinglist at gmx.de
Sun Jan 13 20:41:39 UTC 2019


On 13.01.2019 at 20:41, Rowland Penny via samba wrote:
> On Sun, 13 Jan 2019 20:22:22 +0100
> Anton Blau via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I try to migrate my old SAMBA Installation to a new Installation.
>> SAMBA is running. But my Windows users can see the shares but cannot
>> open Files.
>>
>> My old Installation /etc/samba/smb.conf
>>
>> ...
>>
>>
>>          workgroup = DUCK
>>           server string = %h server (Samba, Ubuntu)
>>           interfaces = eth0 192.168.1.200/255.255.255.0 localhost
>>           bind interfaces only = Yes
>>           security = USER
>>           map to guest = Bad User
>>           obey pam restrictions = Yes
>>           pam password change = Yes
>>           passwd program = /usr/bin/passwd %u
>>           passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>           unix password sync = Yes
>>           log file = /var/log/samba/log.%M
>>           max log size = 1000
>>           time server = Yes
>>           unix extensions = No
>>           printcap name = cups
>>           logon script = %U\logon.bat
>>           logon path = \\gustav\profiles\%U\winxpprofile
>>           logon drive = z:
>>           logon home = \\gustav\profiles\%U\w9xprofile
>>           domain logons = Yes
>>           os level = 255
>>           preferred master = Yes
>>           domain master = Yes
>>           wins proxy = Yes
>>           wins support = Yes
>>           usershare allow guests = Yes
>>
>> New (Proxmox LXC) with: /etc/samba/smb.conf
>>
>>        -- snip because false file
>>
>> I think the problem is the mapping to the uid/gid of the new samba.
>>
>> The user "testuser" on the old System has uid 500 and gid 100. I
>> created my testuser - who can access on the old Installation on the
>> new Installation:
>>
>> samba-tool user create testuser --unix-home=/home/gerhard
>> --uid-number=501 --login-shell=/bin/bash --gid-number=100
>>
>>
>> What is to do to get full access?
>>
> Well, as you are using samba-tool to create users and your last post
> was about setting up an AD DC, you could try setting up your Unix
> domain member correctly and when you do, do not use such low ID numbers.
> I suggest you read this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Your smb.conf above is for an NT4-style PDC.
>
> Rowland
>
>
Sorry,

I posted the wrong text. This is the /etc/samba/smb.conf (testparm) of 
the new LXC SAMBA Server:


         realm = SMBDOMAIN.DUCK
         workgroup = SMBDOMAIN
         dns forwarder = 192.168.1.254
         disable spoolss = Yes
         load printers = No
         printcap name = /dev/null
         passdb backend = samba_dsdb
         server role = active directory domain controller
         rpc_server:tcpip = no
         rpc_daemon:spoolssd = embedded
         rpc_server:spoolss = embedded
         rpc_server:winreg = embedded
         rpc_server:ntsvcs = embedded
         rpc_server:eventlog = embedded
         rpc_server:srvsvc = embedded
         rpc_server:svcctl = embedded
         rpc_server:default = external
         winbindd:use external pipes = true
         idmap_ldb:use rfc2307 = yes
         idmap config * : backend = tdb
         map archive = No
         map readonly = no
         store dos attributes = Yes
         printing = bsd
         vfs objects = dfs_samba4 acl_xattr

In future only the new Samba should run. So Samba is not a Domain 
Member. I hope I understand you correctly.

NT4-style PDC should be migrated to AD DC.

Tony
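
The distinction drawn in this thread, that the first smb.conf describes an NT4-style PDC while the second declares an AD DC, can be checked mechanically before a migration. The following is an added example, not part of the original message and not Samba code; the function names and the trimmed sample configs are constructed for illustration, and the fallback used when `server role` is unset is a simplified reading of the smb.conf documentation.

```python
import re

# Constructed samples: a few [global] lines taken from the two configs in the thread.
OLD_CONF = """\
[global]
    workgroup = DUCK
    security = USER
    domain logons = Yes
    domain master = Yes
"""
NEW_CONF = """\
    realm = SMBDOMAIN.DUCK
    workgroup = SMBDOMAIN
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
"""

def parse_global(text):
    """Return the [global] parameters as a dict keyed by normalised name."""
    params, section = {}, "global"  # pasted testparm output may lack the header
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Samba matches parameter names ignoring case and whitespace.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "on", "1")

def server_role(params):
    """Explicit 'server role' wins (returned as written); otherwise infer it."""
    role = params.get("serverrole", "auto").lower()
    if role != "auto":
        return role
    if params.get("security", "user").lower() in ("ads", "domain"):
        return "member server"
    if is_yes(params.get("domainlogons", "no")):
        master = params.get("domainmaster", "auto").lower()
        # 'domain master = auto' is treated as enabled when domain logons is on.
        kind = "primary" if master == "auto" or is_yes(master) else "backup"
        return "classic %s domain controller" % kind
    return "standalone server"
```
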





