[Samba] Migrating Samba NT4 Domain to Samba AD

Bartłomiej Solarz-Niesłuchowski Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
Thu Sep 19 19:04:11 UTC 2019


On 19.09.2019 at 20:49, Rowland penny via samba wrote:
> On 19/09/2019 19:33, Bartłomiej Solarz-Niesłuchowski via samba wrote:
>> Dear List,
>>
>> After migration I have found some problems:
>>
>> 1.
>>
>> directives in /etc/samba/smb.conf
>>
>> force user
>>
>> force group
> You shouldn't be using those anymore, you should use Windows ACLs
>>
>> I have found similar problems like here: 
>> https://bugzilla.samba.org/show_bug.cgi?id=11320
>>
>> if i have share:
>>
>> [global]
>>
>>         workgroup = WSISIZ.EDU.PL
>
> Is that really your workgroup name ?
yes
>
> I would have expected something like 'AD' based on your realm (which 
> incidentally should be in uppercase)
>
>> realm = ad.wsisiz.edu.pl
>>         server role = member server
>>         security = ads
>>  ....
>>
>>         winbind use default domain = Yes
>>
>> [admin]
>>
>>  valid users = +laboratoria
>>  write list = +laboratoria
>>  force group = laboratoria
>>
>> i cannot connect:
>>
>> oceanic:~# smbclient \\oceanic\admins -U solarz
>> Enter WSISIZ.EDU.PL\solarz's password:
>> tree connect failed: NT_STATUS_NO_SUCH_GROUP
>>
>> BUT
>>
>> if i change "force group" to:
>>
>>  force group = unix group\laboratoria
>>
>> it works! (prefix unix group is not documented?)
> I think you had better post your full smb.conf from the Unix domain 
> member.
>>
>> Samba is at version:
>>
>> Name        : samba
>> Epoch       : 2
>> Version     : 4.10.7
>> Release     : 0.fc30
>> Architecture: x86_64
>>
>>
>> I have some strange problems with AD:
>>
>> at domain member:
>>
>> oceanic:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
>> S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
>> oceanic:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
>> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not convert sid S-1-5-21-3156691614-3416019035-1284015310-3077 to gid
>>
>> oceanic:~# wbinfo  --online-status
>> BUILTIN : active connection
>> OCEANIC : active connection
>> WSISIZ.EDU.PL : active connection
>>
>> wbinfo -u and -g works as expected....
> Bit meaningless on a Unix computer
>>
>> at DC AD server:
>>
>> root at themes:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
>> S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
>> root at themes:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
>> 1038
>> root at themes:~# wbinfo  --online-status
>> BUILTIN : active connection
>> WSISIZ.EDU.PL : active connection
>>
>>
>> It looks very strange... Is that conversion from SID to GID an essential one?
>>
> As I said, post your smb.conf
>
> Rowland
>
>
>
>
[global]
         dos charset = CP852
         unix charset = UTF8
         workgroup = WSISIZ.EDU.PL
         realm = ad.wsisiz.edu.pl
         server role = member server
         security = ads
         allow trusted domains = No
         log level = 0
         time server = Yes
         deadtime = 60
         hostname lookups = Yes
         printcap cache time = 600
         printcap name = cups
         wins proxy = Yes
         wins support = Yes
         remote browse sync = oxygene.ibspan.waw.pl antarctica china spiral direct odyssey
         winbind use default domain = Yes
         create mask = 0644
         inherit acls = Yes
         hosts allow = 127., 10.100.0.0/255.255.0.0 213.135.34.0/255.255.255.0, 213.135.44.0/255.255.252.0, 213.135.48.0/255.255.254.0, 2001:1a68:a::/48
         ea support = Yes
         map acl inherit = Yes
         cups options = raw
         hide dot files = No
         store dos attributes = Yes
         wide links = Yes
         acl allow execute always = yes


[admins]

         comment = oceanic:/opt/windows/staff/admins - katalog Adminow!
         path = /opt/windows/staff/admins
         valid users = +laboratoria
         write list = +laboratoria
         force group = unix group\laboratoria
         create mask = 0660
         directory mask = 0770
         vfs objects = recycle
         recycle:keeptree = yes
         recycle:versions = yes
         recycle:touch_mtime = yes
         recycle:maxsize = 10000000
         recycle:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.lst|*.rcv|*.RCV|*.TMP
         recycle:exclude_dir = /tmp|/temp|/cache
         recycle:noversions = *.doc|*.xls|*.ppt

/etc/krb5.conf

[libdefaults]
         default_realm = AD.WSISIZ.EDU.PL
         dns_lookup_realm = false
         dns_lookup_kdc = true


Best Regards

-- 
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, room 421, Mon.-Fri. 8-16
Motto - As you make your bed, so you will sleep in it
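As an added example (not part of the post, and not Samba's own code), the following Python audit parses an smb.conf like the one posted above and reports what a Unix domain member needs before `valid users` / `force group` lookups of AD groups can be mapped to Unix ids: `idmap config` lines for the `*` default domain and for the workgroup domain (the posted config has none), non-overlapping id ranges, an upper-case realm, and any remaining `force user` / `force group` directives, including the `unix group\` pseudo-domain the poster found. It also computes the gid the `rid` backend would assign to the `laboratoria` SID quoted in the post, using the formula from `man idmap_rid` (`ID = RID - BASE_RID + LOW_RANGE_ID`). The sample configurations are constructed: the first is a trimmed copy of the posted member smb.conf; the second adds idmap lines whose backends and ranges are illustrative assumptions, not a claimed diagnosis of the thread.

```python
"""Audit an smb.conf for a Unix AD domain member (added example, not Samba code)."""
import configparser
import re
from typing import Dict, List, Optional


def _norm(name: str) -> str:
    """Samba parameter names are case-insensitive; normalise spacing around ':'."""
    return re.sub(r"\s*:\s*", " : ", re.sub(r"\s+", " ", name.strip().lower()))


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text: '=' separator, ';'/'#' comments, backslash continuation lines."""
    text = re.sub(r"\\\n\s*", " ", text)  # join continuation lines first
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False, allow_no_value=True)
    cp.optionxform = _norm
    cp.read_string(text)
    return {s: {k: (v or "").strip() for k, v in cp.items(s)} for s in cp.sections()}


def idmap_domains(global_sec: Dict[str, str]) -> Dict[str, dict]:
    """Group 'idmap config DOM : option' lines into {DOM: {option: value}}; range -> (lo, hi)."""
    out: Dict[str, dict] = {}
    for key, val in global_sec.items():
        m = re.match(r"idmap config (.+?) : (\w+)$", key)
        if m:
            dom, opt = m.group(1).upper(), m.group(2)
            lo_hi = tuple(int(x) for x in re.split(r"\s*-\s*", val)) if opt == "range" else val
            out.setdefault(dom, {})[opt] = lo_hi
    return out


def audit_member(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings for a 'security = ads' member; an empty list means nothing to report."""
    g = conf.get("global", {})
    if g.get("security", "").lower() != "ads" and g.get("server role", "").lower() != "member server":
        return ["not a domain member configuration; checks skipped"]
    findings: List[str] = []
    realm = g.get("realm", "")
    if realm != realm.upper():
        findings.append(f"realm '{realm}' should be upper case ('{realm.upper()}')")
    idmap, workgroup = idmap_domains(g), g.get("workgroup", "").upper()
    if "*" not in idmap:
        findings.append("missing 'idmap config * : backend/range': no default mapping for BUILTIN and unknown SIDs")
    if workgroup and workgroup not in idmap:
        findings.append(f"missing 'idmap config {workgroup} : backend/range': domain SIDs have no configured uid/gid mapping")
    findings += [f"idmap config {d} has a backend but no range" for d in idmap if "range" not in idmap[d]]
    ranges = [(d, e["range"]) for d, e in idmap.items() if "range" in e]
    for i, (d1, (lo1, hi1)) in enumerate(ranges):
        for d2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:  # ranges must be disjoint or ids collide
                findings.append(f"idmap ranges of {d1} and {d2} overlap")
    for sec, params in conf.items():
        for p in ("force user", "force group"):
            if sec != "global" and p in params:
                note = f"[{sec}] uses '{p} = {params[p]}'; on an AD member prefer Windows ACLs on the share path"
                if params[p].lower().startswith(("unix group\\", "unix user\\")):
                    note += " (the 'unix group\\'/'unix user\\' prefix resolves the name via local NSS, not as a domain SID)"
                findings.append(note)
    return findings


def rid_backend_xid(sid: str, conf: Dict[str, Dict[str, str]], domain: str) -> Optional[int]:
    """Id the 'rid' backend assigns: ID = RID - BASE_RID + LOW_RANGE_ID (man idmap_rid); None if unmappable."""
    ent = idmap_domains(conf.get("global", {})).get(domain.upper())
    if not ent or str(ent.get("backend", "")).lower() != "rid" or "range" not in ent:
        return None
    lo, hi = ent["range"]
    xid = int(sid.rsplit("-", 1)[1]) - int(ent.get("base_rid", 0)) + lo
    return xid if lo <= xid <= hi else None


# Constructed sample: a trimmed copy of the member smb.conf posted above (no idmap config at all).
BROKEN_CONF = """
[global]
    workgroup = WSISIZ.EDU.PL
    realm = ad.wsisiz.edu.pl
    server role = member server
    security = ads
    winbind use default domain = Yes

[admins]
    path = /opt/windows/staff/admins
    valid users = +laboratoria
    write list = +laboratoria
    force group = unix group\\laboratoria
"""
# Constructed sample: the same member with idmap lines added; the backends and ranges are assumptions.
FIXED_CONF = BROKEN_CONF.replace("realm = ad.wsisiz.edu.pl", "realm = AD.WSISIZ.EDU.PL").replace(
    "\n[admins]", "    idmap config * : backend = tdb\n    idmap config * : range = 3000-7999\n"
    "    idmap config WSISIZ.EDU.PL : backend = rid\n    idmap config WSISIZ.EDU.PL : range = 10000-999999\n\n[admins]",
).replace("    force group = unix group\\laboratoria\n", "    ; permissions are set with Windows ACLs instead\n")
LAB_SID = "S-1-5-21-3156691614-3416019035-1284015310-3077"  # 'laboratoria' SID quoted in the post

if __name__ == "__main__":
    for label, text in (("posted config", BROKEN_CONF), ("with idmap config", FIXED_CONF)):
        conf = parse_smb_conf(text)
        print(f"== {label}: rid-backend gid for laboratoria = {rid_backend_xid(LAB_SID, conf, 'WSISIZ.EDU.PL')}")
        for f in audit_member(conf) or ["no findings"]:
            print("  -", f)
```

On a real host, feed it the output of `testparm -s /etc/samba/smb.conf` rather than the raw file, and compare the computed id with what winbind actually returns from `wbinfo -Y <SID>` (gid) or `wbinfo -S <SID>` (uid); the `rid` backend is deterministic, so every member that shares the same range lines maps a given SID to the same id, which is what keeps file ownership consistent across servers.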