[Samba] Migrating Samba NT4 Domain to Samba AD

Rowland penny rpenny at samba.org
Thu Sep 19 19:23:58 UTC 2019


On 19/09/2019 20:04, Bartłomiej Solarz-Niesłuchowski via samba wrote:
> On 19.09.2019 at 20:49, Rowland penny via samba wrote:
>> On 19/09/2019 19:33, Bartłomiej Solarz-Niesłuchowski via samba wrote:
>>> Dear List,
>>>
>>> After migration I have found some problems:
>>>
>>> 1.
>>>
>>> directives in /etc/samba/smb.conf
>>>
>>> force user
>>>
>>> force group
>> You shouldn't be using those anymore, you should use Windows ACLs
>>>
>>> I have found similar problems like here: 
>>> https://bugzilla.samba.org/show_bug.cgi?id=11320
>>>
>>> if i have share:
>>>
>>> [global]
>>>
>>>         workgroup = WSISIZ.EDU.PL
>>
>> Is that really your workgroup name ?
> yes
>>
>> I would have expected something like 'AD' based on your realm (which 
>> incidentally should be in uppercase)
>>
>>> realm = ad.wsisiz.edu.pl
>>>         server role = member server
>>>         security = ads
>>>  ....
>>>
>>>         winbind use default domain = Yes
>>>
>>> [admin]
>>>
>>>  valid users = +laboratoria
>>>  write list = +laboratoria
>>>  force group = laboratoria
>>>
>>> i cannot connect:
>>>
>>> oceanic:~# smbclient \\oceanic\admins -U solarz
>>> Enter WSISIZ.EDU.PL\solarz's password:
>>> tree connect failed: NT_STATUS_NO_SUCH_GROUP
>>>
>>> BUT
>>>
>>> if i change "force group" to:
>>>
>>>  force group = unix group\laboratoria
>>>
>>> it works! (is the prefix "unix group" not documented?)
>> I think you had better post your full smb.conf from the Unix domain 
>> member.
>>>
>>> Samba is at version:
>>>
>>> Name        : samba
>>> Epoch       : 2
>>> Version     : 4.10.7
>>> Release     : 0.fc30
>>> Architecture: x86_64
>>>
>>>
>>> I have some strange problems with AD:
>>>
>>> at domain member:
>>>
>>> oceanic:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
>>> S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
>>> oceanic:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
>>> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
>>> Could not convert sid S-1-5-21-3156691614-3416019035-1284015310-3077 
>>> to gid
>>>
>>> oceanic:~# wbinfo  --online-status
>>> BUILTIN : active connection
>>> OCEANIC : active connection
>>> WSISIZ.EDU.PL : active connection
>>>
>>> wbinfo -u and -g work as expected....
>> Bit meaningless on a Unix computer
>>>
>>> at DC AD server:
>>>
>>> root at themes:~# wbinfo -n "WSISIZ.EDU.PL\\laboratoria"
>>> S-1-5-21-3156691614-3416019035-1284015310-3077 SID_DOM_GROUP (2)
>>> root at themes:~# wbinfo -Y S-1-5-21-3156691614-3416019035-1284015310-3077
>>> 1038
>>> root at themes:~# wbinfo  --online-status
>>> BUILTIN : active connection
>>> WSISIZ.EDU.PL : active connection
>>>
>>>
>>> It looks very strange ... Is this conversion from SID to GID an 
>>> essential one?
>>>
>> As I said, post your smb.conf
>>
>> Rowland
>>
>>
>>
>>
> [global]
>         dos charset = CP852
>         unix charset = UTF8
>         workgroup = WSISIZ.EDU.PL
>         realm = ad.wsisiz.edu.pl
>         server role = member server
>         security = ads
>         allow trusted domains = No
>         log level = 0
>         time server = Yes
>         deadtime = 60
>         hostname lookups = Yes
>         printcap cache time = 600
>         printcap name = cups
>         wins proxy = Yes
>         wins support = Yes
>         remote browse sync = oxygene.ibspan.waw.pl antarctica china 
> spiral direct odyssey
>         winbind use default domain = Yes
>         create mask = 0644
>         inherit acls = Yes
>         hosts allow = 127., 10.100.0.0/255.255.0.0 
> 213.135.34.0/255.255.255.0, 213.135.44.0/255.255.252.0, 
> 213.135.48.0/255.255.254.0, 2001:1a68:a::/48
>         ea support = Yes
>         map acl inherit = Yes
>         cups options = raw
>         hide dot files = No
>         store dos attributes = Yes
>         wide links = Yes
>         acl allow execute always = yes
>
>
> [admins]
>
>         comment = oceanic:/opt/windows/staff/admins - katalog Adminow!
>         path = /opt/windows/staff/admins
>         valid users = +laboratoria
>         write list = +laboratoria
>         force group = unix group\laboratoria
>         create mask = 0660
>         directory mask = 0770
>         vfs objects = recycle
>         recycle:keeptree = yes
>         recycle:versions = yes
>         recycle:touch_mtime = yes
>         recycle:maxsize = 10000000
>         recycle:exclude = 
> *.tmp|*.temp|*.o|*.obj|~$*|*.lst|*.rcv|*.RCV|*.TMP
>         recycle:exclude_dir = /tmp|/temp|/cache
>         recycle:noversions = *.doc|*.xls|*.ppt

There are a few parameters that should be removed, but your main problem 
is that you appear to be using sssd (either that, or you have no auth method).

Samba does not support sssd, because we do not produce it. You need to 
ask on the sssd-users mailing list, but there is a problem with that: 
Red Hat no longer supports using sssd with winbind, and you must use 
winbind on a Unix domain member.

Can I suggest you do two things:

yum remove sssd*

Read this: 
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
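The reply above flags three things in the posted smb.conf: 'force user'/'force group' on a share (Windows ACLs should be used instead), a realm that is not upper-case, and the lack of a working winbind setup on the member. The following checker is an added example written for this thread, not Samba's tooling or anything posted by either participant. It parses an smb.conf and reports those points; the 'idmap config' check is taken from the Samba wiki page linked above, which requires an idmap backend for the domain on a Unix domain member. The two embedded configs are constructed samples: a trimmed copy of the member config from the thread and a corrected version of it (the rid backend and the ranges are assumed values, not from the thread).

```python
"""Sanity-check an smb.conf for a Samba AD domain member.

Hypothetical checker for this thread; it is not Samba's own tooling.
"""
import re

# Constructed sample: trimmed copy of the domain-member smb.conf posted in
# the thread (mail-client line wrapping removed).
SAMPLE_SMB_CONF = """
[global]
        workgroup = WSISIZ.EDU.PL
        realm = ad.wsisiz.edu.pl
        server role = member server
        security = ads
        winbind use default domain = Yes

[admins]
        path = /opt/windows/staff/admins
        valid users = +laboratoria
        write list = +laboratoria
        force group = unix group\\laboratoria
        create mask = 0660
"""

# Constructed sample: the same config corrected. The realm is upper-case,
# the share relies on ACLs rather than 'force group', and winbind gets an
# idmap backend for the domain (rid backend and ranges are assumed values).
FIXED_SMB_CONF = """
[global]
        workgroup = WSISIZ.EDU.PL
        realm = AD.WSISIZ.EDU.PL
        server role = member server
        security = ads
        winbind use default domain = Yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config WSISIZ.EDU.PL : backend = rid
        idmap config WSISIZ.EDU.PL : range = 10000-999999

[admins]
        path = /opt/windows/staff/admins
        valid users = +laboratoria
        write list = +laboratoria
        create mask = 0660
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Keys are lower-cased with whitespace collapsed, which is close enough
    to Samba's own canonicalisation (it ignores case and spaces in
    parameter names) for a sanity check.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line before any section header; ignore
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", " ", key.strip().lower())
        sections[current][key] = value.strip()
    return sections


def check_domain_member(sections):
    """Return a list of human-readable findings for an AD member config."""
    findings = []
    g = sections.get("global", {})
    realm = g.get("realm")
    if realm and realm != realm.upper():
        findings.append(f"realm '{realm}' should be upper-case: '{realm.upper()}'")
    workgroup = g.get("workgroup", "").lower()
    if g.get("security", "").lower() == "ads":
        # Any 'idmap config <WORKGROUP> : <option>' key counts as configured.
        has_idmap = any(
            k.split(":")[0].strip() == f"idmap config {workgroup}" for k in g
        )
        if not has_idmap:
            findings.append(
                f"no 'idmap config {workgroup.upper()} : backend' found; "
                "winbind needs an idmap backend for the domain to map SIDs to GIDs/UIDs"
            )
    for name, params in sections.items():
        if name == "global":
            continue
        for p in ("force user", "force group"):
            if p in params:
                findings.append(
                    f"[{name}] uses '{p} = {params[p]}'; on an AD member, "
                    "manage access with Windows ACLs instead"
                )
    return findings


if __name__ == "__main__":
    for finding in check_domain_member(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("-", finding)
```

Run it against a real /etc/samba/smb.conf by reading the file into parse_smb_conf; the check only reads the configuration and reports, so it is safe to run on a production member before touching anything.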