[Samba] Winbind help - with domain migration.
Rowland penny
rpenny at samba.org
Mon Jun 22 20:31:48 UTC 2020
On 22/06/2020 21:00, Daniel Lopes de Carvalho via samba wrote:
> Hello guys
> I need some light to migrate a Winbind/Samba share to a new AD.
> My scenario is:
> I have an old AD running on a Debian 9 and Samba 4.5.16 with many
> replication issues.
> Then I decided to create a new one from scratch using Debian 10 and
> Samba 4.12.2 (and everything is working perfectly). I have migrated all the
> accounts/machines/etc from the old to the new domain without any problem.
> Both ADs have the same domain name and realm.
>
> The problem is:
> I have another machine running Debian 9 and Samba 4.5.16 (I can't update
> this server).
Why not?
> Here I use nslcd and use AD as a LDAP server to get users and
> groups. And I have a samba share on it.
> I already updated the /etc/resolv.conf and pointed it to the new AD/DNS,
> restarted the samba and winbind services, but winbind is still working on the old
> AD. If I stop the Samba service on the old AD, the samba share stops working.
Having two domains with the same name but different SIDs is bound to
cause problems.
>
> I don't know if I missed something...
>
> Find below my smb.conf, nsswitch.conf and nslcd.conf.
>
> Thanks
>
> ####################################
>
> SMB.CONF
> security = ads
> workgroup = EXAMPLE
> realm = EXAMPLE.COM
> netbios name = hn01
>
> #ntlm auth = no
>
> idmap config * : backend = tdb
> idmap config * : range = 10000-99999
>
> idmap config UNISIM : default = yes
> idmap config UNISIM : backend = ad
> idmap config UNISIM : schema_mode = rfc2307
> idmap config UNISIM : range = 0-9999
> idmap config UNISIM : unix_nss_info = yes
Two things: why are you using '0-9999' for the DOMAIN 'idmap config'
lines, and why are you using 'UNISIM' when the workgroup is 'EXAMPLE'?
(or is this bad sanitisation)
> winbind offline logon = false
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
You do not need the four lines above.
>
> ####################################
>
> NSSWITCH.CONF
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
You do not use 'ldap' on the 'shadow' line.
> ####################################
>
> NSLCD.CONF
> filter passwd (&(objectClass=user)(!(objectClass=computer)))
> map passwd gecos displayName
> map passwd homeDirectory "/home/$sAMAccountName"
> map passwd loginShell "/bin/bash"
> map passwd uid sAMAccountName
>
> filter shadow (&(objectClass=user)(!(objectClass=computer)))
> map shadow uid sAMAccountName
> map shadow shadowLastChange pwdLastSet
>
> filter group (&(objectClass=group)(!(objectClass=computer)))
It has been some time since I used nslcd, but the above didn't look
correct, so I dug into the 'attic' and this is how I used to set it:
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://dc1.samdom.example.com/
base dc=samdom,dc=example,dc=com
pagesize 1000
referrals off
nss_nested_groups yes
# Kerberos authentication to AD
sasl_mech GSSAPI
sasl_realm SAMDOM.EXAMPLE.COM
krb5_ccname /tmp/nslcd.tkt
# Filters. Disable, if your:
filter passwd (objectClass=user)
filter group (objectClass=group)
# Attribute mappings
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
# Uncomment the following line to use Domain Users as the users primary group
#map passwd gidNumber primaryGroupID
I also used to use 'kstart' to keep the kerberos ticket valid.
Rowland
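As an added example (not part of the thread or of Samba itself), a small Python checker for the two smb.conf points raised above: the idmap domain name not matching the workgroup, and the DOMAIN range starting at 0 (inside the uid range Debian reserves for local system accounts). It also checks that idmap ranges are disjoint, which Samba requires; the sample text is the poster's fragment, re-typed here as a constructed string.

```python
import re

# Constructed sample: the poster's smb.conf fragment, re-typed here.
SMB_CONF = """\
workgroup = EXAMPLE
idmap config * : backend = tdb
idmap config * : range = 10000-99999
idmap config UNISIM : default = yes
idmap config UNISIM : backend = ad
idmap config UNISIM : range = 0-9999
"""
IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)

def parse_smb_conf(text):
    """Split smb.conf text into plain parameters and per-domain idmap settings."""
    params, idmap = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3).strip()
            idmap.setdefault(dom, {})[key] = val
        else:
            key, _, val = line.partition("=")
            params[key.strip().lower()] = val.strip()
    return params, idmap

def check_idmap(text):
    """Return findings for the idmap problems raised in the thread."""
    params, idmap = parse_smb_conf(text)
    workgroup = params.get("workgroup", "").upper()
    findings, ranges = [], {}
    for dom, cfg in idmap.items():
        if "range" in cfg:
            lo, hi = (int(x) for x in cfg["range"].split("-"))
            ranges[dom] = (lo, hi)
            # uids below 1000 are normally local system accounts on Debian
            if dom != "*" and lo < 1000:
                findings.append(f"idmap range for {dom} starts at {lo}, inside the local system uid range")
        if dom != "*" and dom != workgroup:
            findings.append(f"idmap domain {dom} does not match workgroup {workgroup or '(unset)'}")
    # Samba requires idmap ranges to be disjoint; check every pair.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    return findings
```

Run `check_idmap(open("/etc/smb.conf").read())` against a real file to get the same findings for a live configuration.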