[Samba] Winbind help - with domain migration.
Daniel Lopes de Carvalho
daniel at cepetro.unicamp.br
Mon Jun 22 21:12:53 UTC 2020
On Mon, Jun 22, 2020 at 5:34 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 22/06/2020 21:00, Daniel Lopes de Carvalho via samba wrote:
> > Hello guys
> > I need some light on migrating a Winbind/Samba share to a new AD.
> > My scenario is:
> > I have an old AD running on Debian 9 and Samba 4.5.16 with many
> > replication issues.
> > Then I decided to create a new one from scratch using Debian 10 and
> > Samba 4.12.2 (and everything is working perfectly). I have migrated all
> > the accounts/machines/etc. from the old to the new domain without any problem.
> > Both ADs have the same domain name and realm.
> >
> > The problem is:
> > I have another machine running Debian 9 and Samba 4.5.16 (I can't update
> > this server).
> Why not ?
>
Because I have an application that does not run on a different kernel. The
only way would be to downgrade the kernel on Debian 10, and I wouldn't like to do
that...
> > Here I use nslcd and use the AD as an LDAP server to get users and
> > groups. And I have a Samba share on it.
> > I already updated /etc/resolv.conf and pointed it to the new AD/DNS,
> > restarted the samba and winbind services, but winbind is still working
> > against the old AD. If I stop the Samba service on the old AD, the Samba share stops working.
> Having two domains with the same name but different SIDs is bound to
> cause problems.
> >
> > I don't know if I missed something...
> >
> > Find below my smb.conf, nsswitch.conf and nslcd.conf.
> >
> > Thanks
> >
> > ####################################
> >
> > SMB.CONF
> > security = ads
> > workgroup = EXAMPLE
> > realm = EXAMPLE.COM
> > netbios name = hn01
> >
> > #ntlm auth = no
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 10000-99999
> >
> > idmap config UNISIM : default = yes
> > idmap config UNISIM : backend = ad
> > idmap config UNISIM : schema_mode = rfc2307
> > idmap config UNISIM : range = 0-9999
> > idmap config UNISIM : unix_nss_info = yes
> Two things, why are you using '0-9999' for the DOMAIN 'idmap config'
> lines and why are you using 'UNISIM' when the workgroup is 'EXAMPLE' ?
Badly sanitised. UNISIM is my real domain. Sorry. And the 0-9999 idmap range I
took from the internet...
> (or is this bad sanitisation)
> > winbind offline logon = false
> > winbind nss info = rfc2307
> > winbind enum users = yes
> > winbind enum groups = yes
> You do not need the four lines above.
>
It is also from the internet (I don't remember the reference).
> >
> > ####################################
> >
> > NSSWITCH.CONF
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > # `info libc "Name Service Switch"' for information about this file.
> >
> > passwd: compat ldap
> > group: compat ldap
> > shadow: compat ldap
> You do not use 'ldap' on the 'shadow' line
> > ####################################
> >
> > NSLCD.CONF
> > filter passwd (&(objectClass=user)(!(objectClass=computer)))
> > map passwd gecos displayName
> > map passwd homeDirectory "/home/$sAMAccountName"
> > map passwd loginShell "/bin/bash"
> > map passwd uid sAMAccountName
> >
> > filter shadow (&(objectClass=user)(!(objectClass=computer)))
> > map shadow uid sAMAccountName
> > map shadow shadowLastChange pwdLastSet
> >
> > filter group (&(objectClass=group)(!(objectClass=computer)))
>
> It has been some time since I used nslcd, but the above didn't look
> correct, so I dug into the 'attic' and this is how I used to set it:
>
> # /etc/nslcd.conf
> # nslcd configuration file. See nslcd.conf(5)
> # for details.
>
> # The user and group nslcd should run as.
> uid nslcd
> gid nslcd
>
> # The location at which the LDAP server(s) should be reachable.
> uri ldap://dc1.samdom.example.com/
> base dc=samdom,dc=example,dc=com
> pagesize 1000
> referrals off
> nss_nested_groups yes
>
> # Kerberos authentication to AD
> sasl_mech GSSAPI
> sasl_realm SAMDOM.EXAMPLE.COM
> krb5_ccname /tmp/nslcd.tkt
>
> # Filters. Disable, if your:
> filter passwd (objectClass=user)
> filter group (objectClass=group)
>
> # Attribute mappings
> map passwd uid sAMAccountName
> map passwd homeDirectory unixHomeDirectory
> map passwd gecos displayName
> # Uncomment the following line to use Domain Users as the users' primary group
> #map passwd gidNumber primaryGroupID
>
> I also used to use 'kstart' to keep the kerberos ticket valid.
>
> Rowland
>
>
>
I will try to correct this line as you pointed out.
Thanks
--
Daniel Lopes de Carvalho
http://www.unisim.cepetro.unicamp.br
daniel at cepetro.unicamp.br
19 3521-1221
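Rowland's two objections to the idmap section (an 'idmap config' domain that does not match the workgroup, and a range starting at 0) can be checked mechanically before winbind is restarted against the new DC. The script below is an added example, not code from this thread or from Samba: it parses the posted smb.conf fragment (embedded as constructed sample input), and it assumes, as on a default Debian install, that ids below 1000 belong to local system accounts.

```python
import re

# Constructed sample: the thread's smb.conf fragment, with the idmap domain
# de-sanitised to UNISIM as the poster explained, while 'workgroup' reads EXAMPLE.
SMB_CONF = """
workgroup = EXAMPLE
idmap config * : backend = tdb
idmap config * : range = 10000-99999
idmap config UNISIM : backend = ad
idmap config UNISIM : schema_mode = rfc2307
idmap config UNISIM : range = 0-9999
"""
IDMAP_RE = re.compile(r"^idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)$", re.I)

def parse_smb_conf(text):
    """Return (globals, idmap): plain 'key = value' options and per-domain idmap options."""
    globs, idmap = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[": continue  # skip blanks, comments, [section]
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            idmap.setdefault(dom.upper(), {})[opt.lower()] = val
        elif "=" in line:
            key, val = line.split("=", 1)
            globs[key.strip().lower()] = val.strip()
    return globs, idmap

def check_idmap(text, min_id=1000):
    """Flag idmap domains that do not match the workgroup (winbind then falls back to
    the '*' backend for the joined domain), ranges below min_id, and overlapping ranges."""
    globs, idmap = parse_smb_conf(text)
    workgroup = globs.get("workgroup", "").upper()
    findings, ranges = [], {}
    for dom, opts in idmap.items():
        if "range" not in opts: continue
        lo, hi = (int(x) for x in opts["range"].split("-"))
        ranges[dom] = (lo, hi)
        if dom not in ("*", workgroup):
            findings.append(f"{dom}: idmap domain does not match workgroup {workgroup}")
        if lo < min_id:  # assumption: ids < 1000 are local system accounts
            findings.append(f"{dom}: range {lo}-{hi} reaches below {min_id}")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                findings.append(f"{a} and {b}: idmap ranges overlap")
    return findings
```

Running `check_idmap(SMB_CONF)` reports both of Rowland's points for the posted fragment; a fragment with the domain renamed to EXAMPLE and a range above the '*' range reports nothing.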