[Samba] Winbind help - with domain migration.

Daniel Lopes de Carvalho daniel at cepetro.unicamp.br
Mon Jun 22 21:12:53 UTC 2020


On Mon, Jun 22, 2020 at 5:34 PM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 22/06/2020 21:00, Daniel Lopes de Carvalho via samba wrote:
> > Hello guys,
> > I need some light on migrating a Winbind/Samba share to a new AD.
> > My scenario is:
> > I have an old AD running on Debian 9 and Samba 4.5.16 with many
> > replication issues.
> > Then I decided to create a new one from scratch using Debian 10 and
> > Samba 4.12.2 (and everything is working perfectly). I have migrated all
> > the accounts/machines/etc. from the old to the new domain without any problem.
> > Both ADs have the same domain name and realm.
> >
> > The problem is:
> > I have another machine running Debian 9 and Samba 4.5.16 (I can't update
> > this server).
> Why not?
>

Because I have an application that does not exec on a different kernel. The
only way is to downgrade the kernel on Debian 10, and I wouldn't like to do
that...


> > Here I use nslcd and use AD as an LDAP server to get users and
> > groups. And I have a Samba share on it.
> > I already updated /etc/resolv.conf to point it at the new AD/DNS and
> > restarted the samba and winbind services, but winbind is still working on the
> > old AD. If I stop the Samba service on the old AD, the Samba share stops working.
> Having two domains with the same name but different SIDs is bound to
> cause problems.
> >
> > I don't know If I missed something...
> >
> > Find below my smb.conf, nsswitch.conf and nslcd.conf.
> >
> > Thanks
> >
> > ####################################
> >
> > SMB.CONF
> > security = ads
> >    workgroup = EXAMPLE
> >    realm = EXAMPLE.COM
> >    netbios name = hn01
> >
> >    #ntlm auth = no
> >
> >    idmap config * : backend = tdb
> >    idmap config * : range = 10000-99999
> >
> >    idmap config UNISIM : default = yes
> >    idmap config UNISIM : backend = ad
> >    idmap config UNISIM : schema_mode = rfc2307
> >    idmap config UNISIM : range = 0-9999
> >    idmap config UNISIM : unix_nss_info = yes
> Two things, why are you using '0-9999' for the DOMAIN 'idmap config'
> lines and why are you using 'UNISIM' when the workgroup is 'EXAMPLE' ?


Badly sanitized. UNISIM is my real domain. Sorry. And the 0-9999 idmap, I
took it from the internet...


> (or is this bad sanitisation)
> >    winbind offline logon = false
> >    winbind nss info = rfc2307
> >    winbind enum users = yes
> >    winbind enum groups = yes
> You do not need the four lines above.
>

It is also from the internet (I don't remember the reference).


> >
> > ####################################
> >
> > NSSWITCH.CONF
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > # `info libc "Name Service Switch"' for information about this file.
> >
> > passwd:         compat ldap
> > group:          compat ldap
> > shadow:         compat ldap
> You do not use 'ldap' on the 'shadow' line
> > ####################################
> >
> > NSLCD.CONF
> > filter passwd (&(objectClass=user)(!(objectClass=computer)))
> > map passwd gecos            displayName
> > map passwd homeDirectory    "/home/$sAMAccountName"
> > map passwd loginShell       "/bin/bash"
> > map passwd uid              sAMAccountName
> >
> > filter shadow (&(objectClass=user)(!(objectClass=computer)))
> > map shadow uid              sAMAccountName
> > map shadow shadowLastChange pwdLastSet
> >
> > filter group (&(objectClass=group)(!(objectClass=computer)))
>
> It has been some time since I used nslcd, but the above didn't look
> correct, so I dug into the 'attic' and this is how I used to set it:
>
> # /etc/nslcd.conf
> # nslcd configuration file. See nslcd.conf(5)
> # for details.
>
> # The user and group nslcd should run as.
> uid nslcd
> gid nslcd
>
> # The location at which the LDAP server(s) should be reachable.
> uri             ldap://dc1.samdom.example.com/
> base            dc=samdom,dc=example,dc=com
> pagesize        1000
> referrals       off
> nss_nested_groups yes
>
> # Kerberos authentication to AD
> sasl_mech       GSSAPI
> sasl_realm      SAMDOM.EXAMPLE.COM
> krb5_ccname     /tmp/nslcd.tkt
>
> # Filters. Disable, if your:
> filter  passwd  (objectClass=user)
> filter  group   (objectClass=group)
>
> # Attribute mappings
> map     passwd  uid                sAMAccountName
> map     passwd  homeDirectory      unixHomeDirectory
> map     passwd  gecos              displayName
> # Uncomment the following line to use Domain Users as the users' primary group
> #map     passwd  gidNumber          primaryGroupID
>
> I also used to use 'kstart' to keep the kerberos ticket valid.
>
> Rowland
>
>
>

I will try to correct this line as you pointed out.
Thanks




-- 

Daniel Lopes de Carvalho
http://www.unisim.cepetro.unicamp.br
daniel at cepetro.unicamp.br
19 3521-1221
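An added check, not part of the thread, for the idmap ranges Rowland questions above: it parses the 'idmap config ... : range' lines of an smb.conf and flags a domain range that reaches into the local system UID space (the 0-9999 UNISIM range includes root's UID 0, so a domain identity could map onto a local account) or that overlaps another idmap range. The smb.conf fragments are constructed from the quoted configuration; the Debian system UID ceiling of 999 is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: validate 'idmap config ... : range'
# lines. Each range must stay above the local system accounts and must not
# overlap any other idmap range. Samples are constructed; UNISIM is the
# poster's real domain name.

# Highest UID reserved for local system accounts (Debian default; assumption).
SYSTEM_UID_MAX=999

# Constructed sample 1: the poster's ranges; 0-9999 collides with local UIDs.
SMB_CONF_POSTED='
   idmap config * : backend = tdb
   idmap config * : range = 10000-99999
   idmap config UNISIM : backend = ad
   idmap config UNISIM : range = 0-9999
'
# Constructed sample 2: domain range overlapping the default (*) range.
SMB_CONF_OVERLAP='
   idmap config * : range = 10000-99999
   idmap config UNISIM : range = 50000-59999
'
# Constructed sample 3: disjoint ranges, both above the system accounts.
SMB_CONF_FIXED='
   idmap config * : range = 3000-7999
   idmap config UNISIM : range = 10000-999999
'

# check_idmap_ranges CONF_TEXT: prints one line per problem; exit 1 if any.
check_idmap_ranges() {
    printf '%s\n' "$1" | awk -v sysmax="$SYSTEM_UID_MAX" '
        BEGIN { bad = 0 }
        /^[ \t]*idmap config .*:[ \t]*range[ \t]*=/ {
            dom = $0; sub(/^[ \t]*idmap config[ \t]*/, "", dom); sub(/[ \t]*:.*$/, "", dom)
            rng = $0; sub(/.*=[ \t]*/, "", rng); sub(/[ \t]*$/, "", rng); split(rng, r, "-")
            if (r[2] == "" || r[1] + 0 > r[2] + 0) { printf "%s: malformed range %s\n", dom, rng; bad = 1; next }
            lo[dom] = r[1] + 0; hi[dom] = r[2] + 0
            if (lo[dom] <= sysmax) { printf "%s: range %s overlaps local system UIDs 0-%d\n", dom, rng, sysmax; bad = 1 }
        }
        END {
            # Every pair of ranges is checked once (string order makes a < b unique).
            for (a in lo) for (b in lo)
                if (a < b && lo[a] <= hi[b] && lo[b] <= hi[a]) {
                    printf "%s and %s ranges overlap (%d-%d vs %d-%d)\n", a, b, lo[a], hi[a], lo[b], hi[b]; bad = 1
                }
            exit bad
        }'
}

# Demo on the posted configuration; a non-zero status means problems were found.
check_idmap_ranges "$SMB_CONF_POSTED" || echo "idmap ranges need fixing before joining the new domain"
```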

