[Samba] nt4/sssd to AD/winbind migration fail

Dale samba at txschroeder.family
Tue Jan 19 02:51:27 UTC 2021

On 1/18/21 5:04 PM, Dale wrote:
> On 1/18/21 4:45 PM, Rowland penny via samba wrote:
>> On 18/01/2021 22:11, Dale via samba wrote:
>>> I had an LMDE2 NT4 domain member using Samba 4.2.x with SSSD.  I 
>>> upgraded LMDE to version 3 then 4 which brings me up to Samba 4.9.5, 
>>> as LMDE4 is based on Debian Buster.  All SSSD packages were purged, 
>>> as well as a Heimdal kerberos package.  I attempted to add Louis' 
>>> repo, but when the dist-upgrade was run, the process wanted to 
>>> remove a GUI text editor that I didn't want to lose; therefore, I 
>>> stayed at 4.9.5.
>> I am fairly sure that removing the editor had nothing to do with 
>> Louis's repo. I suggest you find out what is causing this, fix it and 
>> then upgrade Samba.
> The editor is somehow tied to the distro's Samba.  Simply removing the 
> existing Samba packages causes the editor to be removed. Perhaps, it 
> can be reinstalled after upgrading.
>>> The issue I am having is that samba is still seeing the old domain, 
>>> causing it to ignore my idmap_ad range for the domain and giving 
>>> users a value in the built-in range.  In fact, testparm tells me 
>>> that I have an invalid domain range for the new domain:
>>> idmap range not specified for domain 'old_domain'
>>> ERROR: Invalid idmap range for domain WORKGROUP!
>> It sounds like you created a new AD domain, so did your Unix domain 
>> member leave the old domain and then join the new one ?
> Yes, a new AD domain.  The old domain was using security=domain, and I 
> don't know of an equivalent to "net ads leave" for that configuration, 
> so no, I didn't leave the domain.  For what it's worth, I didn't 
> "leave" the domain on the other system either. That migration just 
> worked, but it was much easier, not having all the GUI issues that 
> desktop distros have.
> I think I'll try starting over with a fresh install of samba.  At this 
> point there's nothing to lose.
> Thanks,
> Dale
>> Rowland

Completely purged samba.  Checked to see that there was no 
/var/lib/samba, /var/cache/samba, or /etc/samba.  Installed Louis' 
packages and followed the wiki again.  Once more, all tests succeeded 
until it was time to do a getent passwd.  The users were still in the 
built-in range, and samba wanted an idmap for what I originally thought 
was the old domain.  (In my haste, I misread the domain name, as old and 
new are very similar.)

As it turns out, the value that samba wanted was the new domain name in 
lower case.  So, I gave samba what it wanted - idmap config <DOMAIN> 
became idmap config <domain> and now getent returns all the correct 
values, identical to the Debian server.  I have no explanation, but will 
try on another LMDE system to see if it's an LMDE thing or an anomaly to 
this system.

For now, I consider the issue resolved.
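The two testparm messages quoted above ("idmap range not specified for domain ..." and "Invalid idmap range for domain ...") both come down to winbind not finding an `idmap config <domain> : range` line for a domain it has to map. The checker below is an added example, not code from this thread or from the Samba project; it parses the `[global]` section of an smb.conf, reports a missing range for the default `*` domain or for the joined `workgroup`, reports overlapping ranges, and separately notes when the idmap domain key differs from `workgroup` only by letter case, which is the mismatch that turned out to matter on the LMDE system above. The embedded configurations are constructed samples using the placeholder domain `SAMDOM` / `SAMDOM.EXAMPLE.COM`, not Dale's real domain.

```python
"""Sanity-check the idmap configuration in an smb.conf for an AD domain member.

Added example (not from the mailing-list thread or the Samba project).
Domain names below are placeholders; the sample configs are constructed.
"""
import re
import sys

# "idmap config SAMDOM : range" after whitespace has been collapsed to single spaces
IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)$", re.IGNORECASE)


def parse_global(text):
    """Return the [global] section as a dict; keys are lowercased except the
    domain part of 'idmap config <domain> : <option>', whose case is kept."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.split())               # collapse internal whitespace
        m = IDMAP_RE.match(key)
        if m:
            key = "idmap config %s : %s" % (m.group(1), m.group(2).lower())
        else:
            key = key.lower()
        values[key] = value.strip()
    return values


def parse_range(value):
    """'3000-7999' -> (3000, 7999); anything else raises ValueError."""
    lo, hi = (int(x) for x in value.replace(" ", "").split("-"))
    if lo >= hi:
        raise ValueError("empty idmap range %r" % value)
    return lo, hi


def check_idmap(text):
    """Return {'errors': [...], 'notes': [...]} for the given smb.conf text."""
    g = parse_global(text)
    errors, notes = [], []
    workgroup = g.get("workgroup")
    if not workgroup:
        errors.append("no 'workgroup' set in [global]")

    ranges = {}                                   # domain key -> (lo, hi)
    for key, value in g.items():
        m = IDMAP_RE.match(key)
        if m and m.group(2) == "range":
            try:
                ranges[m.group(1)] = parse_range(value)
            except ValueError as e:
                errors.append("bad range for domain %r: %s" % (m.group(1), e))

    if "*" not in ranges:
        errors.append("idmap range not specified for default domain '*'")
    if workgroup:
        exact = workgroup in ranges
        folded = [d for d in ranges if d != "*" and d.lower() == workgroup.lower()]
        if not exact and not folded:
            errors.append("idmap range not specified for domain %r" % workgroup)
        elif not exact:
            # Same name, different case: the thread reports a system where this mattered.
            notes.append("idmap config uses %r but workgroup is %r (case differs)"
                         % (folded[0], workgroup))

    names = sorted(ranges)                        # pairwise overlap check
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                errors.append("ranges for %r and %r overlap" % (a, b))
    return {"errors": errors, "notes": notes}


# Constructed sample: the joined domain has an 'ad' backend but no range,
# which is what testparm complains about in the thread.
BROKEN_CONF = """
[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
"""

# Constructed sample: default domain plus a non-overlapping range for SAMDOM.
FIXED_CONF = """
[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
   idmap config SAMDOM : unix_nss_info = yes
"""

# The lower-case spelling the thread ended up with.
LOWERCASE_CONF = FIXED_CONF.replace("idmap config SAMDOM", "idmap config samdom")

if __name__ == "__main__":
    # Hypothetical usage: python3 check_idmap.py /etc/samba/smb.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_CONF
    for kind, msgs in check_idmap(text).items():
        for msg in msgs:
            print("%s: %s" % (kind.upper(), msg))
```

Run it against the real file before `testparm`, or keep it beside the wiki steps as a quick check; the checker only reads the `[global]` section and does not replace `testparm`, which also validates everything else in the file.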

