[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).

Juan Ignacio juan.ignacio.pazos at gmail.com
Thu Nov 24 15:54:59 UTC 2022


>
> Not really, if you had demoted the DC holding the FSMO roles, this would
> not have been a disaster, it wouldn't have helped, but it wouldn't have
> been a disaster. You would have been able to 'seize' the roles to
> another DC.
>

That's good to know. :-)

> Are you sure that there aren't any other 'idmap config' lines ?
>
> I would have expected lines for your DOMAIN
>

All the lines on the member file server are these.

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

        #WINBIND
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        winbind use default domain = yes
        winbind cache time = 60

        # Default ID mapping configuration for local BUILTIN accounts
        # and groups on a domain member. The default (*) domain:
        # - must not overlap with any domain ID mapping configuration!
        # - must use a read-write-enabled back end, such as tdb.
        # - Adding just this is not enough
        # - You must set a DOMAIN backend configuration, see below
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        username map = /usr/local/samba/etc/user.map

> The whole idea behind syncing idmap.ldb between DC's is to ensure that
> they all use the ID's.
>

Yeah, but I have some differences between the ad-dc and member dc: the uid/gid
on the member are correct. Maybe if I connect another member file server
"MDC2" I must sync the member file server "MDC1".

>
> > On the member file server I can look at owners with names instead of uid
> > and gid.
>
> You should be able to do this on a DC as well.
>

No, I don't know why, but on the new ad-dc if I look at the files I see the
uid/gid numbers instead of the domain user or group. I also didn't see any
winbind setup in the smb.conf of the new ad-dc.
I am getting these errors from the samba-ad-dc service.

nov 24 07:24:05 kronos samba[6340]: [2022/11/24 07:24:05.425540,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
nov 24 07:24:05 kronos samba[6340]:   /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
nov 24 07:24:05 kronos samba[6340]: [2022/11/24 07:24:05.484656,  0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
nov 24 07:24:05 kronos samba[6340]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 1
nov 24 09:04:20 kronos samba[6340]: [2022/11/24 09:04:20.195750,  0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
nov 24 09:04:20 kronos samba[6340]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 110
nov 24 09:04:37 kronos smbd[10503]: [2022/11/24 09:04:37.576919,  0] ../../source3/smbd/service.c:168(chdir_current_service)
nov 24 09:04:37 kronos smbd[10503]:   chdir_current_service: vfs_ChDir(/domain/samba/roaming/profiles) failed: Permiso denegado. Current token: uid=3000084, gid=3000014, 7 groups: 3000084 3000014 3000005 3000006 3000011 3000001 3000012
nov 24 09:04:52 kronos smbd[10503]: [2022/11/24 09:04:52.575581,  0] ../../source3/smbd/service.c:168(chdir_current_service)
nov 24 09:04:52 kronos smbd[10503]:   chdir_current_service: vfs_ChDir(/domain/samba/roaming/profiles) failed: Permiso denegado. Current token: uid=3000084, gid=3000014, 7 groups: 3000084 3000014 3000005 3000006 3000011 3000001 3000012


>
> >
> > I think Rowland knows a lot about this because he helped me on that thing
> > a long time ago..
>
> Anything I can do to help.
>

Because you are a cool samba guru. 😆



On Wed, 23 Nov 2022 at 16:13, Rowland Penny via samba (<
samba at lists.samba.org>) wrote:

>
>
> On 23/11/2022 18:49, Juan Ignacio via samba wrote:
> > Thanks Luis and Kris
> > I already transferred the FSMO roles to the new DC with the commands you
> > sent me; I have checked and they have been transferred successfully.
> >
> > Was good that someone mentioned something about FSMO roles, otherwise I
> > would have passed it on completely.
> > Thanks for the links you sent me, I was able to understand more about
> > FSMO roles, this was really necessary to do before demoting the old server.
>
> Not really, if you had demoted the DC holding the FSMO roles, this would
> not have been a disaster, it wouldn't have helped, but it wouldn't have
> been a disaster. You would have been able to 'seize' the roles to
> another DC.
>
> >
> > At the moment I would only have to solve some issues and confusion with a
> > member fileserver.
> >
> > One of the member file servers has this on smb.conf
> >
> >         idmap config * : backend = tdb
> >         idmap config * : range = 3000-7999
>
> Are you sure that there aren't any other 'idmap config' lines ?
>
> I would have expected lines for your DOMAIN
>
> >
> >          username map = /usr/local/samba/etc/user.map
>
> Self compiled version of Samba ?
> That line is to map Administrator to root.
>
> >
> > If I remember correctly we used these ranges because the old ad-dc, which
> > also works as a file server, didn't have any of those lines and the uid
> > and gid numbers were really long; when I installed the member server we
> > used that to make it work better.
>
> A DC uses either the xidNumber attributes found in idmap.ldb (numbers in
> the 3000000 range) or any uidNumber & gidNumber found in AD (provided
> 'idmap_ldb:use rfc2307 = yes' is set in the DC's smb.conf).
> >
> > I don't know if now, after syncing the idmap.ldb from the old ad-dc to
> > the new ad-dc, we will have the same long uid and gid. (It's not really
> > important because the new ad-dc will not work as a file server, but anyway.)
>
> The whole idea behind syncing idmap.ldb between DC's is to ensure that
> they all use the ID's.
>
> >
> > Maybe it would have been better to transfer the idmap of the member
> > server to the new ad-dc, or not, because it is using information stored
> > on the old ad-dc.
>
> It doesn't work like that, Unix domain members get their ID's from the
> DC's. Provided that you use the same basic smb.conf on all Unix domain
> members, you will always get the same ID's and they will be different to
> a DC.
>
> >
> > On the member file server I can look at owners with names instead of uid
> > and gid.
>
> You should be able to do this on a DC as well.
>
> >
> > I think Rowland knows a lot about this because he helped me on that thing
> > a long time ago..
>
> Anything I can do to help.
>
> Rowland
>
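As an added illustration of Rowland's point about the member's smb.conf (this is not code from the thread or from Samba), the check below parses the 'idmap config' lines of a domain member's smb.conf and reports a '*' default with no lines for the AD domain, a missing backend or range, or overlapping ranges. The domain name SAMDOM, the rid backend and the 10000-999999 range are placeholder assumptions, not values from the thread.

```python
import re

# Added example, not from the thread: a checker for the 'idmap config' lines of a
# Unix domain member's smb.conf. It encodes Rowland's point that the default (*)
# domain alone is not enough; the member also needs backend and range lines for
# the AD domain, and no two ranges may overlap. SAMDOM and 10000-999999 below
# are placeholders, not values from the thread.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

def parse_idmap(smb_conf: str) -> dict:
    """Return {DOMAIN: {key: value}} for every 'idmap config' line, skipping comments."""
    domains = {}
    for line in smb_conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return domains

def check_member_idmap(smb_conf: str) -> list:
    """Return a list of problems; an empty list means the idmap layout looks sane."""
    problems, ranges = [], {}
    domains = parse_idmap(smb_conf)
    if "*" not in domains:
        problems.append("missing 'idmap config * : backend/range' default")
    if not [d for d in domains if d != "*"]:
        problems.append("no 'idmap config DOMAIN : ...' lines for the AD domain")
    for dom, cfg in domains.items():
        if "backend" not in cfg or "range" not in cfg:
            problems.append(f"domain {dom}: backend and range must both be set")
            continue
        if dom == "*" and cfg["backend"].lower() != "tdb":
            problems.append("the '*' domain needs a read-write backend such as tdb")
        lo, hi = (int(x) for x in cfg["range"].split("-"))
        ranges[dom] = (lo, hi)
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:  # ranges overlap when each starts before the other ends
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems

# Constructed inputs: the member's idmap lines as posted, and a corrected version.
POSTED = "idmap config * : backend = tdb\nidmap config * : range = 3000-7999\n"
CORRECTED = POSTED + "idmap config SAMDOM : backend = rid\nidmap config SAMDOM : range = 10000-999999\n"
```

Running check_member_idmap(POSTED) reports only the missing DOMAIN lines, which is exactly the gap Rowland asks about; check_member_idmap(CORRECTED) returns an empty list.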

