[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).

Juan Ignacio juan.ignacio.pazos at gmail.com
Thu Nov 24 17:25:45 UTC 2022


>
> What is a 'member dc' ??


Sorry, I must say a member of the DC, or domain member as I said before.
Language troubles.

> If your 'member dc' is just another DC, then that smb.conf is not valid
> because you do not use the 'idmap config' lines in a DC smb.conf
>

No, to clarify, it is a Unix domain member, so the smb.conf seems OK.

I didn't make any changes to it. I need to know whether I should check
resolv.conf, hosts and other info before demoting the old primary
ad-dc...

> If your 'member dc' is actually a Unix domain member, then that smb.conf
> is not valid because there are no 'DOMAIN' 'idmap config' lines.
>

Yeah, but we put these lines in a long time ago. This is the complete global
section of the member file server.


[global]
        netbios name = FILESERVER
        security = ADS
        workgroup = OURDOMAIN
        realm = OURDOMAIN.ORG

        log file = /var/log/samba/%m.log
        log level = 10

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

        #WINBIND
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        winbind use default domain = yes
        winbind cache time = 60

        # Default ID mapping configuration for local BUILTIN accounts
        # and groups on a domain member. The default (*) domain:
        # - must not overlap with any domain ID mapping configuration!
        # - must use a read-write-enabled back end, such as tdb.
        # - Adding just this is not enough
        # - You must set a DOMAIN backend configuration, see below
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        username map = /usr/local/samba/etc/user.map

Samba was built from source.


On Thu, 24 Nov 2022 at 13:59, Rowland Penny via samba (<
samba at lists.samba.org>) wrote:

>
>
> On 24/11/2022 15:54, Juan Ignacio wrote:
> >
> > Are you sure that there aren't any other 'idmap config' lines ?
> >
> > I would have expected lines for your DOMAIN
> >
> >
> > All the lines on the member file server are these.
> >
> > vfs objects = acl_xattr
> > map acl inherit = yes
> > store dos attributes = yes
> >
> > #WINBIND
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind refresh tickets = yes
> > winbind use default domain = yes
> > winbind cache time = 60
> >
> >
> > # Default ID mapping configuration for local BUILTIN accounts
> > # and groups on a domain member. The default (*) domain:
> > # - must not overlap with any domain ID mapping configuration!
> > # - must use a read-write-enabled back end, such as tdb.
> > # - Adding just this is not enough
> > # - You must set a DOMAIN backend configuration, see below
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> >
> > username map = /usr/local/samba/etc/user.map
> >
> > The whole idea behind syncing idmap.ldb between DC's is to ensure
> > that they all use the ID's.
> >
> >
> > Yeah, but I have some differences between the ad-dc and member dc,
>
>
> What is a 'member dc' ??
>
> In Samba AD, you have DC's (which are all equal except for the FSMO
> roles, this include RODC's) and Unix & Windows domain members.
>
> The domain members get their ID's from the DC's, Windows uses the RID
> and Unix uses whatever winbind idmap backend that is chosen.
>
> If your 'member dc' is just another DC, then that smb.conf is not valid
> because you do not use the 'idmap config' lines in a DC smb.conf
>
> If your 'member dc' is actually a Unix domain member, then that smb.conf
> is not valid because there are no 'DOMAIN' 'idmap config' lines.
>
> Rowland
>
>
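The two rules quoted above (no 'idmap config' lines in a DC smb.conf; a Unix domain member needs 'idmap config' lines for its DOMAIN as well as the '*' default, with ranges that do not overlap) written as a small Python check. This is an added example, not part of the original message and not Samba code; the sample text is constructed from the lines posted in the thread, and the `rid` backend and 10000-999999 range in the fixed variant are assumptions.

```python
import re

# Constructed sample: the idmap-related [global] lines posted in the thread.
THREAD_CONF = """[global]
    security = ADS
    workgroup = OURDOMAIN
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
"""
# Hypothetical fix: the 'rid' backend and this range are assumptions, not from the thread.
FIXED_CONF = THREAD_CONF + """    idmap config OURDOMAIN : backend = rid
    idmap config OURDOMAIN : range = 10000-999999
"""

IDMAP = re.compile(r"idmap config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.+)", re.I)

def parse(conf):
    """Split smb.conf text into plain settings and per-domain idmap options."""
    settings, idmap = {}, {}
    for line in (l.strip() for l in conf.splitlines()):
        if not line or line[0] in "#;[":
            continue  # skip blanks, comments and section headers
        m = IDMAP.fullmatch(line)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3).strip()
        elif "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip()
    return settings, idmap

def span(opts):
    """Parse 'low-high' from an idmap range option, or None if absent or malformed."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
    return (int(m.group(1)), int(m.group(2))) if m else None

def check_idmap(conf):
    """Return a list of problems with the idmap setup; empty means none found."""
    settings, idmap = parse(conf)
    if "domain controller" in settings.get("server role", "").lower():
        return ["DC smb.conf must not contain 'idmap config' lines"] if idmap else []
    problems = []
    domain = settings.get("workgroup", "").upper()
    for name in ("*", domain):
        opts = idmap.get(name, {})
        if "backend" not in opts or span(opts) is None:
            problems.append(f"missing or incomplete 'idmap config {name}' backend/range")
    a, b = span(idmap.get("*", {})), span(idmap.get(domain, {}))
    if a and b and a[0] <= b[1] and b[0] <= a[1]:
        problems.append(f"'*' range {a} overlaps {domain} range {b}")
    return problems
```

Run against the configuration posted in the thread, `check_idmap(THREAD_CONF)` reports the missing OURDOMAIN mapping; `testparm` remains the authoritative syntax check on a real host.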