[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).

Rowland Penny rpenny at samba.org
Thu Nov 24 17:38:52 UTC 2022



On 24/11/2022 17:25, Juan Ignacio wrote:
>     What is a 'member dc'?
> 
> 
> Sorry, I should have said a member of the DC, or domain member, as I said before.  
> Language troubles.
> 
>     If your 'member dc' is just another DC, then that smb.conf is not valid
>     because you do not use the 'idmap config' lines in a DC smb.conf 
> 
> 
> No, to clarify, it is a Unix domain member, so the smb.conf seems OK.

Sorry, but no it doesn't.

> 
> I didn't make any changes to it; I need to know whether I should check 
> resolv.conf, hosts and other information before demoting the old primary 
> AD DC...
> 
>     If your 'member dc' is actually a Unix domain member, then that smb.conf
>     is not valid because there are no 'DOMAIN' 'idmap config' lines. 
> 
> 
> Yes, but we put these lines in a long time ago; this is the complete [global] 
> section of the member file server.
> 
> 

Let's walk through your smb.conf:

> [global]
>         netbios name = FILESERVER

You do not need to set 'netbios name', Samba will fill it in for you.

>         security = ADS
>         workgroup = OURDOMAIN
>         realm = OURDOMAIN.ORG
> 
>         log file = /var/log/samba/%m.log
>         log level = 10
> 
>          vfs objects = acl_xattr
>          map acl inherit = yes
>          store dos attributes = yes
> 
>          #WINBIND
>          winbind enum users = yes
>          winbind enum groups = yes

You do not need the 'winbind enum' lines; they can just slow things 
down, because winbind has to enumerate all users and groups.

>          winbind refresh tickets = yes
>          winbind use default domain = yes
>          winbind cache time = 60
> 
> 
>         # Default ID mapping configuration for local BUILTIN accounts
>         # and groups on a domain member. The default (*) domain:
>         # - must not overlap with any domain ID mapping configuration!
>         # - must use a read-write-enabled back end, such as tdb.
>         # - Adding just this is not enough
>         # - You must set a DOMAIN backend configuration, see below
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999

Now we come to the 'biggy': did you actually read the line above, 'You 
must set a DOMAIN backend configuration'?

Obviously not, because you do not appear to have done so. I would expect, 
as a minimum:

idmap config OURDOMAIN : backend = rid
idmap config OURDOMAIN : range = 10000-999999

There are other idmap backends and you could use a different range, but 
the ranges must not overlap.

> 
>          username map = /usr/local/samba/etc/user.map
> 
> Samba was built from source.

It doesn't matter where Samba comes from; you set it up the same way, just 
with different paths.

Rowland
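As an added example (not code from Rowland's reply, from the poster, or from the Samba project), the following script encodes the idmap rules stated in the thread so they can be checked before a config goes live: a Unix domain member needs 'idmap config DOMAIN : backend/range' lines for its own workgroup and not only for the default '*' domain, no two idmap ranges may overlap, and a DC smb.conf does not carry 'idmap config' lines at all. The two embedded smb.conf fragments are constructed samples: the first reproduces the idmap-relevant lines of the posted [global], the second adds the minimum Rowland asks for.

```python
"""Check the 'idmap config' lines in an smb.conf against the rules in the thread.

Added example (not code from the mailing-list post or from the Samba project).
It assumes the smb.conf text is available as a string and checks three things:
  * a Unix domain member needs 'idmap config DOMAIN : backend/range' for its
    own workgroup, not just for the default '*' domain;
  * no two idmap ranges may overlap;
  * a DC smb.conf should not carry 'idmap config' lines at all.
"""
import re
from itertools import combinations

# Constructed sample: the [global] section posted in the thread, trimmed to the
# lines that matter here.  Only the default '*' domain is configured.
POSTED_SMB_CONF = """\
[global]
        security = ADS
        workgroup = OURDOMAIN
        realm = OURDOMAIN.ORG
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
"""

# Constructed sample: the same [global] with the minimum Rowland asks for added.
FIXED_SMB_CONF = POSTED_SMB_CONF + """\
        idmap config OURDOMAIN : backend = rid
        idmap config OURDOMAIN : range = 10000-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)
PARAM_RE = re.compile(r"^\s*(?P<key>[A-Za-z][\w ]*?)\s*=\s*(?P<val>.+?)\s*$")


def parse_smb_conf(text):
    """Return (params, idmap): params holds plain 'key = value' settings with
    lower-cased keys; idmap maps DOMAIN -> {'backend': str, 'range': (lo, hi)}."""
    params, idmap = {}, {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;[":      # blank, comment, section header
            continue
        m = IDMAP_RE.match(line)
        if m:
            entry = idmap.setdefault(m.group("dom").upper(), {})
            if m.group("key").lower() == "backend":
                entry["backend"] = m.group("val").lower()
            else:
                lo, hi = m.group("val").split("-", 1)
                entry["range"] = (int(lo), int(hi))
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group("key").strip().lower()] = m.group("val")
    return params, idmap


def check_idmap(text):
    """Return a list of problems; an empty list means the idmap lines satisfy
    the rules stated in the thread."""
    problems = []
    params, idmap = parse_smb_conf(text)

    # A DC does not use 'idmap config' lines at all.
    if "domain controller" in params.get("server role", "").lower():
        if idmap:
            problems.append("DC smb.conf must not contain 'idmap config' lines")
        return problems

    workgroup = params.get("workgroup")
    if workgroup is None:
        return ["no 'workgroup' set"]

    # Both the default '*' domain and the member's own DOMAIN need backend + range.
    for dom in ("*", workgroup.upper()):
        entry = idmap.get(dom, {})
        for key in ("backend", "range"):
            if key not in entry:
                problems.append(f"no 'idmap config {dom} : {key}' line")

    # Every range must be sane and must not overlap any other range.
    ranges = {d: e["range"] for d, e in idmap.items() if "range" in e}
    for d, (lo, hi) in ranges.items():
        if lo > hi:
            problems.append(f"idmap range for '{d}' is reversed ({lo}-{hi})")
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(sorted(ranges.items()), 2):
        if lo1 <= hi2 and lo2 <= hi1:
            problems.append(
                f"idmap ranges for '{d1}' ({lo1}-{hi1}) and '{d2}' ({lo2}-{hi2}) overlap"
            )
    return problems


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"{name}: {check_idmap(conf) or 'OK'}")
```

Run against the posted fragment it reports the two missing OURDOMAIN lines; against the fixed fragment it reports nothing. Samba's own `testparm` checks smb.conf syntax; this script only covers the idmap rules Rowland describes, so use both.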
