[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).

Juan Ignacio juan.ignacio.pazos at gmail.com
Thu Nov 24 18:51:39 UTC 2022


> On 24/11/2022 17:25, Juan Ignacio wrote:
> >     What is a 'member dc' ??
> >
> >
> > Sorry I must say a member of the DC or domain member as I said before.
> > Language Troubles.
> >
> >     If your 'member dc' is just another DC, then that smb.conf is not valid
> >     because you do not use the 'idmap config' lines in a DC smb.conf
> >
> >
> > No its member is a Unix Domain Member to clarify, so the smb.conf seems OK.
>
> Sorry, but no it doesn't.
>

Ok, let's try to fix that server too.😑

> You do not need the 'winbind enum' lines, they can just slow things
> down, winbind has to enumerate all users and groups.
>

Ok, so if I remove those lines I can still correctly see owner and group
names in unix?


>
> > [global]
> >         netbios name = FILESERVER
>
> You do not need to set 'netbios name', Samba will fill it in for you.
>

Ok, that's good to know.

> Now we come to the 'biggy', did you actually read the line above 'You
> must set a DOMAIN backend configuration' ?
>
> Obviously not, because you do not appear to have done so, I would expect
> as a minimum:
>
> idmap config OURDOMAIN : backend = rid
> idmap config OURDOMAIN : range = 10000-999999
>
> There are other idmap backends and you could use a different range, but
> the ranges must not overlap.
>

I had read that, but I didn't quite understand what it meant, what would
you recommend doing with those lines?
Maybe if it's no bother for you explain to me a bit how it works or send me
a link with info.

When I look at the uid of the files on the member it seems they are
correct, and if I check files it shows correctly.
I haven't checked that smb.conf in years, so I thought it worked ok, but it
seems not.

ls -n
drwxrwx---+  2    0 3004    4096 Feb 23  2021 Sebran
-rwxrwx---+  1    0 3004  950005 Feb 25  2021 sebran.exe
-rwxrwx---+  1    0 3004  191568 Nov 25  2021 sopa2b.jclic.zi

ls -lh
drwxrwx---+  2 root  domain users 4.0K Feb 23  2021 Sebran
-rwxrwx---+  1 root  domain users 928K Feb 25  2021 sebran.exe
-rwxrwx---+  1 root  domain users 188K Nov 25  2021 sopa2b.jclic.zip

That seems correct.

Thx in advance.


On Thu, 24 Nov 2022 at 14:39, Rowland Penny via samba (<
samba at lists.samba.org>) wrote:

>
>
> On 24/11/2022 17:25, Juan Ignacio wrote:
> >     What is a 'member dc' ??
> >
> >
> > Sorry I must say a member of the DC or domain member as I said before.
> > Language Troubles.
> >
> >     If your 'member dc' is just another DC, then that smb.conf is not valid
> >     because you do not use the 'idmap config' lines in a DC smb.conf
> >
> >
> > No its member is a Unix Domain Member to clarify, so the smb.conf seems OK.
>
> Sorry, but no it doesn't.
>
> >
> > I didn't make any changes on it, I must know if maybe I need to check
> > resolv.conf and hosts and other info before demoting the primary old
> > ad-dc...
> >
> >     If your 'member dc' is actually a Unix domain member, then that smb.conf
> >     is not valid because there are no 'DOMAIN' 'idmap config' lines.
> >
> >
> > Yea but we put these lines a long time ago, this is the complete global
> > of the member file server.
> >
> >
>
> Let's walk through your smb.conf:
>
> > [global]
> >         netbios name = FILESERVER
>
> You do not need to set 'netbios name', Samba will fill it in for you.
>
> >         security = ADS
> >         workgroup = OURDOMAIN
> >         realm = OURDOMAIN.ORG
> >
> >         log file = /var/log/samba/%m.log
> >         log level = 10
> >
> >          vfs objects = acl_xattr
> >          map acl inherit = yes
> >          store dos attributes = yes
> >
> >          #WINBIND
> >          winbind enum users = yes
> >          winbind enum groups = yes
>
> You do not need the 'winbind enum' lines, they can just slow things
> down, winbind has to enumerate all users and groups.
>
> >          winbind refresh tickets = yes
> >          winbind use default domain = yes
> >          winbind cache time = 60
> >
> >
> >         # Default ID mapping configuration for local BUILTIN accounts
> >         # and groups on a domain member. The default (*) domain:
> >         # - must not overlap with any domain ID mapping configuration!
> >         # - must use a read-write-enabled back end, such as tdb.
> >         # - Adding just this is not enough
> >         # - You must set a DOMAIN backend configuration, see below
> >         idmap config * : backend = tdb
> >         idmap config * : range = 3000-7999
>
> Now we come to the 'biggy', did you actually read the line above 'You
> must set a DOMAIN backend configuration' ?
>
> Obviously not, because you do not appear to have done so, I would expect
> as a minimum:
>
> idmap config OURDOMAIN : backend = rid
> idmap config OURDOMAIN : range = 10000-999999
>
> There are other idmap backends and you could use a different range, but
> the ranges must not overlap.
>
> >
> >          username map = /usr/local/samba/etc/user.map
> >
> > The samba was built from sources.
>
> Doesn't matter where Samba comes from, you set it up the same, just
> different paths.
>
> Rowland
>
>
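
The idmap requirement discussed in this thread (a DOMAIN backend with its own range, not overlapping the default `*` range), as an added example that is not part of the original message or of Samba itself. The function names `parse_idmap`, `check_idmap` and `rid_to_id` are hypothetical, the sample smb.conf text is constructed from the lines quoted above, and the mapping formula is the one documented for the `rid` backend.

```python
import re
from itertools import combinations

# Constructed sample: the [global] idmap lines quoted in the thread.
SMB_CONF = """\
[global]
    workgroup = OURDOMAIN
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
"""
# The same file plus the two lines suggested in the reply.
SMB_CONF_FIXED = SMB_CONF + """\
    idmap config OURDOMAIN : backend = rid
    idmap config OURDOMAIN : range = 10000-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)

def parse_idmap(text):
    """Return (workgroup, {domain: {'backend': str, 'range': (low, high)}})."""
    workgroup, domains = None, {}
    for line in text.splitlines():
        if m := WORKGROUP_RE.match(line):
            workgroup = m.group(1).upper()
        elif m := IDMAP_RE.match(line):
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            if key == "range":
                low, high = val.split("-")
                val = (int(low), int(high))
            domains.setdefault(dom, {})[key] = val
    return workgroup, domains

def check_idmap(text):
    """List problems: missing DOMAIN backend/range, or overlapping ranges."""
    workgroup, domains = parse_idmap(text)
    problems = []
    if workgroup and not {"backend", "range"} <= set(domains.get(workgroup, {})):
        problems.append(f"no 'idmap config {workgroup}' backend and range")
    ranges = sorted((n, d["range"]) for n, d in domains.items() if "range" in d)
    for (a, (lo_a, hi_a)), (b, (lo_b, hi_b)) in combinations(ranges, 2):
        if lo_a <= hi_b and lo_b <= hi_a:
            problems.append(f"ranges for {a} and {b} overlap")
    return problems

def rid_to_id(rid, low, base_rid=0):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_VALUE."""
    return rid - base_rid + low
```

With the suggested range, the rid backend maps RID 513 (Domain Users) to 10513, whereas the gid 3004 in the `ls -n` output above lies inside the default `*` range of 3000-7999.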

