[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).

Rowland Penny rpenny at samba.org
Thu Nov 24 19:26:35 UTC 2022

On 24/11/2022 18:51, Juan Ignacio wrote:

>     You do not need the 'winbind enum' lines, they can just slow things
>     down, winbind has to enumerate all users and groups.
> Ok, so if I remove those lines I can still correctly see owner and group 
> names in unix?

Well, apart from the fact you are not getting owner and group names now, 
yes, it will work without them, you just have to explicitly ask for 
them. No 'getent passwd', you have to use 'getent passwd username'.

> I had read that, but I didn't quite understand what it meant, 

If you do not understand something, please ask.

> what would 
> you recommend doing with those lines?
> Maybe if it's no bother for you explain to me a bit how it works or send 
> me a link with info.
> When I look at the uid of the files on the member it seems they are 
> correct, and if I check files it shows correctly.
> I haven't checked that smb.conf in years, so I thought it worked ok, but 
> it seems not.
> ls -n
> drwxrwx---+  2    0 3004    4096 Feb 23  2021 Sebran
> -rwxrwx---+  1    0 3004  950005 Feb 25  2021 sebran.exe
> -rwxrwx---+  1    0 3004  191568 Nov 25  2021 sopa2b.jclic.zi
> ls -lh
> drwxrwx---+  2 root  domain users 4.0K Feb 23  2021 Sebran
> -rwxrwx---+  1 root  domain users 928K Feb 25  2021 sebran.exe
> -rwxrwx---+  1 root  domain users 188K Nov 25  2021 sopa2b.jclic.zip
> That seems correct.

The problem is, Domain Users shouldn't be in the '3000' range, that 
range is supposed to be for the BUILTIN domain.

Is there a lot of data on the Unix domain member ?

It will probably be easier to correctly setup a new Unix domain member 
and then drag & drop the data across.

As for the idmap backend, there are a few of them, but the main ones are:

The first two are the easiest to set up, they calculate the Unix ID from 
the RID and the low range you set in smb.conf. The main difference 
between the two is that autorid is meant for multiple domains and you 
cannot use 'winbind use default domain = yes' with it. The rid backend 
calculates the Unix ID in a similar way and is meant for a single domain 
and you can use 'winbind use default domain = yes'. With either idmap 
backend, you do not add anything to AD.

The 'ad' idmap backend works in a totally different way, you must add 
uidNumber attributes to Users that you require visible on Unix domain 
members. You must also add gidNumber attributes to groups, the group 
'Domain Users' must be given a gidNumber attribute or no users will be 
visible. All uidNumber and gidNumber attributes set, must be within the 
range set in the smb.conf. You can use 'winbind use default domain = 
yes' with the 'ad' backend.

Any questions, please ask.
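
The range check and the 'rid' calculation described in the message above, as an added example that is not part of the original post or of Samba itself. It assumes a constructed smb.conf fragment with a placeholder domain SAMDOM and illustrative ranges, uses the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID, and uses 513, the well-known RID of Domain Users.

```python
import re

# Constructed sample; SAMDOM and both ranges are assumptions, not from the thread.
SAMPLE_SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""

LINE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {'backend': str, 'range': (low, high)}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
            if key == "range":
                val = tuple(int(n) for n in val.split("-"))
            domains.setdefault(dom, {})[key] = val
    return domains

def rid_to_unix_id(rid, low, high, base_rid=0):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID; None if out of range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def owning_domain(unix_id, domains):
    """Name of the idmap config whose range contains unix_id, else None."""
    for dom, entry in domains.items():
        low, high = entry["range"]
        if low <= unix_id <= high:
            return dom
    return None

def overlapping_ranges(domains):
    """Adjacent (by low bound) idmap configs whose ranges overlap."""
    items = sorted(domains.items(), key=lambda kv: kv[1]["range"])
    return [(a, b) for (a, ra), (b, rb) in zip(items, items[1:])
            if rb["range"][0] <= ra["range"][1]]

if __name__ == "__main__":
    doms = parse_idmap(SAMPLE_SMB_CONF)
    print("gid 3004 is in:", owning_domain(3004, doms))   # gid from 'ls -n'
    print("Domain Users:", rid_to_unix_id(513, *doms["SAMDOM"]["range"]))
```

With these assumed ranges, the gid 3004 seen in the 'ls -n' output falls in the default ('*') range rather than the domain's, while the 'rid' backend would place Domain Users inside the SAMDOM range.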

