[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).

Juan Ignacio juan.ignacio.pazos at gmail.com
Fri Nov 25 13:01:14 UTC 2022


>
> Well, apart from the fact you are not getting owner and group names now,
> yes, it will work without them, you just have to explicitly ask for
> them. No 'getent passwd', you have to use 'getent passwd username'.
>

I'm getting owner and group names, when I use getent passwd I get all users
of the domain.
And on the files I'm getting domain usernames and domain groups names when
I do ls.

prueba:*:3015:3004::/home/OURDOMAIN/prueba:/bin/false
krbtgt:*:3014:3004::/home/OURDOMAIN/krbtgt:/bin/false
guest:*:3013:3004::/home/OURDOMAIN/guest:/bin/false

> The problem is, Domain Users shouldn't be in the '3000' range, that
> range is supposed to be for the BUILTIN domain.
>

On the WIKI it says to use those values.
*        3000-7999
DOMAIN   10000-999999
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Maybe at that moment I did not understand well what is the difference
between using the default domain "*" or DOMAIN.
Please help me clarify this.

> Is there a lot of data on the Unix domain member ?
>
> It will probably be easier to correctly setup a new Unix domain member
> and then drag & drop the data across.
>

Yes, I have a lot of info on that file server, homes and shares.
But it is virtualized and with disks in passthrough.
Creating a new virtual unix domain member and passthrough the disks is not
a difficult task for me.

The issue is how do we rewrite new uids and gids to the fs.
We should convert the current ones to the new ones by using the correct rid
range.
The only way would be to pass them through windows if I am correct and it
will take too long.

On the other hand, I haven't had any major problems with this domain member
either, I could wait to demote the old ad-dc and then accommodate a new
member.
About this demote task to the old ad-dc, can something happen with this
unix member server? I need to take care of that.

> As for the idmap backend, there are a few of them, but the main ones are:
> autorid
> rid
> ad
>

Excellent explanation, thank you.

The thing is, why am I using samba's idmap_tdb Backend for Winbind?
 idmap config * : backend = tdb
Maybe because the old ad-DC was misconfigured or something?
Or it was recommended before.
Now after those years I can't remember why I use tdb.

> Any questions, please ask.
>

I think I'm asking a lot sometimes, I don't like to bother with things
that may seem basic.

Thx for your patience.


On Thu, 24 Nov 2022 16:27, Rowland Penny via samba <samba at lists.samba.org>
wrote:

>
>
> On 24/11/2022 18:51, Juan Ignacio wrote:
>
> >     You do not need the 'winbind enum' lines, they can just slow things
> >     down, winbind has to enumerate all users and groups.
> >
> >
> > Ok, so if I remove those lines I can still correctly see owner and group
> > names in unix?
>
> Well, apart from the fact you are not getting owner and group names now,
> yes, it will work without them, you just have to explicitly ask for
> them. No 'getent passwd', you have to use 'getent passwd username'.
>
>
> >
> >
> > I had read that, but I didn't quite understand what it meant,
>
>
> If you do not understand something, please ask.
>
> > what would
> > you recommend doing with those lines?
> > Maybe if it's no bother for you explain to me a bit how it works or send
> > me a link with info.
> >
> > When I look at the uid of the files on the member it seems they are
> > correct, and if I check files it shows correctly.
> > I haven't checked that smb.conf in years, so I thought it worked ok, but
> > it seems not.
> >
> > ls -n
> > drwxrwx---+  2    0 3004    4096 Feb 23  2021 Sebran
> > -rwxrwx---+  1    0 3004  950005 Feb 25  2021 sebran.exe
> > -rwxrwx---+  1    0 3004  191568 Nov 25  2021 sopa2b.jclic.zi
> >
> > ls -lh
> > drwxrwx---+  2 root  domain users 4.0K Feb 23  2021 Sebran
> > -rwxrwx---+  1 root  domain users 928K Feb 25  2021 sebran.exe
> > -rwxrwx---+  1 root  domain users 188K Nov 25  2021 sopa2b.jclic.zip
> >
> > That seems correct.
>
> The problem is, Domain Users shouldn't be in the '3000' range, that
> range is supposed to be for the BUILTIN domain.
>
> Is there a lot of data on the Unix domain member ?
>
> It will probably be easier to correctly setup a new Unix domain member
> and then drag & drop the data across.
>
> As for the idmap backend, there are a few of them, but the main ones are:
> autorid
> rid
> ad
>
> The first two are the easiest to set up, they calculate the Unix ID from
> the RID and the low range you set in smb.conf. The main difference
> between the two is that autorid is meant for multiple domains and you
> cannot use 'winbind use default domain = yes' with it. The rid backend
> calculates the Unix ID in a similar way and is meant for a single domain
> and you can use 'winbind use default domain = yes'. With either idmap
> backend, you do not add anything to AD.
>
> The 'ad' idmap backend works in a totally different way, you must add
> uidNumber attributes to Users that you require visible on Unix domain
> members. You must also add gidNumber attributes to groups, the group
> 'Domain Users' must be given a gidNumber attribute or no users will be
> visible. All uidNumber and gidNumber attributes set, must be within the
> range set in the smb.conf. You can use 'winbind use default domain =
> yes' with the 'ad' backend.
>
> Any questions, please ask.
>
> Rowland
>
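Added worked example, not part of the thread and not Samba's own code: it shows the idmap_rid arithmetic Rowland describes (ID = RID - base_rid + low end of the range, mapping failing outside the range), and builds an old-to-new ID table for the "how do we rewrite new uids and gids to the fs" question, i.e. moving from IDs that idmap_tdb handed out sequentially from the '*' range to the IDs a per-domain `idmap config OURDOMAIN : backend = rid` block would calculate. The domain SID, the range 10000-999999, prueba's RID and the `domain users` group line are constructed assumptions; the passwd lines and the 3000-range IDs are the ones quoted earlier in the thread.

```python
# Added example for this thread (not Samba code): idmap_rid arithmetic and an
# old->new Unix ID table for re-owning files when a domain member moves from
# tdb-allocated IDs in the '*' range to a per-domain 'rid' block.
# Everything marked "constructed" below is an assumption made for the example.

# RIDs that are fixed in every AD domain.
WELL_KNOWN_RIDS = {"administrator": 500, "guest": 501, "krbtgt": 502,
                   "domain admins": 512, "domain users": 513}


def rid_to_id(sid, low, high, base_rid=0):
    """idmap_rid mapping: ID = RID - base_rid + low; None if outside the range."""
    rid = int(sid.rsplit("-", 1)[1])
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def parse_passwd(lines):
    """Return {name: numeric id} from 'getent passwd' / 'getent group' lines."""
    ids = {}
    for line in lines:
        fields = line.split(":")
        if len(fields) >= 3:
            ids[fields[0]] = int(fields[2])
    return ids


def build_remap(old_ids, rids, domain_sid, low, high):
    """Map each old (tdb-allocated) ID to the ID idmap_rid would calculate.
    Names with no known RID (local users, BUILTIN entries) are left alone."""
    remap = {}
    for name, old in old_ids.items():
        rid = rids.get(name.lower())
        if rid is None:
            continue
        new = rid_to_id(f"{domain_sid}-{rid}", low, high)
        if new is not None and new != old:
            remap[old] = new
    return remap


def ranges_disjoint(a, b):
    """A single chown pass is only safe when no new ID equals an old one."""
    return a[1] < b[0] or b[1] < a[0]


def chown_plan(uid_map, gid_map, root="/srv/samba"):
    """One find/chown (or chgrp) command per old ID; -h keeps symlinks as-is."""
    cmds = []
    for old, new in sorted(uid_map.items()):
        cmds.append(f"find {root} -uid {old} -exec chown -h {new} {{}} +")
    for old, new in sorted(gid_map.items()):
        cmds.append(f"find {root} -gid {old} -exec chgrp -h {new} {{}} +")
    return cmds


# Old member: no 'idmap config OURDOMAIN' block, so idmap_tdb handed out the
# next free IDs from the '*' range 3000-7999 (passwd lines quoted in the thread).
OLD_PASSWD = [
    "prueba:*:3015:3004::/home/OURDOMAIN/prueba:/bin/false",
    "krbtgt:*:3014:3004::/home/OURDOMAIN/krbtgt:/bin/false",
    "guest:*:3013:3004::/home/OURDOMAIN/guest:/bin/false",
]
OLD_GROUP = ["domain users:*:3004:"]        # constructed, matches gid 3004 above
DOMAIN_SID = "S-1-5-21-1-2-3"               # constructed; real one: 'net getdomainsid'
RIDS = dict(WELL_KNOWN_RIDS, prueba=1105)   # prueba's RID is constructed
STAR_RANGE = (3000, 7999)                   # idmap config * : range (BUILTIN etc.)
NEW_RANGE = (10000, 999999)                 # idmap config OURDOMAIN : range, rid backend

UID_MAP = build_remap(parse_passwd(OLD_PASSWD), RIDS, DOMAIN_SID, *NEW_RANGE)
GID_MAP = build_remap(parse_passwd(OLD_GROUP), RIDS, DOMAIN_SID, *NEW_RANGE)

if __name__ == "__main__":
    if not ranges_disjoint(STAR_RANGE, NEW_RANGE):
        raise SystemExit("old and new ranges overlap: one chown pass would collide")
    print("uid remap:", UID_MAP)   # {3015: 11105, 3014: 10502, 3013: 10501}
    print("gid remap:", GID_MAP)   # {3004: 10513}
    for cmd in chown_plan(UID_MAP, GID_MAP):
        print(cmd)
```

Two caveats a practitioner would check before running such a plan: the `+` in the `ls -l` output quoted above means the files carry POSIX ACLs, and ACL entries store numeric IDs that chown/chgrp do not rewrite (they need a separate getfacl/setfacl pass with the same table); and the single-pass approach only works because the '*' range and the new domain range do not overlap, which the `ranges_disjoint` guard enforces.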
