[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).

Rowland Penny rpenny at samba.org
Fri Nov 25 13:46:53 UTC 2022



On 25/11/2022 13:01, Juan Ignacio wrote:
>     Well, apart from the fact you are not getting owner and group names
>     now,
>     yes, it will work without them, you just have to explicitly ask for
>     them. No 'getent passwd', you have to use 'getent passwd username'.
> 
> 
> I'm getting owner and group names, when I use getent passwd I get all 
> users of the domain.

That is because you have 'winbind enum users = yes' set, which you DO 
NOT NEED.

> And on the files I'm getting domain usernames and domain groups names 
> when I do ls.
> 
> prueba:*:3015:3004::/home/OURDOMAIN/prueba:/bin/false
> krbtgt:*:3014:3004::/home/OURDOMAIN/krbtgt:/bin/false
> guest:*:3013:3004::/home/OURDOMAIN/guest:/bin/false

When you posted your smb.conf it had these two 'idmap config' lines (and 
only those two lines):

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

If you will note, all the numbers above are between 3000 and 7999, the 
range set.

But your domain users shouldn't have ID numbers in that range; because 
you did not set the required 'OURDOMAIN' idmap config lines they are 
all being treated as if they are not members of the 'OURDOMAIN' domain 
and are getting IDs from the default '*' domain. THIS IS WRONG.

> 
>     The problem is, Domain Users shouldn't be in the '3000' range, that
>     range is supposed to be for the BUILTIN domain.
> 
> On the WIKI it says to use those values:
> 
>     *        3000-7999
>     DOMAIN   10000-999999
> 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Yes, I know, I wrote it.

> 
> Maybe at that moment I did not understand well what is the difference 
> between using the default domain "*" or DOMAIN.
> Please help me clarify this.
> 
>     Is there a lot of data on the Unix domain member ?
> 
>     It will probably be easier to correctly setup a new Unix domain member
>     and then drag & drop the data across. 
> 
> 
> Yes, I have a lot of info on that file server, homes and shares.
> But it is virtualized and with disks in passthrough.
> Creating a new virtual Unix domain member and passing the disks through is 
> not a difficult task for me.
> 
> The issue is how do we rewrite new uids and gids to the fs.

You do not rewrite uids & gids on a Unix domain member, that is 
Samba's job and it does it based on the winbind idmap backend used.

> We should convert the current ones to the new ones by using the correct 
> rid range.
> The only way would be to pass them through windows if I am correct and 
> it will take too long.

You can find out what numeric ID a user is using now, correct the 
smb.conf and restart Samba, then write a script to search for each ID, 
convert that to the username, then chown the file/directory. That will 
be a lot of work.
Or you could do what I suggested, create a new Unix domain member with a 
correctly set smb.conf and then copy the files across; this should 
correct your problem.

> 
> On the other hand, I haven't had any major problems with this domain 
> member either, I could wait to demote the old ad-dc and then accommodate 
> a new member.

If your number of users and groups grows, you are going to have problems.

> About this demote task to the old ad-dc, can something happen with this 
> unix member server? I need to take care of that.

If you have joined a new DC to the domain and replication, DNS, etc. are 
working, then your Unix domain member will be able to use either DC, it 
shouldn't notice a difference.

> 
>     As for the idmap backend, there a few of them, but the main ones are:
>     autorid
>     rid
>     ad 
> 
> 
> Excellent explanation, thx you.
> 
> The thing is, why am I using samba's idmap_tdb Backend for Winbind?
>   idmap config * : backend = tdb
> Maybe because the old ad-DC was misconfigured or something?
> Or it was recommended before.
> Now after those years I can't remember why I use tdb.

That is what is used for the default domain, which is only supposed to 
be for the Well Known SIDs (there are fewer than 200 of those) and 
anything outside the DOMAIN domain (DOMAIN is just a placeholder for the 
real domain name, like you are using 'OURDOMAIN').

> 
>     Any questions, please ask. 
> 
> 
>   I think I'm asking a lot sometimes, I don't like to bother with things 
> that may seem basic.

The only stupid question is the one you do not ask ;-)

I would rather answer questions before something is done, than do what I 
am doing now, giving you bad news.

> 
> Thx for your patience.
> 

No problem

Rowland
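The id-correction script Rowland outlines above (record the current ids, fix smb.conf, restart winbind, then re-own by name), as an added example that is not part of the thread. The share path /srv/share, the file names and the sample ids are constructed; the function only prints the chown/chgrp commands so they can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example, not from the thread: plan the re-owning of files once the
# 'idmap config OURDOMAIN : ...' lines have been added to smb.conf.
#
# Step 1, BEFORE changing smb.conf, while winbind still hands out ids from the
# default '*' range (3000-7999 here), record the current id -> name map:
#   getent passwd | awk -F: '$3>=3000 && $3<=7999 {print $3, $1}' > old_uids.txt
#   getent group  | awk -F: '$3>=3000 && $3<=7999 {print $3, $1}' > old_gids.txt
# Step 2, fix smb.conf, restart winbind, then list the files and plan the changes:
#   find /srv/share -printf '%U %G %p\n' > listing.txt
#   plan_chowns old_uids.txt old_gids.txt listing.txt > fix.sh   # review, then: sh fix.sh
#
# Assumes 'winbind use default domain = yes' (names without an OURDOMAIN\ prefix),
# so chown/chgrp resolve 'prueba' or 'domain users' to the NEW ids via winbind.

# plan_chowns UIDMAP GIDMAP LISTING
# Prints one chown/chgrp command per file whose owner or group id is in the old
# map. Ids outside the map (root, local users) are left untouched.
plan_chowns() {
    awk -v uidmap="$1" -v gidmap="$2" -v q="'" '
        BEGIN {
            # map lines look like "3015 prueba" or "3004 domain users"
            while ((getline line < uidmap) > 0) {
                id = line;   sub(/ .*/, "", id)
                name = line; sub(/^[^ ]+ /, "", name)
                u[id] = name
            }
            while ((getline line < gidmap) > 0) {
                id = line;   sub(/ .*/, "", id)
                name = line; sub(/^[^ ]+ /, "", name)
                g[id] = name
            }
        }
        {
            path = $0
            sub(/^[^ ]+ +[^ ]+ +/, "", path)   # drop the leading "UID GID "
            if ($1 in u) printf "chown -h %s%s%s -- %s%s%s\n", q, u[$1], q, q, path, q
            if ($2 in g) printf "chgrp -h %s%s%s -- %s%s%s\n", q, g[$2], q, q, path, q
        }' "$3"
}

if [ "$#" -eq 3 ]; then
    plan_chowns "$@"
fi
```

Files whose owner or group is already outside the old '*' range (root-owned directories, local accounts) produce no command, so the generated fix.sh touches only the ids that were handed out wrongly.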
