[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).

Juan Ignacio juan.ignacio.pazos at gmail.com
Fri Nov 25 20:45:44 UTC 2022


Rowland, I did that setup for a new Unix member server and tested it.

[global]
        log file = /var/log/samba/%m.log
        log level = 1
        realm = OURDOMAIN.ORG
        security = ADS
        server role = member server
        username map = /etc/samba/user.map
        workgroup = OURDOMAIN
        idmap config ourserver: range = 10000-9999999
        idmap config ourserver: backend = rid


After installing everything needed, starting the services and joining, I
cannot get anything from getent passwd OURDOMAIN\\user

I get users if I use wbinfo -u

Another thing: when I check with the command wbinfo --ping-dc

I get

checking the NETLOGON for domain[OURDOMAIN] dc connection to
"DC1.OURDOMAIN.ORG" succeeded

DC1 is the old AD DC, which has Samba 4.1.

I want the new one, DC2. Why is it not connected to this DC?

I installed Samba 4.17 from the backports repos.

On Fri, 25 Nov 2022 at 10:48, Rowland Penny via samba (<samba at lists.samba.org>) wrote:

>
>
> On 25/11/2022 13:01, Juan Ignacio wrote:
> >     Well, apart from the fact you are not getting owner and group names
> >     now,
> >     yes, it will work without them, you just have to explicitly ask for
> >     them. No 'getent passwd', you have to use 'getent passwd username'.
> >
> >
> > I'm getting owner and group names, when i use getent passwd i get all
> > users of the domain.
>
> That is because you have 'winbind enum users = yes' set, which you DO
> NOT NEED.
>
> > And on the files I'm getting domain usernames and domain groups names
> > when I do ls.
> >
> > prueba:*:3015:3004::/home/OURDOMAIN/prueba:/bin/false
> > krbtgt:*:3014:3004::/home/OURDOMAIN/krbtgt:/bin/false
> > guest:*:3013:3004::/home/OURDOMAIN/guest:/bin/false
>
> When you posted your smb.conf it had these two 'idmap config' lines (and
> only those two lines):
>
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>
> If you will note, all the numbers above are between 3000 and 7999, the
> range set.
>
> But your domain users shouldn't have ID numbers in that range, but
> because you did not set the required 'OURDOMAIN' idmap config lines they
> are all being treated as if they are not members of the 'OURDOMAIN'
> domain and are getting ID's from the default '*' domain. THIS IS WRONG.
>
> >
> >     The problem is, Domain Users shouldn't be in the '3000' range, that
> >     range is supposed to be for the BUILTIN domain.
> >
> > On the WIKI it says to use those values.
> > *         3000-7999
> > DOMAIN    10000-999999
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Yes, I know, I wrote it.
>
> >
> > Maybe at that moment I did not understand well what is the difference
> > between using the default domain "*"  or DOMAIN.
> > Please help me clarify this.
> >
> >     Is there a lot of data on the Unix domain member ?
> >
> >     It will probably be easier to correctly setup a new Unix domain member
> >     and then drag & drop the data across.
> >
> >
> > Yes, I have a lot of info on that file server, homes and shares.
> > But it is virtualized and with disks in passthrough.
> > Creating a new virtual unix domain member and passthrough the disks is
> > not a difficult task for me.
> >
> > The issue is how do we rewrite new uids and gids to the fs.
>
> You do not rewrite uid's & gid's on a Unix domain member, that is
> Samba's job and it does it based on the winbind idmap backend used.
>
> > We should convert the current ones to the new ones by using the correct
> > rid range.
> > The only way would be to pass them through windows if I am correct and
> > it will take too long.
>
> You can find out what numeric ID a user is using now, correct the
> smb.conf and restart Samba, then write a script to search for each ID,
> convert that to the username, then chown the file/directory; that will
> be a lot of work.
> Or you could do what I suggested, create a new Unix domain member with a
> correctly set smb.conf and then copy the files across, this should
> correct your problem.
>
> >
> > On the other hand, I haven't had any major problems with this domain
> > member either, I could wait to demote the old ad-dc and then accommodate
> > a new member.
>
> If your number of users and groups grows, you are going to have problems.
>
> > About this demote task to the old ad-dc, can something happen with this
> > unix member server? I need to take care of that.
>
> If you have joined a new DC to the domain and replication, dns, etc are
> working, then your Unix domain member will be able to use either DC, it
> shouldn't notice a difference.
>
> >
> >     As for the idmap backend, there are a few of them, but the main ones are:
> >     autorid
> >     rid
> >     ad
> >
> >
> > Excellent explanation, thx you.
> >
> > The thing is, why am I using samba's idmap_tdb Backend for Winbind?
> >   idmap config * : backend = tdb
> > Maybe because the old ad-DC was misconfigured or something?
> > Or it was recommended before.
> > Now after those years I can't remember why I use tdb.
>
> That is what is used for the default domain, which is only supposed to
> be for the Well Known SIDs (there are less than 200 of those) and
> anything outside the DOMAIN domain (DOMAIN is just a placeholder for the
> real domain name, like you are using 'OURDOMAIN').
>
> >
> >     Any questions, please ask.
> >
> >
> > I think I'm asking a lot sometimes, I don't like to bother with things
> > that may seem basic.
>
> The only stupid question is the one you do not ask ;-)
>
> I would rather answer questions before something is done, than do what I
> am doing now, giving you bad news.
>
> >
> > Thx for your patience.
> >
>
> No problem
>
> Rowland
>
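Rowland's suggested approach above (find each old numeric ID, map it to the name, then chown to the ID the corrected idmap assigns) as a worked script; this is an added example, not code from the thread or from Samba. It assumes 'getent passwd' was dumped to a file before and after the smb.conf fix, and the names, IDs and /srv/shares path are placeholders.

```shell
#!/bin/sh
# Remap file ownership after fixing the idmap ranges on a Samba Unix domain member.
# Added example, not from the thread. Assumes 'getent passwd' / 'getent group'
# were dumped to files before and after the smb.conf change (while enumeration
# was still on), so the same names appear in both; field 3 is the numeric ID in
# both passwd and group format, so one function serves uids and gids.

# build_id_map OLD_DUMP NEW_DUMP -> "name old_id new_id" for each name whose
# numeric ID differs between the two dumps.
build_id_map() {
  awk -F: 'NR == FNR { old[$1] = $3; next }
           ($1 in old) && old[$1] != $3 { print $1, old[$1], $3 }' "$1" "$2"
}

# remap_owners MAP ROOT [apply]: chown every file under ROOT still carrying an
# old uid to the new uid. Without the third argument only the plan is printed.
# Running the chowns in one pass is safe here only because the new range
# (10000+) does not overlap the old one (3000-7999).
remap_owners() {
  map=$1; root=$2; mode=${3:-dry-run}
  while read -r name old new; do
    if [ "$mode" = apply ]; then
      find "$root" -xdev -uid "$old" -exec chown -h "$new" {} +
    else
      printf 'find %s -xdev -uid %s -exec chown -h %s {} +  # %s\n' \
        "$root" "$old" "$new" "$name"
    fi
  done < "$map"
}

# Constructed sample dumps (placeholder names; 'before' IDs mirror the 3000-range
# values seen in the thread, 'after' IDs are invented rid-style values).
TMP=${TMPDIR:-/tmp}/idmap-demo.$$
mkdir -p "$TMP"
cat > "$TMP/passwd.old" <<'EOF'
prueba:*:3015:3004::/home/OURDOMAIN/prueba:/bin/false
guest:*:3013:3004::/home/OURDOMAIN/guest:/bin/false
EOF
cat > "$TMP/passwd.new" <<'EOF'
prueba:*:11105:10513::/home/OURDOMAIN/prueba:/bin/false
guest:*:10501:10513::/home/OURDOMAIN/guest:/bin/false
EOF
build_id_map "$TMP/passwd.old" "$TMP/passwd.new" > "$TMP/uid.map"
remap_owners "$TMP/uid.map" /srv/shares   # dry run: prints the chown plan
```

Groups are handled the same way from 'getent group' dumps, with find's -gid test and chgrp in place of -uid and chown.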