[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
juan.ignacio.pazos at gmail.com
Fri Nov 25 20:45:44 UTC 2022
Rowland, I did that setup for a new unix member server and tested.
log file = /var/log/samba/%m.log
log level = 1
realm = OURDOMAIN.ORG
security = ADS
server role = member server
username map = /etc/samba/user.map
workgroup = OURDOMAIN
idmap config ourserver: range = 10000-9999999
idmap config ourserver: backend = rid
After installing everything needed, starting the services and joining, I cannot get
anything from getent passwd OURDOMAIN\\user.
I get users if I use wbinfo -u.
Another thing: when I check with the command wbinfo --ping-dc
checking the NETLOGON for domain[OURDOMAIN] dc connection to
DC1 is the old AD DC, which has Samba 4.1.
I want the new one, DC2. Why is it not connected to this DC?
I installed samba 4.17 from the backports repos.
On Fri, 25 Nov 2022 at 10:48, Rowland Penny via samba (<
samba at lists.samba.org>) wrote:
> On 25/11/2022 13:01, Juan Ignacio wrote:
> > Well, apart from the fact you are not getting owner and group names
> > now,
> > yes, it will work without them, you just have to explicitly ask for
> > them. No 'getent passwd', you have to use 'getent passwd username'.
> > I'm getting owner and group names; when I use getent passwd I get all
> > users of the domain.
> That is because you have 'winbind enum users = yes' set, which you DO
> NOT NEED.
> > And on the files I'm getting domain usernames and domain groups names
> > when I do ls.
> > prueba:*:3015:3004::/home/OURDOMAIN/prueba:/bin/false
> > krbtgt:*:3014:3004::/home/OURDOMAIN/krbtgt:/bin/false
> > guest:*:3013:3004::/home/OURDOMAIN/guest:/bin/false
> When you posted your smb.conf it had these two 'idmap config' lines (and
> only those two lines):
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> If you will note, all the numbers above are between 3000 and 7999, the
> range set.
> But your domain users shouldn't have ID numbers in that range, but
> because you did not set the required 'OURDOMAIN' idmap config lines they
> are all being treated as if they are not members of the 'OURDOMAIN'
> domain and are getting IDs from the default '*' domain. THIS IS WRONG.
> > The problem is, Domain Users shouldn't be in the '3000' range, that
> > range is supposed to be for the BUILTIN domain.
> > On the WIKI it says to use those values.
> > *       3000-7999
> > DOMAIN  10000-999999
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> Yes, I know, I wrote it.
> > Maybe at that moment I did not understand well what is the difference
> > between using the default domain "*" or DOMAIN.
> > Please help me clarify this.
> > Is there a lot of data on the Unix domain member ?
> > It will probably be easier to correctly setup a new Unix domain
> > and then drag & drop the data across.
> > Yes, I have a lot of info on that file server, homes and shares.
> > But it is virtualized and with disks in passthrough.
> > Creating a new virtual unix domain member and passthrough the disks is
> > not a difficult task for me.
> > The issue is how do we rewrite new uids and gids to the fs.
> You do not rewrite uid's & gid's on a Unix domain member, that is
> Samba's job and it does it based on the winbind idmap backend used.
> > We should convert the current ones to the new ones by using the correct
> > rid range.
> > The only way would be to pass them through windows if I am correct and
> > it will take too long.
> You can find out what numeric ID a user is using now, correct the
> smb.conf and restart Samba, then write a script to search for each ID,
> convert that to the username, then chown the file/directory; that will
> be a lot of work.
> Or you could do what I suggested, create a new Unix domain member with a
> correctly set smb.conf and then copy the files across, this should
> correct your problem.
> > On the other hand, I haven't had any major problems with this domain
> > member either, I could wait to demote the old ad-dc and then accommodate
> > a new member.
> If your number of users and groups grow, you are going to have problems.
> > About this demote task to the old ad-dc, can something happen with this
> > unix member server? I need to take care of that.
> If you have joined a new DC to the domain and replication, dns, etc are
> working, then your Unix domain member will be able to use either DC, it
> shouldn't notice a difference.
> > As for the idmap backend, there a few of them, but the main ones are:
> > autorid
> > rid
> > ad
> > Excellent explanation, thx you.
> > The thing is, why am I using samba's idmap_tdb Backend for Winbind?
> > idmap config * : backend = tdb
> > Maybe because the old ad-DC was misconfigured or something?
> > Or it was recommended before.
> > Now after those years I can't remember why I use tdb.
> That is what is used for the default domain, which is only supposed to
> be for the Well Known SIDs (there are less than 200 of those) and
> anything outside the DOMAIN domain (DOMAIN is just a placeholder for the
> real domain name, like you are using 'OURDOMAIN')
> > Any questions, please ask.
> > I think I'm asking a lot sometimes, I don't like to bother with things
> > that may seem basic.
> The only stupid question is the one you do not ask ;-)
> I would rather answer questions before something is done, than do what I
> am doing now, giving you bad news.
> > Thx for your patience.
> No problem
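The remap procedure Rowland describes (record the old numeric IDs, fix smb.conf and restart, then chown by username) as an added sh example that is not part of the thread. The two passwd dumps are constructed: the "old" one uses the wrong '*' range 3000-7999, the "new" one is what getent passwd returns after the OURDOMAIN rid range is configured; the new rid-range UIDs and the /srv/shares path are assumptions.

```sh
#!/bin/sh
# Step 1, before touching smb.conf, on the old member:  getent passwd > old-passwd.txt
# Step 2, after the idmap fix and a Samba restart:      getent passwd > new-passwd.txt
# Step 3: build a plan of "olduid newuid user" and chown files by numeric uid.
# Groups need the same pass with getent group, find -group and chgrp.

# Constructed dumps (not real list data); root is unchanged and must be skipped.
OLD_PASSWD='prueba:*:3015:3004::/home/OURDOMAIN/prueba:/bin/false
guest:*:3013:3004::/home/OURDOMAIN/guest:/bin/false
root:x:0:0:root:/root:/bin/sh'
NEW_PASSWD='prueba:*:11104:10513::/home/OURDOMAIN/prueba:/bin/false
guest:*:10501:10513::/home/OURDOMAIN/guest:/bin/false
root:x:0:0:root:/root:/bin/sh'

# build_uid_plan OLD NEW: one line "olduid newuid user" per account whose uid changed.
# Username is the join key, exactly as the "convert ID to username" step requires.
build_uid_plan() {
    { printf '%s\n' "$2" | sed 's/^/new:/'; printf '%s\n' "$1" | sed 's/^/old:/'; } |
    awk -F: '
        $1 == "new" { newuid[$2] = $4; next }
        ($2 in newuid) && newuid[$2] != $4 { print $4, newuid[$2], $2 }'
}

# apply_uid_plan ROOT PLAN: dry run by default; DO_CHOWN=1 performs the chown.
# -xdev keeps the walk on one filesystem, -h avoids following symlinks.
apply_uid_plan() {
    root=$1
    printf '%s\n' "$2" | while read -r olduid newuid user; do
        [ -n "$olduid" ] || continue
        if [ "${DO_CHOWN:-0}" = 1 ]; then
            find "$root" -xdev -user "$olduid" -exec chown -h "$newuid" {} +
        else
            echo "would chown files with uid $olduid to $newuid ($user) under $root"
        fi
    done
}

plan=$(build_uid_plan "$OLD_PASSWD" "$NEW_PASSWD")
apply_uid_plan /srv/shares "$plan"
```

Run the dry run first and compare the plan against the old dump before setting DO_CHOWN=1; an old uid that now resolves to a different account is exactly the case the plan exposes.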