[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
Dale
samba at txschroeder.family
Fri Nov 25 21:08:25 UTC 2022
Juan,
The full idmap configuration should be
idmap config * : backend = tdb
idmap config * : range = 3000-3999
idmap config OURDOMAIN : backend = rid
idmap config OURDOMAIN : range = 10000-9999999
Also, /etc/nsswitch.conf should include winbind on the passwd and group
lines, similar to the following:
passwd: files winbind
group: files winbind
This is all assuming you have already installed libpam-winbind and
libnss-winbind.
Dale
There are other steps mentioned in the wiki.
On 11/25/22 2:45 PM, Juan Ignacio via samba wrote:
> Rowland I did that setup for a new unix member server and test.
>
> [global]
> log file = /var/log/samba/%m.log
> log level = 1
> realm = OURDOMAIN.ORG
> security = ADS
> server role = member server
> username map = /etc/samba/user.map
> workgroup = OURDOMAIN
> idmap config ourserver: range = 10000-9999999
> idmap config ourserver: backend = rid
>
> After installing everything needed, starting the services and joining, I
> cannot get anything from getent passwd OURDOMAIN\\user
>
> I get users if I use wbinfo -u
>
> Another thing is, when I check with the command wbinfo --ping-dc
>
> I got
>
> checking the NETLOGON for domain[OURDOMAIN] dc connection to
> "DC1.OURDOMAIN.ORG" succeeded
>
> DC1 is the old ad-dc, which has Samba 4.1.
>
> I want the new one, DC2. Why is it not connected to this DC?
>
> I installed samba 4.17 from the backports repos.
>
> On Fri, 25 Nov 2022 at 10:48, Rowland Penny via samba (<
> samba at lists.samba.org>) wrote:
>
>>
>> On 25/11/2022 13:01, Juan Ignacio wrote:
>>> Well, apart from the fact you are not getting owner and group names
>>> now,
>>> yes, it will work without them, you just have to explicitly ask for
>>> them. No 'getent passwd', you have to use 'getent passwd username'.
>>>
>>> I'm getting owner and group names, when i use getent passwd i get all
>>> users of the domain.
>> That is because you have 'winbind enum users = yes' set, which you DO
>> NOT NEED.
>>
>>> And on the files I'm getting domain usernames and domain groups names
>>> when I do ls.
>>>
>>> prueba:*:3015:3004::/home/OURDOMAIN/prueba:/bin/false
>>> krbtgt:*:3014:3004::/home/OURDOMAIN/krbtgt:/bin/false
>>> guest:*:3013:3004::/home/OURDOMAIN/guest:/bin/false
>> When you posted your smb.conf it had these two 'idmap config' lines (and
>> only those two lines):
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>>
>> If you will note, all the numbers above are between 3000 and 7999, the
>> range set.
>>
>> But your domain users shouldn't have ID numbers in that range, but
>> because you did not set the required 'OURDOMAIN' idmap config lines they
>> are all being treated as if they are not members of the 'OURDOMAIN'
>> domain and are getting ID's from the default '*' domain. THIS IS WRONG.
>>
>>> The problem is, Domain Users shouldn't be in the '3000' range, that
>>> range is supposed to be for the BUILTIN domain.
>>>
>>> On the WIKI it says to use those values:
>>> *      : 3000-7999
>>> DOMAIN : 10000-999999
>>>
>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>> Yes, I know, I wrote it.
>>
>>> Maybe at that moment I did not understand well what is the difference
>>> between using the default domain "*" or DOMAIN.
>>> Please help me clarify this.
>>>
>>> Is there a lot of data on the Unix domain member ?
>>>
>>> It will probably be easier to correctly setup a new Unix domain
>> member
>>> and then drag & drop the data across.
>>>
>>>
>>> Yes, I have a lot of info on that file server, homes and shares.
>>> But it is virtualized and with disks in passthrough.
>>> Creating a new virtual unix domain member and passthrough the disks is
>>> not a difficult task for me.
>>>
>>> The issue is how do we rewrite new uids and gids to the fs.
>> You do not rewrite uid's & gid's on a Unix domain member, that is
>> Samba's job and it does it based on the winbind idmap backend used.
>>
>>> We should convert the current ones to the new ones by using the correct
>>> rid range.
>>> The only way would be to pass them through windows if I am correct and
>>> it will take too long.
>> You can find out what numeric ID a user is using now, correct the
>> smb.conf and restart Samba, then write a script to search for each ID,
>> convert that to the username, then chown the file/directory. That will
>> be a lot of work.
>> Or you could do what I suggested, create a new Unix domain member with a
>> correctly set smb.conf and then copy the files across, this should
>> correct your problem.
>>
>>> On the other hand, I haven't had any major problems with this domain
>>> member either, I could wait to demote the old ad-dc and then accommodate
>>> a new member.
>> If your number of users and groups grow, you are going to have problems.
>>
>>> About this demote task to the old ad-dc, can something happen with this
>>> unix member server? I need to take care of that.
>> If you have joined a new DC to the domain and replication, DNS, etc. are
>> working, then your Unix domain member will be able to use either DC, it
>> shouldn't notice a difference.
>>
>>> As for the idmap backend, there a few of them, but the main ones are:
>>> autorid
>>> rid
>>> ad
>>>
>>>
>>> Excellent explanation, thx you.
>>>
>>> The thing is, why am I using samba's idmap_tdb Backend for Winbind?
>>> idmap config * : backend = tdb
>>> Maybe because the old ad-DC was misconfigured or something?
>>> Or it was recommended before.
>>> Now after those years I can't remember why I use tdb.
>> That is what is used for the default domain, which is only supposed to
>> be for the Well Known SIDs (there are less than 200 of those) and
>> anything outside the DOMAIN domain (DOMAIN is just a placeholder for the
>> real domain name, like you are using 'OURDOMAIN').
>>
>>> Any questions, please ask.
>>>
>>>
>>> I think I'm asking a lot sometimes, I don't like to bother with things
>>> that may seem basic.
>> The only stupid question is the one you do not ask ;-)
>>
>> I would rather answer questions before something is done, than do what I
>> am doing now, giving you bad news.
>>
>>> Thx for your patience.
>>>
>> No problem
>>
>> Rowland
>>
>>
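The re-owning procedure Rowland sketches above (record each user's current ID, fix the idmap lines and restart Samba, then chown every file from the old ID to the new one) as an added shell example; this is not code from the thread or from the Samba project. It assumes a snapshot of `getent passwd` taken *before* the smb.conf change (the thread's own 3000-range lines are used as constructed input), a constructed name-to-SID table standing in for what `wbinfo -n OURDOMAIN\\name` would print (the SIDs are placeholders), and the `idmap config OURDOMAIN : range = 10000-9999999` setting Dale gives. New IDs are computed with the idmap_rid formula from its man page, ID = RID - BASE_RID + LOW_RANGE_ID; on the real member server you would instead take them from `id -u OURDOMAIN\\name` once winbind has been restarted with the corrected configuration.

```shell
#!/bin/sh
# Added example, not from the thread: plan and apply a uid migration from
# tdb-allocated '*' IDs (3000-7999) to idmap_rid IDs for OURDOMAIN.

RANGE_LOW=10000   # low end of 'idmap config OURDOMAIN : range = 10000-9999999'
BASE_RID=0        # idmap_rid default 'base_rid'

# idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID
rid_to_id() {
  echo $(( $1 - BASE_RID + RANGE_LOW ))
}

# The RID is the last dash-separated component of a SID.
sid_to_rid() {
  echo "${1##*-}"
}

# Constructed snapshot of 'getent passwd' taken BEFORE changing smb.conf;
# these are the lines posted in the thread, with IDs from the '*' tdb range.
OLD_PASSWD='prueba:*:3015:3004::/home/OURDOMAIN/prueba:/bin/false
krbtgt:*:3014:3004::/home/OURDOMAIN/krbtgt:/bin/false
guest:*:3013:3004::/home/OURDOMAIN/guest:/bin/false'

# Constructed name -> SID table (placeholder SIDs). On a live system this is
# what 'wbinfo -n OURDOMAIN\\name' returns, captured before the change.
SIDS='prueba S-1-5-21-1111111111-2222222222-3333333333-1105
krbtgt S-1-5-21-1111111111-2222222222-3333333333-502
guest S-1-5-21-1111111111-2222222222-3333333333-501'

sid_for() {
  printf '%s\n' "$SIDS" | awk -v n="$1" '$1 == n { print $2 }'
}

# Emit one "name old_uid new_uid" line per user in the snapshot.
# Users without a recorded SID are skipped rather than guessed.
plan_uid_moves() {
  printf '%s\n' "$OLD_PASSWD" | while IFS=: read -r name pw uid rest; do
    sid=$(sid_for "$name")
    [ -n "$sid" ] || continue
    echo "$name $uid $(rid_to_id "$(sid_to_rid "$sid")")"
  done
}

# Re-own files under $1. 'chown --from=OLD' only touches files still owned
# by the old uid, so the pass is safe to re-run. Pass "echo" as $2 to print
# the commands instead of executing them (dry run).
apply_uid_moves() {
  plan_uid_moves | while read -r name old new; do
    ${2:-} find "$1" -xdev -uid "$old" -exec chown -h --from="$old" "$new" {} +
  done
}

# Dry run against a constructed share path when executed directly.
if [ "${0##*/}" = "uid_migrate.sh" ]; then
  apply_uid_moves /srv/share echo
fi
```

Group ownership needs the same pass with `find -gid OLD` and `chown --from=:OLD :NEW` (Domain Users, RID 513, lands at 10513 with this range). Take the `getent passwd` and `wbinfo -n` snapshots before touching smb.conf: once the corrected idmap lines are in place, winbind no longer hands those users IDs from the `*` tdb, so the old numbers can no longer be resolved back to names.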