[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).

Dale samba at txschroeder.family
Fri Nov 25 21:08:25 UTC 2022


The full idmap configuration should be

idmap config * : backend = tdb
idmap config * : range = 3000-3999
idmap config OURDOMAIN : backend = rid
idmap config OURDOMAIN : range = 10000-9999999

Also, /etc/nsswitch.conf should include winbind on the passwd and group 
lines, similar to the following:

passwd: files winbind
group: files winbind

This is all assuming you have already installed libpam-winbind and 


There are other steps mentioned in the wiki

On 11/25/22 2:45 PM, Juan Ignacio via samba wrote:
> Rowland, I did that setup for a new Unix member server and tested it.
> [global]
>          log file = /var/log/samba/%m.log
>          log level = 1
>          realm = OURDOMAIN.ORG
>          security = ADS
>          server role = member server
>          username map = /etc/samba/user.map
>          workgroup = OURDOMAIN
>          idmap config ourserver: range = 10000-9999999
>          idmap config ourserver: backend = rid
> After installing everything needed, starting the services and joining, I
> cannot get anything from getent passwd OURDOMAIN\\user
> I do get users if I use wbinfo -u
> Another thing is when I check with the command wbinfo --ping-dc
> I get
> checking the NETLOGON for domain[OURDOMAIN] dc connection to
> "DC1.OURDOMAIN.ORG" succeeded
> DC1 is the old AD DC, which has Samba 4.1.
> I want the new one, DC2; why is it not connected to this DC?
> I installed samba 4.17 from the backports repos.
> On Fri, 25 Nov 2022 at 10:48, Rowland Penny via samba (<
> samba at lists.samba.org>) wrote:
>> On 25/11/2022 13:01, Juan Ignacio wrote:
>>>      Well, apart from the fact you are not getting owner and group names
>>>      now,
>>>      yes, it will work without them, you just have to explicitly ask for
>>>      them. No 'getent passwd', you have to use 'getent passwd username'.
>>> I'm getting owner and group names; when I use getent passwd I get all
>>> users of the domain.
>> That is because you have 'winbind enum users = yes' set, which you DO
>>> And on the files I'm getting domain usernames and domain groups names
>>> when I do ls.
>>> prueba:*:3015:3004::/home/OURDOMAIN/prueba:/bin/false
>>> krbtgt:*:3014:3004::/home/OURDOMAIN/krbtgt:/bin/false
>>> guest:*:3013:3004::/home/OURDOMAIN/guest:/bin/false
>> When you posted your smb.conf it had these two 'idmap config' lines (and
>> only those two lines):
>>          idmap config * : backend = tdb
>>          idmap config * : range = 3000-7999
>> If you will note, all the numbers above are between 3000 and 7999, the
>> range set.
>> But your domain users shouldn't have ID numbers in that range; because
>> you did not set the required 'OURDOMAIN' idmap config lines, they are
>> all being treated as if they are not members of the 'OURDOMAIN' domain
>> and are getting IDs from the default '*' domain. THIS IS WRONG.
>>>      The problem is, Domain Users shouldn't be in the '3000' range, that
>>>      range is supposed to be for the BUILTIN domain.
>>> On the WIKI it says to use those values.
>>> *          3000-7999
>>> DOMAIN     10000-999999
>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>> Yes, I know, I wrote it.
>>> Maybe at that moment I did not understand well what is the difference
>>> between using the default domain "*"  or DOMAIN.
>>> Please help me clarify this.
>>>      Is there a lot of data on the Unix domain member ?
>>>      It will probably be easier to correctly setup a new Unix domain
>>>      member and then drag & drop the data across.
>>> Yes, I have a lot of info on that file server, homes and shares.
>>> But it is virtualized and with disks in passthrough.
>>> Creating a new virtual unix domain member and passthrough the disks is
>>> not a difficult task for me.
>>> The issue is how do we rewrite new uids and gids to the fs.
>> You do not rewrite uids & gids on a Unix domain member, that is
>> Samba's job and it does it based on the winbind idmap backend used.
>>> We should convert the current ones to the new ones by using the correct
>>> rid range.
>>> The only way would be to pass them through windows if I am correct and
>>> it will take too long.
>> You can find out what numeric ID a user is using now, correct the
>> smb.conf and restart Samba, then write a script to search for each ID,
>> convert that to the username, then chown the file/directory. That will
>> be a lot of work.
>> Or you could do what I suggested, create a new Unix domain member with a
>> correctly set smb.conf and then copy the files across, this should
>> correct your problem.
>>> On the other hand, I haven't had any major problems with this domain
>>> member either, I could wait to demote the old ad-dc and then accommodate
>>> a new member.
>> If your number of users and groups grow, you are going to have problems.
>>> About this demote task to the old ad-dc, can something happen with this
>>> unix member server? I need to take care of that.
>> If you have joined a new DC to the domain and replication, dns, etc are
>> working, then your Unix domain member will be able to use either DC, it
>> shouldn't notice a difference.
>>>      As for the idmap backend, there a few of them, but the main ones are:
>>>      autorid
>>>      rid
>>>      ad
>>> Excellent explanation, thx you.
>>> The thing is, why am I using samba's idmap_tdb Backend for Winbind?
>>>    idmap config * : backend = tdb
>>> Maybe because the old ad-DC was misconfigured or something?
>>> Or it was recommended before.
>>> Now after those years I can't remember why I use tdb.
>> That is what is used for the default domain, which is only supposed to
>> be for the Well Known SIDs (there are less than 200 of those) and
>> anything outside the DOMAIN domain (DOMAIN is just a placeholder for the
>> real domain name, like you are using 'OURDOMAIN')
>>>      Any questions, please ask.
>>>    I think I'm asking a lot sometimes, I don't like to bother with things
>>> that may seem basic.
>> The only stupid question is the one you do not ask ;-)
>> I would rather answer questions before something is done, than do what I
>> am doing now, giving you bad news.
>>> Thx for your patience.
>> No problem
>> Rowland
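Rowland's suggestion above (record each owner's current ID, fix smb.conf, map every ID to its new value, then chown) as an added Python sketch; this is not code from the thread. The SIDs and the RID for 'prueba' are constructed, and it assumes the old uid-to-SID table was captured with `wbinfo --uid-to-sid` before smb.conf was changed, because under idmap_rid the new ID is simply the domain range low plus the RID.

```python
import re
# Constructed excerpt of the corrected smb.conf from Dale's message above.
SMB_CONF = """workgroup = OURDOMAIN
idmap config * : backend = tdb
idmap config * : range = 3000-3999
idmap config OURDOMAIN : backend = rid
idmap config OURDOMAIN : range = 10000-9999999"""
# Constructed old-uid -> SID table, captured with `wbinfo --uid-to-sid` BEFORE editing
# smb.conf. Domain SID made up; 501/502 are the real guest/krbtgt RIDs, 1105 is invented.
OLD_UID_TO_SID = {
    3013: "S-1-5-21-1111-2222-3333-501",   # guest
    3014: "S-1-5-21-1111-2222-3333-502",   # krbtgt
    3015: "S-1-5-21-1111-2222-3333-1105",  # prueba
}
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$")

def parse_smb_conf(text):
    """Return (workgroup, {domain: {'backend': str, 'range': (lo, hi)}})."""
    workgroup, idmap = None, {}
    for line in text.splitlines():
        if m := re.match(r"^\s*workgroup\s*=\s*(\S+)", line):
            workgroup = m.group(1)
        elif m := IDMAP_RE.match(line):
            dom, key, val = m.groups()
            if key == "range":
                val = tuple(int(x) for x in val.split("-"))
            idmap.setdefault(dom, {})[key] = val
    return workgroup, idmap

def check_idmap(workgroup, idmap):
    """Faults from the thread: no block for the real domain (users then get '*' IDs) and overlapping ranges."""
    problems = []
    if "range" not in idmap.get(workgroup, {}):
        problems.append(f"no 'idmap config {workgroup} : range' line")
    ranges = sorted((e["range"], d) for d, e in idmap.items() if "range" in e)
    for (a, da), (b, db) in zip(ranges, ranges[1:]):
        if b[0] <= a[1]:
            problems.append(f"ranges for {da!r} and {db!r} overlap")
    return problems

def rid_id(sid, idmap, domain):
    """idmap_rid is deterministic: ID = range low + RID, and it must fit the range."""
    lo, hi = idmap[domain]["range"]
    new_id = lo + int(sid.rsplit("-", 1)[1])
    if not lo <= new_id <= hi:
        raise ValueError(f"{sid} -> {new_id} is outside {lo}-{hi}")
    return new_id

def remap_plan(old_to_sid, idmap, domain):
    """{old id: new id}: drive a find/chown pass over the share with this table."""
    return {old: rid_id(sid, idmap, domain) for old, sid in old_to_sid.items()}
```

Run `check_idmap` against the intended smb.conf before restarting Samba; the remap table is only valid once the domain block is present and the ranges do not overlap.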
