[Samba] AD Functional Level vs very old SaMBa member server
Rowland Penny
rpenny at samba.org
Fri Mar 10 15:51:55 UTC 2023
On 10/03/2023 15:20, Tamás Németh via samba wrote:
> Well, thank you for still replying to me. The thing is that this particular
> SaMBa server is THE original Linux server of my working place, hosting tons
> of home made ancient perl and PHP programs written by former colleagues,
> and these programs interact with the dozens of SaMBa shares. This is why we
> never had the time to fully analyze its structure and upgrade it somehow
> while working on other projects. That PAM SMB module is used by the web
> server of the mentioned perl and PHP programs.
>
> Now we'd like to raise the functional level of our Windows domain, and
> we're afraid, we will have to completely analyze and replace this ancient
> server.
I think you already know the answer to that :-|
> The smb.conf is basically like the following
>
> [global]
> netbios name = samba1
> workgroup = AD
> interfaces = 192.168.0.8/24
> bind interfaces only = yes
> security = domain
> username level = 0
> password server = 192.168.0.8
> encrypt passwords = yes
> name resolve order = wins bcast
> browsable = yes
> strict allocate = yes
> unix extensions = no
> dos charset = 852
> unix charset = ISO8859-2
> display charset = ISO8859-2
> case sensitive = no
> default case = lower
> preserve case = yes
> short preserve case = yes
If (using 4.17.5) you remove the defaults, you get this:
[global]
workgroup = AD
interfaces = 192.168.0.8/24
bind interfaces only = yes
security = domain
strict allocate = yes
unix extensions = no
dos charset = 852
unix charset = ISO8859-2
display charset = ISO8859-2
But that isn't enough for AD and here comes the bit that is probably
going to make your hair turn white:
Your users are probably in /etc/passwd, you cannot do that on a Unix
domain member, all the users are in AD and winbind maps them to Unix
users. Your users probably have ID's that start at '1000' and if you
want to keep these ID's, then you are going to have to use the winbind
'ad' idmap backend, which means that, at a minimum, you will need to add
lines like these (and add uidNumber & gidNumber attributes to AD):
idmap config * : backend = tdb
idmap config * : range = 1000000-999999999
idmap config AD : backend = ad
idmap config AD : schema_mode = rfc2307
idmap config AD : unix_nss_info = yes
idmap config AD : range = 1000-999999
Though if you do not care about the existing ID's you could use the
'rid' idmap backend:
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config AD : backend = rid
idmap config AD : range = 10000-999999
That will calculate the users Unix ID from the users AD RID plus 10000
You will also have to remove the users from /etc/passwd (same goes for
groups).
You will also have to add a line to your smb.conf:
realm = YOUR.DNS.DOMAIN.IN.UPPERCASE
I think that is enough for you to think about at the moment, except to
ask, what do all those scripts do ? You might not need some (or all) of
them with AD.
Rowland
More information about the samba
mailing list