On Tue, 20 Sep 2016 08:33:23 -0700 (PDT) kajkoz via samba <samba at lists.samba.org> wrote:
> I did it again, mean. I followed the instruction
> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29
> then I tried to log in from the client computer. And again. If that
> user already existed on client computer there was not a problem with
> log it to the AD, but if user doesn't exist I got that message
> "The trust relationship between this workstation AND the primary
> domain failed"
>
> Of course I can add that computer to the domain again, but it is not a
> point.

Very strange, the whole idea behind the classic upgrade is that the clients aren't supposed to notice the difference.

Can you post the global part of the smb.conf from the NT4-style PDC you are upgrading from.

Rowland
Yes, of course. It is my smb.conf
[global]
workgroup = MYDOMAIN
printing=cups
printcap name =cups
cups options = Raw
load printers =yes
server string = DOMAIN SERVER
interfaces = eth0, eth1, lo
bind interfaces only = yes
passdb backend = tdbsam
pam password change = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed*
username map = /etc/samba/smbusers
unix password sync = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
hosts allow = 192.168.1. 192.168.7. 192.168.10.
hosts deny = all
syslog = 0
log level = 4
log file = /var/log/samba/%m
max log size = 50
smb ports = 139 445
strict locking = no
notify:inofity=false
show add printer wizard = yes
add user script = /usr/sbin/useradd '%u' -n -g users
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -n -g computers -c "Workstation (%u)" -M -d /nohome -s /bin/false '%u'
shutdown script = /sbin/shutdown -c
logon script = scripts\logon.cmd
logon drive = X:
logon path
logon home
domain logons = yes
domain master = yes
os level = 64
preferred master = yes
wins support = Yes
name resolve order = wins bcast hosts
dns proxy = yes
utmp = Yes
map acl inherit = Yes
guest account = nobody
veto oplock files = /*.doc/*.xls/*.mdb/*.MDB/*.ldb/*.LDB/*.xlsx/*.docx/
time server=yes
follow symlinks = yes
wide links = yes
unix extensions = no
hide dot files = yes
[homes]
comment = Home Directories
valid users = %S
read only = no
writable = Yes
browseable = No
create mode = 0600
directory mode = 0700
[printers]
comment = All Printers
path = /var/spool/samba
browseable = No
public = Yes
guest ok = Yes
writable = No
printable = Yes
use client driver = No
# default devmode = Yes
printer admin = @ntadmin
[print$]
comment = Printer Driver Download Area
path=/var/lib/samba/printers
browseable= yes
guest ok = no
read only = yes
write list = kzurad, @ntadmin
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
locking = No
browseable = No
read only = no
[profiles]
comment = Profile Share
create mode = 0600
directory mode = 0700
profile acls = Yes
path = /home/%U
read only = No
writable = Yes
[public]
comment = Public Files
path = /data/public
read only = No
guest ok = Yes
create mask = 0777
directory mask = 0777
oplocks = no
level2 oplocks = no
strict locking = no
fake oplocks = no
veto oplock files
/*.MDB/*.mdb/*.LDB/*.ldb/*.DOC/*.doc/*.XLS/*.xls/*.DOCX/*.docx/*.XLSX/*.xlsx
vfs objects = recycle
recycle:repository =.RECYCLE_BIN
recycle:keeptree = True
recycle:version = True
recycle:touch = True
recycle:exclude
?~$*,~$*,*.tmp,index*.pl,index*.htm*,*.temp,*.TMP,*.ldb,*.LDB
[Automation]
valid users = @automation, @root
path = /data/automation
read only=No
create mask = 0770
directory mask = 0770
vfs objects = recycle
recycle:repository =.RECYCLE_BIN
recycle:keeptree = True
recycle:version = True
recycle:touch = True
recycle:exclude = ?~$*,~$*,*.tmp,index*.pl,index*.htm*,*.temp,*.TMP
On Tue, Sep 20, 2016 at 10:55 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Tue, 20 Sep 2016 08:33:23 -0700 (PDT)
> kajkoz via samba <samba at lists.samba.org> wrote:
>
> > I did it again, mean. I followed the instruction
> > https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29
> > then I tried to log in from the client computer. And again. If that
> > user already existed on client computer there was not a problem with
> > log it to the AD, but if user doesn't exist I got that message
> > "The trust relationship between this workstation AND the primary
> > domain failed"
> >
> > Of course I can add that computer to the domain again, but it is not a
> > point.
> >
>
> Very strange, the whole idea behind the classic upgrade is that the
> clients aren't supposed to notice the difference.
>
> Can you post the global part of the smb.conf from the NT4-style PDC you
> are upgrading from.
>
> Rowland
--
Kaz
On Tue, 20 Sep 2016 13:00:15 -0500 Kaz Staleman <kajkoz at gmail.com> wrote:
> Yes, of course. It is my smb.conf

Did you do the update on the original PDC, or did you (as I think) do it on a test machine?

If the latter, did you set 'netbios name = <THE NAME OF THE NEW DC>' in smb.conf, as described here:
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29#Domain_Controller_name

Did you get any errors in the output from the classicupgrade command?

Rowland
On Tue, 20 Sep 2016 13:35:16 -0500 Kaz Staleman <kajkoz at gmail.com> wrote:
> I do it on test machine. I do also set up a localsid and domainsid.

That is probably your problem, the new AD domain has to use the old SID, or it is another domain.
I suggest you try again, remove any duplicate users or groups, then follow the wiki page, do not create any new SIDs

Rowland
I set the local and domainsid the same as on my existing domain.

On Tue, Sep 20, 2016 at 1:45 PM, Samba - General mailing list [via Samba] <ml-node+s2283325n4708407h17 at n4.nabble.com> wrote:
> On Tue, 20 Sep 2016 13:35:16 -0500
> Kaz Staleman <[hidden email]> wrote:
>
> > I do it on test machine. I do also set up a localsid and domainsid.
>
> That is probably your problem, the new AD domain has to use the old
> SID, or it is another domain.
> I suggest you try again, remove any duplicate users or groups, then
> follow the wiki page, do not create any new SIDs
>
> Rowland

--
Kaz
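
The thread turns on whether the upgraded AD domain kept the old domain SID. As an added example (not part of the original messages and not Samba project code), the script below compares captured `net getdomainsid` output from the old NT4-style PDC and the new DC. The host names and SID values are constructed samples, and the function names `domain_sid` and `same_domain` are hypothetical.

```shell
#!/bin/sh
# Added example: compare the domain SID on the old PDC and the upgraded DC.
# Inputs are text captured from `net getdomainsid` on each host.
# All sample values below are constructed for illustration.

OLD_PDC='SID for local machine OLDPDC is: S-1-5-21-1111111111-2222222222-3333333333
SID for domain MYDOMAIN is: S-1-5-21-1111111111-2222222222-3333333333'

NEW_DC_OK='SID for local machine NEWDC is: S-1-5-21-1111111111-2222222222-3333333333
SID for domain MYDOMAIN is: S-1-5-21-1111111111-2222222222-3333333333'

NEW_DC_BAD='SID for local machine NEWDC is: S-1-5-21-4444444444-5555555555-6666666666
SID for domain MYDOMAIN is: S-1-5-21-4444444444-5555555555-6666666666'

# Print the SID from the "SID for domain ..." line of the captured text.
# Only a well-formed S-1-5-21-x-y-z domain SID is accepted.
domain_sid() {
    printf '%s\n' "$1" |
        sed -n 's/^SID for domain .* is: *\(S-1-5-21-[0-9][0-9]*-[0-9][0-9]*-[0-9][0-9]*\) *$/\1/p' |
        head -n 1
}

# Return 0 when both captures carry the same domain SID,
# 1 when they differ (clients will treat it as another domain),
# 2 when a SID could not be parsed from one of the captures.
same_domain() {
    old=$(domain_sid "$1")
    new=$(domain_sid "$2")
    if [ -z "$old" ] || [ -z "$new" ]; then
        echo "could not parse a domain SID from one of the captures" >&2
        return 2
    fi
    if [ "$old" != "$new" ]; then
        echo "domain SID changed: $old -> $new" >&2
        return 1
    fi
    echo "domain SID preserved: $old"
}

# Demo on the constructed samples.
same_domain "$OLD_PDC" "$NEW_DC_OK"
same_domain "$OLD_PDC" "$NEW_DC_BAD" || echo "mismatch detected (exit $?)"
```

On real hosts, replace the sample strings with the output of `net getdomainsid` saved from each machine.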