On 10.04.2018 at 18:46, Rowland Penny via samba wrote:
> Thanks for the updates, I just wish more people would report errors &
> typos
I can send some more, this time from classicupgrade.
Again I do not want to do these changes myself, a samba expert should
have a look.
Feedback for wiki page
Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
Tried on Devuan 1 with compiled samba 4.7.6.
---
When going the classicupgrade route, there is no mention of DNS forwarder.
The "setting up" page points to the classicupgrade page before
forwarders are mentioned, and the jump back happens to a section behind it.
The classicupgrade page itself does not mention forwarders.
---
The description of provision says that the file /etc/krb5.conf needs to
be deleted before retrying, and copied there after provisioning. The
description of classicupgrade does not mention these.
Also classicupgrade recommends only to delete smb.conf and the private
directory.
Provision recommends to delete additionally *.tdb and *.ldb files from
LOCKDIR: /usr/local/samba/var/lock/
STATEDIR: /usr/local/samba/var/locks/
CACHEDIR: /usr/local/samba/var/cache/
And the samba processes should also be killed before retrying.
Failure to do so can completely mess everything up; this should be mentioned.
---
The page says:
"To find duplicate SID's on other passdb backends (smbpasswd, tdbsam),
you have to script around the output of the following two commands:
pdbedit -Lv, net groupmap list"
Is that really so difficult? How about these two commands:
pdbedit -Lv | grep "User SID" | sort | uniq -d
net groupmap list | cut -d- -f8 | sort | uniq -d
Is it enough when these both return nothing?
Maybe I misunderstand it.
---
The sample upgrade command creates this error message:
error: no such option: --use-xattrs
It does work when the option --use-xattrs is left out.
---
The command "samba-tool domain classicupgrade" complains about missing
file wins.dat.
Should that file be copied from the old server as well?
If so the command for that would probably be:
cp -p /usr/local/samba.PDC/var/locks/wins.dat /usr/local/samba.PDC/dbdir/
---
The description of doing classicupgrade on a new server should mention
that /etc/passwd and /etc/group must contain the samba users.
Yes it is obvious, but it should be mentioned.
---
I have no idea what this sentence wants to tell me:
"It used to be thought that setting the Unix ID to the windows RID was
acceptable, time has proven otherwise. If you have users and groups that
use the Windows RID as their Unix ID, you should consider changing these
before carrying out the upgrade. You should also consider removing any
Unix IDs from the 'Well known SIDs', except for the 'Domain
Users' group."
Is this referring to "net groupmap" ?
That lists in my case more than just Domain Users below 1000.
It also shows 512 as Domain Admins, and 514 as nobody.
Is this a problem?
---
"If any of your users have a RID less than '1000' and you wish these to
exist in the new AD domain, you will need to change their RID, see below
for how to do this."
How about this command:
pdbedit -Lv | grep SID | grep -v Group | cut -d- -f8
Does it do the right thing? Then it could be added as example.
---
The description of classicupgrade should tell that doing so affects the
choice of workgroup name:
Provisioning sets the workgroup to the domain, which is the first part
of the realm.
Classicupgrade keeps the old workgroup name from the PDC.
It affects the login names, they are workgroup\user instead of domain\user.
---
The last line of the output of classicupgrade claims that the password
for administrator is set to the password of root.
This is not true, the administrator account keeps its password.
---
And one unrelated note:
The last three "restrict" lines on
wiki.samba.org/index.php/Time_Synchronisation
could probably be replaced with one line "restrict source".
And "mask 255.255.255.255" appears to be the default, is thus not
necessary.
Klaus
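
Added example, not part of the message above and not from the Samba wiki: a small sh script covering both the duplicate-SID check and the listing of user RIDs below 1000. It goes beyond the two one-liners by also catching a SID that occurs once in the user list and once in the group map. The function names are hypothetical and the sample data is constructed, assuming the usual "User SID:" lines of pdbedit -Lv and the "name (SID) -> unixgroup" lines of net groupmap list.

```shell
#!/bin/sh
# Constructed sample of `pdbedit -Lv` output (only the relevant lines).
sample_pdbedit() {
cat <<'EOF'
Unix username:        alice
User SID:             S-1-5-21-1111-2222-3333-3000
Primary Group SID:    S-1-5-21-1111-2222-3333-513
---------------
Unix username:        bob
User SID:             S-1-5-21-1111-2222-3333-3002
Primary Group SID:    S-1-5-21-1111-2222-3333-513
---------------
Unix username:        svc
User SID:             S-1-5-21-1111-2222-3333-501
Primary Group SID:    S-1-5-21-1111-2222-3333-513
EOF
}
# Constructed sample of `net groupmap list` output.
sample_groupmap() {
cat <<'EOF'
Domain Admins (S-1-5-21-1111-2222-3333-512) -> domadmins
Domain Users (S-1-5-21-1111-2222-3333-513) -> users
staff (S-1-5-21-1111-2222-3333-3000) -> staff
EOF
}

# Hypothetical helper: SID of each "User SID:" line (skips "Primary Group SID:").
user_sids() { sed -n 's/^User SID:[[:space:]]*\(S-[0-9-]*\).*$/\1/p'; }

# Hypothetical helper: SID between "(" and ")", safe for group names containing "-".
group_sids() { sed -n 's/^.*(\(S-[0-9-]*\)) -> .*$/\1/p'; }

# SIDs that occur more than once across users and groups taken together.
duplicate_sids() {  # $1 = saved pdbedit output, $2 = saved groupmap output
    { user_sids < "$1"; group_sids < "$2"; } | sort | uniq -d
}

# User RIDs (last SID component) below 1000.
low_user_rids() {   # $1 = saved pdbedit output
    user_sids < "$1" | awk -F- '$NF < 1000 { print $NF }'
}

# Demo on the constructed samples; on a PDC, save the real command output instead.
tmp=$(mktemp -d)
sample_pdbedit > "$tmp/users.txt"; sample_groupmap > "$tmp/groups.txt"
echo "duplicate SIDs:";       duplicate_sids "$tmp/users.txt" "$tmp/groups.txt"
echo "user RIDs below 1000:"; low_user_rids "$tmp/users.txt"
rm -rf "$tmp"
```

In the sample, the SID ending in 3000 belongs to both a user and a group, so neither per-list pipeline would print it, while the combined check does.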