Rowland penny
2019-Nov-27 10:02 UTC
[Samba] moved DM config to new server : gids different etc
On 27/11/2019 09:52, Stefan G. Weichinger via samba wrote:
> On 26.11.19 at 18:06, Stefan G. Weichinger via samba wrote:
>> On 26.11.19 at 17:19, L.P.H. van Belle wrote:
>>> Hai Stefan,
>>>
>>> Remove the netbios alias and then put that as CNAME in the DNS
>>> Verify if the server's PTR is set also.
>>>
>>> And yeah, you're totally correct that your ACL is messed up..
>>> Because you're using backend RID.
>>>
>>> The "advantage" of backend AD.
>>> Consistent IDs on all Samba clients and servers using the ad back end.
>>>
>>> Which is also the DISADVANTAGE of RID.
>>> IN-Consistent IDs on all Samba clients and servers with RID.
>>>
>>>
>>> Maybe I'm a bit wrong here, with recent updates, .. Then Rowland will correct me.. ;-)
>>> But this is exactly why I ONLY use AD backends.
>>>
>>> I suggest, setup a folder, correct the rights, and use get-set facl to apply them again on the filesystem/folders/files.
>> Not now, not today.
>>
>> That server will be replaced in the next days, and today is a stressful
>> and long day already.
>>
>> Things *worked* fine with this smb.conf for quite some time, so even
>> when I understand the better approach you recommend, I won't do these
>> changes right now.
> OK; new server comes today, I get access to it in the next hours and
> will start installing Debian Buster and run my provisioning on it first.
>
> I now have the name of the domain and the IPs of the DCs etc ... so I
> could theoretically start from scratch more or less and *maybe* switch
> to backend AD here.
>

Do you use the AD DCs for anything other than authentication and GPOs?

If you do, then the 'ad' backend is the way to go, if you don't, then
stick to the 'rid' backend, it is a lot less work, you do not need to
add anything to AD, the only real downside is that all users get the
same home directory path and login shell on each Unix domain member.

Rowland
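Added example, not part of the original thread and not Samba code: the idmap_rid(8) man page gives the mapping as ID = RID - BASE_RID + LOW_RANGE_ID, so two domain members only agree on a group's gid when their idmap range settings agree. The sketch below applies that formula to two constructed range settings and builds the old-to-new translation needed before ownership and ACLs are re-applied on copied data; the class and function names, ranges and RIDs are all assumptions made for illustration.

```python
"""Illustration of the idmap_rid formula; not Samba source code."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class RidRange:
    low: int            # lower bound of 'idmap config DOMAIN : range'
    high: int           # upper bound of that range
    base_rid: int = 0   # idmap_rid 'base_rid' option (default 0)

    def to_unix_id(self, rid: int) -> Optional[int]:
        """ID = RID - BASE_RID + LOW_RANGE_ID; None when outside the range."""
        unix_id = rid - self.base_rid + self.low
        return unix_id if self.low <= unix_id <= self.high else None


def remap_table(old: RidRange, new: RidRange,
                rids: Iterable[int]) -> Dict[int, Optional[int]]:
    """Map each ID the old member assigned to the ID the new member assigns.

    RIDs the old member could not map never reached the filesystem, so they
    are skipped; a None value means the new range cannot hold that RID.
    """
    table: Dict[int, Optional[int]] = {}
    for rid in rids:
        old_id = old.to_unix_id(rid)
        if old_id is not None:
            table[old_id] = new.to_unix_id(rid)
    return table


# Constructed sample values: these ranges and RIDs are not from the thread.
OLD_MEMBER = RidRange(low=10000, high=19999)
NEW_MEMBER = RidRange(low=100000, high=199999)
SAMPLE_RIDS = [513, 1104, 12000]   # 513 is the well-known Domain Users RID

if __name__ == "__main__":
    for old_id, new_id in remap_table(OLD_MEMBER, NEW_MEMBER, SAMPLE_RIDS).items():
        print(f"old id {old_id} -> new id {new_id}")
```

With identical range settings on both members the table is the identity, which is the case where copied ownership and ACLs need no translation.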
Stefan G. Weichinger
2019-Nov-27 10:12 UTC
[Samba] moved DM config to new server : gids different etc
(resend 2 ... blocked again)

On 27.11.19 at 11:02, Rowland penny via samba wrote:
>> I now have the name of the domain and the IPs of the DCs etc ... so I
>> could theoretically start from scratch more or less and *maybe* switch
>> to backend AD here.
>>
> Do you use the AD DCs for anything other than authentication and GPOs?
>
> If you do, then the 'ad' backend is the way to go, if you don't, then
> stick to the 'rid' backend, it is a lot less work, you do not need to
> add anything to AD, the only real downside is that all users get the
> same home directory path and login shell on each Unix domain member.

I also prefer staying with 'rid', yes. Thanks.

Just checking with krb and resolv.conf etc (correcting the domain).

How would you recommend to proceed here:

right now the "fallback hardware" is running as DM, with the server name
"samba" and the final IP.

Unjoin the fallback server before shutting it down ... ? To move the
name and IP over to the new system?

I mean, I will have to prepare the new system in parallel and keep the
downtime low ... and avoid duplicate names etc

Maybe I overcomplicate things ;-)
Rowland penny
2019-Nov-27 12:01 UTC
[Samba] moved DM config to new server : gids different etc
On 27/11/2019 10:12, Stefan G. Weichinger via samba wrote:
> (resend 2 ... blocked again)
>
> On 27.11.19 at 11:02, Rowland penny via samba wrote:
>
>>> I now have the name of the domain and the IPs of the DCs etc ... so I
>>> could theoretically start from scratch more or less and *maybe* switch
>>> to backend AD here.
>>>
>> Do you use the AD DCs for anything other than authentication and GPOs?
>>
>> If you do, then the 'ad' backend is the way to go, if you don't, then
>> stick to the 'rid' backend, it is a lot less work, you do not need to
>> add anything to AD, the only real downside is that all users get the
>> same home directory path and login shell on each Unix domain member.
> I also prefer staying with 'rid', yes. Thanks.
>
> Just checking with krb and resolv.conf etc (correcting the domain).
>
> How would you recommend to proceed here:
>
> right now the "fallback hardware" is running as DM, with the server name
> "samba" and the final IP.
>
> Unjoin the fallback server before shutting it down ... ? To move the
> name and IP over to the new system?

Yes, I would 'leave' the domain and then give it a new IP and possibly a
new hostname (depending on what you are going to call the new Unix domain
member). You could then re-join the domain.

>
> I mean, I will have to prepare the new system in parallel and keep the
> downtime low ... and avoid duplicate names etc

Now prepare your new Unix domain member, join it to the domain and then
copy the required data from the old machine to the new machine. Once you
have transferred everything from 'old' to 'new', you can 'leave' the
domain on the 'old' machine and turn it off.

>
> Maybe I overcomplicate things ;-)
>

Not really ;-)

Rowland