Hi Rowland,
Rfc2307 is active on the main ad dc but, indeed, preserving id is not an issue for my organization.
So must I reconfigure the file server from scratch?

Andrea

On 20 Aug 2021, at 13:09, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 2021-08-20 at 12:52 +0200, Andrea Ballarati via samba wrote:
> > Hello,
> > in my lan I have an ad dc samba and a file server that is ad dc too
> > (Version 4.11.6-Ubuntu).
> > I know this configuration is not recommended and I want to demote the ad
> > dc file server to a simple domain member.
> > What is the correct procedure to follow? I have googled a bit but
> > couldn't find any suitable instructions.
> >
>
> Your only hope is that you have added rfc2307 attributes to AD,
> otherwise demoting the DC (which is easy) and setting it up as a Unix
> domain member (which again is easy) will lead to your users & groups
> being given new ID numbers. This will lead to all your data being
> orphaned. This is one of the reasons why it is not recommended to use a
> DC as a fileserver.
>
> I would suggest you retain the second DC (this is another Samba
> recommendation) and set up a new Unix domain member and use this as a
> fileserver.
>
> Rowland
On Fri, 2021-08-20 at 13:56 +0200, andrea ballarati via samba wrote:
> Hi Rowland,
> Rfc2307 is active on the main ad dc but, indeed, preserving id is not
> an issue for my organization.

rfc2307 being active on the DC is not the same as using the rfc2307 attributes. If all your users have uidNumber attributes and groups have gidNumber attributes, then you can use the winbind 'ad' backend on Unix domain members and get the same users and groups as on the DC. However, if you just have 'idmap_ldb:use rfc2307 = yes' in a DC's smb.conf and no uidNumber or gidNumber attributes in AD, your users & groups will be using xidNumber attributes (note, the 'x' in 'xidNumber' is just that, an 'x', it doesn't replace anything), these numbers are in the '3000000' range and will never be used anywhere but on a DC.

> So must I reconfigure the file server from scratch?

Yes, how easy it is depends on whether you have uidNumbers/gidNumbers in AD or not.

Rowland
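Rowland's test ("if all your users have uidNumber attributes and groups have gidNumber attributes, then you can use the winbind 'ad' backend") is something you can check mechanically before demoting anything. The script below is an added example and is not code from the thread or from the Samba project: it reads LDIF of the shape that `ldbsearch -H /var/lib/samba/private/sam.ldb` prints on a DC, lists every user lacking uidNumber and every group lacking gidNumber, and from that picks which idmap backend the new Unix domain member's smb.conf can use. The embedded LDIF is a constructed sample standing in for real ldbsearch output, and the domain name `SAMDOM` in the printed smb.conf fragment is a placeholder; the function names are my own.

```shell
#!/bin/sh
# Constructed sample in the shape of ldbsearch output from a Samba AD DC.
# Real use: ldbsearch -H /var/lib/samba/private/sam.ldb \
#   '(|(objectClass=user)(objectClass=group))' objectClass sAMAccountName uidNumber gidNumber
SAMPLE_LDIF='dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: bob

dn: CN=FS01,CN=Computers,DC=example,DC=com
objectClass: top
objectClass: user
objectClass: computer
sAMAccountName: FS01$

dn: CN=staff,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
sAMAccountName: staff
gidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
sAMAccountName: Domain Users
'

# missing_posix_ids LDIF_TEXT
# Prints one line per user without uidNumber and per group without gidNumber.
# Computer accounts (objectClass: computer) are skipped; they hold no files.
# Prints nothing when every user and group carries the rfc2307 attributes.
missing_posix_ids() {
    printf '%s\n' "$1" | awk '
        BEGIN { RS = ""; FS = "\n" }          # one LDIF entry per record
        {
            kind = ""; name = ""; has_uid = 0; has_gid = 0; is_computer = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "objectClass: user")     kind = "user"
                if ($i == "objectClass: group")    kind = "group"
                if ($i == "objectClass: computer") is_computer = 1
                if ($i ~ /^sAMAccountName: /)      name = substr($i, 17)
                if ($i ~ /^uidNumber: /)           has_uid = 1
                if ($i ~ /^gidNumber: /)           has_gid = 1
            }
            if (is_computer) next
            if (kind == "user"  && !has_uid) print "user " name " lacks uidNumber"
            if (kind == "group" && !has_gid) print "group " name " lacks gidNumber"
        }'
}

# recommend_backend LDIF_TEXT
# "ad"  : every user/group has rfc2307 ids, the member can reuse the DC ids.
# "rid" : some are missing, so ids will be derived from the SID (new numbers,
#         which is exactly the orphaned-data case Rowland describes).
recommend_backend() {
    if [ -z "$(missing_posix_ids "$1")" ]; then
        echo ad
    else
        echo rid
    fi
}

# idmap_fragment BACKEND
# Prints the idmap lines for the Unix domain member's smb.conf (SAMDOM is a placeholder).
idmap_fragment() {
    echo "idmap config * : backend = tdb"
    echo "idmap config * : range = 3000-7999"
    case "$1" in
        ad)
            echo "idmap config SAMDOM : backend = ad"
            echo "idmap config SAMDOM : schema_mode = rfc2307"
            echo "idmap config SAMDOM : range = 10000-999999"
            echo "idmap config SAMDOM : unix_nss_info = yes" ;;
        *)
            echo "idmap config SAMDOM : backend = rid"
            echo "idmap config SAMDOM : range = 10000-999999" ;;
    esac
}

echo "Objects without rfc2307 ids:"
missing_posix_ids "$SAMPLE_LDIF"
backend=$(recommend_backend "$SAMPLE_LDIF")
echo "Recommended winbind backend: $backend"
idmap_fragment "$backend"
```

On the sample, bob and "Domain Users" come back as missing, so the script recommends the rid backend; fix those attributes in AD first (or accept new ids and re-own the data) and it switches to ad. Run the real ldbsearch on the remaining DC and pipe its output through `missing_posix_ids` to get the same verdict for your domain.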