lperoma at icloud.com
2022-Oct-29 09:44 UTC
[Samba] DCs demote / change IP / re-join mistakes
Hi guys,

Greetings. My first post to the list. I have had a working Samba environment for years with no major problems, 3 DCs + 2 Member servers.

Some history:

DC1 was the initial DC, provisioned with --use-rfc2307 (Debian 9 initially). All worked fine.

Second DC, DC2, was joined with:

samba-tool domain join mad.mater.int DC -U"MAD\luis" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'

Debian 9 too, idmap.ldb was backed up from DC1 and copied to DC2, and Rsync SYSVOL replication in place.

Some time later another DC, DC3, was installed in another subnet for resiliency purposes and joined in a similar manner to DC2, including replication and idmap.ldb copied from DC1 (DC1 has always had the FSMO roles).

In the next few years, all DCs were upgraded to Bullseye and Samba 4.16.5 from backports, no problem, everything has been working with zero issues.

In the last few weeks a change of IP was necessary for DC1 and DC2. I proceeded as follows, starting with DC2:

- Demote DC2
- Change IP
- Remove old files (tdb and ldb)
- Rejoin AD with: samba-tool domain join mad.mater.int DC -U"MAD\Luis"

I completely forgot about a) --option='idmap_ldb:use rfc2307 = yes', b) replacing idmap.ldb from DC1.

I tested SYSVOL replication, and the actual DC2 (by turning off DC1 and DC3), and all seems to work fine.

To make things worse, a few days later I changed the IP of DC1:

- Transfer FSMO roles to DC2
- Demote DC1
- Change IP
- Remove old files (tdb and ldb)
- Rejoin AD with: samba-tool domain join mad.mater.int DC -U"MAD\Luis"

Again, without --option='idmap_ldb:use rfc2307 = yes' and without replacing idmap.ldb.

- All FSMO roles were transferred back to DC1.

DC3 has not been reconfigured in any way, except that it is still syncing SYSVOL from DC1.

All seems to work fine, but I fear these mistakes will somehow give me grief in the future. What is my best way to sort this AD?

Let me know if you need configuration files, I thought it would not be necessary.
Thank you very much for the help, All the best, LP
On 29/10/2022 10:44, Luis via samba wrote:
> Hi guys,
>
> Greetings. My first post to the list. I have had a working Samba environment for years with no major problems, 3 DCs + 2 Member servers. Some history:
>
> DC1 was the initial DC, provisioned with --use-rfc2307. (Debian 9 initially) All worked fine.

First you have got to understand what happens when you provision with '--use-rfc2307'.

It adds a line to the smb.conf:

idmap_ldb:use rfc2307 = yes

But more importantly it adds an ldif to AD:

/usr/share/samba/setup/ypServ30.ldif

That is what happens, but what does it do? It does what it says. If you add uidNumber & gidNumber attributes to AD, these will be used instead of the xidNumber attributes found in idmap.ldb, but only on a DC. You will need to configure the smb.conf on Unix domain members to use the 'ad' idmap backend.

> Second DC, DC2, was joined with:
>
> samba-tool domain join mad.mater.int DC -U"MAD\luis" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
>
> Debian 9 too, idmap.ldb was backed up from DC1 and copied to DC2, and Rsync SYSVOL replication in place.

All that option does is to add 'idmap_ldb:use rfc2307 = yes' to the DC's smb.conf, so if you didn't use the option during the DC join, you can just add it manually, but you only need the line if you have added uidNumber & gidNumber attributes to AD and then only if your users will login to the DC.

Rowland
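A check for the rule Rowland states above, added here as an example and not part of the thread: it reads a testparm-style dump of smb.conf and an LDIF export of users and reports whether the DC's 'idmap_ldb:use rfc2307' setting matches whether AD actually carries uidNumber attributes. The --live mode assumes testparm and ldbsearch are on PATH and sam.ldb sits at Debian's default path; the file-based functions run offline.

```shell
#!/bin/bash
# Added example (not from the thread): does this DC's smb.conf agree with the
# uidNumber/gidNumber state of AD? Per the reply, 'idmap_ldb:use rfc2307 = yes'
# matters only when AD users actually carry uidNumber/gidNumber attributes.

# smbconf_has_rfc2307 FILE: succeeds if the (testparm -s style) config sets the option to yes
smbconf_has_rfc2307() {
    grep -Eiq '^[[:space:]]*idmap_ldb:use rfc2307[[:space:]]*=[[:space:]]*yes' "$1"
}

# count_rfc2307_users FILE: number of LDIF entries carrying a uidNumber attribute
# (grep -c exits 1 on zero matches, so '|| true' keeps 'set -e' scripts running)
count_rfc2307_users() {
    grep -Eic '^uidNumber:' "$1" || true
}

# rfc2307_verdict SMBCONF LDIF: prints one word describing the DC's state
#   consistent                - option and AD attributes agree (both present or both absent)
#   missing-option            - AD has uidNumbers but the DC would fall back to idmap.ldb xidNumbers
#   option-without-uidnumbers - option set but no user carries uidNumber, so it has no effect yet
rfc2307_verdict() {
    local n
    n=$(count_rfc2307_users "$2")
    if smbconf_has_rfc2307 "$1"; then
        if [ "$n" -gt 0 ]; then echo consistent; else echo option-without-uidnumbers; fi
    else
        if [ "$n" -gt 0 ]; then echo missing-option; else echo consistent; fi
    fi
}

# Live mode, to be run on a DC as root. Assumed paths/tools: testparm, ldbsearch
# and the Debian default sam.ldb location.
if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp -d)
    testparm -s > "$tmp/smb.conf" 2>/dev/null
    ldbsearch -H /var/lib/samba/private/sam.ldb \
        '(&(objectClass=user)(uidNumber=*))' uidNumber gidNumber > "$tmp/users.ldif"
    printf '%s users with uidNumber; verdict: %s\n' \
        "$(count_rfc2307_users "$tmp/users.ldif")" \
        "$(rfc2307_verdict "$tmp/smb.conf" "$tmp/users.ldif")"
    rm -rf "$tmp"
fi
```

Run it on each DC after a rejoin; 'missing-option' on one DC but 'consistent' on another means the DCs will map the same user to different Unix IDs.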