Juan Ignacio
2022-Nov-23 18:49 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
Thanks Luis and Kris

I already transferred the FSMO roles to the new DC with the commands you sent me; I have checked and they have been transferred successfully.

It was good that someone mentioned something about FSMO roles, otherwise I would have passed it on completely. Thanks for the links you sent me, I was able to understand more about FSMO roles, this was really necessary to do before demoting the old server.

At the moment I would only have to solve some issues and confusion with a member fileserver.

One of the member file servers has this in smb.conf

idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> username map = /usr/local/samba/etc/user.map
>

If I remember correctly we used these ranges because the old ad-dc, which also works as file server, didn't have any of those lines and the uid and gid numbers were really long; when I installed the member server we used that to make it work better.

I don't know if now, after syncing the idmap.ldb from the old ad-dc to the new ad-dc, we will have the same long uid and gid. (It is not really important because the new ad-dc will not work as file server, but anyway.)

Maybe it would have been better to transfer the idmap of the member server to the new ad-dc, or not, because it is using information stored on the old ad-dc.

On the member file server I can look at owners with names instead of uid and gid.

I think Rowland knows a lot about this because he helped me with that thing a long time ago.

On Wed, 23 Nov 2022 at 14:20, Luis Peromarta (<lperoma at icloud.com>) wrote:

> FSMO roles have little to do with sysvol replication.
>
> https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_Roles
>
> https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles
>
> Your new DC can own the roles while your old DC still acts as a file
> server.
>
> If you demote your old DC, most likely it will stop acting as a file
> server too, so beware.
>
> https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC
>
> idmapping between your actual file server (old DC) and the new-to-be
> member server (file server) is likely to be different. I don't have a
> clear simple way to migrate the server from dc to member server.
>
> There's a lot more knowledge in this list than mine.
>
> LP
> On 23 Nov 2022 at 18:09 +0100, Juan Ignacio <juan.ignacio.pazos at gmail.com>,
> wrote:
>
>
> I wonder if to do:
> samba-tool fsmo transfer --role=all -UAdministrator
>
> Is it the same as doing it with Rsync or if it is better.
> --
>
> I haven't searched for information on how to remove the old server yet, I
> don't know if it's just disconnecting it or if I should run some command on
> the new DC or the old one.
>
> If you have any information on this it would be of great help.
Rowland Penny
2022-Nov-23 19:13 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
On 23/11/2022 18:49, Juan Ignacio via samba wrote:
> Thanks Luis and Kris
> I already transferred the FSMO roles to the new DC with the commands you
> sent me; I have checked and they have been transferred successfully.
>
> It was good that someone mentioned something about FSMO roles, otherwise I
> would have passed it on completely.
> Thanks for the links you sent me, I was able to understand more about FSMO
> roles, this was really necessary to do before demoting the old server.

Not really, if you had demoted the DC holding the FSMO roles, this would not have been a disaster, it wouldn't have helped, but it wouldn't have been a disaster. You would have been able to 'seize' the roles to another DC.

>
> At the moment I would only have to solve some issues and confusion with a
> member fileserver.
>
> One of the member file servers has this in smb.conf
>
> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999

Are you sure that there aren't any other 'idmap config' lines? I would have expected lines for your DOMAIN

>>
>> username map = /usr/local/samba/etc/user.map

Self compiled version of Samba? That line is to map Administrator to root.

>>
>
> If I remember correctly we used these ranges because the old ad-dc, which also
> works as file server, didn't have any of those lines and the uid and gid
> numbers were really long; when I installed the member server we used that to
> make it work better.

A DC uses either the xidNumber attributes found in idmap.ldb (numbers in the 3000000 range) or any uidNumber & gidNumber found in AD (provided 'idmap_ldb:use rfc2307 = yes' is set in the DC's smb.conf)

>
> I don't know if now, after syncing the idmap.ldb from the old ad-dc to the new
> ad-dc, we will have the same long uid and gid. (It is not really important
> because the new ad-dc will not work as file server, but anyway.)

The whole idea behind syncing idmap.ldb between DC's is to ensure that they all use the ID's.

>
> Maybe it would have been better to transfer the idmap of the member server
> to the new ad-dc, or not, because it is using information stored on the old
> ad-dc.

It doesn't work like that, Unix domain members get their ID's from the DC's. Provided that you use the same basic smb.conf on all Unix domain members, you will always get the same ID's and they will be different to a DC.

>
> On the member file server I can look at owners with names instead of uid and
> gid.

You should be able to do this on a DC as well.

>
> I think Rowland knows a lot about this because he helped me with that thing a long
> time ago.

Anything I can do to help.

Rowland
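
The question raised in the reply above (a member server whose smb.conf has only `idmap config *` lines and none for the domain) can be checked mechanically, along with Samba's rule that idmap ranges must not overlap. The following Python check is an added example, not part of the thread or of Samba; the workgroup name SAMDOM, the rid backend and the 10000-999999 range are assumptions for illustration.

```python
import re

# Constructed sample: the fragment quoted in the thread; workgroup SAMDOM is assumed.
THREAD_CONF = """
[global]
    workgroup = SAMDOM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    username map = /usr/local/samba/etc/user.map
"""
# Same file plus a domain block; the rid backend and this range are illustrative.
WITH_DOMAIN = THREAD_CONF + """
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)

def parse_idmap(conf_text):
    """Return (workgroup, {domain: {option: value}}) from smb.conf text."""
    workgroup, domains = None, {}
    for line in conf_text.splitlines():
        m = WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group(1).upper()
        m = IDMAP_RE.match(line)
        if m:  # anchored at line start, so commented-out lines never match
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return workgroup, domains

def audit_idmap(conf_text):
    """Flag a missing block for the workgroup, a missing range, overlapping ranges."""
    workgroup, domains = parse_idmap(conf_text)
    findings, ranges = [], []
    if workgroup and workgroup not in domains:
        findings.append(f"no 'idmap config {workgroup}' lines, only {sorted(domains)}")
    for name, opts in domains.items():
        if "range" not in opts:
            findings.append(f"{name}: no range set")
            continue
        low, high = (int(x) for x in opts["range"].split("-"))
        ranges.append((low, high, name))
    ranges.sort()
    for (l1, h1, n1), (l2, h2, n2) in zip(ranges, ranges[1:]):
        if l2 <= h1:
            findings.append(f"ranges overlap: {n1} {l1}-{h1} and {n2} {l2}-{h2}")
    return findings
```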