Juan Ignacio
2022-Nov-24 15:54 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
> > Not really, if you had demoted the DC holding the FSMO roles, this would
> > not have been a disaster, it wouldn't have helped, but it wouldn't have
> > been a disaster. You would have been able to 'seize' the roles to
> > another DC.

That's good to know. :-)

> Are you sure that there aren't any other 'idmap config' lines ?
> I would have expected lines for your DOMAIN

All the lines on the member file server are these.

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

#WINBIND
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind use default domain = yes
winbind cache time = 60

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
# - Adding just this is not enough
# - You must set a DOMAIN backend configuration, see below
idmap config * : backend = tdb
idmap config * : range = 3000-7999

username map = /usr/local/samba/etc/user.map

> The whole idea behind syncing idmap.ldb between DC's is to ensure that
> they all use the ID's.

Yeah, but I have some differences between the ad-dc and member dc; the uid/gid on the member are correct. Maybe if I connect another member file server "MDC2" I must sync the member file server "MDC1".

> > On the member file server I can look owners with names instead of uid and
> > gid.
>
> You should be able to do this on a DC as well.

No, I don't know why, but on the new ad-dc if I look at the files I see the uid/gid numbers instead of the user or group of the domain. I didn't see any winbind setup in the smb.conf of the new ADDC either. I am getting these errors from samba-ad-dc in the service:

nov 24 07:24:05 kronos samba[6340]: [2022/11/24 07:24:05.425540, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
nov 24 07:24:05 kronos samba[6340]: /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
nov 24 07:24:05 kronos samba[6340]: [2022/11/24 07:24:05.484656, 0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
nov 24 07:24:05 kronos samba[6340]: dnsupdate_nameupdate_done: Failed DNS update with exit code 1
nov 24 09:04:20 kronos samba[6340]: [2022/11/24 09:04:20.195750, 0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
nov 24 09:04:20 kronos samba[6340]: dnsupdate_nameupdate_done: Failed DNS update with exit code 110
nov 24 09:04:37 kronos smbd[10503]: [2022/11/24 09:04:37.576919, 0] ../../source3/smbd/service.c:168(chdir_current_service)
nov 24 09:04:37 kronos smbd[10503]: chdir_current_service: vfs_ChDir(/domain/samba/roaming/profiles) failed: Permiso denegado. Current token: uid=3000084, gid=3000014, 7 groups: 3000084 3000014 3000005 3000006 3000011 3000001 3000012
nov 24 09:04:52 kronos smbd[10503]: [2022/11/24 09:04:52.575581, 0] ../../source3/smbd/service.c:168(chdir_current_service)
nov 24 09:04:52 kronos smbd[10503]: chdir_current_service: vfs_ChDir(/domain/samba/roaming/profiles) failed: Permiso denegado. Current token: uid=3000084, gid=3000014, 7 groups: 3000084 3000014 3000005 3000006 3000011 3000001 3000012

> > I think Rowland knows a lot about this because he helped me on that thing
> > long time ago..
>
> Anything I can do to help.

Because you are a cool samba guru.

On Wed, 23 Nov 2022 at 16:13, Rowland Penny via samba (<samba at lists.samba.org>) wrote:

> On 23/11/2022 18:49, Juan Ignacio via samba wrote:
> > Thanks Luis and Kris
> > I already transferred the FSMO roles to the new DC with the commands you
> > sent me; I have checked and they have been transferred successfully.
> >
> > Was good that someone mentioned something about FSMO roles, otherwise I
> > would have passed it on completely.
> > Thanks for the links you sent me, I was able to understand more about FSMO
> > roles, this was really necessary to do before demoting the old server.
>
> Not really, if you had demoted the DC holding the FSMO roles, this would
> not have been a disaster, it wouldn't have helped, but it wouldn't have
> been a disaster. You would have been able to 'seize' the roles to
> another DC.
>
> > At the moment I would only have to solve some issues and confusion with a
> > member fileserver.
> >
> > One of the member file servers has this in smb.conf
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
>
> Are you sure that there aren't any other 'idmap config' lines ?
> I would have expected lines for your DOMAIN
>
> > username map = /usr/local/samba/etc/user.map
>
> Self compiled version of Samba ?
> That line is to map Administrator to root.
>
> > If I remember correctly we used these ranges because the old ADDC, which also
> > works as file server, didn't have any of those lines and the uid and gid
> > numbers were really long; when I installed the member server we used that to
> > make it work better.
>
> A DC uses either the xidNumber attributes found in idmap.ldb (numbers in
> the 3000000 range) or any uidNumber & gidNumber found in AD (provided
> 'idmap_ldb:use rfc2307 = yes' is set in the DC's smb.conf)
>
> > I don't know if now, after syncing the idmap.ldb from the old ad-dc to the new
> > ad-dc, we will have the same long uid and gid. (It is not really important
> > because the new ad-dc will not work as file server, but anyway)
>
> The whole idea behind syncing idmap.ldb between DC's is to ensure that
> they all use the ID's.
>
> > Maybe it would have been better to transfer the idmap of the member server
> > to the new ad-dc, or not, because it is using information stored on the old
> > ad-dc.
>
> It doesn't work like that, Unix domain members get their ID's from the
> DC's. Provided that you use the same basic smb.conf on all Unix domain
> members, you will always get the same ID's and they will be different to
> a DC.
>
> > On the member file server I can look owners with names instead of uid and
> > gid.
>
> You should be able to do this on a DC as well.
>
> > I think Rowland knows a lot about this because he helped me on that thing
> > long time ago..
>
> Anything I can do to help.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2022-Nov-24 16:57 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
On 24/11/2022 15:54, Juan Ignacio wrote:
> > Are you sure that there aren't any other 'idmap config' lines ?
> > I would have expected lines for your DOMAIN
>
> All the lines on the member file server are these.
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> #WINBIND
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> winbind use default domain = yes
> winbind cache time = 60
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> # - Adding just this is not enough
> # - You must set a DOMAIN backend configuration, see below
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> username map = /usr/local/samba/etc/user.map
>
> > The whole idea behind syncing idmap.ldb between DC's is to ensure
> > that they all use the ID's.
>
> Yeah, but I have some differences between the ad-dc and member dc,

What is a 'member dc' ??

In Samba AD, you have DC's (which are all equal except for the FSMO roles, this includes RODC's) and Unix & Windows domain members. The domain members get their ID's from the DC's, Windows uses the RID and Unix uses whatever winbind idmap backend is chosen.

If your 'member dc' is just another DC, then that smb.conf is not valid because you do not use the 'idmap config' lines in a DC smb.conf.

If your 'member dc' is actually a Unix domain member, then that smb.conf is not valid because there are no 'DOMAIN' 'idmap config' lines.

Rowland
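As an added check, not from the thread or the Samba project: a small Python script that applies the rules Rowland and the smb.conf comments state to the 'idmap config' lines of a Unix domain member. It parses the lines, requires a read-write default (*) back end such as tdb, requires DOMAIN lines with a backend and a range, and flags any two ranges that overlap. The member's lines are taken from the thread; SAMDOM and the rid range in the corrected sample are assumptions.

```python
import re

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

# Constructed sample: the member file server's idmap lines as posted (no DOMAIN lines).
MEMBER_AS_POSTED = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
"""
# Constructed sample with the DOMAIN lines added. SAMDOM is a placeholder for the
# domain's NetBIOS name and the rid range is an assumption, not from the thread.
MEMBER_FIXED = MEMBER_AS_POSTED + """
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""

def parse_idmap(conf):
    """Map each idmap domain name to its option/value pairs, skipping comments."""
    cfg = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom.upper(), {})[opt.lower()] = val
    return cfg

def check_member_idmap(conf):
    """Return the problems found; an empty list means the idmap layout is sane."""
    cfg = parse_idmap(conf)
    problems = []
    if cfg.get("*", {}).get("backend", "").lower() != "tdb":
        problems.append("default (*) domain must use a read-write back end such as tdb")
    if not any(d != "*" for d in cfg):
        problems.append("no DOMAIN 'idmap config' lines")
    ranges = []
    for dom, opts in cfg.items():
        if dom != "*" and "backend" not in opts:
            problems.append(f"{dom}: no backend")
        if "range" not in opts:
            problems.append(f"{dom}: no range")
            continue
        lo, hi = (int(x) for x in opts["range"].split("-"))
        ranges.append((dom, lo, hi))
    # Every pair of ranges must be disjoint, or winbind may hand out clashing IDs.
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"ranges of {d1} and {d2} overlap")
    return problems
```

Run it on the real file with `check_member_idmap(open("/etc/samba/smb.conf").read())`; an empty list is the goal, and the overlap check is what the "must not overlap" comment in the posted smb.conf is warning about.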