On 05/04/2023 09:59, Tamás Németh via samba wrote:
> Dear All!
>
> (As I wrote earlier) I'm working on removing an ancient (3.2.5) SaMBa
> member server from an Active Directory domain, and replacing it with SaMBa
> 4.16.4 running on AlmaLinux 9. The domain controllers are Windows servers,
> and the old SaMBa is joined to the domain with "security = domain" type of
> security (the old NT4 type).
>
> I'm afraid once I remove the old server from the domain, there is no way
> back for it, however it will have to be removed, since the new server has
> to have the same name.
I take it that everything is hard wired to the old server's hostname and
yes, once it has gone, it has gone.
>
> There are millions of files on the old server with 8bit encoded filenames
> (pre-UTF8) and UIDs and GIDs stored in local files.
>
> The new SaMBa server is already running with RID idmap backend, and I've
> probably found a way to rename all files to have UTF-8 names and remap all
> UIDs and GIDs on the files to the new ones, even in POSIX ACLs, and all the
> necessary user and group names do exist on the new server either locally,
> or in the AD.
It would be better if ALL the users and groups were in AD.
>
> My question is the following:
>
> After removing the old SaMBa server from the domain, do I have to remove,
> rename and rejoin the new one, or is there a way to rename it while being
> part of the domain?
Not that I am aware of; part of the join involves creating an AD object for
the computer, so you have to leave the domain, rename the computer and
then rejoin the domain. (Hint: do not specify 'netbios name' in the
smb.conf, Samba will set it for you).
> Either way, what is the correct way to change the name
> of a SaMBa member server in a Windows controlled AD domain?
See above.
> What files do I have to delete (if any) during the operation?
You will probably have to modify /etc/hostname and /etc/hosts.
> Will the RID backend give me
> a 100% guarantee that Linux UIDs and GIDs will remain unchanged on the new
> server during this "rename" process?
Provided you use the same 'idmap config' lines on a Unix domain member,
the 'rid' idmap backend will always return the same IDs. This is
because they are calculated from the AD object's RID and the DOMAIN low
range.
Rowland
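
Added example, not part of the original thread and not Samba's own code: a check that the 'idmap config' lines before and after a rename yield the same Unix IDs, using the formula documented in idmap_rid(8) (ID = RID - base_rid + low end of range). The domain name EXAMPLE, the ranges and the SIDs are constructed for illustration.

```python
import re

# Constructed smb.conf fragment (assumed values, not from the thread).
BEFORE = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
"""
AFTER_SAME = BEFORE  # host renamed, idmap lines left untouched
AFTER_CHANGED = BEFORE.replace("10000-999999", "20000-999999")

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} built from the 'idmap config' lines."""
    out = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            out.setdefault(dom.upper(), {})[opt.lower()] = val
    return out

def rid_to_id(conf, domain, sid):
    """Map a SID to a Unix ID as idmap_rid(8) documents it:
    ID = RID - base_rid + low end of range (base_rid defaults to 0)."""
    cfg = parse_idmap(conf)[domain.upper()]
    if cfg.get("backend") != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    low, high = (int(x) for x in cfg["range"].split("-"))
    rid = int(sid.rsplit("-", 1)[1])  # the RID is the last sub-authority
    unix_id = rid - int(cfg.get("base_rid", 0)) + low
    if not low <= unix_id <= high:
        raise ValueError(f"RID {rid} falls outside range {low}-{high}")
    return unix_id

def changed_ids(before, after, domain, sids):
    """Return the SIDs whose Unix ID differs between two smb.conf versions."""
    return [s for s in sids
            if rid_to_id(before, domain, s) != rid_to_id(after, domain, s)]

# Constructed SIDs: an ordinary account (RID 1104) and Domain Users (RID 513).
SIDS = ["S-1-5-21-1111111111-2222222222-3333333333-1104",
        "S-1-5-21-1111111111-2222222222-3333333333-513"]

if __name__ == "__main__":
    print({s: rid_to_id(BEFORE, "EXAMPLE", s) for s in SIDS})
    print("changed:", changed_ids(BEFORE, AFTER_CHANGED, "EXAMPLE", SIDS))
```

An empty list from changed_ids means ownership on the migrated files still resolves to the same accounts; any SID it returns would need its files re-owned.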