I'm testing moving a current Samba PDC configuration from an existing Unix server to a new Debian server, and as expected, can't login to the new PDC from a PC which had been connected to the old PDC. The new Debian Samba configuration is working okay in that I can join a new PC to it, login, and access shares. In a test environment I renamed the Debian server's host and domain names to be the same as that of the Unix server, and manually created a user account in Debian and Samba for an existing test user and PC. I noted that the UIDs and GIDs are within different ranges on the two servers: in Unix they're allocated from 100, whereas in Debian they're allocated from 1000, so the test user and machine have been allocated different IDs on the two servers. Also, the SIDs are obviously different between the two servers. I used 'net getlocalsid' to find the two SIDs, and 'net setlocalsid' to set the SID of the new server to that of the old server. I'd appreciate some pointers on what to do. I don't want to have the exact same users on the new Debian server (some of the users on the Unix server have left) so was hoping to just create users and groups manually rather than copy existing files across. Do I need to edit the UIDs and GIDs somehow, and then export/import some password/security files? I've seen that on the Unix server there's a file named /etc/smbpasswd, but that isn't on the Debian server, so I'm wondering if they're using a different type of security back-end? Is there a command which will report this, or which smb.conf parameters will identify this? I don't do a lot of this stuff, so any help would be appreciated.
Sorry, forgot to say that the Unix server has Samba 3.0.10, and the Debian server is 3.5.6.
Also, here are the 'global' sections from the 'testparm' command.

Existing Unix server

[global]
        workgroup = DDOMAIN
        server string = Samba Server PDC
        smb passwd file = /etc/smbpasswd
        log file = /usr/lib/samba/var/log.%m
        max log size = 50
        time server = Yes
        keepalive = 0
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        disable spoolss = Yes
        logon script = %U.bat
        logon drive = G:
        domain logons = Yes
        os level = 64
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        hosts allow = 192.0.0., 127.

New Debian server

[global]
        workgroup = DDOMAIN
        server string = %h server (Samba %v)
        interfaces = 127.0.0.0/8, eth0
        bind interfaces only = Yes
        obey pam restrictions = Yes
        smb passwd file = /etc/smbpasswd    ### I added this, but the file doesn't exist
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        logon script = %U.bat
        logon drive = G:
        domain logons = Yes
        os level = 64
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        panic action = /usr/share/samba/panic-action %d
Thanks very much for your detailed reply. I'm sure it will be very helpful. Is there an easy way to search for your earlier posts? I'm looking in the archives, and opening them by month, then searching for your name. It just seems a bit long-winded; I'm not sure when you would have posted them! Thanks again.

On Mon, 29 Jul 2013 16:49:48 +0100 "Gaiseric Vandal" <gaiseric.vandal at gmail.com> wrote:
> Run the "testparm -v" to see full details, including defaults that may not have been explicitly specified in smb.conf. You want to look out for the "passdb backend" value. On samba 3.4 or later tdbsam is probably the only valid local option. If you were using the smbpasswd file (text?) format on 3.0.x you may need to use the smbpasswd command to export / import to the TDB (trivial data base) format.
>
> With the old primary domain server running you should join the new machine to the domain as a member server (net join). The localsid on all DCs should match the domainsid. You can probably then make the new machine a DC by changing the smb.conf to allow domain logons and by changing the localsid to be the domain sid. Verify that the user accounts are the same on each DC with "pdbedit -Lv". You may find that some accounts did not export properly.
>
> Also make sure that each domain controller has the same group mappings (net rpc groupmap list ?). From 3.0 to 3.4 or later you may find you need to explicitly some of the well known groups. You may also need to create an explicit nobody user in linux (and specify guest account = nobody in smb.conf).
>
> Search for earlier posts by me that cover DC migration and 3.0x to 3.4 upgrades.
>
> On 07/29/13 11:24, samba1 at nym.hush.com wrote:
>> Also, here are the 'global' sections from the 'testparm' command.
>>
>> Existing Unix server
>>
>> [global]
>> workgroup = DDOMAIN
>> server string = Samba Server PDC
>> smb passwd file = /etc/smbpasswd
>> log file = /usr/lib/samba/var/log.%m
>> max log size = 50
>> time server = Yes
>> keepalive = 0
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> load printers = No
>> disable spoolss = Yes
>> logon script = %U.bat
>> logon drive = G:
>> domain logons = Yes
>> os level = 64
>> preferred master = Yes
>> domain master = Yes
>> dns proxy = No
>> wins support = Yes
>> hosts allow = 192.0.0., 127.
>>
>> New Debian server
>>
>> [global]
>> workgroup = DDOMAIN
>> server string = %h server (Samba %v)
>> interfaces = 127.0.0.0/8, eth0
>> bind interfaces only = Yes
>> obey pam restrictions = Yes
>> smb passwd file = /etc/smbpasswd    ### I added this, but the file doesn't exist
>> pam password change = Yes
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>> unix password sync = Yes
>> syslog = 0
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> logon script = %U.bat
>> logon drive = G:
>> domain logons = Yes
>> os level = 64
>> preferred master = Yes
>> domain master = Yes
>> dns proxy = No
>> wins support = Yes
>> panic action = /usr/share/samba/panic-action %d
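The checks Gaiseric lists above (passdb backend from `testparm -v`, local SID versus domain SID, and the well-known group mappings) can be scripted as a pre-flight against the new DC. The following is an added example, not code from any poster or from the Samba project: it parses constructed samples of `testparm -v -s`, `net getlocalsid`, `net getdomainsid` and `net groupmap list` output (the assumed line shape for the last is "NT group (SID) -> unix group"; the SIDs and group names are made up) and reports what still needs fixing before the machine is promoted. The `pdbedit -i/-e`, `net setlocalsid` and `net groupmap add` commands named in the findings are real Samba commands; the parsing itself is stand-alone and runs offline.

```python
import re

# Constructed sample of `testparm -v -s` output for the new server (only the
# parameters the checks below read; real output lists every parameter).
SAMPLE_TESTPARM = """\
[global]
\tworkgroup = DDOMAIN
\tpassdb backend = smbpasswd
\tsmb passwd file = /etc/smbpasswd
\tdomain logons = Yes
\tdomain master = Yes
\tguest account = nobody
"""

# Constructed sample output of `net getlocalsid` and `net getdomainsid`;
# the SID values are made up.
SAMPLE_LOCALSID = "SID for domain DEBIANPDC is: S-1-5-21-111111111-222222222-333333333\n"
SAMPLE_DOMAINSID = "SID for domain DDOMAIN is: S-1-5-21-444444444-555555555-666666666\n"

# Constructed sample output of `net groupmap list`, assumed to be in the
# form "NT group (SID) -> unix group". Domain Guests is deliberately missing.
SAMPLE_GROUPMAP = """\
Domain Admins (S-1-5-21-444444444-555555555-666666666-512) -> root
Domain Users (S-1-5-21-444444444-555555555-666666666-513) -> users
"""

SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+")
GROUPMAP_RE = re.compile(r"(.+?) \((S-1-5-21-\d+-\d+-\d+)-(\d+)\) -> (\S+)")
# Well-known domain RIDs that every DC must carry a group mapping for.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}


def parse_global_section(text):
    """Return {parameter: value} for the [global] section of testparm output."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params


def extract_sid(text):
    """Pull the first domain SID out of `net getlocalsid` / `net getdomainsid` output."""
    match = SID_RE.search(text)
    return match.group(0) if match else None


def parse_groupmap(text):
    """Return {rid: (nt_name, domain_sid, unix_group)} from `net groupmap list` output."""
    mappings = {}
    for raw in text.splitlines():
        match = GROUPMAP_RE.match(raw.strip())
        if match:
            nt_name, domain_sid, rid, unix_group = match.groups()
            mappings[int(rid)] = (nt_name, domain_sid, unix_group)
    return mappings


def preflight(testparm_text, localsid_text, domainsid_text, groupmap_text):
    """Return a list of findings; an empty list means the DC looks consistent."""
    findings = []
    conf = parse_global_section(testparm_text)

    backend = conf.get("passdb backend", "").split(":", 1)[0]
    if backend == "smbpasswd":
        findings.append("passdb backend is smbpasswd (flat file %s); convert it with "
                        "pdbedit -i smbpasswd:<file> -e tdbsam"
                        % conf.get("smb passwd file", "<unset>"))
    if conf.get("domain logons", "").lower() != "yes":
        findings.append("domain logons is not Yes: this host will not act as a DC")
    if not conf.get("guest account"):
        findings.append("guest account is unset; set guest account = nobody and create that user")

    local_sid, domain_sid = extract_sid(localsid_text), extract_sid(domainsid_text)
    if local_sid is None or domain_sid is None:
        findings.append("could not parse local or domain SID from net output")
    elif local_sid != domain_sid:
        findings.append("local SID %s differs from domain SID %s; run net setlocalsid %s"
                        % (local_sid, domain_sid, domain_sid))

    mappings = parse_groupmap(groupmap_text)
    for rid, name in sorted(WELL_KNOWN_RIDS.items()):
        if rid not in mappings:
            findings.append("no group mapping for %s (RID %d); add it with net groupmap add"
                            % (name, rid))
        elif domain_sid and mappings[rid][1] != domain_sid:
            findings.append("%s is mapped under SID %s, not the domain SID"
                            % (name, mappings[rid][1]))
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_TESTPARM, SAMPLE_LOCALSID, SAMPLE_DOMAINSID, SAMPLE_GROUPMAP):
        print("-", finding)
```

On a real host you would feed `preflight()` the captured output of the four commands instead of the samples; on the constructed input it reports the smbpasswd backend, the local/domain SID mismatch and the missing Domain Guests mapping.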
On Mon, Jul 29, 2013 at 6:47 AM, <samba1 at nym.hush.com> wrote:
> I'd appreciate some pointers on what to do. I don't want to have the exact same users on the new Debian server (some of the users on the Unix server have left) so was hoping to just create users and groups manually rather than copy existing files across. Do I need to edit the UIDs and GIDs somehow, and then export/import some password/security files? I've seen that on the Unix server there's a file named /etc/smbpasswd, but that isn't on the Debian server, so I'm wondering if they're using a different type of security back-end? Is there a command which will report this, or which smb.conf parameters will identify this? I don't do a lot of this stuff, so any help would be appreciated.

Most likely it would have been simplest to copy the old Samba configuration to the new system. Update the smb.conf for necessary changes (review all of the Changelogs from the old version to the new version), change from the smbpasswd backend to the tdbsam backend (the new default), then remove the users you no longer want or need.

Having said that, I just finished migrating an NT4 PDC with Exchange 5.5 to two new VMs; the PDC part to a new Debian Samba installation "by hand" (the long way), and the Exchange 5.5 part to a new NT4 server install (sounds like fun, right?). Fortunately the client install base was under 25 so doing it the long way was not out of the question. Had I been moving between Samba versions I would not even have been tempted to do anything except follow the first paragraph above.

Basically, in the long way, you need the same domain SID, the same user SIDs and I believe also the same machine SIDs (I manually set all of these as well), etc. and the proper group mappings (no longer automatic, see chapter 9 of the official howto). Then you'll have to "rejoin" all machines to the new PDC although really you are just resetting the trust password.

The UID/GIDs are meaningless to the Windows side, no need to mess with those, although I prefer to use different ranges for Windows users and Machines (and also a different group for Machines, just a nicety for scripting later on). Done properly the users will see no difference when they login to the domain, same profile, etc.

Chris
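Chris's point that the Windows side cares about SIDs rather than UIDs is worth seeing in numbers, because with an smbpasswd backend the two are linked: Samba derives a user's RID from the uid when no explicit RID is stored, using its default algorithmic mapping (RID = 2 * uid + 1000, with 'algorithmic rid base' at its default), so giving alice uid 1005 on Debian instead of 105 silently changes her SID unless the RID is pinned. The example below is added here and is not code from either poster or from the Samba project. It parses a constructed excerpt of an /etc/smbpasswd file (assumed field layout name:uid:LM hash:NT hash:[flags]:LCT-<hex>:, with the hash fields replaced by placeholder hex), computes the SID each account would have had on the old 3.0.x server, and produces an import/drop plan for the "some users have left" case together with the notes an admin would want before running `pdbedit`. The domain SID and uids are made up.

```python
import re
from dataclasses import dataclass

ALGORITHMIC_RID_BASE = 1000  # Samba default for 'algorithmic rid base'

# Constructed excerpt of an /etc/smbpasswd file. Field layout:
#   name:uid:LM hash:NT hash:[flags]:LCT-<hex seconds since epoch>:
# The two 32-character hash fields hold an obvious placeholder, not real hashes.
SAMPLE_SMBPASSWD = """\
# Samba SMB password file
alice:105:00112233445566778899AABBCCDDEEFF:00112233445566778899AABBCCDDEEFF:[U          ]:LCT-51F2A3B4:
bob:106:00112233445566778899AABBCCDDEEFF:00112233445566778899AABBCCDDEEFF:[UD         ]:LCT-51F2A3B4:
testpc$:501:00112233445566778899AABBCCDDEEFF:00112233445566778899AABBCCDDEEFF:[W          ]:LCT-51F2A3B4:
"""


@dataclass
class SmbPasswdEntry:
    name: str
    uid: int
    flags: str            # letters inside [...] with the padding removed
    last_change: int      # seconds since the epoch, decoded from LCT-<hex>
    has_nt_hash: bool     # True if the NT hash field holds 32 hex digits

    @property
    def is_machine(self):
        # Machine trust accounts end in '$' and carry the W flag.
        return self.name.endswith("$") or "W" in self.flags


def parse_smbpasswd(text):
    """Parse smbpasswd-format lines into SmbPasswdEntry objects."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError("line %d: expected at least 6 colon-separated fields" % lineno)
        name, uid, _lm_hash, nt_hash, flags, lct = fields[:6]
        flag_letters = flags.strip("[]").replace(" ", "")
        lct_hex = lct[4:] if lct.startswith("LCT-") else "0"
        entries.append(SmbPasswdEntry(
            name=name, uid=int(uid), flags=flag_letters,
            last_change=int(lct_hex, 16),
            has_nt_hash=re.fullmatch(r"[0-9A-Fa-f]{32}", nt_hash) is not None))
    return entries


def expected_sid(domain_sid, uid):
    """SID Samba derives for a uid when no explicit RID is stored (algorithmic mapping)."""
    return "%s-%d" % (domain_sid, uid * 2 + ALGORITHMIC_RID_BASE)


def plan_migration(entries, keep, old_domain_sid, new_uids):
    """Split entries into import/drop lists and collect review notes.

    keep: names of accounts that should survive the migration.
    new_uids: {name: uid on the new server}, used to check SID stability.
    """
    to_import, to_drop, notes = [], [], []
    for e in entries:
        if e.name not in keep:
            to_drop.append(e.name)
            continue
        to_import.append(e.name)
        if "D" in e.flags:
            notes.append("%s is disabled (flag D): confirm it should be migrated" % e.name)
        if "N" in e.flags or not e.has_nt_hash:
            notes.append("%s has no usable NT hash: a password must be set after import" % e.name)
        old_sid = expected_sid(old_domain_sid, e.uid)
        new_uid = new_uids.get(e.name)
        if new_uid is None:
            notes.append("%s has no Unix account on the new server yet" % e.name)
        elif expected_sid(old_domain_sid, new_uid) != old_sid:
            # Same domain SID, different uid: the algorithmic RID moves, so either
            # keep the old uid or pin the RID explicitly (pdbedit -u NAME -U SID).
            notes.append("%s: uid %d -> %d changes algorithmic SID %s; pin it with "
                         "pdbedit -u %s -U %s or keep the old uid"
                         % (e.name, e.uid, new_uid, old_sid, e.name, old_sid))
    return to_import, to_drop, notes


if __name__ == "__main__":
    entries = parse_smbpasswd(SAMPLE_SMBPASSWD)
    imp, drop, notes = plan_migration(entries, {"alice", "testpc$"},
                                      "S-1-5-21-444444444-555555555-666666666",
                                      {"alice": 1005, "testpc$": 501})
    print("import:", imp, "drop:", drop)
    for note in notes:
        print("-", note)
```

With the sample input, bob is dropped because he is not in the keep set, testpc$ keeps uid 501 and therefore its SID, and alice gets a note because moving her from uid 105 to 1005 would move her RID from 1210 to 3010, which is exactly the "same user SIDs" requirement Chris describes.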
Thanks for all the info. It sounds like the process might be more involved than I'd hoped, although I had a feeling it might not be totally straightforward. I need to do a bit of reading up on Samba so that I have a better idea of how it hangs together with regard to passwords, groups and SIDs etc. At least I've got a bit of time to do the upgrade. Thanks also for the info about the Sernet build; I did think it would be nicer to have a later version of Samba than the one packaged by Debian, so I'll look into that.

On Tue, 30 Jul 2013 18:56:51 +0100 "Chris Smith" <smb_77 at chrissmith.org> wrote:
> On Tue, Jul 30, 2013 at 12:36 PM, Chris Smith <smb_77 at chrissmith.org> wrote:
>> Only problem I had was that I needed to add Samba to run level 2 as it appears my CLI only install of Wheezy doesn't boot into run level 3 (as Debian claims is their default).
>
> Just read somewhere else the run level 2 is the default for Debian - in that case I think Sernet should modify the init script.
Actually, I seem to have it working now! I'll need to document what I did, and will have to test it again from scratch as I may have done one or two things which weren't necessary etc. The PC is logging onto the Debian server with no nasty warnings or errors, the server-side login script is working, and I can access the test network share. I think it might be slightly slow to login, but it is an ancient test PC, and it might also be trying to do other things requiring a DNS server and internet connection (I've just got the test PC and Debian server on a crossover cable). Once I have it documented I might post again to check that the process I'm using is good practice etc.

On Tue, 30 Jul 2013 18:56:51 +0100 "Chris Smith" <smb_77 at chrissmith.org> wrote:
> On Tue, Jul 30, 2013 at 12:36 PM, Chris Smith <smb_77 at chrissmith.org> wrote:
>> Only problem I had was that I needed to add Samba to run level 2 as it appears my CLI only install of Wheezy doesn't boot into run level 3 (as Debian claims is their default).
>
> Just read somewhere else the run level 2 is the default for Debian - in that case I think Sernet should modify the init script.