Daniel Carrasco Marín
2015-Apr-21 17:34 UTC
[Samba] Noob question: user moved to a OU dissapear from getent, but groups don't
Thanks for your reply.

I've migrated the domain by copying all files in /var/lib/samba and /etc/samba from the original domain to the new domain, I've edited the smb file to change the "passdb backend" line to match the old server (because the original is localhost and gives me an error connecting), and then I ran this command:

    samba-tool domain classicupgrade --dbdir=/home/user/samba --use-xattrs=yes --realm=casa.red --dns-backend=BIND9_DLZ /home/user/smb.conf

After all the progress I changed the bind config file to add the samba file (matching the Bind version 9.9).

When I connect to the new domain all users and groups are in the "Users" folder. If I move all groups to a new OU, "getent group" works perfectly, but if I move some users to a new OU then they disappear from "getent passwd". I've done some tests and it is strange, because I have 100 users:

- I moved some users and they disappeared from getent (88 users).
- Later I moved some other users and the result was 94 users.
- Later, without touching anything, it went back to 100 users.
- Later again I moved another user and it changed to ~74 users (I don't remember the exact number).
- And now it's back to 100 users and for now it is not changing...

Maybe it is a cache problem, but I don't know why the cache wasn't updated after all I did. I even purged the winbind package and deleted the cache files to install a clean version of winbind, and the problem persists...

It is an AD, but if I use the smb.conf provided by classicupgrade then getent doesn't show the AD users/groups (it doesn't have any info about Winbind). Maybe I should create a hybrid adding only the Winbind entries?
Anyway, I'll try tomorrow because I have to revert again to the backup image and it is late.

Greetings!!

2015-04-21 18:56 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:

> On 21/04/15 17:45, Daniel Carrasco Marín wrote:
>
>> Hi, first of all I'm sorry for my English.
>>
>> I'm trying to migrate a Samba 3.6 domain to Samba 4 and I have a question
>> about OU and Winbind:
>
> How are you trying to migrate the domain ?
>
>> Does an OU affect something more besides GPO in AD and Winbind? Because I've
>> moved all users to an OU and all but one (strangely) have disappeared from
>> "getent passwd" and the other OS tools.
>> If I run "wbinfo -u" all users are shown, but I've tried a lot of things
>> like:
>>
>> - Reboot
>> - Restart Winbind and Samba daemons
>> - Stop daemons, clear winbind cache and start daemons again.
>> - Move the users back to "Users" folder and repeat the above steps.
>>
>> But none of the above has worked. Finally I've restored the server to an old
>> state to make it work again.
>>
>> Have I done something wrong? Do I have to configure something to make
>> winbind read the OU?
>>
>> Now I've moved some disabled users to a new OU and they have disappeared from
>> getent, so the problem is still there.
>>
>> Here's my samba cfg:
>>
>> [global]
>> workgroup = CASA
>> realm = casa.red
>> netbios name = PDC.CASA.RED
>> server string = %h server
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>> idmap_ldb:use rfc2307 = yes
>> preferred master = Yes
>> domain master = Yes
>> wins support = Yes
>> encrypt passwords = yes
>>
>> # Winbind to show domain groups and users on Linux
>> winbind nss info = rfc2307
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind refresh tickets = Yes
>> winbind nested groups = No
>> winbind separator = +
>> winbind normalize names = yes
>>
>> idmap config CASA : backend = ad
>> idmap config * : backend = tdb
>> idmap config * : range = 1000-20000000
>>
>> # Disable CUPS on this server
>> printcap name = /etc/printcap
>> load printers = no
>>
>> name resolve order = wins hosts lmhosts bcast
>>
>> Thanks!!
>
> What do you think you have ?
> An AD DC or a member server ?
> If it is an AD DC, please put the smb.conf back to what it was, just
> after the upgrade (provided you ran the classicupgrade)
> If it is supposed to be a member server, remove the 'service role' &
> 'server services' lines.
>
> Rowland
Rowland Penny
2015-Apr-21 17:57 UTC
[Samba] Noob question: user moved to a OU dissapear from getent, but groups don't
On 21/04/15 18:34, Daniel Carrasco Marín wrote:
> Thanks for your reply.
>
> I've migrated the domain by copying all files in /var/lib/samba and
> /etc/samba from the original domain to the new domain, I've edited the smb
> file to change the "passdb backend" line to match the old server (because
> the original is localhost and gives me an error connecting), and then I ran
> this command:
>
> samba-tool domain classicupgrade --dbdir=/home/user/samba --use-xattrs=yes --realm=casa.red --dns-backend=BIND9_DLZ /home/user/smb.conf

Did you follow the instructions on this wiki page:

https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29

> After all the progress I changed the bind config file to add the samba
> file (matching the Bind version 9.9).
>
> When I connect to the new domain all users and groups are in the "Users"
> folder. If I move all groups to a new OU, "getent group" works
> perfectly, but if I move some users to a new OU then they disappear from
> "getent passwd". I've done some tests and it is strange, because I have 100
> users:

getent should show your users wherever they are, in CN=Users or an OU. However 'getent group' doesn't show groups, you need to run 'getent group groupname'

> * Later, without touching anything, it went back to 100 users.
> * Later again I moved another user and it changed to ~74 users (I
>   don't remember the exact number).
> * And now it's back to 100 users and for now it is not changing...
>
> Maybe it is a cache problem, but I don't know why the cache wasn't
> updated after all I did. I even purged the winbind package and
> deleted the cache files to install a clean version of winbind, and the
> problem persists...

What version of samba4 are you running? Versions before 4.2.0 did not run with a separate winbind daemon; from 4.2.0 onwards the same winbindd daemon that is used with a 'classic' setup is used, but in all cases you should only start the 'samba' daemon, this will start any other required daemons.

> It is an AD, but if I use the smb.conf provided by classicupgrade then
> getent doesn't show the AD users/groups (it doesn't have any info about
> Winbind). Maybe I should create a hybrid adding only the Winbind entries?
> Anyway, I'll try tomorrow because I have to revert again to the backup
> image and it is late.

I have a feeling that you are using 4.2.0, if so getent will not display any users or groups unless you explicitly ask for one, i.e. 'getent passwd' will only show local users, but 'getent passwd fred' would display the info for 'fred'.

I should also point out that now you are using AD, you shouldn't retain any local users that are also in AD, pick one or the other, but don't try and keep both.

Rowland
Andrey Repin
2015-Apr-21 18:08 UTC
[Samba] Noob question: user moved to a OU dissapear from getent, but groups don't
Greetings, Daniel Carrasco Marín!

> I've migrated the domain by copying all files in /var/lib/samba and /etc/samba
> from the original domain to the new domain, I've edited the smb file to change
> the "passdb backend" line to match the old server (because the original is
> localhost and gives me an error connecting), and then I ran this command:

> samba-tool domain classicupgrade --dbdir=/home/user/samba --use-xattrs=yes --realm=casa.red --dns-backend=BIND9_DLZ /home/user/smb.conf

> After all the progress I changed the bind config file to add the samba file
> (matching the Bind version 9.9).

> When I connect to the new domain all users and groups are in the "Users" folder.
> If I move all groups to a new OU, "getent group" works perfectly, but if I
> move some users to a new OU then they disappear from "getent passwd". I've done
> some tests and it is strange, because I have 100 users:

> - I moved some users and they disappeared from getent (88 users).
> - Later I moved some other users and the result was 94 users.
> - Later, without touching anything, it went back to 100 users.
> - Later again I moved another user and it changed to ~74 users (I
>   don't remember the exact number).
> - And now it's back to 100 users and for now it is not changing...

If you rely on "getent passwd" enumerating the whole winbind userlist...
I have news for you - you shouldn't. Depends on the winbind configuration, it
may or may not list users, and do so in a very lean manner.
If you REALLY want to know if certain users are accessible to the system,
specify user name or uid as a filter.

> Maybe it is a cache problem, but I don't know why the cache wasn't
> updated after all I did. I even purged the winbind package and deleted
> the cache files to install a clean version of winbind, and the problem
> persists...

> It is an AD, but if I use the smb.conf provided by classicupgrade then getent
> doesn't show the AD users/groups (it doesn't have any info about Winbind).
> Maybe I should create a hybrid adding only the Winbind entries?
> Anyway, I'll try tomorrow because I have to revert again to the backup image
> and it is late.

As has been said, place your smb.conf back to where it was, and don't touch it
unless you know what you are doing.
A number of issues are apparent even to my untrained eye.

>>> Here's my samba cfg:
>>>
>>> [global]
>>> workgroup = CASA
>>> realm = casa.red

Realm in all caps.

>>> netbios name = PDC.CASA.RED

netbios name = PDC
Dots are not allowed in host names.

>>> winbind nested groups = No
>>> winbind separator = +
>>> winbind normalize names = yes

These will bite you. Soon.

>>>
>>> idmap config CASA : backend = ad
>>> idmap config * : backend = tdb
>>> idmap config * : range = 1000-20000000

Where's idmap range for CASA ?

>>>
>>> # Disable CUPS on this server
>>> printcap name = /etc/printcap
>>> load printers = no

printcap name = /dev/null
printing = BSD

--
With best regards,
Andrey Repin
Tuesday, April 21, 2015 21:01:29

Sorry for my terrible English...
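
The three concrete points raised in the reply above (realm case, dots in the netbios name, an idmap backend with no range) can be checked mechanically. The following is an added example, not part of the thread and not a Samba tool; `review` and `global_params` are hypothetical names, and `POSTED` is a trimmed, unindented copy of the configuration quoted in the thread.

```python
import configparser
import re

# Trimmed copy of the smb.conf quoted in the thread (only the parameters
# the review commented on, plus one value containing '%').
POSTED = """\
[global]
workgroup = CASA
realm = casa.red
netbios name = PDC.CASA.RED
server string = %h server
idmap config CASA : backend = ad
idmap config * : backend = tdb
idmap config * : range = 1000-20000000
"""

IDMAP = re.compile(r"^idmap config\s+(\S+)\s*:\s*(backend|range)$", re.I)

def global_params(text):
    """Parse [global]. Only '=' separates name and value, so the ':' in
    'idmap config DOMAIN : option' stays part of the parameter name."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str          # keep domain names such as CASA as written
    cp.read_string(text)
    return {" ".join(k.split()): v.strip() for k, v in cp.items("global")}

def review(text):
    """Return one finding per point raised in the review of the config."""
    params = global_params(text)
    lower = {k.lower(): v for k, v in params.items()}
    findings = []
    realm = lower.get("realm", "")
    if realm != realm.upper():
        findings.append(f"realm '{realm}' is not upper case")
    netbios = lower.get("netbios name", "")
    if "." in netbios:
        findings.append(f"netbios name '{netbios}' contains dots")
    seen = {}                     # domain -> which of backend/range are set
    for key in params:
        m = IDMAP.match(key)
        if m:
            seen.setdefault(m.group(1), set()).add(m.group(2).lower())
    for domain, keys in sorted(seen.items()):
        if "backend" in keys and "range" not in keys:
            findings.append(f"idmap config {domain} has a backend but no range")
    return findings

if __name__ == "__main__":
    for finding in review(POSTED):
        print("WARN:", finding)
```
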
Daniel Carrasco Marín
2015-Apr-21 19:53 UTC
[Samba] Noob question: user moved to a OU dissapear from getent, but groups don't
Thanks to both for the answers.

I'm using the latest version from wheezy-backports (Version 4.1.17-Debian) and on this server I don't need to map the AD users to Linux tools (I'm doing tests before changing anything on production servers), but I'm planning to use a File Server and a Print Server on separate machines and I need to have access to AD users. If I disable the winbind entries on those servers then all OS tools like getent, chown, setfacl... cannot use the AD users (I've done some tests and I've got a non-existent user/group error), and I need it, so: can I use Winbind without problems on client machines?

>>>>>> netbios name = PDC.CASA.RED

>>> netbios name = PDC
>>> Dots are not allowed in host names.

Ok, good to know. It was copied from the old samba domain.

>>> winbind normalize names = yes

Why can this entry be problematic? It changes the spaces in names to underscores, useful with Cups (I can't add a group with spaces to allowed groups). I'm curious.

For now I know that I have to change the netbios name in smb.conf before the classic upgrade (the old server netbios is wrong), I have to delete some tdb files, and I have to leave the smb.conf without changing anything after the upgrade.

Tomorrow I'll do some tests and I'll report here how it went.

Thanks again to both and greetings!!
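
The replies above advise checking accounts by name rather than trusting the list printed by a bare `getent passwd`. As an added example (not part of the thread), this sketch takes every name from `wbinfo -u`, asks NSS for it by name, and separates accounts that are enumerated, accounts that resolve only by name, and accounts the OS cannot resolve at all. The function names are hypothetical, and it assumes `wbinfo` is installed on the host where it runs.

```python
import pwd
import subprocess

def winbind_users():
    """Account names winbind knows about, as printed by `wbinfo -u`."""
    out = subprocess.run(["wbinfo", "-u"], capture_output=True,
                         text=True, check=True).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]

def nss_name(name):
    """By-name NSS lookup, the question `getent passwd NAME` asks.

    Returns the login name NSS reports for the account, or None if unknown.
    """
    try:
        return pwd.getpwnam(name).pw_name
    except KeyError:
        return None

def nss_enumerated():
    """Names NSS returns on enumeration, i.e. what bare `getent passwd` lists."""
    return {entry.pw_name for entry in pwd.getpwall()}

def classify(names, enumerated, lookup=nss_name):
    """Sort winbind account names by how the operating system sees them."""
    report = {"listed": [], "lookup_only": [], "unresolved": []}
    for name in names:
        canonical = lookup(name)
        if canonical is None:
            report["unresolved"].append(name)    # chown/setfacl would fail
        elif canonical in enumerated:
            report["listed"].append(name)
        else:
            report["lookup_only"].append(name)   # usable, just not enumerated
    return report

if __name__ == "__main__":
    result = classify(winbind_users(), nss_enumerated())
    for bucket, members in result.items():
        print(f"{bucket}: {len(members)}")
    for name in result["unresolved"]:
        print("no NSS entry for", name)
```

Only the `unresolved` bucket indicates accounts that tools such as chown and setfacl cannot use; a changing `listed` count on its own does not.
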