On Tue, 2016-11-29 at 10:16 +0100, Stefan G. Weichinger wrote:
> On 2016-11-29 at 09:56 Andrew Bartlett wrote:
> >
> > While your comments on the RID < 1000 issue are correct, your
> > interpretation of the pdbedit output is not correct. That value is not
> > the RID, but in deference to the smbpasswd file format from long before
> > you joined Samba, it is the unix UID value for the username specified.
> > That is probably also why the -1 / 4294967295 values show up, if the
> > user doesn't exist locally where the tool is being run.
> >
> > Listing with --verbose will show the full SID, and so the applicable
> > RID.
> >
> > Hopefully these are not below 1000, as changing the SID has annoying
> > implications for profiles and other things.
> >
> > I hope this helps,
> >
> > Andrew Bartlett
>
> thanks, Andrew
>
> as it dawns on me it is the fact that some of the users there are very
> very old. I think we started with samba-2.x there.
>
> As I understand this you point me at:
>
> # pdbedit -L --verbose pl04
> Unix username: pl04
> [..]
> User SID: S-1-5-21-2940660672-4062535256-4144655499-2008
>
> ----------------------------------------------------------------^^^^
> ?
>
> When I run
>
> # pdbedit -L --verbose | grep "User SID"
>
> I only get one user with that part <1000, and that is "nobody".

Good. That user will be replaced by the guest account in AD, so that
should be fine.

> -
>
> I think that these "pl??" users there aren't used much anymore, maybe I
> can get rid of most of them or simply recreate them after the conversion
> (just some minor services related, I hope).
>
> Thanks, Stefan, the "we never had this before" guy ;-)

I'll let you choose the way forward for your site, but if you can just
re-create what fails to convert because it is just a service account,
that seems quite reasonable.

In the days of passdb on the NT4-like domain controller, there wasn't
and still isn't any kind of fsck for the database. That means that all
manner of incorrect, odd or unexpected combinations of entries can
persist, without warning or notice. Duplicate SIDs, which is not an
issue you have faced thankfully, are quite common it seems.

I suspect Rowland jumped on the rid < 1000 suggestion quite reasonably
because we have seen that too, but usually just because of confusion
around the Administrator account. (Samba won't normally create such
sids).

When users are transferred to Samba's AD DC, they get put into a quite
strict database. The reason why we strictly suggest migration on an
isolated test network is that this almost never goes smoothly, and
manual intervention is almost always required.

I wish you all the best with your migration.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
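The two passdb checks Andrew describes above (accounts whose RID is below 1000, and SIDs that occur more than once) in one script, added here as an example and not part of the thread or of Samba itself. It reads `pdbedit -L --verbose` output on stdin and extracts the RID as the last dash-separated component of the `User SID:` value, the part Stefan's `^^^^` marker points at. The `Unix username:` and `User SID:` field labels are the ones shown in the thread; the function names and the sample passdb records are constructed for the offline demo (a fake domain SID, with the shared SID on pl04/pl05 planted on purpose). It goes beyond the thread's one-liner in that it also says which accounts share a SID.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba itself.
# Audit an NT4-style Samba passdb before a classicupgrade: read
# `pdbedit -L --verbose` output on stdin and report
#   LOW_RID  accounts whose RID (last component of the User SID) is < 1000
#   DUP_SID  SIDs that appear on more than one account
# Only the "Unix username:" and "User SID:" labels come from the thread;
# the function names and the sample data below are constructed.

audit_sids() {
    awk '
        # pdbedit prints one "Unix username:" line per account, followed
        # (among other fields) by that account'\''s "User SID:" line.
        /^Unix username:/ { name = ($3 == "") ? "<no-unix-user>" : $3 }
        /^User SID:/ {
            sid = $3
            n   = split(sid, parts, "-")
            rid = parts[n] + 0
            if (rid < 1000)
                printf "LOW_RID\t%s\t%s\t%d\n", name, sid, rid
            owners[sid] = (sid in owners) ? owners[sid] "," name : name
            count[sid]++
        }
        END {
            for (s in count)
                if (count[s] > 1)
                    printf "DUP_SID\t%s\t%s\n", s, owners[s]
        }
    '
}

# Constructed sample in the shape of `pdbedit -L --verbose` output.
# Fake domain SID; the duplicate SID on pl04 and pl05 is deliberate.
sample_passdb() {
    cat <<'EOF'
Unix username:        pl04
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-111111111-222222222-333333333-2008
Primary Group SID:    S-1-5-21-111111111-222222222-333333333-513
Unix username:        nobody
Account Flags:        [U          ]
User SID:             S-1-5-21-111111111-222222222-333333333-501
Unix username:        pl05
Account Flags:        [U          ]
User SID:             S-1-5-21-111111111-222222222-333333333-2008
Unix username:        svc_backup
Account Flags:        [U          ]
User SID:             S-1-5-21-111111111-222222222-333333333-3104
EOF
}

# Against a real PDC:   pdbedit -L --verbose | audit_sids
# Offline demo with the constructed sample:
sample_passdb | audit_sids
```

The script only reports; it deliberately changes nothing, because, as Andrew notes, rewriting a SID has consequences for roaming profiles and ACLs. Run it on the old PDC before the classicupgrade so that any LOW_RID or DUP_SID hit can be dealt with (re-created as a fresh account, or removed if it is a dead service account) while the migration is still on the isolated test network.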
On 2016-11-29 at 19:12 Andrew Bartlett wrote:
> I'll let you choose the way forward for your site, but if you can just
> re-create what fails to convert because it is just a service account,
> that seems quite reasonable.
>
> In the days of passdb on the NT4-like domain controller, there wasn't
> and still isn't any kind of fsck for the database. That means that all
> manner of incorrect, odd or unexpected combinations of entries can
> persist, without warning or notice. Duplicate SIDs, which is not an
> issue you have faced thankfully, are quite common it seems.
>
> I suspect Rowland jumped on the rid < 1000 suggestion quite reasonably
> because we have seen that too, but usually just because of confusion
> around the Administrator account. (Samba won't normally create such
> sids).
>
> When users are transferred to Samba's AD DC, they get put into a quite
> strict database. The reason why we strictly suggest migration on an
> isolated test network is that this almost never goes smoothly, and
> manual intervention is almost always required.
>
> I wish you all the best with your migration.

Thanks a lot for your wishes and the explanations.

Is there any good list of what to check in the test network before
deciding to go productive?

I would think of:

* try to logon to a member-PC with an old domain-user
* create new user, try logon
* try to add a new member pc ... then logins ...
* test login-scripts

Any killer-test to get a really good feeling? ;-)

For the real switch: turn off all PCs, turn down old samba-config,
switch on ADS-PDC, join file server, switch on test PC ... ?

-

One reason for me keeping this NT4-based for so long is the fact that I
now need an additional machine for the PDC: you samba-guys recommend to
run the PDC separated from the file server. So I have to deal with that
without having to buy new hardware (the customer stopped understanding
all the work around swapping server-hardware weeks ago). We talk small
office here: ~25-30 PCs.

I consider placing the PDC-part on the existing backup server (gentoo
linux, running Amanda backup suite), I assume this might do the trick?
Although this introduces the possibility of mismatches between the
samba-release gentoo provides as stable vs. the one in Debian (current
file server).

Way too many moving parts, and I have to decide and proceed soon:

-> I have problems with 2 existing Win10-Clients, one can't be joined
anymore, another doesn't let domain users login ....

Thankfully the rest works fine so far.

Stefan
On Tue, 29 Nov 2016 19:26:30 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2016-11-29 at 19:12 Andrew Bartlett wrote:
>
> > I'll let you choose the way forward for your site, but if you can
> > just re-create what fails to convert because it is just a service
> > account, that seems quite reasonable.
> >
> > In the days of passdb on the NT4-like domain controller, there
> > wasn't and still isn't any kind of fsck for the database. That
> > means that all manner of incorrect, odd or unexpected combinations
> > of entries can persist, without warning or notice. Duplicate SIDs,
> > which is not an issue you have faced thankfully, are quite common
> > it seems.
> >
> > I suspect Rowland jumped on the rid < 1000 suggestion quite
> > reasonably because we have seen that too, but usually just because
> > of confusion around the Administrator account. (Samba won't
> > normally create such sids).
> >
> > When users are transferred to Samba's AD DC, they get put into a
> > quite strict database. The reason why we strictly suggest
> > migration on an isolated test network is that this almost never
> > goes smoothly, and manual intervention is almost always required.
> >
> > I wish you all the best with your migration.
>
> Thanks a lot for your wishes and the explanations.
>
> Is there any good list of what to check in the test network before
> deciding to go productive?
>
> I would think of:
>
> * try to logon to a member-PC with an old domain-user
> * create new user, try logon
> * try to add a new member pc ... then logins ...
> * test login-scripts
>
> Any killer-test to get a really good feeling? ;-)
>
> For the real switch: turn off all PCs, turn down old samba-config,
> switch on ADS-PDC, join file server, switch on test PC ... ?
>
> -
>
> One reason for me keeping this NT4-based for so long is the fact that
> I now need an additional machine for the PDC: you samba-guys
> recommend to run the PDC separated from the file server.

You can use the DC as a fileserver, it is only for minor technical
reasons that it isn't recommended, amongst which is that you have to use
windows ACLs.

> So I have to
> deal with that without having to buy new hardware (the customer
> stopped understanding all the work around swapping server-hardware
> weeks ago). We talk small office here: ~25-30 PCs.

Your DC should be able to easily deal with that amount of PCs (provided
it is a reasonable spec and not out of the ark ;-)

Rowland