On 2016-12-12 at 10:56, Stefan G. Weichinger via samba wrote:

> On 2016-12-12 at 10:41, Rowland Penny via samba wrote:
>
>> Try removing the mapping between the 'root' group and 'Domain Admins'.
>> The AD user Administrator will be mapped to the 'root' user on the DC
>> and Administrator is automatically made a member of Domain Admins.
>
> Doesn't help, sorry.

I just moved all the configs etc. over to another VM, and started over, looks better now. No clue ... thanks anyway :-)

On 2016-12-12 at 15:37, Stefan G. Weichinger via samba wrote:

> I just moved all the configs etc. over to another VM, and started over,
> looks better now. No clue ... thanks anyway :-)

I am sure that all of you wait thrilled for the next news from my migration(s) ;-)

Yesterday we did tests with 2 Win7-Test-VMs and the migrated Debian-ADS-PDC. Looks good to me.

We were able to log in with old and new users, access shares on the PDC, join a new client, and even deploy the first GPOs to the clients. RSAT access works so far ... feels good to me.

As you may assume, new questions arose:

* kinit: Do I have to run that after every reboot of the PDC? I don't plan to do that all the time but we have to *know* what to do in case. In my tests I had the impression that this wasn't kept up by itself.

* We had to change the IP of the Test-PDC after classicupgrade, I then noticed some loglines around samba_dnsupdate trying to contact the DNS under the old IP. How can I fix that? Yesterday I reran classicupgrade as we hadn't done any new work yet, but that is no solution for production ;-)

* I have to move over the test-config to another VM then for production, this also means changing the IP and maybe the linux-hostname. Is that a problem, should that be avoided?

* What is the recommended way to pull backups of the PDC? Just tar up /var/lib/samba? Run some export script or so?

* And what is the recommended way of actually swapping PDC from NT4 to ADS? Turn down all clients, and NT4-PDC, then turn up ADS-PDC, and client after client?

Thanks a lot, I am looking forward to actually rolling this out in January ...
Stefan G. Weichinger
2016-Dec-14 10:49 UTC
[Samba] Samba on Debian 8: ADS domain questions
One more!

We plan to run the PDC inside a (KVM-)VM first and run the fileserver on the (KVM-)host as member server.

Is it a problem that the PDC will come up *after* the fileserver in case of rebooting etc.?

I assume clients can't connect to the fileserver until the PDC is up, not more ... and as soon as the PDC is available things just work?

On Wed, 14 Dec 2016 10:50:22 +0100 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2016-12-12 at 15:37, Stefan G. Weichinger via samba wrote:
>
> > I just moved all the configs etc. over to another VM, and started
> > over, looks better now. No clue ... thanks anyway :-)
>
> I am sure that all of you wait thrilled for the next news from my
> migration(s) ;-)
>
> Yesterday we did tests with 2 Win7-Test-VMs and the migrated
> Debian-ADS-PDC. Looks good to me.
>
> We were able to log in with old and new users, access shares on the
> PDC, join a new client, and even deploy the first GPOs to the
> clients. RSAT access works so far ... feels good to me.
>
> As you may assume, new questions arose:
>
> * kinit: Do I have to run that after every reboot of the PDC? I don't
> plan to do that all the time but we have to *know* what to do in case.
> In my tests I had the impression that this wasn't kept up by itself.

No you don't, and please stop calling it a PDC; your old domain controller was a PDC, your new one is just a DC. All AD DCs are equal except for the FSMO roles and these can be on any DC.

> * We had to change the IP of the Test-PDC after classicupgrade, I then
> noticed some loglines around samba_dnsupdate trying to contact the DNS
> under the old IP. How can I fix that? Yesterday I reran classicupgrade
> as we hadn't done any new work yet, but that is no solution for
> production ;-)

There is a wiki page for this:

https://wiki.samba.org/index.php/Change_IP_address_of_an_Samba_AD_DC

> * I have to move over the test-config to another VM then for
> production, this also means changing the IP and maybe the
> linux-hostname. Is that a problem, should that be avoided?

Whilst I have never done this, changing the hostname should be fairly easy, do the classicupgrade on the machine that has the hostname you require and then change to the 'netbios name' in smb.conf to reflect the new hostname.

> * What is the recommended way to pull backups of the PDC? Just tar up
> /var/lib/samba? Run some export script or so?

The best way of doing backups is not to do them ;-) Add a second DC and replication will do it for you. There is a script that comes with Samba, but it is a bit basic, you will find a better one here:

https://github.com/thctlo/samba4/tree/master/backup-script

> * And what is the recommended way of actually swapping PDC from NT4
> to ADS?
>
> Turn down all clients, and NT4-PDC, then turn up ADS-PDC, and client
> after client?

If you have done it correctly, your Windows clients shouldn't really notice the difference, but there is a gotcha: it appears that once your Windows clients connect to an AD domain, they will never go back to the NT4-style domain.

> Thanks a lot, I am looking forward to actually rolling this out in
> January ...

Hope everything goes all right for you.

Rowland

Hi,

That's a setup I really don't advise. Should work, but expect problems. You can happily run both in VMs.

Can you explain maybe why you're setting up like this, so we can maybe help you to get a better setup?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan G.
> Weichinger via samba
> Sent: Wednesday, 14 December 2016 11:50
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba on Debian 8: ADS domain questions
>
> One more!
>
> We plan to run the PDC inside a (KVM-)VM first and run the fileserver on
> the (KVM-)host as member server.
>
> Is it a problem that the PDC will come up *after* the fileserver in case
> of rebooting etc.?
>
> I assume clients can't connect to the fileserver until the PDC is up,
> not more ... and as soon as the PDC is available things just work?
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On Wed, Dec 14, 2016 at 10:50:22AM +0100, Stefan G. Weichinger via samba wrote:

> On 2016-12-12 at 15:37, Stefan G. Weichinger via samba wrote:
>
> > I just moved all the configs etc. over to another VM, and started over,
> > looks better now. No clue ... thanks anyway :-)
>
> I am sure that all of you wait thrilled for the next news from my
> migration(s) ;-)

Actually, it *IS* really good to hear occasionally from a satisfied user :-).

You have to remember that we only ever see error reports on the Samba lists, no one ever says "yeah it just worked" (because, well, why would they :-) :-).

Thanks for the feedback!

Jeremy.

> Yesterday we did tests with 2 Win7-Test-VMs and the migrated
> Debian-ADS-PDC. Looks good to me.
>
> We were able to log in with old and new users, access shares on the PDC,
> join a new client, and even deploy the first GPOs to the clients. RSAT
> access works so far ... feels good to me.
>
> As you may assume, new questions arose:
>
> * kinit: Do I have to run that after every reboot of the PDC? I don't
> plan to do that all the time but we have to *know* what to do in case.
> In my tests I had the impression that this wasn't kept up by itself.
>
> * We had to change the IP of the Test-PDC after classicupgrade, I then
> noticed some loglines around samba_dnsupdate trying to contact the DNS
> under the old IP. How can I fix that? Yesterday I reran classicupgrade
> as we hadn't done any new work yet, but that is no solution for
> production ;-)
>
> * I have to move over the test-config to another VM then for production,
> this also means changing the IP and maybe the linux-hostname. Is that a
> problem, should that be avoided?
>
> * What is the recommended way to pull backups of the PDC? Just tar up
> /var/lib/samba? Run some export script or so?
>
> * And what is the recommended way of actually swapping PDC from NT4 to ADS?
>
> Turn down all clients, and NT4-PDC, then turn up ADS-PDC, and client
> after client?
>
> Thanks a lot, I am looking forward to actually rolling this out in
> January ...