Srikar Somineni
2017-Jun-02 11:55 UTC
[Samba] Unable_to_migrate_shares_from_AD_to_file_server
Hi Rowland,
I followed your suggestions and changed the smb.conf file.
Currently my smb.conf file looks like below.
[global]
workgroup = SAMDOM
security = ADS
realm = SAMDOM.LOCAL
wins server = SAMDOM.LOCAL
password server = SAMDOM.LOCAL
domain master = no
local master = no
preferred master = no
idmap backend = tdb
idmap config *:range = 20000-99999
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 10000-99999
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = true
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba/samba.log
log level = 2
passdb backend = tdbsam
map untrusted to domain = Yes
username map = /usr/local/samba/etc/user.map
[demouser]
path = /tmp/demouser
users = @SAMDOM/Administrator
force group = "domain users"
writable = yes
read only = no
force create mode = 0660
create mask = 0777
directory mask = 0777
force directory mode = 0770
access based share enum = yes
hide unreadable = yes
I have mapped the "Administrator" domain user to local root in the user.map
file and added the location of the file to smb.conf.
Also changed idmap config from "*" to AD Domain name.
After making these changes I restarted the samba and winbind servers, left
the domain and joined again, then restarted the samba and winbind servers once more.
Later, when I ran the "net rpc share migrate shares" command, I faced the
same error (WERR_ACCESS_DENIED) again.
Also, for the "net rpc share migrate files" command I got the previous
error (NT_STATUS_REVISION_MISMATCH).
Am I still missing anything in the configuration file?
I went through the Samba-HOWTO document and learned that it is better to run
the "net rpc vampire" command prior to migrating shares or files with "net rpc",
and got the below error.
# net rpc vampire -U administrator -S samdom.local --force
Cannot import users from samdom at this time, as the current domain:
<Domain-Member-Server>: S-1-5-21-3946493590-2691586179-362208375
conflicts with the remote domain
SAMDOM: S-1-5-21-3130717435-2775834446-724000085
Perhaps you need to set:
security=user
workgroup=SAMDOM
in your smb.conf?
Can you please tell me what the above error is?
Thanks & Regards,
S.Srikar.
Rowland Penny
2017-Jun-02 12:23 UTC
[Samba] Unable_to_migrate_shares_from_AD_to_file_server
On Fri, 2 Jun 2017 17:25:43 +0530 Srikar Somineni <srikars at vedams.com> wrote:
> Hi Rowland,
> I followed your suggestions and changed the smb.conf file.
> Currently my smb.conf file looks like below.
> [global]
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.LOCAL
> wins server = SAMDOM.LOCAL
> password server = SAMDOM.LOCAL

Remove the line above, your Unix domain member should find the password server by dns.

> domain master = no
> local master = no
> preferred master = no
> idmap backend = tdb
> idmap config *:range = 20000-99999
> idmap config SAMDOM:backend = rid
> idmap config SAMDOM:range = 10000-99999

Your ranges overlap, I suggest you replace '20000-99999' with '2000-9999'

> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind nested groups = yes
> winbind refresh tickets = yes
> winbind offline logon = true
> template shell = /bin/bash
> client use spnego = yes
> client ntlmv2 auth = yes
> encrypt passwords = yes

You do not need the line above, it is a default setting.

> restrict anonymous = 2
> log file = /var/log/samba/samba.log
> log level = 2
> passdb backend = tdbsam

You do not need the line above, it is a default setting.

> map untrusted to domain = Yes
> username map = /usr/local/samba/etc/user.map
> [demouser]
> path = /tmp/demouser
> users = @SAMDOM/Administrator

I thought I had pointed out that 'Administrator' was a Windows user and shouldn't be used in smb.conf. You would be better off removing most of these lines and using ACLs set from Windows, see here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

> force group = "domain users"
> writable = yes
> read only = no
> force create mode = 0660
> create mask = 0777
> directory mask = 0777
> force directory mode = 0770
> access based share enum = yes
> hide unreadable = yes
>
> I have mapped "Administrator" domain user to local root in user.map
> file and added the location of file to smb.conf.
> Also changed idmap config from "*" to AD Domain name.
> After making these changes restarted the samba and winbind servers,
> left the domain and joined again. Again restarted the samba and
> winbind servers. Later when I ran "net rpc share migrate shares"
> command, faced the same error (WERR_ACCESS_DENIED) again.
> Also for "net rpc share migrate files" command got the previous
> error (NT_STATUS_REVISION_MISMATCH).
> Am I still missing anything in the configuration file?

Have you set up libnss_winbind and /etc/nsswitch.conf, does 'getent passwd' display the DOMAIN users?

>
> I went through Samba-HOWTO document and learned that it is better to
> run "net rpc vampire" command prior to migrating shares or files with
> "net rpc" and got the below error.

Do not read the Samba-HOWTO documentation, read the wiki, the HOWTO is outdated, some of it is still valid, but a lot isn't.

>
> # net rpc vampire -U administrator -S samdom.local --force
> Cannot import users from samdom at this time, as the current domain:
> <Domain-Member-Server>:
> S-1-5-21-3946493590-2691586179-362208375 conflicts with the remote
> domain SAMDOM: S-1-5-21-3130717435-2775834446-724000085

If you run 'net rpc --help', amongst the output you will find this:

net rpc vampire    Sync a remote NT PDC's data into local passdb

You do not have an NT PDC.

Until 'getent passwd username' produces output, you will get nowhere, i.e.

getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Rowland
Hi Rowland,
Thanks for the reply.
> I thought I had pointed out that 'Administrator' was a Windows user and
> shouldn't be used in smb.conf.
My requirement is to migrate shares present in AD to a domain member (Ubuntu
machine). These migrated shares must be accessible with the domain user
credentials previously assigned to the share. It was for this reason that
I was using a Windows user on them.
>> force group = "domain users"
>> writable = yes
>> read only = no
>> force create mode = 0660
>> create mask = 0777
>> directory mask = 0777
>> force directory mode = 0770
>> access based share enum = yes
>> hide unreadable = yes
> You would be better off removing most of these lines and using ACLs set
> from Windows, see here:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
I went through the above wiki. It talks about "extended access control
lists" and changing the ACLs of shares that have "extended access control
lists" on a Windows system. I have almost a hundred shares, and
changing the ACLs of each and every share manually by the above method is
complicated. I wanted to automate this process of migrating and preserving
ACLs using "net rpc". Can you please help me with this?
> Have you set up libnss_winbind and /etc/nsswitch.conf, does 'getent passwd'
> display the DOMAIN users?
I had already installed libnss_winbind before joining AD. Below is my
/etc/nsswitch.conf file.
passwd: files winbind
group: files winbind
shadow: files winbind
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
AD joining was also done successfully.
> Until 'getent passwd username' produces output, you will get nowhere, i.e.
> getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
'getent passwd' is working successfully. Below is the output of
'getent passwd username' on my Unix system.
# getent passwd demouser
demouser:*:11114:10513:demouser:/home/SAMDOM/demouser:/bin/bash
Regards,
S.Srikar.
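Two checks from this exchange are worth automating on a domain member: Rowland's point that the '*' and SAMDOM idmap ranges overlap, and the final 'getent passwd demouser' output, which only proves winbind is working if the UID and GID actually fall inside the SAMDOM range. The script below is an added example written for this thread, not Samba's own code; the smb.conf fragment and the getent line are constructed from the messages above, and the 'idmap config' line parser is a deliberately small regex, not Samba's parameter loader. It also recovers the Windows RID from a mapped ID, which for the rid backend is simply ID minus the low end of the range (so the GID 10513 is RID 513, Domain Users).

```python
"""Validate Samba idmap ranges and winbind-resolved accounts.

Added example for this thread, not Samba code. Inputs are constructed
from the smb.conf and 'getent passwd' output posted in the messages.
"""
import re
from itertools import combinations

# Constructed: the idmap-relevant [global] lines from the first message.
SMB_CONF_ORIGINAL = """\
[global]
workgroup = SAMDOM
security = ADS
idmap backend = tdb
idmap config *:range = 20000-99999
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 10000-99999
"""

# The same file with the '*' range replaced as suggested in the reply.
SMB_CONF_FIXED = SMB_CONF_ORIGINAL.replace("20000-99999", "2000-9999")

# Constructed: the 'getent passwd demouser' line from the last message.
GETENT_LINE = "demouser:*:11114:10513:demouser:/home/SAMDOM/demouser:/bin/bash"

# Matches 'idmap config DOMAIN:range = LOW-HIGH'; Samba accepts optional
# whitespace around the colon, so both spellings are handled.
_RANGE_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>\S+?)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank line or smb.conf comment
        m = _RANGE_RE.match(stripped)
        if m:
            lo, hi = int(m["lo"]), int(m["hi"])
            if lo > hi:
                raise ValueError(f"inverted range for {m['dom']}: {lo}-{hi}")
            ranges[m["dom"]] = (lo, hi)
    return ranges


def find_overlaps(ranges):
    """Return sorted (a, b) pairs whose ID ranges intersect.

    Every idmap range, the '*' default included, must be disjoint, otherwise
    an ID allocated for one domain can collide with another's."""
    clashes = []
    for a, b in combinations(sorted(ranges), 2):
        (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
        if alo <= bhi and blo <= ahi:
            clashes.append((a, b))
    return clashes


def parse_getent_line(line):
    """Split one passwd(5) record as printed by 'getent passwd'."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}")
    name, _pw, uid, gid, gecos, home, shell = fields
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def in_range(value, rng):
    lo, hi = rng
    return lo <= value <= hi


def rid_from_id(unix_id, rng):
    """idmap_rid maps ID = RID + LOW_RANGE_ID, so the RID is ID minus the
    low end of the domain's range. Returns None if the ID is outside it."""
    if not in_range(unix_id, rng):
        return None
    return unix_id - rng[0]


def check_account(line, ranges, domain):
    """Return a list of problems for a winbind-resolved account; an empty
    list means both UID and GID sit inside the range configured for domain."""
    entry = parse_getent_line(line)
    rng = ranges.get(domain)
    if rng is None:
        return [f"no idmap range configured for {domain}"]
    problems = []
    for key in ("uid", "gid"):
        if not in_range(entry[key], rng):
            problems.append(f"{key} {entry[key]} is outside {domain} range {rng[0]}-{rng[1]}")
    return problems


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF_ORIGINAL)
    print("ranges:", ranges)
    print("overlaps:", find_overlaps(ranges))
    print("overlaps after fix:", find_overlaps(parse_idmap_ranges(SMB_CONF_FIXED)))
    print("account problems:", check_account(GETENT_LINE, ranges, "SAMDOM"))
    gid = parse_getent_line(GETENT_LINE)["gid"]
    print("primary group RID:", rid_from_id(gid, ranges["SAMDOM"]))
```

Run it against a real file with `parse_idmap_ranges(open("/etc/samba/smb.conf").read())` and feed `check_account` the lines from `getent passwd`; an overlap or an out-of-range ID is a configuration problem to fix before any share migration is attempted, since the IDs winbind hands out are what end up owning the migrated files.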