Srikar Somineni
2017-Jun-02 11:55 UTC
[Samba] Unable_to_migrate_shares_from_AD_to_file_server
Hi Rowland, I followed your suggestions and changed the smb.conf file. Currently my smb.conf file looks like below. [global] workgroup = SAMDOM security = ADS realm = SAMDOM.LOCAL wins server = SAMDOM.LOCAL password server = SAMDOM.LOCAL domain master = no local master = no preferred master = no idmap backend = tdb idmap config *:range = 20000-99999 idmap config SAMDOM:backend = rid idmap config SAMDOM:range = 10000-99999 winbind enum users = yes winbind enum groups = yes winbind use default domain = yes winbind nested groups = yes winbind refresh tickets = yes winbind offline logon = true template shell = /bin/bash client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes restrict anonymous = 2 log file = /var/log/samba/samba.log log level = 2 passdb backend = tdbsam map untrusted to domain = Yes username map = /usr/local/samba/etc/user.map [demouser] path = /tmp/demouser users = @SAMDOM/Administrator force group = "domain users" writable = yes read only = no force create mode = 0660 create mask = 0777 directory mask = 0777 force directory mode = 0770 access based share enum = yes hide unreadable = yes I have mapped "Administrator" domain user to local root in user.map file and added the location of file to smb.conf. Also changed idmap config from "*" to AD Domain name. After making these changes restarted the samba and winbind servers, left the domain and joined again. Again restarted the samba and winbind servers. Later when I ran "net rpc share migrate shares" command, faced the same error (WERR_ACCESS_DENIED) again. Also for "net rpc share migrate files" command got the previous error(NT_STATUS_REVISION_MISMATCH). Am I still missing anything in the configuration file ? I went through Samba-HOWTO document and learned that, it is better to run "net rpc vampire" command prior to migrating shares or files with "net rpc" and got the below error. # net rpc vampire -U administrator -S samdom.local --force Cannot import users from samdom at this time, as the current domain: <Domain-Member-Server>: S-1-5-21-3946493590-2691586179-362208375 conflicts with the remote domain SAMDOM: S-1-5-21-3130717435-2775834446-724000085 Perhaps you need to set: security=user workgroup=SAMDOM in your smb.conf? Can you please tell me what the above error is? Thanks & Regards, S.Srikar.
Rowland Penny
2017-Jun-02 12:23 UTC
[Samba] Unable_to_migrate_shares_from_AD_to_file_server
On Fri, 2 Jun 2017 17:25:43 +0530 Srikar Somineni <srikars at vedams.com> wrote:> Hi Rowland, > I followed your suggestions and changed the smb.conf file. > Currently my smb.conf file looks like below. > [global] > workgroup = SAMDOM > security = ADS > realm = SAMDOM.LOCAL > wins server = SAMDOM.LOCAL > password server = SAMDOM.LOCALRemove the line above, your Unix domain member should find the password server by dns.> domain master = no > local master = no > preferred master = no > idmap backend = tdb > idmap config *:range = 20000-99999 > idmap config SAMDOM:backend = rid > idmap config SAMDOM:range = 10000-99999Your Ranges overlap, I suggest you replace '20000-99999' with '2000-9999'> winbind enum users = yes > winbind enum groups = yes > winbind use default domain = yes > winbind nested groups = yes > winbind refresh tickets = yes > winbind offline logon = true > template shell = /bin/bash > client use spnego = yes > client ntlmv2 auth = yes > encrypt passwords = yesYou do not need the line above, it is a default setting.> restrict anonymous = 2 > log file = /var/log/samba/samba.log > log level = 2 > passdb backend = tdbsamYou do not need the line above, it is a default setting.> map untrusted to domain = Yes > username map = /usr/local/samba/etc/user.map> [demouser] > path = /tmp/demouser > users = @SAMDOM/AdministratorI thought I had pointed out that 'Administrator' was a Windows user and shouldn't be used in smb.conf. You would be better off removing most of these lines and using ACLs set from Windows, see here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs> force group = "domain users" > writable = yes > read only = no > force create mode = 0660 > create mask = 0777 > directory mask = 0777 > force directory mode = 0770 > access based share enum = yes > hide unreadable = yes > > I have mapped "Administrator" domain user to local root in user.map > file and added the location of file to smb.conf. > Also changed idmap config from "*" to AD Domain name. > After making these changes restarted the samba and winbind servers, > left the domain and joined again. Again restarted the samba and > winbind servers. Later when I ran "net rpc share migrate shares" > command, faced the same error (WERR_ACCESS_DENIED) again. > Also for "net rpc share migrate files" command got the previous > error(NT_STATUS_REVISION_MISMATCH). > Am I still missing anything in the configuration file ?Have you set up libnss_winbind and /etc/nsswitch.conf, does 'getent passwd' display the DOMAIN users ?> > I went through Samba-HOWTO document and learned that, it is better to > run "net rpc vampire" command prior to migrating shares or files with > "net rpc" and got the below error.Do not read the Samba-HOWTO documentation, read the wiki, the HOWTO is outdated, some of it is still valid, but a lot isn't.> > # net rpc vampire -U administrator -S samdom.local --force > Cannot import users from samdom at this time, as the current domain: > <Domain-Member-Server>: > S-1-5-21-3946493590-2691586179-362208375 conflicts with the remote > domain SAMDOM: S-1-5-21-3130717435-2775834446-724000085if you run 'net rpc --help' amongst the output, you will find this: net rpc vampire Sync a remote NT PDC's data into local passdb You do not have an NT PDC. Until 'getent passwd username' produces output, you will get nowhere i.e. getent passwd rowland rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash Rowland
Hi Rowland, Thanks for the reply.>I thought I had pointed out that 'Administrator' was a Windows user andshouldn't be used in smb.conf. My requirement is to migrate shares present in AD to a domain member(Ubuntu machine). These migrated shares must be accessed with the domain users credentials previously assigned to the share. It was because of this reason I was using Windows user on them.>> force group = "domain users" >> writable = yes >> read only = no >> force create mode = 0660 >> create mask = 0777 >> directory mask = 0777 >> force directory mode = 0770 >> access based share enum = yes >> hide unreadable = yes>You would be better off removing most of these lines and using ACLs setfrom Windows, see here:>https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLsI went through the above wiki . It talks about "extended access control lists" and changing the acls of shares having "extended access control lists" on a windows system. I have almost hundred shares and changing the acls of each and every share manually by above method is complicated. I wanted to automate this process of migrating and preserving acls using "net rpc". Can you please help me with this.>Have you set up libnss_winbind and /etc/nsswitch.conf, does 'getent passwd'display the DOMAIN users ? I have already installed libnss_winbind before joining AD.Below is my /etc/nsswitch.conf file. passwd: files winbind group: files winbind shadow: files winbind gshadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis AD joining was also done successfully.>Until 'getent passwd username' produces output, you will get nowhere i.e.getent passwd rowland>rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash'getent passwd' is working successfully .Below is the output of 'getent passwd username' on my unix system. # getent passwd demouser demouser:*:11114:10513:demouser:/home/SAMDOM/demouser:/bin/bash Regards, S.Srikar. -- View this message in context: http://samba.2283325.n4.nabble.com/Unable-to-migrate-shares-from-AD-to-file-server-tp4719456p4719463.html Sent from the Samba - General mailing list archive at Nabble.com.
Possibly Parallel Threads
- Unable_to_migrate_shares_from_AD_to_file_server
- Unable_to_migrate_shares_from_AD_to_file_server
- XP error code 1326 on share (but smbclient works)
- XP error code 1326 on share (but smbclient works)
- Windows 10 spawning thousands of child processes on Samba 4.3.11 server