Marco Gaiarin
2017-Jun-21 16:06 UTC
[Samba] Upgrading samba from jessie (4.2) to stretch (4.5) in AD mode...
Hello! L.P.H. van Belle via samba
  On that day it was said...

> He did not post smb.conf ;-)

It is full of comments now, because I'm moving some settings from my old 'NT' domain...

[From other thread...]

> If he has added 'security = user' to his smb.conf, he needs to remove
> it, you do not use this on a DC.

Clearly, I've removed that; I've added it exclusively to finish the post-installation task of the Debian package. Sorry if I was not clear.

> It looks like he got hit by the 'winbind package not installed on
> debian unless you ask for it' error.

?!

> The rest is shown because he used testparm not samba-tool testparm

I don't know about that. ;-)

 root@lupus:~# samba-tool testparm
 Press enter to see a dump of your service definitions
 # Global parameters
 [global]
     bind interfaces only = Yes
     interfaces = lo eth0.17
     netbios aliases = CUPS FILE MEDIA TIME
     netbios name = LUPUS
     realm = AD.CORSI.SV.LNF.IT
     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
     workgroup = SVCORSI
     ldap server require strong auth = allow_sasl_over_tls
     logon drive = p:
     logon home = \\LUPUS\%U
     logon path = \\LUPUS\profiles\%U
     logon script = startup.bat
     load printers = Yes
     printcap name = cups
     server role = active directory domain controller
     winbind enum groups = Yes
     winbind enum users = Yes
     winbind nss info = rfc2307
     idmap config svcorsi : schema_mode = rfc2307
     idmap config svcorsi : backend = ad
     idmap_ldb:use rfc2307 = yes
     dsdb:schema update allowed = true
     comment =
     printing = cups

Effectively, it is simpler.

I've surely added 'ldap server require strong auth = allow_sasl_over_tls' to make exim work, and 'dsdb:schema update allowed = true' to modify the schema.

Clearly I've added the 'logon *' options because I need them. ;)

Other things were probably added to make the winbind NSS and PAM providers work, but finally I've switched to SSSD.

Thanks.

--
dott. Marco Gaiarin                    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''  http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it  t +39-0434-842711  f +39-0434-842797

  Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
  http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
  (tax code 00307430132, category ONLUS or HEALTH RESEARCH)
Rowland Penny
2017-Jun-21 16:30 UTC
[Samba] Upgrading samba from jessie (4.2) to stretch (4.5) in AD mode...
On Wed, 21 Jun 2017 18:06:45 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! L.P.H. van Belle via samba
>   On that day it was said...
>
> > He did not post smb.conf ;-)
>
> It is full of comments now, because I'm moving some settings from my
> old 'NT' domain...
>
> [From other thread...]
>
> > If he has added 'security = user' to his smb.conf, he needs to
> > remove it, you do not use this on a DC.
>
> Clearly, I've removed that; I've added it exclusively to finish the
> post-installation task of the Debian package.
> Sorry if I was not clear.
>
> > It looks like he got hit by the 'winbind package not installed on
> > debian unless you ask for it' error.
>
> ?!
>
> > The rest is shown because he used testparm not samba-tool testparm

Well, you learn something new every day, I never use 'testparm', I always use 'samba-tool testparm' and I thought they would give the same output, obviously not ;-)

> I don't know about that. ;-)
>
>  root@lupus:~# samba-tool testparm
>  Press enter to see a dump of your service definitions
>  # Global parameters
>  [global]
>      bind interfaces only = Yes
>      interfaces = lo eth0.17
>      netbios aliases = CUPS FILE MEDIA TIME
>      netbios name = LUPUS
>      realm = AD.CORSI.SV.LNF.IT
>      server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>      workgroup = SVCORSI
>      ldap server require strong auth = allow_sasl_over_tls
>      logon drive = p:
>      logon home = \\LUPUS\%U
>      logon path = \\LUPUS\profiles\%U
>      logon script = startup.bat
>      load printers = Yes
>      printcap name = cups
>      server role = active directory domain controller
>      winbind enum groups = Yes
>      winbind enum users = Yes
>      winbind nss info = rfc2307
>      idmap config svcorsi : schema_mode = rfc2307
>      idmap config svcorsi : backend = ad
>      idmap_ldb:use rfc2307 = yes
>      dsdb:schema update allowed = true
>      comment =
>      printing = cups
>
> Effectively, it is simpler.

No it isn't, you should definitely remove the 'idmap config' lines.

> I've surely added 'ldap server require strong auth =
> allow_sasl_over_tls' to make exim work, and
> 'dsdb:schema update allowed = true' to modify the schema.

You should only have the 'dsdb' line active in smb.conf when you need to modify the schema, you should turn it off when not required.

> Clearly I've added the 'logon *' options because I need them. ;)

No you don't ;-)
Read up on the Windows and RFC2307 attributes you now have at your disposal.

> Other things were probably added to make the winbind NSS and PAM
> providers work, but finally I've switched to SSSD.

Your decision, but everything that sssd can do, winbind can do and using sssd is not supported by Samba.

Rowland
Marco Gaiarin
2017-Jun-23 10:36 UTC
[Samba] Upgrading samba from jessie (4.2) to stretch (4.5) in AD mode...
Hello! Rowland Penny via samba
  On that day it was said...

> No it isn't, you should definitely remove the 'idmap config' lines.

OK, removed. Thanks.

> You should only have the 'dsdb' line active in smb.conf when you need to
> modify the schema, you should turn it off when not required.

Ok.

> > Clearly I've added the 'logon *' options because I need them. ;)
> No you don't ;-)
> Read up on the Windows and RFC2307 attributes you now have at your
> disposal.

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
https://wiki.samba.org/index.php/User_Home_Folders

WOW! Thanks! I've kept that row from the old 'NT like' config file, but never tested it...

> > Other things were probably added to make the winbind NSS and PAM
> > providers work, but finally I've switched to SSSD.
> Your decision, but everything that sssd can do, winbind can do and
> using sssd is not supported by Samba.

I supposed SSSD, although not a Samba project, originated from Samba developers... anyway, at least using Samba 4.2, I was not able to have winbind working properly; in detail, there's no way to make winbind read the rfc2307 data.

Now, on Samba 4.5, I'll give it another try...

--
dott. Marco Gaiarin                    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''  http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it  t +39-0434-842711  f +39-0434-842797

  Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
  http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
  (tax code 00307430132, category ONLUS or HEALTH RESEARCH)
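
[Added example, not part of any message in this thread and not Samba project code.] The smb.conf points raised above for an AD DC ('security = user', the 'idmap config' lines, the 'dsdb' schema switch, the 'logon *' options) can be checked mechanically. The function names are hypothetical, and the 'ldap server require strong auth' check rests on the smb.conf(5) default of 'yes', which the thread itself does not discuss.

```python
import re

TRUE_VALUES = {"yes", "true", "1", "on"}

# Abridged from the 'samba-tool testparm' dump posted in the thread.
SAMPLE = r"""
[global]
    server role = active directory domain controller
    ldap server require strong auth = allow_sasl_over_tls
    logon home = \\LUPUS\%U
    idmap config svcorsi : backend = ad
    dsdb:schema update allowed = true
"""

def parse_global(text):
    """Return {parameter: value} for the [global] section of smb.conf text."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace differences in parameter names.
            params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params

def audit_dc(text):
    """Return (parameter, advice) findings for an AD DC smb.conf."""
    p = parse_global(text)
    if p.get("server role", "").lower() != "active directory domain controller":
        return []  # the checks below only apply to a DC
    findings = []
    for key, value in p.items():
        v = value.lower()
        if key == "security" and v == "user":
            findings.append((key, "not used on a DC, remove it"))
        elif key.startswith("idmap config"):
            findings.append((key, "remove 'idmap config' lines on a DC"))
        elif key == "dsdb:schema update allowed" and v in TRUE_VALUES:
            findings.append((key, "enable only while modifying the schema"))
        elif key == "ldap server require strong auth" and v != "yes":
            findings.append((key, "weaker than the default 'yes', review"))
        elif key.startswith("logon "):
            findings.append((key, "NT-style option, use the AD user attributes"))
    return findings

if __name__ == "__main__":
    print(*audit_dc(SAMPLE), sep="\n")
```

Feed it the saved output of 'samba-tool testparm' or the smb.conf file itself; a non-DC configuration returns no findings because the advice in the thread is specific to a domain controller.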