On Wed, 30 May 2018 09:48:04 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2018-05-30 at 09:21, L.P.H. van Belle wrote:
> > Hi Stefan,
> >
> > Yes, it's always better to ask the list, that way everybody can
> > learn from it. ;-)
> >
> >> Do you think I will have to rejoin it to the domain?
> > No, I don't think so.
>
> Good, I don't have the ADS-Admin-password (yet) ;-)
> I could ask them but for now it's better to not have to.
>
> > Please note, I don't know anything about Gentoo except that they
> > have good wiki/info pages. If this was Debian, then in this case,
> > what I would do extra here: run "samba -b" and back up all folders
> > of samba and anything samba related. Export the installed packages
> > list.
> >
> > Now if you install a new Gentoo, import the packages list, and you
> > need the same hostname and IP and the samba backup. The files:
> > hosts, resolv.conf, nsswitch.conf; this also depends a bit on
> > the use and setup, but review these.
> >
> > ! Install the new server, and only pull the packages from the
> > server, don't install yet. ! On Debian that's apt-get install packages
> > -d (download only)
> >
> > Place the backups on this server and now pull the network
> > connection. Install all needed packages, stop samba, put the backup
> > back, start samba.
> >
> > Reboot the server, "still network detached", review logs and clean
> > up logs, power down. Power off the old server, so nothing is changed
> > there, change the network cable to the new server, and power up the new
> > server. If the old server is only used for and with samba, the above
> > steps will give a cleanly installed server with an old samba
> > upgraded.
> >
> > If moving to a new one isn't an option then make sure you do make a full
> > system backup. Clone the hard disk to another HDD, fastest with
> > minimal chance of error when you restore. And this is a fast way
> > to back up, I just attach a big SATA disk and clone the disk.
>
> This will happen in place, no new hardware.
> We have backups on tapes every day, that is part of my job as well.

Make sure the backups contain everything but the OS, from my
experience, tape backups only contain some of the data. Whilst we are
talking about tape backups, hasn't anybody realised that tape backups
are so last century and from my experience very unreliable.

>
> > The config below is really outdated yes. This is what I would start
> > with.
> >
> > [global]
> > netbios name = U1SECRETCUSTOMER
> > netbios aliases = samba
> > server string = U1SECRETCUSTOMER
> >
> > security = ads
> > workgroup = SECRETCUSTOMER
> > realm = SECRETCUSTOMER.INTRA
> >
> > domain master = no
> > local master = no
> > preferred master = no
> >
> > interfaces = 192.168.100.4/24
> > bind interfaces only = Yes
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 2000-9999
> > idmap config SECRETCUSTOMER : backend = rid
> > idmap config SECRETCUSTOMER : range = 10000-20000
> >
> > # depending on the samba version. You might need these.

You missed a line Louis ;-)

# but only if you use the 'ad' backend

> > #idmap config SECRETCUSTOMER : unix_nss_info = yes
> > #idmap config SECRETCUSTOMER : unix_primary_group = yes
> >
> > winbind use default domain = yes
> >
> > winbind nss info = template
> > template homedir = /mnt/MSA2040/smb/Homes/%D/%U
> > template shell = /bin/false

Two out of the three lines above are defaults

> >
> > vfs objects = acl_xattr
> > map acl inherit = Yes
> > store dos attributes = Yes
> >
> > unix extensions = no
> > follow symlinks = yes
> > wide links = yes
> > unix charset = iso8859-15
> > force unknown acl user = Yes
> >
> > load printers = no
> > printcap name = /dev/null
> > disable spoolss = yes
> >
> > # Audit settings
> > vfs objects = full_audit
> > full_audit:prefix = %u|%I|%S
> > full_audit:failure = connect
> > full_audit:success = mkdir rmdir write pwrite rename unlink chmod fchmod chown fchown ftruncate
> > full_audit:facility = local5
> > full_audit:priority = notice
>
> Yes, thanks.
> The idmap stuff scares me the most ;-)

Why? Once you get your head around it, you will probably wonder why
yourself ;-)

>
> I will see when to start that, I have to keep the downtime at minimum
> etc
>
> Would it make sense to do some intermediate step to a lower 4.x
> version or go straight from 3.6.25 to 4.8.2 ?

On a Unix domain member it won't make any difference, just go direct to
4.8.2

Rowland
On 2018-05-30 at 10:08, Rowland Penny via samba wrote:

>> We have backups on tapes every day, that is part of my job as well.
>
> Make sure the backups contain everything but the OS, from my
> experience, tape backups only contain some of the data. Whilst we are
> talking about tape backups, hasn't anybody realised that tape backups
> are so last century and from my experience very unreliable.

Not from my experience.
Tapes have less moving parts and a way longer lifetime than (rotating)
disks (spinning rust). OK, ymmv but LTO works reliably here.

And yes, we have / on tape. I am the amanda backup admin there as well
so we have that ;-)

Thanks for the pointer, though.

>>> The config below is really outdated yes. This is what I would start
>>> with.
>>>
>>> [global]
>>> netbios name = U1SECRETCUSTOMER
>>> netbios aliases = samba
>>> server string = U1SECRETCUSTOMER
>>>
>>> security = ads
>>> workgroup = SECRETCUSTOMER
>>> realm = SECRETCUSTOMER.INTRA
>>>
>>> domain master = no
>>> local master = no
>>> preferred master = no
>>>
>>> interfaces = 192.168.100.4/24
>>> bind interfaces only = Yes
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000-9999
>>> idmap config SECRETCUSTOMER : backend = rid
>>> idmap config SECRETCUSTOMER : range = 10000-20000
>>>
>>> # depending on the samba version. You might need these.
>
> You missed a line Louis ;-)
>
> # but only if you use the 'ad' backend
>
>>> #idmap config SECRETCUSTOMER : unix_nss_info = yes
>>> #idmap config SECRETCUSTOMER : unix_primary_group = yes
>>>
>>> winbind use default domain = yes
>>>
>>> winbind nss info = template
>>> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
>>> template shell = /bin/false
>
> Two out of the three lines above are defaults
>
>>>
>>> vfs objects = acl_xattr
>>> map acl inherit = Yes
>>> store dos attributes = Yes
>>>
>>> unix extensions = no
>>> follow symlinks = yes
>>> wide links = yes
>>> unix charset = iso8859-15
>>> force unknown acl user = Yes
>>>
>>> load printers = no
>>> printcap name = /dev/null
>>> disable spoolss = yes
>>>
>>> # Audit settings
>>> vfs objects = full_audit
>>> full_audit:prefix = %u|%I|%S
>>> full_audit:failure = connect
>>> full_audit:success = mkdir rmdir write pwrite rename unlink chmod fchmod chown fchown ftruncate
>>> full_audit:facility = local5
>>> full_audit:priority = notice
>>
>> Yes, thanks.
>> The idmap stuff scares me the most ;-)
>
> Why? Once you get your head around it, you will probably wonder why
> yourself ;-)

Why? Because I had to readjust that >3 times at another site, every
time it was like "this is correct" and after a while something else
popped up.

>> I will see when to start that, I have to keep the downtime at minimum
>> etc
>>
>> Would it make sense to do some intermediate step to a lower 4.x
>> version or go straight from 3.6.25 to 4.8.2 ?
>
> On a Unix domain member it won't make any difference, just go direct to
> 4.8.2

Great, I asked them for a maintenance slot, we will see.

Holiday tomorrow, I am injured from sports ... so I have time for that ;-)

Stefan
On Wed, 30 May 2018 14:17:19 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> Not from my experience.
> Tapes have less moving parts and a way longer lifetime than (rotating)
> disks (spinning rust). OK, ymmv but LTO works reliably here.
>

Your experience is different from mine ;-)
Either the backup didn't work at all (mostly because of the backup
program, but occasionally because of a tape or minor drive problem) or
the drive would, without notice, just decide to die. Mind you, this was
on a Unix machine running the OS that decided it owned Linux ;-)

> >> The idmap stuff scares me the most ;-)
> >
> > Why? Once you get your head around it, you will probably wonder why
> > yourself ;-)
>
> Why? Because I had to readjust that >3 times at another site, every
> time it was like "this is correct" and after a while something else
> popped up.

There are three main winbind backends, but only two are really used on
Unix domain members, the 'ad' and the 'rid' backends. Which you use is
really down to a simple choice: do you want to add posix attrs to AD or
not. If you don't want to add anything to AD, then use the 'rid'
backend. If you do add the posix attrs to AD, then use the 'ad' backend.

Having decided which backend, you then have to decide on the ranges to
use. If you use the 'rid' backend, then good ranges would be 3000-7999
for the '*' domain and 10000-whatever_upper_limit_you_decide for your
DOMAIN (there is a slight problem with this on Debian, they thought it
was a good idea to use the ID 65534 for nobody/nogroup, but you can work
around this). This will lead to user & group IDs starting from '11000'.

If you use the 'ad' backend, things are a little different, you probably
can use the same '*' range as the 'rid' backend, but the DOMAIN range
will depend on the posix attrs in AD, so if the lowest uidNumber or
gidNumber in AD is '10000', you could start at '10000'.

Things to note:

If you place the '*' range below the 'DOMAIN' range, you can easily
expand the 'DOMAIN' range by increasing the upper range.

A user can have the same ID as a group, they will never be mixed up.

A 'rid' user with the ID 11000 is very very unlikely to be the same user
as an 'ad' user with the same ID, i.e. if you run the 'ad' backend on
one Unix domain member, but the 'rid' backend on another, your users
will have different ID numbers.

If you do not have the 'netbios name' line in smb.conf, you can use the
smb.conf on all Unix domain members in the domain and you will always
get the same numeric IDs.

Rowland
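The range rules Rowland describes above (a '*' range kept below the DOMAIN range, no overlap between the two, Debian's 65534 nobody/nogroup landing inside a range, and the 'rid' arithmetic that puts the first users at 11000) can be checked mechanically before a domain member is joined. The following is an added example, not code from this thread or from the Samba project; it parses only the `idmap config` lines of an smb.conf fragment (a constructed sample modelled on the config quoted in the thread, with the 3000-7999 '*' range Rowland suggests) and applies those checks, plus the idmap_rid formula ID = RID + BASE_RID + LOW_RANGE_ID.

```python
import re

# Constructed sample modelled on the [global] section quoted earlier in this thread.
SAMPLE_SMB_CONF = """
[global]
   workgroup = SECRETCUSTOMER
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SECRETCUSTOMER : backend = rid
   idmap config SECRETCUSTOMER : range = 10000-999999
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)
DEBIAN_NOBODY_ID = 65534  # nobody/nogroup on Debian, as mentioned in the thread


def parse_idmap(conf_text):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    cfg = {}
    for m in filter(None, map(IDMAP_RE.match, conf_text.splitlines())):
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-", 1))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val.lower()
    return cfg


def check_idmap(cfg, domain):
    """Apply the thread's range rules; return a list of problems (empty = fine)."""
    problems = []
    star, dom = cfg.get("*", {}), cfg.get(domain, {})
    if "range" not in star or "range" not in dom:
        return ["missing idmap range for '*' or for %s" % domain]
    if dom.get("backend") not in ("rid", "ad"):
        problems.append("domain backend should be 'rid' or 'ad', got %r" % dom.get("backend"))
    (s_lo, s_hi), (d_lo, d_hi) = star["range"], dom["range"]
    if not (s_hi < d_lo or d_hi < s_lo):
        problems.append("'*' range %d-%d overlaps %s range %d-%d" % (s_lo, s_hi, domain, d_lo, d_hi))
    elif s_lo > d_hi:
        problems.append("'*' range sits above the domain range, so the domain range cannot grow upward")
    for name, (lo, hi) in (("*", (s_lo, s_hi)), (domain, (d_lo, d_hi))):
        if lo <= DEBIAN_NOBODY_ID <= hi:  # needs the Debian workaround Rowland mentions
            problems.append("range for %s contains %d (Debian nobody/nogroup)" % (name, DEBIAN_NOBODY_ID))
    return problems


def rid_to_id(low, rid, base_rid=0):
    """idmap_rid arithmetic: ID = RID + BASE_RID + LOW_RANGE_ID (base_rid defaults to 0)."""
    return rid + base_rid + low
```

With the sample above the only finding is the 65534 note, and `rid_to_id(10000, 1000)` gives 11000, the starting ID Rowland quotes for a DOMAIN range beginning at 10000.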