Hi,

In reading
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
it says "If the other DCs are Samba DCs and were provisioned with
--use-rfc2307, you should add --option='idmap_ldb:use rfc2307 = yes' to the
join command"

So does this mean that rfc2307 should not be used if the other DCs are MS
DCs? Does the answer change if the ultimate goal is to decommission the MS
DCs?

In addition,
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
states that "you must create a hot-backup of the
/usr/local/samba/private/idmap.ldb file on the existing DC:" and import it
into the new DC.

If the existing DC is an MS DC, how do I accomplish this step?

The ultimate goal is to migrate from the MS DCs to Samba DCs. I am thinking
I can use robocopy to sync the sysvol as per
https://wiki.samba.org/index.php/Robocopy_based_SysVol_replication_workaround
during the transition.

Regards,

-- 
Tom me at tdiehl.org
On Mon, 18 Jun 2018 11:42:05 -0400 (EDT)
Tom Diehl via samba <samba at lists.samba.org> wrote:

> Hi,
>
> In reading
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
> it says "If the other DCs are Samba DCs and were provisioned with
> --use-rfc2307, you should add --option='idmap_ldb:use rfc2307 = yes'
> to the join command"
>
> So does this mean that rfc2307 should not be used if the other DCs
> are MS DCs? Does the answer change if the ultimate goal is to
> decommission the MS DCs?

Do you have any Unix clients, or do you have an intention of either using
the Samba DC as a fileserver or adding any Unix domain members?

If you do, then add the line to any Samba DCs; if not, then you can
ignore it.

>
> In addition,
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
> states that "you must create a hot-backup of
> the /usr/local/samba/private/idmap.ldb file on the existing DC:" and
> import it into the new DC.
>
> If the existing DC is an MS DC, how do I accomplish this step?

You cannot, because a Windows DC will not have that file. There is a
problem (or is it a feature?) with idmap.ldb on Samba DCs: they can, and
most probably will, return different IDs from each other. So for Sysvol,
you must copy idmap.ldb from the first Samba DC to any other Samba DCs.

>
> The ultimate goal is to migrate from the MS DCs to Samba DCs. I am
> thinking I can use robocopy to sync the sysvol as per
> https://wiki.samba.org/index.php/Robocopy_based_SysVol_replication_workaround
> during the transition.

That is probably the only way you can do it.

Rowland
On Mon, 18 Jun 2018, Rowland Penny via samba wrote:

> On Mon, 18 Jun 2018 11:42:05 -0400 (EDT)
> Tom Diehl via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> In reading
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
>> it says "If the other DCs are Samba DCs and were provisioned with
>> --use-rfc2307, you should add --option='idmap_ldb:use rfc2307 = yes'
>> to the join command"
>>
>> So does this mean that rfc2307 should not be used if the other DCs
>> are MS DCs? Does the answer change if the ultimate goal is to
>> decommission the MS DCs?
>
> Do you have any Unix clients, or do you have an intention of either using
> the Samba DC as a fileserver or adding any Unix domain members?
>
> If you do, then add the line to any Samba DCs; if not, then you can
> ignore it.

There are no Unix clients today, but the plan is to add them once the Samba
DC is up and running. So if I understand you correctly, I should add
rfc2307 attributes so that I have them available when we provision the
member server. Then on the member server add something like the following
to the smb.conf:

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:unix_nss_info = yes
    idmap config SAMDOM:range = 10000-999999

This will also necessitate adding unix attributes to the user accounts.
Does this sound reasonable?

>>
>> In addition,
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
>> states that "you must create a hot-backup of
>> the /usr/local/samba/private/idmap.ldb file on the existing DC:" and
>> import it into the new DC.
>>
>> If the existing DC is an MS DC, how do I accomplish this step?
>
> You cannot, because a Windows DC will not have that file. There is a
> problem (or is it a feature?) with idmap.ldb on Samba DCs: they can, and
> most probably will, return different IDs from each other. So for Sysvol,
> you must copy idmap.ldb from the first Samba DC to any other Samba DCs.

So is it safe to just ignore this part until I add a 2nd Samba DC, or is
there something special I need to do to get the IDs to match when one of
the DCs is an MS DC?

Regards,

-- 
Tom me at tdiehl.org
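The two idmap problems raised in this thread, Samba DCs handing out different xidNumbers for the same SID (which is what breaks Sysvol ACLs until idmap.ldb is copied between DCs) and overlapping idmap ranges on a member server, are both easy to check mechanically before anything is put in production. The following is an added example written for this page; it is not code from the Samba project or from either poster. It assumes the LDIF shape that `ldbsearch -H /usr/local/samba/private/idmap.ldb` prints (one `objectSid` / `xidNumber` / `type` entry per SID) and the `idmap config DOMAIN : range = lo-hi` syntax shown in the thread; the dumps and smb.conf fragments below are constructed samples, not output from a real DC.

```python
"""Sanity checks for Samba idmap data during a Windows-to-Samba DC migration.

1. compare_idmaps(): diff the SID -> xidNumber mappings of two DCs' idmap.ldb
   dumps and report SIDs that resolve to different IDs (the Sysvol ACL hazard).
2. find_range_overlaps(): check that the idmap ranges in an smb.conf do not
   overlap, so the default '*' backend can never hand out an ID that collides
   with the AD-backed domain range.
"""
import re

# Constructed sample: what `ldbsearch -H idmap.ldb` prints on two Samba DCs
# that were joined independently (NOT real DC output).
DC1_DUMP = """\
# record 1
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN=S-1-5-11
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000002
"""

DC2_DUMP = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-32-546
objectSid: S-1-5-32-546
type: ID_TYPE_BOTH
xidNumber: 3000002
"""

# Constructed member-server smb.conf fragments (good one taken from the
# thread, bad one with the '*' range widened until it collides).
GOOD_SMBCONF = """\
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:unix_nss_info = yes
idmap config SAMDOM:range = 10000-999999
"""
BAD_SMBCONF = GOOD_SMBCONF.replace("3000-7999", "3000-19999")

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ldif(text):
    """Parse an idmap.ldb LDIF dump into {sid: (xid, type)}.

    Entries are separated by blank lines; comment lines (# record N) are
    skipped. Only entries carrying both objectSid and xidNumber count.
    """
    mappings, entry = {}, {}
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        line = raw.strip()
        if not line:
            if "objectSid" in entry and "xidNumber" in entry:
                mappings[entry["objectSid"]] = (int(entry["xidNumber"]),
                                                entry.get("type", "?"))
            entry = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        entry[key.strip()] = value.strip()
    return mappings


def compare_idmaps(a, b):
    """Return (mismatched, only_in_a, only_in_b) for two parsed dumps.

    mismatched maps SID -> ((xid_a, type_a), (xid_b, type_b)) for every SID
    both DCs know but resolve to a different xidNumber.
    """
    mismatched = {sid: (a[sid], b[sid])
                  for sid in a.keys() & b.keys() if a[sid][0] != b[sid][0]}
    return mismatched, sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())


def find_range_overlaps(smbconf_text):
    """Return [(domA, domB), ...] for every pair of idmap ranges that overlap."""
    ranges = []
    for line in smbconf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges.append((m.group(1), int(m.group(2)), int(m.group(3))))
    overlaps = []
    for i, (da, alo, ahi) in enumerate(ranges):
        for db, blo, bhi in ranges[i + 1:]:
            if alo <= bhi and blo <= ahi:      # inclusive intervals intersect
                overlaps.append((da, db))
    return overlaps


if __name__ == "__main__":
    bad, only1, only2 = compare_idmaps(parse_idmap_ldif(DC1_DUMP),
                                       parse_idmap_ldif(DC2_DUMP))
    for sid, (m1, m2) in sorted(bad.items()):
        print(f"MISMATCH {sid}: dc1 xid={m1[0]} dc2 xid={m2[0]}")
    print("only on dc1:", only1, " only on dc2:", only2)
    print("range overlaps (good conf):", find_range_overlaps(GOOD_SMBCONF))
    print("range overlaps (bad conf): ", find_range_overlaps(BAD_SMBCONF))
```

On a real deployment you would feed `parse_idmap_ldif()` the output of `ldbsearch -H /usr/local/samba/private/idmap.ldb` captured on each Samba DC; any SID in the mismatched set is one whose Sysvol ACL entry will resolve to a different Unix owner on each DC, which is exactly why the wiki says to copy idmap.ldb from the first Samba DC to every later one. The range check is there because the `*` backend silently allocates IDs for any SID the AD backend cannot map, and if its range overlaps the domain range those allocations can shadow real users.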