Hi Rowland,

The test environment is totally isolated and we are testing with images of the client machines. We're just trying to iron out any issues post the PDC role move. We have a small list we are going through. The SSL bit is one of them. Once the new environment is stable, we'll be migrating to AD.

Regards,
Praveen Ghimire

-------- Original message --------
From: Rowland Penny via samba <samba at lists.samba.org>
Date: 10/08/2018 6:01 PM (GMT+10:00)
To: samba at lists.samba.org
Subject: Re: [Samba] LDAP SSL

On Fri, 10 Aug 2018 06:29:54 +0000 Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> Hi Kris,
>
> The LDAP is in the new Samba4 box. We need to make sure the setup
> is fine first before migrating to AD
>

Wrong, you need to test the upgrade in a test environment before you carry out the classicupgrade for real. Do not in any circumstances allow ANY of your domain clients to 'see' the new AD DC, once they do, there is no turning back, they will not connect to your old PDC again without totally re-installing the OS. I would clone your PDC and then use this for testing, but ensure this is not connected to your main network.

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Fri, 10 Aug 2018 12:01:37 +0000 Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
>
> The test environment is totally isolated and we are testing with images
> of the client machines.
>
> We're just trying to iron out any issues post the PDC role move. We
> have a small list we are going through. The SSL bit is one of them.

Then you do not have a problem, stop using ssl on the test PDC and in smb.conf. Once this is done, try to classicupgrade.

Rowland
I have a question about the SSL certificates, and I believe that asking it here may also clear up a doubt that somebody else has. Can I use self-signed certificates, for example certificates that I obtained with GlobalSign, or do they need to be locally generated, non-validated certificates?

On Fri, Aug 10, 2018 at 9:07 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 10 Aug 2018 12:01:37 +0000
> Praveen Ghimire <PGhimire at sundata.com.au> wrote:
>
> > Hi Rowland,
> >
> > The test environment is totally isolated and we are testing with images
> > of the client machines.
> >
> > We're just trying to iron out any issues post the PDC role move. We
> > have a small list we are going through. The SSL bit is one of them.
>
> Then you do not have a problem, stop using ssl on the test PDC and
> in smb.conf. Once this is done, try to classicupgrade.
>
> Rowland

--
Elias Pereira
On Sat, 11 Aug 2018 12:47:19 +0000 Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
>
> Thank you for that.
>
> As mentioned we have some other issues, would appreciate your input
> for these
>
> Server02: Samba 3.x: old PDC now file server
> Server01: Samba 4.x, new PDC and LDAP
>
> We're using libnss_ldap (both Server02 and Server01) with (files ldap)
> in nsswitch.conf. What we found is that if we have winbind running in
> Server02, the client machines are not able to access the shares. It
> prompts them for user and password. If we stop winbind there are no
> issues accessing the share. This is in the Server02.
>
> When we moved the DC role from Server02 to Server01, we purged the
> non-system users as these users are in LDAP. We then removed the
> *.tdb files from the /var/lib/samba folder. The issue we are having
> is that using getent passwd for these users doesn't work from
> Server02. Any new users added in LDAP show up via getent passwd.
> It's just the users who were once in the local database (either
> tdb or /etc/passwd). As mentioned we are using files ldap in
> nsswitch.conf. The issue is that the users are able to authenticate
> via LDAP (Server01) but not access shares (Server02). Comes up with
> user cannot be found.

I 'think' in the work to get AD clients working correctly, something got broken for NT4-style Unix clients. I say this because winbind does not seem able (using 'security = domain') to obtain users via getent or wbinfo. I know this because I spent some time on Thursday trying to get this to work and couldn't. For some reason, even though the join was okay, Samba couldn't find the PDC.

I wouldn't worry too much about your problems, just make sure the PDC can be upgraded in your test environment, without problems, then move to carrying out the upgrade for real. At this point, you will no longer need nss-ldapd on the fileserver, winbind will work.
You seem to be fixated on getting Samba 4 to work with your PDC, rather than ironing out any problems in the classic upgrade. As I said earlier, clone your PDC into a test environment, but use Samba 4 instead of Samba 3. Then attempt the classicupgrade, fix any problems found (making notes as you go). Once you are sure it works, do it again, but follow your notes; once you are 100% sure it works correctly, repeatedly, do it for real. I would ensure that all the clients are turned off before you do it for real, just in case. You can start and turn the clients on again when you are sure the AD DC is running correctly.

Rowland
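Rowland's advice in this reply and in his earlier one (stop using LDAP SSL on the test PDC and in smb.conf, then try classicupgrade on the isolated clone) as an added shell example; it is not part of the thread, and the smb.conf contents, LDAP host, realm and paths are constructed placeholders, not the poster's values.

```shell
# Added example (not from the thread): pre-flight for the cloned test PDC.
# Finds the smb.conf settings that make Samba 3 talk LDAP over SSL/TLS, writes
# a copy with them switched off, and wraps the classicupgrade call (placeholders).

# Print every line that enables LDAP over SSL/TLS: "ldap ssl = on" or
# "ldap ssl = start tls", and any ldaps:// URI (e.g. in passdb backend).
ldap_ssl_directives() {
    grep -iE '^[[:space:]]*ldap[[:space:]]*ssl[[:space:]]*=[[:space:]]*(on|start[[:space:]]*tls)|ldaps://' "$1"
}

# Exit status 0 when the file still carries LDAP SSL/TLS settings, 1 if clean.
uses_ldap_ssl() {
    ldap_ssl_directives "$1" >/dev/null
}

# Write a copy of smb.conf ($1 -> $2) with "ldap ssl" forced to off and
# ldaps:// URIs rewritten to ldap:// (the LDAP server must then accept
# plain LDAP on its default port for the test PDC to bind).
disable_ldap_ssl() {
    awk '
        tolower($0) ~ /^[ \t]*ldap[ \t]*ssl[ \t]*=/ { print "\tldap ssl = off"; next }
        { gsub(/ldaps:\/\//, "ldap://"); print }
    ' "$1" > "$2"
}

# The upgrade itself, for the isolated clone only; not run by this script.
# The samba-tool options are the documented ones; the realm is a placeholder.
run_classicupgrade() {
    samba-tool domain classicupgrade \
        --dbdir=/var/lib/samba \
        --use-xattrs=yes \
        --realm=TEST.EXAMPLE.COM \
        --dns-backend=SAMBA_INTERNAL \
        "$1"
}

# Constructed sample smb.conf for the demonstration (placeholder LDAP host).
WORK="$(mktemp -d)"
cat > "$WORK/smb.conf" <<'EOF'
[global]
        workgroup = TESTDOM
        domain logons = yes
        passdb backend = ldapsam:ldaps://ldap.test.example.com
        ldap ssl = start tls
        ldap suffix = dc=test,dc=example,dc=com
EOF
ldap_ssl_directives "$WORK/smb.conf"
disable_ldap_ssl "$WORK/smb.conf" "$WORK/smb.conf.nossl"
```

Run it against the clone's real smb.conf path instead of the sample, and only hand the cleaned copy to `run_classicupgrade` once `uses_ldap_ssl` reports it clean.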