I inherited an old Samba 4 server that acts as both AD DC and fileserver. The hardware is old and needs to be replaced.

Plan is to add a second AD DC and join a new fileserver as a domain member, rsync all files from the old file server to the new one, map clients to the new one and finally demote the old AD DC.

The old AD DC has this line in smb.conf:
idmap_ldb:use rfc2307 = yes

Because of that my understanding is that I should join the second DC with:
--option='idmap_ldb:use rfc2307 = yes'

Does this also mean that the member server that will act as a file server should have idmap config = ad?

The documentation is not clear to me: in the wiki for setting up a domain controller it is recommended to use rfc2307, but in the wiki on how to set that up it is recommended to _not_ use rfc2307 on a DC.

Samba version on the old server is 4.0.14 on Debian 7. On the new servers I will use 4.9.2 on Debian 9.

Grateful for comments and suggestions :)

-Mark-
On Mon, 26 Nov 2018 13:13:11 +0100
Mark Amundsen via samba <samba at lists.samba.org> wrote:

> I inherited an old Samba 4 server that act as both AD DC and
> fileserver. Hardware is old, need to be replaced.
>
> Plan is to add a second AD DC and join a new fileserver as a domain
> member, rsync all files from the old file server to the new and map
> clients to the new one and finally demote the old AD DC.
>
> The old AD DC has this line in smb.conf:
> idmap_ldb:use rfc2307 = yes
>
> Because of that my understanding is that I should join the second DC
> with: --option='idmap_ldb:use rfc2307 = yes'

Yes

> Does this also mean that the member server that will act as a file
> server should have idmap config = ad?

Only if you have manually added uidNumber & gidNumber attributes to AD

> The documentation is not clear to me, in the wiki for setting up a
> domain controller it is recommended to use rfc2307 but in the wiki on
> how to set that up it is recommended to _not_ use rfc2307 in a DC.

No, I think you mean that you should provision with 'use-rfc2307' but it is not recommended to use a DC as a fileserver.

Rowland
Hi

So I added a second DC with the rfc2307 option. It replicates and auth works. Yay.

>> Does this also mean that the member server that will act as a file
>> server should have idmap config = ad?
> Only if you have manually added uidNumber & gidNumber attributes to AD

I believe the Microsoft admin tools have always been used to add users and groups. Is 'idmap rid' a better choice than ad? Can I still copy files with rsync in that case or will file ownership be mangled?

>> The documentation is not clear to me, in the wiki for setting up a
>> domain controller it is recommended to use rfc2307 but in the wiki on
>> how to set that up it is recommended to _not_ use rfc2307 in a DC.
> No, I think you mean that you should provision with 'use-rfc2307' but it
> is not recommended to use a DC as a fileserver.

As I already added the new DC, this doesn't matter anymore. However:

'When provisioning a new AD, it is recommended to enable the NIS extensions by passing the --use-rfc2307 parameter ...'
from: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

and

'It is recommended not to use those mappings on the DCs'
from: https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

Thanks for your input, much appreciated!

-Mark-
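Mark's rsync question turns on whether the new member server hands out the same numeric UIDs as the old DC. This added example (not code from the thread or from Samba) takes a constructed smb.conf fragment with the rid backend and constructed AD users, and places the UID idmap_rid derives (range low + RID) next to the uidNumber that the ad backend would read; the domain name SAMDOM, the SIDs and the ranges are assumptions.

```python
"""Compare the UID a member server assigns under 'backend = rid' with the
uidNumber stored in AD (what 'backend = ad' reads). Constructed example."""
import re

# Constructed smb.conf fragment for a domain member using the rid backend.
# Domain name SAMDOM and the ranges are assumptions for illustration only.
SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
"""
# Constructed AD users: name -> (objectSid, RFC2307 uidNumber on the old DC)
AD_USERS = {
    "mark": ("S-1-5-21-1111-2222-3333-1105", 10005),
    "anna": ("S-1-5-21-1111-2222-3333-1106", 10006),
}

def parse_idmap(conf, domain):
    """Return (backend, low, high) from 'idmap config DOMAIN : key = value'."""
    backend, rng = None, None
    for line in conf.splitlines():
        m = re.match(r"\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S+)", line)
        if m and m.group(1).upper() == domain.upper():
            if m.group(2) == "backend":
                backend = m.group(3)
            elif m.group(2) == "range":
                rng = m.group(3)
    low, high = (int(x) for x in rng.split("-"))
    return backend, low, high

def rid_uid(sid, low, high):
    """idmap_rid: uid = low + RID, where RID is the last SID component."""
    uid = low + int(sid.rsplit("-", 1)[1])
    if not low <= uid <= high:
        raise ValueError(f"uid {uid} outside idmap range {low}-{high}")
    return uid

def compare(conf, domain, users):
    """Per user: (uid on the member server, uidNumber in AD, do they match)."""
    backend, low, high = parse_idmap(conf, domain)
    out = {}
    for name, (sid, uid_number) in users.items():
        uid = rid_uid(sid, low, high) if backend == "rid" else uid_number
        out[name] = (uid, uid_number, uid == uid_number)
    return out

if __name__ == "__main__":
    for n, (uid, ad_uid, same) in compare(SMB_CONF, "SAMDOM", AD_USERS).items():
        print(f"{n}: member uid={uid} AD uidNumber={ad_uid} match={same}")
```

Because the rid numbers differ from the old uidNumber values, an rsync that preserves ownership has to map by user and group name (its default) rather than with --numeric-ids, and both hosts must resolve the same domain accounts.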