Pablo Sanz Fernández
2019-Oct-22 09:56 UTC
[Samba] Upgrade from 4.4.3 to 4.9.13, idmap question
Hi,

We have samba 4.4.3, provisioned as AD controller, compiled with the "./configure --with-shared-modules=idmap_ad" option.

The smb.conf has the following idmap configuration:

idmap_ldb:use rfc2307 = yes
idmap config EADOM:backend = ad
idmap config EADOM:schema_mode = rfc2307
idmap config EADOM:range = 500-149999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes

If we update to 4.9.13 (direct upgrade) or any version greater than 4.5, we know that we must remove the idmap lines from smb.conf, and also execute the command "samba-tool dbcheck -cross-ncs -fix -yes".

But does it have any implications for the user and computer account id mapping? A computer or user that was in AD before the update and the smb.conf change removing the idmap section, will it keep its attributes like objectSID untouched?

In summary, should we worry that some computer will leave the domain because the upgrade changes some of its account attributes in the AD?

Regards,
Pablo Sanz
On 22/10/2019 10:56, Pablo Sanz Fernández via samba wrote:
> Hi,
>
> We have samba 4.4.3, provisioned as AD controller, compiled with the "./configure --with-shared-modules=idmap_ad" option.
>
> The smb.conf has the following idmap configuration:
>
> idmap_ldb:use rfc2307 = yes

Well that line is okay in a DC smb.conf

> idmap config EADOM:backend = ad
> idmap config EADOM:schema_mode = rfc2307
> idmap config EADOM:range = 500-149999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes

And the above never did anything on a DC and should never have been there.

> If we update to 4.9.13 (direct upgrade) or any version greater than 4.5, we know that we must remove the idmap lines from smb.conf, and also execute the command "samba-tool dbcheck -cross-ncs -fix -yes".

You should never have had them, they did nothing.

> But does it have any implications for the user and computer account id mapping? A computer or user that was in AD before the update and the smb.conf change removing the idmap section, will it keep its attributes like objectSID untouched?

The objectSID is only used to map an AD user or group to an xidNumber in idmap.ldb on a DC or in the ID calculation on a Unix domain member if using the 'rid' backend, it is never changed.

> In summary, should we worry that some computer will leave the domain because the upgrade changes some of its account attributes in the AD?

No, your computer should not leave the domain because you remove something that should never have been in the DC smb.conf

Rowland
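The point of the reply is that on a DC the "idmap config DOMAIN:*" and the three winbind lines have no effect and can be dropped, while "idmap_ldb:use rfc2307 = yes" is fine to keep. The following is an added example, written for this page and not code from the thread or from the Samba project: a small smb.conf parser that reads the [global] section, decides whether the file describes an AD DC from "server role", and sorts the idmap-related parameters into keep/remove lists according to the advice above. The sample configuration is constructed to mirror the fragment posted in the thread; the role detection only recognises the full "active directory domain controller" value, and the list of winbind parameters flagged is exactly the three named in the reply (an assumption that nothing else in [global] needs attention).

```python
import re

# Constructed sample modelled on the fragment posted in the thread; not a real config.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EADOM
    realm = EADOM.EXAMPLE
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    idmap config EADOM:backend = ad
    idmap config EADOM:schema_mode = rfc2307
    idmap config EADOM:range = 500-149999
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes

[netlogon]
    path = /var/lib/samba/sysvol/eadom.example/scripts
    read only = no
"""

# The winbind parameters the reply says never did anything on a DC (assumption:
# this list is taken from the thread only, not from the full smb.conf manual).
DC_NOOP_WINBIND_KEYS = {
    "winbind nss info",
    "winbind trusted domains only",
    "winbind use default domain",
}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Keys are lower-cased and whitespace-normalised, mirroring the fact that
    Samba treats 'Server  Role' and 'server role' as the same parameter.
    Comment lines start with '#' or ';'.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.split()).lower()
        sections[current][key] = value.strip()
    return sections


def is_ad_dc(global_section):
    """True when 'server role' names an AD DC (only the full value is recognised here)."""
    return global_section.get("server role", "").lower() == "active directory domain controller"


def audit_dc_idmap(text):
    """Return (is_dc, keep, remove) for the [global] idmap/winbind parameters.

    On a DC, every 'idmap config DOMAIN:option' line and the three winbind
    parameters above go to 'remove'; 'idmap_ldb:use rfc2307' stays in 'keep'.
    On a member server the 'idmap config' lines are the real mapping config
    and are kept.
    """
    sections = parse_smb_conf(text)
    g = sections.get("global", {})
    dc = is_ad_dc(g)
    keep, remove = [], []
    for key in g:
        if key.startswith("idmap config "):
            (remove if dc else keep).append(key)
        elif key == "idmap_ldb:use rfc2307":
            keep.append(key)
        elif dc and key in DC_NOOP_WINBIND_KEYS:
            remove.append(key)
    return dc, sorted(keep), sorted(remove)


if __name__ == "__main__":
    dc, keep, remove = audit_dc_idmap(SAMPLE_SMB_CONF)
    print("AD DC:", dc)
    print("keep:  ", keep)
    print("remove:", remove)
```

Running it against the sample reports the three "idmap config eadom:*" lines and the three winbind lines as removable on the DC and only "idmap_ldb:use rfc2307" as worth keeping; feeding it the same file with "server role = member server" flips the idmap config lines into the keep list, which is the distinction the reply draws between a DC and a Unix domain member.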