samba - Oct 2019 - Upgrade from 4.4.3 to 4.9.13, idmap question

Hi,

We have samba 4.4.3, provisioned as AD controller, compiled with
"./configure --with-shared-modules=idmap_ad" option.

The smb.conf has the following idmap configuration:

                idmap_ldb:use rfc2307 = yes
idmap config EADOM:backend = ad
idmap config EADOM:schema_mode = rfc2307
idmap config EADOM:range = 500-149999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes

If we update to 4.9.13 (direct upgrade) or any versi?n greater tan 4.5, we know
that we must remove the idmap lines from smb.conf, and also execute the command
"samba-tool dbcheck -cross-ncs -fix -yes".

But, does it have any implications with the user and computer accounts id
mapping? A computer or user that was in AD before update and change the smb.conf
removing the idmap section, will keep his attributes like objectSID untouched?

In summary, should we worry that some computer will leave the domain because the
upgrade changes some of its account attributes in the AD?

Regards,

Pablo Sanz

On 22/10/2019 10:56, Pablo Sanz Fern?ndez via samba
wrote:
> Hi,
>
> We have samba 4.4.3, provisioned as AD controller, compiled with
"./configure --with-shared-modules=idmap_ad" option.
>
> The smb.conf has the following idmap configuration:
>
>                  idmap_ldb:use rfc2307 = yes
Well that line is okay in a DC smb.conf
> idmap config EADOM:backend = ad
> idmap config EADOM:schema_mode = rfc2307
> idmap config EADOM:range = 500-149999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
And the above never did anything on a DC and should never have been
there.
>
> If we update to 4.9.13 (direct upgrade) or any versi?n greater tan 4.5, we
know that we must remove the idmap lines from smb.conf, and also execute the
command "samba-tool dbcheck -cross-ncs -fix -yes".
You should never have had them, they did nothing.
>
> But, does it have any implications with the user and computer accounts id
mapping? A computer or user that was in AD before update and change the smb.conf
removing the idmap section, will keep his attributes like objectSID untouched?
The objectSID is only used to map an AD user or group to an xidNumber in 
idmap.ldb on a DC or in the ID calculation on a Unix domain member if 
using the 'rid' backend, it is never changed.
>
> In summary, should we worry that some computer will leave the domain
because the upgrade changes some of its account attributes in the AD?
No, your computer should not leave the domain because you remove 
something that should never have been in the DC smb.conf

Rowland