samba - Dec 2019 - security = ads, backend = ad parameter not working in samba 4.10.10

On 05/12/2019 17:48, S?rgio Basto wrote:
> I did migration with something like this :
>
> ldbsearch -H /opt/samba/private/sam.ldb -s sub -b dc=old_ad,dc=local
> '(objectClass=user)' > user-export2.ldif
> scp user-export2.ldif to_the_new_machine:
>
> in new machine :
>
> sed -i 's/DC=old_ad/DC=corp/g; s/old_ad.local/corp.local/g'
user-export2.ldif
> sed -i bla bla  user-export2.ldif
>
> ldbmodify -H /var/lib/samba/private/sam.ldb
--controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 user-export2.ldif
>
Sorry, but it is more involved than that, you should have joined a new 
DC, then demoted the old DC, you might have had to do this a few times 
to move from Samba 4.x.x to a supported Samba version.

I am very surprised that this worked in any way at all.

Rowland

On Thu, 2019-12-05 at 18:34 +0000, Rowland penny via samba
wrote:
> On 05/12/2019 17:48, S?rgio Basto wrote:
> > I did migration with something like this :
> > 
> > ldbsearch -H /opt/samba/private/sam.ldb -s sub -b
> > dc=old_ad,dc=local
> > '(objectClass=user)' > user-export2.ldif
> > scp user-export2.ldif to_the_new_machine:
> > 
> > in new machine :
> > 
> > sed -i 's/DC=old_ad/DC=corp/g; s/old_ad.local/corp.local/g'
user-
> > export2.ldif
> > sed -i bla bla  user-export2.ldif
> > 
> > ldbmodify -H /var/lib/samba/private/sam.ldb --
> > controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 user-export2.ldif
> > 
> Sorry, but it is more involved than that, you should have joined a
> new 
> DC, then demoted the old DC, you might have had to do this a few
> times 
> to move from Samba 4.x.x to a supported Samba version.
> 
> I am very surprised that this worked in any way at all.
I did a new AD with a new name.  
Samba 4.0.0 don't have demote , I move from a Sernet software to a free
and open software in Centos 7 (I use RedHat flavor since 2001) . 
I just migrate the users and his password nothing more  ... I had to
remove a lot of fields,  OU(s) etc for example: [1] .

And is working very well, I'm very happy, yesterday I upgrade all DC(s)
to samba 4.10.10 and it was very smooth .

And well, I want add a new uidNumber and gidNumber to every user and
group in AD , how I can do that  ? to use backend = ad , I want use
backend = ad .

Thank you.


[1]

sed -i
'/^instanceType/d;/^whenCreated/d;/^whenChanged/d;/^uSNCreated/d;/^uSNC
hanged/d;/^objectGUID/d;/^codePage/d;/^countryCode/d;/^pwdLastSet/d;/^p
rimaryGroupID/d;/^objectSid/d;/^sAMAccountType/d;/^sAMAccountType/d;/^l
ockoutTime/d;/^isCriticalSystemObject/d' user-exporttest.ldif 


> Rowland
> 
> 
> 
> 
-- 
S?rgio M. B.

On 05/12/2019 19:08, S?rgio Basto wrote:
> I did a new AD with a new name.
You get more than a new name
> Samba 4.0.0 don't have demote
Yes, but you could have upgraded to a version that did.
> , I move from a Sernet software to a free
> and open software in Centos 7 (I use RedHat flavor since 2001) .
How did you manage to provision an AD DC using red-hat packages
?
> I just migrate the users and his password nothing more  ... I had to
> remove a lot of fields,  OU(s) etc for example: [1] .
Just which user attributes did you migrate ?

The users objectSid would have contained the SID of the old Domain, for 
instance.
>
> And is working very well, I'm very happy, yesterday I upgrade all DC(s)
> to samba 4.10.10 and it was very smooth .
This sure surprises me, people have upgrading correctly and have had 
problems.
>
> And well, I want add a new uidNumber and gidNumber to every user and
> group in AD , how I can do that  ? to use backend = ad , I want use
> backend = ad .
>
You can write a script to do this using ldbmodify, or there is 'Adam' 
produced by one of regular poster, see here:

https://gitlab.com/JonathonReinhart/adam

Unfortunately, there appears to be a problem with his git at the moment :-(

Or you can wait until 4.12.0 is released, samba-tool will then be able 
to do it for you.

Rowland