Daniel Lopes de Carvalho
2020-Jun-22 20:00 UTC
[Samba] Winbind help - with domain migration.
Hello guys,
I need some light on migrating a Winbind/Samba share to a new AD.
My scenario is:
I have an old AD running on Debian 9 and Samba 4.5.16 with many replication issues.
Then I decided to create a new one from scratch using Debian 10 and Samba 4.12.2 (and everything is working perfectly). I have migrated all the accounts/machines/etc. from the old to the new domain without any problem.
Both ADs have the same domain name and realm.

The problem is:
I have another machine running Debian 9 and Samba 4.5.16 (I can't update this server). Here I use nslcd and use AD as an LDAP server to get users and groups. And I have a samba share on it.
I already updated /etc/resolv.conf to point it to the new AD/DNS, and restarted the samba and winbind services, but winbind is still working against the old AD. If I stop the Samba service on the old AD, the samba share stops working.
I don't know if I missed something...

Find below my smb.conf, nsswitch.conf and nslcd.conf.

Thanks

####################################

SMB.CONF
security = ads
workgroup = EXAMPLE
realm = EXAMPLE.COM
netbios name = hn01

#ntlm auth = no

idmap config * : backend = tdb
idmap config * : range = 10000-99999

idmap config UNISIM : default = yes
idmap config UNISIM : backend = ad
idmap config UNISIM : schema_mode = rfc2307
idmap config UNISIM : range = 0-9999
idmap config UNISIM : unix_nss_info = yes

template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

log level = 4
log file = /var/log/samba/log.%m
syslog = 0
syslog only = No

[area_comum]
comment = Area comum
browseable = yes
writeable = yes
path = /area_comum
create mode = 0755
public = yes
read only = no
oplocks = no
level2 oplocks = no
# veto oplock files =/*.LSImex/*.LSResolve/*.LSGem/*.LDImex/*.LDResolve/*.LDGem/

####################################
NSSWITCH.CONF
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

####################################

NSLCD.CONF
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map passwd gecos displayName
map passwd homeDirectory "/home/$sAMAccountName"
map passwd loginShell "/bin/bash"
map passwd uid sAMAccountName

filter shadow (&(objectClass=user)(!(objectClass=computer)))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet

filter group (&(objectClass=group)(!(objectClass=computer)))
On 22/06/2020 21:00, Daniel Lopes de Carvalho via samba wrote:
> Hello guys,
> I need some light on migrating a Winbind/Samba share to a new AD.
> My scenario is:
> I have an old AD running on Debian 9 and Samba 4.5.16 with many
> replication issues.
> Then I decided to create a new one from scratch using Debian 10 and
> Samba 4.12.2 (and everything is working perfectly). I have migrated all the
> accounts/machines/etc. from the old to the new domain without any problem.
> Both ADs have the same domain name and realm.
>
> The problem is:
> I have another machine running Debian 9 and Samba 4.5.16 (I can't update
> this server).

Why not?

> Here I use nslcd and use AD as an LDAP server to get users and
> groups. And I have a samba share on it.
> I already updated /etc/resolv.conf to point it to the new AD/DNS, and
> restarted the samba and winbind services, but winbind is still working against
> the old AD. If I stop the Samba service on the old AD, the samba share stops working.

Having two domains with the same name but different SIDs is bound to cause problems.

>
> I don't know if I missed something...
>
> Find below my smb.conf, nsswitch.conf and nslcd.conf.
>
> Thanks
>
> ####################################
>
> SMB.CONF
> security = ads
> workgroup = EXAMPLE
> realm = EXAMPLE.COM
> netbios name = hn01
>
> #ntlm auth = no
>
> idmap config * : backend = tdb
> idmap config * : range = 10000-99999
>
> idmap config UNISIM : default = yes
> idmap config UNISIM : backend = ad
> idmap config UNISIM : schema_mode = rfc2307
> idmap config UNISIM : range = 0-9999
> idmap config UNISIM : unix_nss_info = yes

Two things: why are you using '0-9999' for the DOMAIN 'idmap config' lines, and why are you using 'UNISIM' when the workgroup is 'EXAMPLE'?
(or is this bad sanitisation)

> winbind offline logon = false
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes

You do not need the four lines above.

>
> ####################################
>
> NSSWITCH.CONF
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap

You do not use 'ldap' on the 'shadow' line.

> ####################################
>
> NSLCD.CONF
> filter passwd (&(objectClass=user)(!(objectClass=computer)))
> map passwd gecos displayName
> map passwd homeDirectory "/home/$sAMAccountName"
> map passwd loginShell "/bin/bash"
> map passwd uid sAMAccountName
>
> filter shadow (&(objectClass=user)(!(objectClass=computer)))
> map shadow uid sAMAccountName
> map shadow shadowLastChange pwdLastSet
>
> filter group (&(objectClass=group)(!(objectClass=computer)))

It has been some time since I used nslcd, but the above didn't look correct, so I dug into the 'attic' and this is how I used to set it:

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri             ldap://dc1.samdom.example.com/
base            dc=samdom,dc=example,dc=com
pagesize        1000
referrals       off
nss_nested_groups yes

# Kerberos authentication to AD
sasl_mech       GSSAPI
sasl_realm      SAMDOM.EXAMPLE.COM
krb5_ccname     /tmp/nslcd.tkt

# Filters. Disable, if your:
filter  passwd  (objectClass=user)
filter  group   (objectClass=group)

# Attribute mappings
map     passwd  uid                sAMAccountName
map     passwd  homeDirectory      unixHomeDirectory
map     passwd  gecos              displayName
# Uncomment the following line to use Domain Users as the users primary group
#map     passwd  gidNumber          primaryGroupID

I also used to use 'kstart' to keep the kerberos ticket valid.

Rowland
Daniel Lopes de Carvalho
2020-Jun-22 21:12 UTC
[Samba] Winbind help - with domain migration.
On Mon, Jun 22, 2020 at 5:34 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 22/06/2020 21:00, Daniel Lopes de Carvalho via samba wrote:
> > Hello guys,
> > I need some light on migrating a Winbind/Samba share to a new AD.
> > My scenario is:
> > I have an old AD running on Debian 9 and Samba 4.5.16 with many
> > replication issues.
> > Then I decided to create a new one from scratch using Debian 10 and
> > Samba 4.12.2 (and everything is working perfectly). I have migrated all
> > the accounts/machines/etc. from the old to the new domain without any problem.
> > Both ADs have the same domain name and realm.
> >
> > The problem is:
> > I have another machine running Debian 9 and Samba 4.5.16 (I can't update
> > this server).
> Why not?

Because I have an application that does not run on a different kernel. The only way is to downgrade the kernel on Debian 10, and I wouldn't like to do that...

> > Here I use nslcd and use AD as an LDAP server to get users and
> > groups. And I have a samba share on it.
> > I already updated /etc/resolv.conf to point it to the new AD/DNS, and
> > restarted the samba and winbind services, but winbind is still working against
> > the old AD. If I stop the Samba service on the old AD, the samba share stops working.
> Having two domains with the same name but different SIDs is bound to
> cause problems.
> >
> > I don't know if I missed something...
> >
> > Find below my smb.conf, nsswitch.conf and nslcd.conf.
> >
> > Thanks
> >
> > ####################################
> >
> > SMB.CONF
> > security = ads
> > workgroup = EXAMPLE
> > realm = EXAMPLE.COM
> > netbios name = hn01
> >
> > #ntlm auth = no
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 10000-99999
> >
> > idmap config UNISIM : default = yes
> > idmap config UNISIM : backend = ad
> > idmap config UNISIM : schema_mode = rfc2307
> > idmap config UNISIM : range = 0-9999
> > idmap config UNISIM : unix_nss_info = yes
> Two things: why are you using '0-9999' for the DOMAIN 'idmap config'
> lines, and why are you using 'UNISIM' when the workgroup is 'EXAMPLE'?

Badly sanitised. UNISIM is my real domain. Sorry. And the 0-9999 idmap, I took it from the internet...

> (or is this bad sanitisation)
> > winbind offline logon = false
> > winbind nss info = rfc2307
> > winbind enum users = yes
> > winbind enum groups = yes
> You do not need the four lines above.

It is also from the internet (I don't remember the reference).

> >
> > ####################################
> >
> > NSSWITCH.CONF
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > # `info libc "Name Service Switch"' for information about this file.
> >
> > passwd: compat ldap
> > group: compat ldap
> > shadow: compat ldap
> You do not use 'ldap' on the 'shadow' line.
> > ####################################
> >
> > NSLCD.CONF
> > filter passwd (&(objectClass=user)(!(objectClass=computer)))
> > map passwd gecos displayName
> > map passwd homeDirectory "/home/$sAMAccountName"
> > map passwd loginShell "/bin/bash"
> > map passwd uid sAMAccountName
> >
> > filter shadow (&(objectClass=user)(!(objectClass=computer)))
> > map shadow uid sAMAccountName
> > map shadow shadowLastChange pwdLastSet
> >
> > filter group (&(objectClass=group)(!(objectClass=computer)))
>
> It has been some time since I used nslcd, but the above didn't look
> correct, so I dug into the 'attic' and this is how I used to set it:
>
> # /etc/nslcd.conf
> # nslcd configuration file. See nslcd.conf(5)
> # for details.
>
> # The user and group nslcd should run as.
> uid nslcd
> gid nslcd
>
> # The location at which the LDAP server(s) should be reachable.
> uri ldap://dc1.samdom.example.com/
> base dc=samdom,dc=example,dc=com
> pagesize 1000
> referrals off
> nss_nested_groups yes
>
> # Kerberos authentication to AD
> sasl_mech GSSAPI
> sasl_realm SAMDOM.EXAMPLE.COM
> krb5_ccname /tmp/nslcd.tkt
>
> # Filters. Disable, if your:
> filter passwd (objectClass=user)
> filter group (objectClass=group)
>
> # Attribute mappings
> map passwd uid sAMAccountName
> map passwd homeDirectory unixHomeDirectory
> map passwd gecos displayName
> # Uncomment the following line to use Domain Users as the users primary
> group
> #map passwd gidNumber primaryGroupID
>
> I also used to use 'kstart' to keep the kerberos ticket valid.
>
> Rowland

I will try to correct these lines as you pointed out. Thanks

> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Daniel Lopes de Carvalho
http://www.unisim.cepetro.unicamp.br
daniel at cepetro.unicamp.br
19 3521-1221