Daniel Lopes de Carvalho
2020-Jun-22 21:12 UTC
[Samba] Winbind help - with domain migration.
On Mon, Jun 22, 2020 at 5:34 PM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 22/06/2020 21:00, Daniel Lopes de Carvalho via samba wrote:
> > Hello guys
> > I need some light on how to migrate a Winbind/Samba share to a new AD.
> > My scenario is:
> > I have an old AD running on a Debian 9 and Samba 4.5.16 with many
> > replication issues.
> > Then I decided to create a new one from scratch using Debian 10 and
> > Samba 4.12.2 (and everything is working perfectly). I have migrated all the
> > accounts/machines/etc from the old to the new domain without any problem.
> > Both ADs have the same domain name and realm.
> >
> > The problem is:
> > I have another machine running Debian 9 and Samba 4.5.16 (I can't update
> > this server).
> Why not ?

Because I have an application that does not run on a different kernel. The only way is to downgrade the kernel on Debian 10, and I wouldn't like to do that...

> > Here I use nslcd and use AD as an LDAP server to get users and
> > groups. And I have a samba share on it.
> > I already updated /etc/resolv.conf and pointed it to the new AD/DNS,
> > restarted the samba and winbind services, but winbind is still working on the old
> > AD. If I stop the Samba service on the old AD, the samba share stops working.
> Having two domains with the same name but different SIDs is bound to
> cause problems.
> >
> > I don't know if I missed something...
> >
> > Find below my smb.conf, nsswitch.conf and nslcd.conf.
> >
> > Thanks
> >
> > ####################################
> >
> > SMB.CONF
> > security = ads
> > workgroup = EXAMPLE
> > realm = EXAMPLE.COM
> > netbios name = hn01
> >
> > #ntlm auth = no
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 10000-99999
> >
> > idmap config UNISIM : default = yes
> > idmap config UNISIM : backend = ad
> > idmap config UNISIM : schema_mode = rfc2307
> > idmap config UNISIM : range = 0-9999
> > idmap config UNISIM : unix_nss_info = yes
> Two things, why are you using '0-9999' for the DOMAIN 'idmap config'
> lines and why are you using 'UNISIM' when the workgroup is 'EXAMPLE' ?
> (or is this bad sanitisation)

Badly sanitised. UNISIM is my real domain. Sorry. And the 0-9999 idmap, I took it from the internet...

> > winbind offline logon = false
> > winbind nss info = rfc2307
> > winbind enum users = yes
> > winbind enum groups = yes
> You do not need the four lines above.

It is also from the internet (I don't remember the reference).

> >
> > ####################################
> >
> > NSSWITCH.CONF
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > # `info libc "Name Service Switch"' for information about this file.
> >
> > passwd: compat ldap
> > group: compat ldap
> > shadow: compat ldap
> You do not use 'ldap' on the 'shadow' line
> >
> > ####################################
> >
> > NSLCD.CONF
> > filter passwd (&(objectClass=user)(!(objectClass=computer)))
> > map passwd gecos displayName
> > map passwd homeDirectory "/home/$sAMAccountName"
> > map passwd loginShell "/bin/bash"
> > map passwd uid sAMAccountName
> >
> > filter shadow (&(objectClass=user)(!(objectClass=computer)))
> > map shadow uid sAMAccountName
> > map shadow shadowLastChange pwdLastSet
> >
> > filter group (&(objectClass=group)(!(objectClass=computer)))
>
> It has been some time since I used nslcd, but the above didn't look
> correct, so I dug into the 'attic' and this is how I used to set it:
>
> # /etc/nslcd.conf
> # nslcd configuration file. See nslcd.conf(5)
> # for details.
>
> # The user and group nslcd should run as.
> uid nslcd
> gid nslcd
>
> # The location at which the LDAP server(s) should be reachable.
> uri ldap://dc1.samdom.example.com/
> base dc=samdom,dc=example,dc=com
> pagesize 1000
> referrals off
> nss_nested_groups yes
>
> # Kerberos authentication to AD
> sasl_mech GSSAPI
> sasl_realm SAMDOM.EXAMPLE.COM
> krb5_ccname /tmp/nslcd.tkt
>
> # Filters. Disable, if your:
> filter passwd (objectClass=user)
> filter group (objectClass=group)
>
> # Attribute mappings
> map passwd uid sAMAccountName
> map passwd homeDirectory unixHomeDirectory
> map passwd gecos displayName
> # Uncomment the following line to use Domain Users as the users primary group
> #map passwd gidNumber primaryGroupID
>
> I also used to use 'kstart' to keep the kerberos ticket valid.
>
> Rowland

I will try to correct this line as you pointed out. Thanks

> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Daniel Lopes de Carvalho
http://www.unisim.cepetro.unicamp.br
daniel at cepetro.unicamp.br
19 3521-1221
On 22/06/2020 22:12, Daniel Lopes de Carvalho wrote:
> Badly sanitised. UNISIM is my real domain. Sorry. And the 0-9999 idmap,
> I took it from the internet...

Have you actually added any uidNumber and gidNumber attributes to AD ?

It might help if you read our documentation:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
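An added example, not from the thread or from the Samba project, that checks the two idmap points Rowland raises above: a domain range starting at 0 (the posted 0-9999) sits on top of the local system and user accounts, and the '*' range and the domain range must never overlap, because winbind allocates from one and expects the AD uidNumber/gidNumber values to fall inside the other. The sample smb.conf below is constructed to mirror the posted one (the realm is a placeholder), and the 1000 floor is an assumption taken from Debian's default UID_MIN in /etc/login.defs. The script cannot tell whether uidNumber/gidNumber attributes actually exist in AD; for that, run `wbinfo -i username` and `getent passwd username` on the member server after joining and see whether the ad backend resolves the user.

```shell
#!/bin/sh
# Added example: sanity-check "idmap config" ranges in an smb.conf.
# Not part of the mailing-list thread; constructed sample input below.

# Constructed sample modelled on the posted smb.conf (realm is a placeholder).
SAMPLE_SMB_CONF='[global]
security = ads
workgroup = UNISIM
realm = UNISIM.EXAMPLE.COM
idmap config * : backend = tdb
idmap config * : range = 10000-99999
idmap config UNISIM : backend = ad
idmap config UNISIM : schema_mode = rfc2307
idmap config UNISIM : range = 0-9999
'

# Print one "NAME LOW HIGH" line per "idmap config NAME : range = LOW-HIGH".
# Usage: idmap_ranges "$(cat /etc/samba/smb.conf)"
idmap_ranges() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*idmap config[ \t]+[^:]+:[ \t]*range[ \t]*=/ {
            name = $0
            sub(/^[ \t]*idmap config[ \t]+/, "", name)   # drop "idmap config "
            sub(/[ \t]*:.*$/, "", name)                  # keep text before ":"
            rng = $0
            sub(/^.*=[ \t]*/, "", rng)                   # keep text after "="
            split(rng, b, "-")
            print name, b[1] + 0, b[2] + 0
        }'
}

# Return 0 when every range starts at or above MIN (default 1000, assumed
# from Debian UID_MIN) and no two ranges overlap; otherwise print each
# problem and return 1.
check_idmap() {
    conf="$1"
    min_uid="${2:-1000}"
    idmap_ranges "$conf" | awk -v min="$min_uid" '
        { n++; name[n] = $1; lo[n] = $2; hi[n] = $3 }
        END {
            rc = 0
            if (n == 0) { print "no idmap config ... : range lines found"; exit 1 }
            for (i = 1; i <= n; i++) {
                if (lo[i] > hi[i]) {
                    printf "%s: range %d-%d is inverted\n", name[i], lo[i], hi[i]
                    rc = 1
                }
                if (lo[i] < min) {
                    printf "%s: range %d-%d overlaps local accounts below %d\n",
                           name[i], lo[i], hi[i], min
                    rc = 1
                }
                for (j = i + 1; j <= n; j++) {
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "%s and %s: ranges %d-%d and %d-%d overlap\n",
                               name[i], name[j], lo[i], hi[i], lo[j], hi[j]
                        rc = 1
                    }
                }
            }
            exit rc
        }'
}

# Demo on the constructed sample: flags "UNISIM: range 0-9999 overlaps
# local accounts below 1000". Use "$(cat /etc/samba/smb.conf)" for a real file.
check_idmap "$SAMPLE_SMB_CONF" || :
```

The layout the Samba wiki page linked above uses, a '*' range such as 3000-7999 for BUILTIN and well-known SIDs and a separate, higher domain range such as 10000-999999 that covers every uidNumber/gidNumber stored in AD, passes this check; the posted 0-9999 does not.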
Daniel Lopes de Carvalho
2020-Jul-23 16:53 UTC
[Samba] Winbind help - with domain migration.
Hi Rowland, how are you doing?

I'm writing only to give you feedback. I followed your advice and the link you gave me and finally managed to make the samba mappings work in my test environment. I was busy with other tasks so I didn't test it before.

Thanks a lot for the help.

Best regards

On Tue, Jun 23, 2020 at 3:42 AM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 22/06/2020 22:12, Daniel Lopes de Carvalho wrote:
> >
> > Badly sanitised. UNISIM is my real domain. Sorry. And the 0-9999 idmap,
> > I took it from the internet...
>
> Have you actually added any uidNumber and gidNumber attributes to AD ?
>
> It might help if you read our documentation:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Rowland

--
Daniel Lopes de Carvalho