FreeBSD-12.1p7
Samba-4.10.15

The user profiles were transferred from the existing Samba AD-DC to a new
domain running on Samba-4.10. An ls on the original Samba (4.3.13) domain DC
shows this:

[root@SAMBA-01 ~]# ls -ld /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
drwxrwx---+ 16 BROCKLEY-2016\lyneak_hll BROCKLEY-2016\domain admins 512 Aug 12 17:07 /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2

[root@SAMBA-01 ~]# ls -ldn /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
drwxrwx---+ 16 3000025 3000008 512 Aug 12 17:07 /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2

On the new domain ls shows this:

ls -ld /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
drwxrwx--- 16 3000025 3000008 25 Jul 24 17:24 /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2

But on the new domain controller ls shows this:

ls -ld /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
drwxrwx--- 16 3000025 3000008 25 Jul 24 17:24 /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2

This is expected as the uid/gid mapping from one installation to another is not
expected to match. However, when I log on to the new domain from a Win10
workstation this is created:

d---------+ 18 3000027 3000008 27 Aug 12 15:29 /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V6

Which leads to a few questions:

1. What configuration is required on the new DC to show uid 3000027 as
BROCKLEY\lyneak_hll or has this changed in later versions of Samba?

2. GID 3000008 appears to be BROCKLEY-2016\domain admins on both domains. But
does not display as such on the new domain. What configuration setting is
required to get the group to display using ls?

3. On the existing domain the gid on user profiles seems to be 20 (staff). On
the new domain profiles are created with the gid 3000008. However, gid 20
(staff) exists in /etc/group on both DCs. Why the difference? Is this due to
a configuration setting?

The smb.conf file on the new DC is:

[root@smb4-2 ~ (master)]# cat /usr/local/etc/smb4.conf
## Global parameters
[global]
    netbios name = SMB4-2
    disable netbios = yes
    realm = BROCKLEY.HARTE-LYNE.CA
    server role = active directory domain controller
    ## use 'samba-tool testparm -v | grep services' to list active services
    workgroup = BROCKLEY
    idmap_ldb:use rfc2307 = yes
    vfs objects = dfs_samba4 zfsacl

    ## Temp fix for roaming profiles? oplock
    # veto oplock files = /NTUSER.DAT/
    # veto oplock files = /ntuser.ini/

    socket options = TCP_NODELAY SO_KEEPALIVE

    ## nbt causes a fatal startup error (or use disable netbios = yes)
    # server services = -nbt

    ## Eliminate ipv6 errors
    bind interfaces only = Yes
    interfaces = localhost smb4-2

    ## DNS
    dns forwarder = 216.185.71.33 216.185.71.34
    #additional dns hostnames = smb4-2.brockley.harte-lyne.ca

    ## Note diff: sbin vs. bin and _ vs. - and dns vs. ns
    dns update command = /usr/local/sbin/samba_dnsupdate
    ## samba_dnsupdate insists on finding rndc
    rndc command = /usr/bin/true
    ## For secure dns dynamic updates use these (but secure does not work):
    # 1 nsupdate command = /usr/local/bin/samba-nsupdate -g
    # 1 allow dns updates = secure only
    ## For insecure dynamic updates use these settings:
    nsupdate command = /usr/local/bin/samba-nsupdate
    allow dns updates = nonsecure

    ## Logging
    log level = 1
    # log file = /var/log/samba4/smbd.log.%m
    log file = /var/log/samba4/smbd.log
    max log size = 10000
    debug timestamp = yes

    # Disable printing
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

## Shares
[sysvol]
    path = /var/db/samba4/sysvol
    read only = No

[netlogon]
    path = /var/db/samba4/sysvol/brockley.harte-lyne.ca/scripts
    read only = No

[PROFILES]
    comment = Users profiles
    path = /var/samba4/BROCKLEY/PROFILES/
    browseable = No
    read only = No
    force create mode = 0600
    force directory mode = 0700
    csc policy = disable
    store dos attributes = yes
    vfs objects = dfs_samba4 zfsacl

[USERS]
    comment = Users folder redirection
    path = /var/samba4/BROCKLEY/USERS/
    browseable = No
    read only = No
    force create mode = 0600
    force directory mode = 0700
    csc policy = disable
    store dos attributes = yes
    vfs objects = dfs_samba4 zfsacl

-- 
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne          mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited    http://www.harte-lyne.ca
9 Brockley Drive        vox: +1 905 561 1241
Hamilton, Ontario       fax: +1 905 561 0757
Canada L8E 3C3

We moved profiles with this tool:
https://www.forensit.com/downloads.html

It worked perfectly.

On 13.08.20 at 15:54, James B. Byrne via samba wrote:
> FreeBSD-12.1p7
> Samba-4.10.15
>
> The user profiles were transferred from the existing Samba AD-DC to a new
> domain running on Samba-4.10. An ls on the original Samba (4.3.13) domain DC
> shows this:
>
> [root@SAMBA-01 ~]# ls -ld /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
> drwxrwx---+ 16 BROCKLEY-2016\lyneak_hll BROCKLEY-2016\domain admins 512 Aug 12 17:07 /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
>
> [root@SAMBA-01 ~]# ls -ldn /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
> drwxrwx---+ 16 3000025 3000008 512 Aug 12 17:07 /var/samba4/BROCKLEY-2016/PROFILES/lyneak_hll.V2
>
> On the new domain ls shows this:
>
> ls -ld /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
> drwxrwx--- 16 3000025 3000008 25 Jul 24 17:24 /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
>
> But on the new domain controller ls shows this:
>
> ls -ld /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
> drwxrwx--- 16 3000025 3000008 25 Jul 24 17:24 /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V2
>
> This is expected as the uid/gid mapping from one installation to another is not
> expected to match. However, when I log on to the new domain from a Win10
> workstation this is created:
>
> d---------+ 18 3000027 3000008 27 Aug 12 15:29 /var/samba4/BROCKLEY/PROFILES/lyneak_hll.V6
>
> Which leads to a few questions:
>
> 1. What configuration is required on the new DC to show uid 3000027 as
> BROCKLEY\lyneak_hll or has this changed in later versions of Samba?
>
> 2. GID 3000008 appears to be BROCKLEY-2016\domain admins on both domains. But
> does not display as such on the new domain. What configuration setting is
> required to get the group to display using ls?
>
> 3. On the existing domain the gid on user profiles seems to be 20 (staff). On
> the new domain profiles are created with the gid 3000008. However, gid 20
> (staff) exists in /etc/group on both DCs. Why the difference? Is this due to
> a configuration setting?
>
> The smb.conf file on the new DC is:
>
> [root@smb4-2 ~ (master)]# cat /usr/local/etc/smb4.conf
> ## Global parameters
> [global]
>     netbios name = SMB4-2
>     disable netbios = yes
>     realm = BROCKLEY.HARTE-LYNE.CA
>     server role = active directory domain controller
>     ## use 'samba-tool testparm -v | grep services' to list active services
>     workgroup = BROCKLEY
>     idmap_ldb:use rfc2307 = yes
>     vfs objects = dfs_samba4 zfsacl
>
>     ## Temp fix for roaming profiles? oplock
>     # veto oplock files = /NTUSER.DAT/
>     # veto oplock files = /ntuser.ini/
>
>     socket options = TCP_NODELAY SO_KEEPALIVE
>
>     ## nbt causes a fatal startup error (or use disable netbios = yes)
>     # server services = -nbt
>
>     ## Eliminate ipv6 errors
>     bind interfaces only = Yes
>     interfaces = localhost smb4-2
>
>     ## DNS
>     dns forwarder = 216.185.71.33 216.185.71.34
>     #additional dns hostnames = smb4-2.brockley.harte-lyne.ca
>
>     ## Note diff: sbin vs. bin and _ vs. - and dns vs. ns
>     dns update command = /usr/local/sbin/samba_dnsupdate
>     ## samba_dnsupdate insists on finding rndc
>     rndc command = /usr/bin/true
>     ## For secure dns dynamic updates use these (but secure does not work):
>     # 1 nsupdate command = /usr/local/bin/samba-nsupdate -g
>     # 1 allow dns updates = secure only
>     ## For insecure dynamic updates use these settings:
>     nsupdate command = /usr/local/bin/samba-nsupdate
>     allow dns updates = nonsecure
>
>     ## Logging
>     log level = 1
>     # log file = /var/log/samba4/smbd.log.%m
>     log file = /var/log/samba4/smbd.log
>     max log size = 10000
>     debug timestamp = yes
>
>     # Disable printing
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>
> ## Shares
> [sysvol]
>     path = /var/db/samba4/sysvol
>     read only = No
>
> [netlogon]
>     path = /var/db/samba4/sysvol/brockley.harte-lyne.ca/scripts
>     read only = No
>
> [PROFILES]
>     comment = Users profiles
>     path = /var/samba4/BROCKLEY/PROFILES/
>     browseable = No
>     read only = No
>     force create mode = 0600
>     force directory mode = 0700
>     csc policy = disable
>     store dos attributes = yes
>     vfs objects = dfs_samba4 zfsacl
>
> [USERS]
>     comment = Users folder redirection
>     path = /var/samba4/BROCKLEY/USERS/
>     browseable = No
>     read only = No
>     force create mode = 0600
>     force directory mode = 0700
>     csc policy = disable
>     store dos attributes = yes
>     vfs objects = dfs_samba4 zfsacl
>
>

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps reduce spam and protects your privacy.
A free certificate is available at
https://www.dgn.de/dgncert/index.html