Hi! Rowland penny via samba
On that day wrote...

> Who was this 'someone' ?
[...]
> Yes, stop listening to spurious people who have never done the upgrade and
> follow our documentation ;-)

I'm 'someone'! ;-)

And, as you know, I've correctly migrated/merged 4 NT domains into an AD
domain some years ago, following also hints from this list. ;-)

> I ask because the correct way of doing this is to
> run 'samba-tool domain classicupgrade', we even have a wikipage:
> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

As just discussed in this list, while 'classicupgrade' is clearly the main
path for a migration, it poses some glitches:

- there's no 'merge' of multiple domains
- it is a go/no go tool, there's no way back.

So building a new domain is, surely, a longer path, but, at least for me,
the smoothest one.

> Your users and groups in your new AD domain are not the same users and
> groups as in your old NT4-style domain.
[...]
> Just because they use the same password does not make them the same user.

Sure. But ACLs are evaluated 'locally' to the server we are connecting to,
so we can build a totally different domain, with different groups and ACLs;
this is not the point.

The point here is that, as Louis says, something changed in samba/windows
client os and something that worked without trouble with Win7/samba4.5 two
years ago seems not to work now.

I've suggested also to Paolo to:

+ enable on servers/domain members 'winbind use default domain = yes'

+ try to access shares with IP, to (try to) 'disable' kerberos auth

If it was Win10, surely also SMB1 would have to be enabled, but it seems that
also Win7 does not work anymore... so we are asking here...

-- 
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it    t +39-0434-842711    f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On 24/08/2020 16:18, Marco Gaiarin via samba wrote:
> Hi! Rowland penny via samba
> On that day wrote...
>
>> Who was this 'someone' ?
> [...]
>> Yes, stop listening to spurious people who have never done the upgrade and
>> follow our documentation ;-)
> I'm 'someone'! ;-)

What is this ? Spartacus ? you are the second person to claim to be 'someone' ;-)

> And, as you know, I've correctly migrated/merged 4 NT domains into an AD
> domain some years ago, following also hints from this list. ;-)

Yes, I have some recollection of that.

> As just discussed in this list, while 'classicupgrade' is clearly the
> main path for a migration, it poses some glitches.
> - there's no 'merge' of multiple domains

To be honest, I don't think most people will want to merge domains, but that is a valid point.

> - it is a go/no go tool, there's no way back.

I think I already said that.

> So building a new domain is, surely, a longer path, but, at least for
> me, the smoothest one.

You can also get rid of some of the old ways of doing things (using the RID as a Unix ID for one).

> Sure. But ACLs are evaluated 'locally' to the server we are connecting to,
> so we can build a totally different domain, with different groups and
> ACLs, this is not the point.

If you use 'acl_xattr', then the permissions might not be set locally.

> The point here is that, as Louis says, something changed in
> samba/windows client os and something that worked without trouble with
> Win7/samba4.5 two years ago seems not to work now.

I know that now, but I didn't before, but I have been banging on for at least the last two years, UPGRADE!

> I've suggested also to Paolo to:
>
> + enable on servers/domain members 'winbind use default domain = yes'
>
> + try to access shares with IP, to (try to) 'disable' kerberos auth

As kerberos cannot use IPs, there is a good chance of that.

> If it was Win10, surely also SMB1 would have to be enabled, but it seems that also
> Win7 does not work anymore...
> so we are asking here...

As far as I am aware, SMBv1 is still readily available on Win7, but from Samba 4.11.0, it is now disabled on Samba, so if you must use SMBv1, you will need to set:

    client min protocol = NT1
    server min protocol = NT1

in smb.conf

Or make Windows only use NTLMv2 and lose network browsing and the ability to connect to NT4-style domains.

Rowland
Rowland penny via samba wrote on 24/08/20 at 17:39:
> [...]
> As far as I am aware, SMBv1 is still readily available on Win7, but from
> Samba 4.11.0, it is now disabled on Samba, so if you must use SMBv1, you
> will need to set:
>
> client min protocol = NT1
>
> server min protocol = NT1
>
> in smb.conf

ok, the samba server I'm using as test has samba 4.5.16-Debian installed and these are the global parameters of the smb.conf (after adding the client/server min protocol):

    # Global parameters
    [global]
        server string = %h server
        workgroup = DOMINIOCSA
        log file = /var/log/samba/log.%m
        max log size = 1000
        allow insecure wide links = Yes
        panic action = /usr/share/samba/panic-action %d
        printcap name = cups
        client min protocol = NT1
        server min protocol = NT1
        unix extensions = No
        allow trusted domains = No
        client ipc signing = if_required
        client signing = if_required
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        passwd program = /usr/bin/passwd %u
        security = DOMAIN
        server signing = if_required
        unix password sync = Yes
        template shell = /bin/bash
        winbind cache time = 1
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind use default domain = Yes
        dns proxy = No
        wins server = 192.168.70.2
        idmap config * : range = 25000-30000
        idmap config dominiocsa : range = 10000-25000
        idmap config dominiocsa : backend = rid
        idmap config * : backend = tdb
        map archive = No
        map acl inherit = Yes
        inherit acls = Yes
        invalid users = root

when a user of the AD domain tries to access a share of this server (even accessing using the IP instead of the name) the authentication fails even if the user has the same credentials in both domains... The win10 client has the smbv1 client enabled...

Piviul
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Monday 24 August 2020 17:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] accessing foreign AD users to NT domain
>
> On 24/08/2020 16:18, Marco Gaiarin via samba wrote:
> > Hi! Rowland penny via samba
> > On that day wrote...
> >
> >> Who was this 'someone' ?
> > [...]
> >> Yes, stop listening to spurious people who have never done the upgrade and
> >> follow our documentation ;-)
> > I'm 'someone'! ;-)
> What is this ? Spartacus ? you are the second person to claim to be
> 'someone' ;-)

LoL :-) but Marco is correct, we both said it :-) heheh..

> > And, as you know, I've correctly migrated/merged 4 NT domains into an AD
> > domain some years ago, following also hints from this list. ;-)
> Yes, I have some recollection of that.
> > As just discussed in this list, while 'classicupgrade' is clearly the
> > main path for a migration, it poses some glitches.
> > - there's no 'merge' of multiple domains
> To be honest, I don't think most people will want to merge
> domains, but that is a valid point.
> > - it is a go/no go tool, there's no way back.
> I think I already said that.
> > So building a new domain is, surely, a longer path, but, at least for
> > me, the smoothest one.
> You can also get rid of some of the old ways of doing things
> (using the RID as a Unix ID for one).

Why use RID? I can't use RID... And RID is bad in my opinion.
Sure, if you have one server, RID is fine, but multiple servers, well, don't use RID.
RID is just a cheap way to make things work.

And (in my opinion) the biggest disadvantage of RID isn't even on the RID page.
But you can find that on the backend AD page as an advantage.

> IDs are only cached locally, they are stored in the AD database on DC's.
> This means that if the local cache becomes corrupt the file ownerships are not lost.

So imagine you're in stress, your server went down.
Now you're setting up a new one, restoring backups, hastily you let your users connect and..
Everything is wrong, all your ACLs are messed up. The biggest disadvantage...

> If the Windows Active Directory Users and Computers (ADUC) program is not used,
> you have to manually track ID values to avoid duplicates.

I'm still waiting for Rowland's patch to go into samba.
It's just crazy that even when we can use and add UnixAttributes, it's not stored in the AD.
This would help so much if it's in; maintaining UID/GIDs manually is not an option, that's craziness
and forces you into RID, but this is my personal opinion.

I don't like RID backends in general, but you can use it.
It all depends on your needs and what you're willing to risk, what and where.

> > Sure. But ACLs are evaluated 'locally' to the server we are connecting to,
> > so we can build a totally different domain, with different groups and
> > ACLs, this is not the point.
> If you use 'acl_xattr', then the permissions might not be set locally.

? Uhm,, acl_xattr and the permissions might not be set locally.?

What did I miss here?
the permissions might not be set locally.? But then where are they stored?

> > The point here is that, as Louis said, something changed in
> > samba/windows client os and something that worked without trouble with
> > Win7/samba4.5 two years ago seems not to work now.
> I know that now, but I didn't before, but I have been banging
> on for at least the last two years, UPGRADE!
> > I've suggested also to Paolo to:
> >
> > + enable on servers/domain members 'winbind use default domain = yes'
> >
> > + try to access shares with IP, to (try to) 'disable' kerberos auth
> As kerberos cannot use IPs, there is a good chance of that.
> > If it was Win10, surely also SMB1 would have to be enabled, but it seems that also
> > Win7 does not work anymore...
> > so we are asking here...
>
> As far as I am aware, SMBv1 is still readily available on Win7, but from
> Samba 4.11.0, it is now disabled on Samba, so if you must use SMBv1, you
> will need to set:
>
> client min protocol = NT1
>
> server min protocol = NT1
>
> in smb.conf
>
> Or make Windows only use NTLMv2 and lose network browsing and the
> ability to connect to NT4-style domains.
>
> Rowland
>
>> > The point here is that, as Louis says, something changed in
> samba/windows client os and something that worked without trouble with
> Win7/samba4.5 two years ago seems not to work now.
>

15 years for me now, I'm replacing the server, I wrote a manual 15y ago.

Here the windows xp, windows 7 and windows 10 do work, do login without problems.
Only the drive mappings are shown disabled now and then.

And this shifts users, so what happened, I really don't know, but the simple net use command
fixes my problem; the problem is only with 1 server, and that runs samba 3.6.6.
I'm replacing it this week. Finally.

Greetz,

Louis
On 25/08/2020 08:31, L.P.H. van Belle via samba wrote:
>> You can also get rid of some of the old ways of doing things
>> (using the RID as a Unix ID for one).
> Why use RID? I can't use RID... And RID is bad in my opinion.

ER, no, I think you misunderstood me ;-)

With the old NT4-style domains it used to be thought that using the RID for a Unix ID was a good idea e.g. if the RID was '1000' the Unix ID was '1000'. Now this wasn't really a problem when you had to have a Unix user and a Windows one, but later versions didn't, the users could be in ldap. The problem is now coming to the fore with the classic upgrade and if your Samba Unix IDs start at '1000', you cannot have any local Unix users, which is undoubtedly a problem on distros such as Ubuntu.

> I'm still waiting for Rowland's patch to go into samba.
> It's just crazy that even when we can use and add UnixAttributes, it's not stored in the AD.
> This would help so much if it's in; maintaining UID/GIDs manually is not an option, that's craziness
> and forces you into RID, but this is my personal opinion.
>

I have given up on that, there is always going to be a better way of doing this, but it never turns up :-(

>> If you use 'acl_xattr', then the permissions might not be set locally.
> ? Uhm,, acl_xattr and the permissions might not be set locally.?
>
> What did I miss here?
> the permissions might not be set locally.? But then where are they stored?

'set' and 'stored' are different, you can 'set' them from windows but they are stored locally ;-)

On a Samba Unix domain member, the permissions are stored in three places, in the normal Unix acl (ugo) shown by 'ls', in extended ACLs shown by 'getfacl' and in an EA shown by 'getfattr' or 'samba-tool'.

> 15 years for me now, I'm replacing the server, I wrote a manual 15y ago.
>
> Here the windows xp, windows 7 and windows 10 do work, do login without problems.
> Only the drive mappings are shown disabled now and then.
>
> And this shifts users, so what happened, I really don't know, but the simple net use command
> fixes my problem; the problem is only with 1 server, and that runs samba 3.6.6.
> I'm replacing it this week. Finally.

Have you thought about contacting the Guinness book of records ? for the slowest update ever LOL.

Rowland
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Tuesday 25 August 2020 10:08
> To: samba at lists.samba.org
> Subject: Re: [Samba] accessing foreign AD users to NT domain
>
> On 25/08/2020 08:31, L.P.H. van Belle via samba wrote:
> >> You can also get rid of some of the old ways of doing things
> >> (using the RID as a Unix ID for one).
> > Why use RID? I can't use RID... And RID is bad in my opinion.
>
> ER, no, I think you misunderstood me ;-)

Yes definitely.. I must have misunderstood..

> With the old NT4-style domains it used to be thought that using the RID for
> a Unix ID was a good idea e.g. if the RID was '1000' the Unix ID was
> '1000'. Now this wasn't really a problem when you had to have a Unix
> user and a Windows one, but later versions didn't, the users could be in
> ldap. The problem is now coming to the fore with the classic upgrade and
> if your Samba Unix IDs start at '1000', you cannot have any local Unix
> users, which is undoubtedly a problem on distros such as Ubuntu.

Ah, because of that, well, 15y ago when I did set up my old NT4 PDC,
I already covered that uid problem.. I saw that coming, because of the setup I made.
I used Smbldap tools in those days and well, for me it was "logical" that you don't use
the locally available UID/GIDs and stay away from the local ranges.

Simplest command/tip on not using the system's ranges is:

    grep -E "LAST_UID|LAST_GID" /etc/adduser.conf

Results on Debian Buster in:

    LAST_UID=29999
    LAST_GID=29999

So my (new) range now will be LAST_[G-U]ID +10001
Trying to be future proof (again).

> > I'm still waiting for Rowland's patch to go into samba.
> > It's just crazy that even when we can use and add UnixAttributes, it's not stored in the AD.
> > This would help so much if it's in; maintaining UID/GIDs manually is not an option, that's craziness
> > and forces you into RID, but this is my personal opinion.
> >
> I have given up on that, there is always going to be a better way of
> doing this, but it never turns up :-(

Well, I have an idea on that, but it has to wait until I'm finished with my server(s)
or my boss won't be happy..

> >> If you use 'acl_xattr', then the permissions might not be set locally.
> > ? Uhm,, acl_xattr and the permissions might not be set locally.?
> >
> > What did I miss here?
> > the permissions might not be set locally.? But then where are they stored?
>
> 'set' and 'stored' are different, you can 'set' them from windows but
> they are stored locally ;-)

Ah, ok, I think I really missed a biggy here..

> On a Samba Unix domain member, the permissions are stored in three
> places, in the normal Unix acl (ugo) shown by 'ls', in extended ACLs
> shown by 'getfacl' and in an EA shown by 'getfattr' or 'samba-tool'.

On this I also think we should make/have a compatibility matrix.
Because if you use CHMOD/CHOWN in the wrong place it destroys your windows ACL.
chmod/chown is still used way too much in my opinion.

> > 15 years for me now, I'm replacing the server, I wrote a manual 15y ago.
> >
> > Here the windows xp, windows 7 and windows 10 do work, do login without problems.
> > Only the drive mappings are shown disabled now and then.
> >
> > And this shifts users, so what happened, I really don't know, but the simple net use command
> > fixes my problem; the problem is only with 1 server, and that runs samba 3.6.6.
> > I'm replacing it this week. Finally.
>
> Have you thought about contacting the Guinness book of
> records ? for the slowest update ever LOL.

Well, that server's install took me 6 months but after that I haven't touched it for 12 years.
The damn thing keeps working :-)...
And to me that only shows how powerful a good Samba server setup can be.
I've seen Novell, Bayes, Windows and for me, Linux + samba is all you need.
You only need to take some time to set it up correctly..
Our network here is now 100% windows server free..
Next is moving Windows 10 out with its more and more crappy updates, and I think I've found a nice replacement for it.

And this upgrade, well, replacing that one is what I'm working on for a few months already.
It's a slow process, because I can't take it offline and I do way more here than only setting up servers.
I'm helpdesk and support for everything here; pc's, software, printers, hardware, voip, vpns, new installs and upgrades.
Aahh.. So yeah, it's a slow process when I work on my servers.
Only 2 hands and a 1 guy ICT department. :-/
Hey, I'm happy that I have work these days so, ....

Ok back to work or I'm not getting it done, and boss is back next week.
I promised to have switched server by then.. ;-)

Greetz,

Louis
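Added example (editor's code, not posted by anyone in this thread): a small POSIX sh check for the UID-range problem discussed above, Rowland's point that Samba Unix IDs starting at 1000 collide with local Unix users and Louis's 'grep' of LAST_UID/LAST_GID from /etc/adduser.conf. It parses the 'idmap config ... : range' lines of an smb.conf and reports ranges that overlap each other or the local UID range; the smb.conf and adduser.conf inputs are constructed from values quoted in this thread (the config posted earlier, the Buster LAST_UID), the "fixed" config is a constructed variant, and 'check_idmap', 'idmap_ranges' and 'overlaps' are names chosen for this example.

```sh
# Added example, not code from the thread: report idmap ranges in smb.conf
# that overlap each other or the local account range adduser allocates from
# (FIRST_UID/LAST_UID in /etc/adduser.conf). The inputs are constructed from
# values quoted in the thread; pass real files as "$(cat /etc/samba/smb.conf)".
SMB_CONF_SAMPLE='[global]
   idmap config * : range = 25000-30000
   idmap config dominiocsa : range = 10000-25000
   idmap config dominiocsa : backend = rid
   idmap config * : backend = tdb'
# Constructed corrected variant: both ranges above LAST_UID and disjoint.
SMB_CONF_FIXED='[global]
   idmap config * : range = 50000-59999
   idmap config dominiocsa : range = 40000-49999'
ADDUSER_CONF_SAMPLE='FIRST_UID=1000
LAST_UID=29999'

# idmap_ranges <smb.conf text>: print "domain low high" for each range line
idmap_ranges() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:]*[^: ]\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2 \3/p'
}
# overlaps low1 high1 low2 high2: true if the two closed ranges share an ID
overlaps() { [ "$1" -le "$4" ] && [ "$3" -le "$2" ]; }

# check_idmap <smb.conf text> <adduser.conf text>
# Prints one line per problem; succeeds only when no problem was found.
check_idmap() {
    first=$(printf '%s\n' "$2" | sed -n 's/^FIRST_UID=//p'); first=${first:-0}
    last=$(printf '%s\n' "$2" | sed -n 's/^LAST_UID=//p')
    ranges=$(idmap_ranges "$1")
    problems=0; i=0
    while read -r dom low high; do
        [ -n "$high" ] || continue          # skip empty line when no ranges
        i=$((i + 1)); j=0
        if [ -n "$last" ] && overlaps "$low" "$high" "$first" "$last"; then
            echo "'$dom' range $low-$high overlaps local UIDs $first-$last"
            problems=$((problems + 1))
        fi
        while read -r dom2 low2 high2; do   # compare each pair once (j > i)
            j=$((j + 1))
            if [ "$j" -gt "$i" ] && overlaps "$low" "$high" "$low2" "$high2"; then
                echo "'$dom' range $low-$high overlaps '$dom2' range $low2-$high2"
                problems=$((problems + 1))
            fi
        done <<EOF2
$ranges
EOF2
    done <<EOF
$ranges
EOF
    [ "$problems" -eq 0 ]
}

check_idmap "$SMB_CONF_SAMPLE" "$ADDUSER_CONF_SAMPLE" || echo "fix smb.conf before joining"
check_idmap "$SMB_CONF_FIXED" "$ADDUSER_CONF_SAMPLE" && echo "corrected config is clean"
```

On the posted config the check reports three problems: both ranges lie inside the local 1000-29999 UID range, and the two ranges share the ID 25000.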