tbuchanan at vinu.edu
2020-Sep-10 19:28 UTC
[Samba] How to convert stand-alone samba servers to join existing Windows Active Directory domain
We have multiple stand-alone samba (4.2.10 and 4.10.4) file sharing servers with hundreds of local users on each server (not the same on all samba servers) in a CentOS/Oracle Linux (6 and 7) network. We would like to convert these stand-alone servers to join an existing Windows based AD domain without losing data or ownership/permission metadata on these servers. Is there a guide for doing so, or can someone give the steps necessary to accomplish this task? I see in the samba wiki how to set up samba as a domain controller or stand-alone server, but nothing really on how to convert from stand-alone to domain member. I am not really familiar with the Active Directory side of things, so perhaps I'm not asking the right questions or looking in the right places. Thank you in advance.
Rowland penny
2020-Sep-11 18:07 UTC
[Samba] How to convert stand-alone samba servers to join existing Windows Active Directory domain
On 10/09/2020 20:28, Ted Buchanan via samba wrote:
> We have multiple stand-alone samba (4.2.10 and 4.10.4) file sharing
> servers with hundreds of local users on each server (not the same on all
> samba servers) in a CentOS/Oracle Linux (6 and 7) network. We would like
> to convert these stand-alone servers to join an existing Windows based AD
> domain without losing data or ownership/permission metadata on these
> servers. Is there a guide for doing so or can someone give the steps
> necessary to accomplish this task? I see in the samba wiki how to set up
> samba as a domain controller or stand-alone server but nothing really on
> how to convert from stand-alone to domain member. I am not really familiar
> with the Active Directory side of things so perhaps I'm not asking the
> right questions or looking in the right places. Thank you in advance.
>

I meant to reply to this earlier, but got sidetracked ;-)

Not sure you can do this easily. Yes, you might have the same users on some of the standalone servers, but do they have the same numeric ID on each of them?

Let's say you have the user 'fred' who is a Unix & Samba user on computers A, B & D, but not on C:

On A, he has the ID '1005'
On B, he has the ID '1764'
On D, he has the ID '1067'

When you create your AD domain, you will have to recreate your users and delete them from /etc/passwd on the standalone servers when you join them to the domain, so which uidNumber attribute contents will you give 'fred'?

If you choose '1005' there is a good chance that it will clash with another user from B, or C, or D; the same goes for the other two IDs.

I feel the only way out of this problem is to create a new AD domain. Create your users in AD with new IDs (preferably from 10000 upwards) and then chown the files on the standalone servers after you have joined them to the domain, presumably after writing a script to do the chown.

Rowland
Robert Marcano
2020-Sep-11 18:23 UTC
[Samba] How to convert stand-alone samba servers to join existing Windows Active Directory domain
On 9/10/20 3:28 PM, Ted Buchanan via samba wrote:
> We have multiple stand-alone samba (4.2.10 and 4.10.4) file sharing
> servers with hundreds of local users on each server (not the same on all
> samba servers) in a CentOS/Oracle Linux (6 and 7) network. We would like
> to convert these stand-alone servers to join an existing Windows based AD
> domain without losing data or ownership/permission metadata on these
> servers. Is there a guide for doing so or can someone give the steps
> necessary to accomplish this task? I see in the samba wiki how to set up
> samba as a domain controller or stand-alone server but nothing really on
> how to convert from stand-alone to domain member. I am not really familiar
> with the Active Directory side of things so perhaps I'm not asking the
> right questions or looking in the right places. Thank you in advance.
>

Samba id mapping strategies are pluggable; one of those is the winbind tdb id mapping. So in theory you could collect all users from one of those servers, annotate their user, group and ids, and create a new tdb file with the corresponding mapping from the AD domain to the local id, and then configure winbind to use that tdb mapping.

You will have to generate a new idmap tdb file for each server because, when running each one as a standalone server, there is no relationship on the mapping between the servers.

If you plan on sharing or syncing content between these servers, you will need to use tools that sync permissions and POSIX ACLs by name and not by id, but you will have problems with Windows ACLs because these are stored in a Samba-specific way many tools can't process. So be careful.

This could be a temporary strategy, so you can then migrate it gradually to a new server that doesn't use that tdb mapping strategy.
tbuchanan at vinu.edu
2020-Sep-11 18:32 UTC
[Samba] How to convert stand-alone samba servers to join existing Windows Active Directory domain
Thank you Rowland and Robert for your comments giving food for thought. Even after I asked the question, I realized that our Active Directory IDs do not match the user IDs on the samba servers, so that adds another variable.
Rowland penny
2020-Sep-11 18:40 UTC
[Samba] How to convert stand-alone samba servers to join existing Windows Active Directory domain
On 11/09/2020 19:23, Robert Marcano via samba wrote:
> Samba id mapping strategies are pluggable; one of those is the winbind
> tdb id mapping. So in theory you could collect all users from one of
> those servers, annotate their user, group and ids, and create a new
> tdb file with the corresponding mapping from the AD domain to the
> local id, and then configure winbind to use that tdb mapping.
>
> You will have to generate a new idmap tdb file for each server because,
> when running each one as a standalone server, there is no
> relationship on the mapping between the servers.
>
> If you plan on sharing or syncing content between these servers, you
> will need to use tools that sync permissions and POSIX ACLs by name
> and not by id, but you will have problems with Windows ACLs because
> these are stored in a Samba-specific way many tools can't process. So
> be careful.
>
> This could be a temporary strategy, so you can then migrate it gradually
> to a new server that doesn't use that tdb mapping strategy.
>

The 'tdb' backend is an allocating backend, so I don't think that method is going to work, but I am open to persuasion ;-)

Yes, some method will have to be found to identify the file & directory ownership before the join and then change them to the new IDs after the join.

Rowland
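One way to script the "record ownership before the join, chown after the join" step that Rowland describes in both of his replies, as an added example that is not from the thread or from the Samba project. It assumes GNU find (for -printf) and two map files, "name<TAB>new id", that you export from AD after creating the accounts; the demo data below is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: snapshot file ownership by NAME
# before the domain join, then translate it to the AD uidNumber/gidNumber
# after the join. Assumes GNU find (-printf) and two map files exported
# from AD ("name<TAB>newid"). Names are the stable key because, as the
# thread notes, the numeric ids differ per server and may collide with
# the new AD ids.

# 1. Before the join, while /etc/passwd still resolves the local accounts.
#    Paths containing tabs or newlines would break this record format.
snapshot_ownership() {             # $1 = share root, $2 = manifest to write
    find "$1" -printf '%p\t%u\t%g\n' > "$2"
}

# 2. After the join: emit one chown per path using numeric ids, so the
#    result does not depend on winbind name lookups. Names missing from
#    a map are reported on stderr rather than skipped silently, so no
#    file is left owned by a stale local id without anyone noticing.
plan_chown() {                     # $1 = manifest, $2 = user map, $3 = group map
    awk -F'\t' -v OFS='\t' '
        FILENAME == ARGV[1] { umap[$1] = $2; next }   # user map
        FILENAME == ARGV[2] { gmap[$1] = $2; next }   # group map
        {
            if (!($2 in umap) || !($3 in gmap)) {
                print "UNMAPPED", $1, $2, $3 > "/dev/stderr"
                next
            }
            printf "chown %s:%s -- \"%s\"\n", umap[$2], gmap[$3], $1
        }' "$2" "$3" "$1"
}

# Constructed demo standing in for one server: local user fred owns a
# file, local user joe has no AD account yet, group staff maps to 10100.
demo() {
    d=$(mktemp -d)
    printf '/srv/share/report.doc\tfred\tstaff\n/srv/share/old.txt\tjoe\tstaff\n' > "$d/manifest"
    printf 'fred\t10005\n' > "$d/users.map"     # fred's new AD uidNumber (constructed)
    printf 'staff\t10100\n' > "$d/groups.map"   # staff's new AD gidNumber (constructed)
    plan_chown "$d/manifest" "$d/users.map" "$d/groups.map"
    rm -rf "$d"
}
```

Review the plan output (and the UNMAPPED list) before piping it to sh on the joined server; the manifest must be taken while the old local accounts still resolve to names.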