On Thu, 8 Oct 2020 17:37:38 +0100
Rowland penny via samba <samba at lists.samba.org> wrote:

> On 08/10/2020 17:25, Emmanuel Florac via samba wrote:
> > But it's not a domain, no LDAP, no AD. Just a standalone server,
> > migrating to another standalone server. Should I do something using
> > Samba tool?
>
> No, samba-tool is only used with AD.
>
> As far as I am aware, the standalone server hasn't changed that much
> between 3.6 and 4.9 (both of which are EOL as far as Samba is
> concerned), so your method probably should have worked.
>
> What OS are you using ?

Debian, the old server running Debian 7 and the new one Debian 10
(current stable).

> Have you checked the file ownership on the files you copied ?

Yes, they belong to root, 600 access rights on both systems.

> What is in your smb.conf ?
>
> I take it that it isn't so much getting Samba to work, it is the file
> ownership.

The smb.conf are quite different, because the old one doesn't work out
of the box with the new machine.

The main differences are:

old box:

    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 10
    idmap uid = 10000-20000
    idmap gid = 10000-20000

(no idmap or winbind custom settings on the new one)

Old box:

    unix password sync = false

New:

    unix password sync = true

Maybe that's the culprit? I don't really know what this setting does.

--
Emmanuel Florac | Technical Director | Intellique | <eflorac at intellique.com> | +33 1 78 94 84 02

On 08/10/2020 17:49, Emmanuel Florac wrote:

> On Thu, 8 Oct 2020 17:37:38 +0100
> Rowland penny via samba <samba at lists.samba.org> wrote:
>
>> On 08/10/2020 17:25, Emmanuel Florac via samba wrote:
>>> But it's not a domain, no LDAP, no AD. Just a standalone server,
>>> migrating to another standalone server. Should I do something using
>>> Samba tool?
>> No, samba-tool is only used with AD.
>>
>> As far as I am aware, the standalone server hasn't changed that much
>> between 3.6 and 4.9 (both of which are EOL as far as Samba is
>> concerned), so your method probably should have worked.
>>
>> What OS are you using ?
> Debian, the old server running Debian 7 and the new one Debian 10
> (current stable).
>
>> Have you checked the file ownership on the files you copied ?
> Yes, they belong to root, 600 access rights on both systems.
>
>> What is in your smb.conf ?
>>
>> I take it that it isn't so much getting Samba to work, it is the file
>> ownership.
> The smb.conf are quite different, because the old one doesn't work out
> of the box with the new machine.
>
> The main differences are:
>
> old box:
>
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 10
> idmap uid = 10000-20000
> idmap gid = 10000-20000
>
> (no idmap or winbind custom settings on the new one)
>
> Old box :
>
> unix password sync = false
>
> New:
>
> unix password sync = true
>
> Maybe that's the culprit? I don't really know what this setting does.

You do not normally run winbind on standalone server, so I think you
need to post the [global] portion of your old smb.conf, so we can find
out just what you are running.

Rowland

Yes, without full config this is hard to analyze..
Smb.conf, maybe some log parts if there is something in the logs..

Now, TP starter said:

> I copied system users and group, then /var/lib/samba/*.tdb

Here I'm pointing to the "users" and "groups".
What exactly did you copy? Only the passwd and groups?
Did you make sure you only copied the UID/GIDs above 1000?
Because the numbers below it do change per install.

You also know there is a "shadow" file?
Did you test if you can login with the copied users (if allowed and needed)?

These are the important ones:
accounts: /etc/passwd
passwords: /etc/shadow
groups and memberships: /etc/group
group passwords: /etc/gshadow
/etc/samba/*
/var/lib/samba/*

This one has a good and valid set to move accounts.
https://www.cyberciti.biz/faq/howto-move-migrate-user-accounts-old-to-new-server/

Debian and Ubuntu Linux : Default is 1000 and upper limit is 29999 (/etc/adduser.conf).
Only that part, the upper limit is now 59999

And have you seen?
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server#Creating_a_Local_User_Account

I don't think the underlying problem here is Samba, but how it's copied.
I say review above with the steps you did, you missed something.
(but that's clear already) :-/

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Thursday 8 October 2020 19:32
> To: sambalist
> Subject: Re: [Samba] Moving users from a Samba 3.6 to 4.9 (tdb)
>
> On 08/10/2020 17:49, Emmanuel Florac wrote:
> > On Thu, 8 Oct 2020 17:37:38 +0100
> > Rowland penny via samba <samba at lists.samba.org> wrote:
> >
> >> On 08/10/2020 17:25, Emmanuel Florac via samba wrote:
> >>> But it's not a domain, no LDAP, no AD. Just a standalone server,
> >>> migrating to another standalone server. Should I do something using
> >>> Samba tool?
> >> No, samba-tool is only used with AD.
> >>
> >> As far as I am aware, the standalone server hasn't changed that much
> >> between 3.6 and 4.9 (both of which are EOL as far as Samba is
> >> concerned), so your method probably should have worked.
> >>
> >> What OS are you using ?
> > Debian, the old server running Debian 7 and the new one Debian 10
> > (current stable).
> >
> >> Have you checked the file ownership on the files you copied ?
> > Yes, they belong to root, 600 access rights on both systems.
> >
> >> What is in your smb.conf ?
> >>
> >> I take it that it isn't so much getting Samba to work, it is the file
> >> ownership.
> > The smb.conf are quite different, because the old one doesn't work out
> > of the box with the new machine.
> >
> > The main differences are:
> >
> > old box:
> >
> > winbind separator = +
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind cache time = 10
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> >
> > (no idmap or winbind custom settings on the new one)
> >
> > Old box :
> >
> > unix password sync = false
> >
> > New:
> >
> > unix password sync = true
> >
> > Maybe that's the culprit? I don't really know what this setting does.
>
> You do not normally run winbind on standalone server, so I think you
> need to post the [global] portion of your old smb.conf, so we can find
> out just what you are running.
>
> Rowland

On Thu, 8 Oct 2020 18:31:38 +0100
Rowland penny via samba <samba at lists.samba.org> wrote:

> You do not normally run winbind on standalone server, so I think you
> need to post the [global] portion of your old smb.conf, so we can
> find out just what you are running.

Here is the old one:

[global]
    name resolve order = wins lmhosts host bcast
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
    encrypt passwords = true
    passdb backend = tdbsam
    unix password sync = false
    passwd program = /usr/bin/passwd %u
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 10
    idmap gid = 10000-20000
    idmap uid = 10000-20000
    obey pam restrictions = yes
    preserve case = yes
    short preserve case = yes
    inherit acls = yes
    nt acl support = yes
    dns proxy = no
    inherit permissions = yes
    load printers = no
    printcap name = /dev/null
    disable spoolss = yes
    printing = bsd
    invalid users = root
    local master = no
    domain master = no
    preferred master = no
    workgroup = WORKGROUP
    syslog only = no
    os level = 20
    security = user
    max log size = 1000
    load printers = no
    guest account = nobody
    wins support = no
    wins server = 127.0.0.1
    template shell = /bin/false
    server string = %h server (Samba %v)
    syslog = 0;
    panic action = /usr/share/samba/panic-action %d
    block size = 4096
    allow insecure wide links = yes

For comparison, there's almost nothing in the new one:

[global]
    netbios aliases = NAS
    passwd program = /usr/bin/passwd %u
    syslog = 0
    server role = standalone server
    log file = /var/log/samba/log.%m
    usershare allow guests = yes
    unix password sync = yes
    map to guest = bad user
    panic action = /usr/share/samba/panic-action %d
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    max log size = 1000
    default = NAS
    pam password change = yes
    os level = 20
    obey pam restrictions = yes
    workgroup = WORKGROUP
    passdb backend = tdbsam
    dns proxy = no
    netbios name = 457NAS

--
Emmanuel Florac | Technical Director | Intellique | <eflorac at intellique.com> | +33 1 78 94 84 02

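An added example, not part of the thread and not Samba's own tooling: a short Python comparison of two [global] sections like the ones posted above, normalising parameter names and boolean spellings and marking changed settings that affect authentication or guest access. The OLD and NEW strings are constructed excerpts using values from the messages; the WATCH list and the function names are assumptions of this example.

```python
import re

# Boolean spellings treated as equal; 0/1 are left alone so integers are not mangled.
BOOL = {"yes": "yes", "true": "yes", "no": "no", "false": "no"}
# Settings touching authentication, guest access or links (this example's choice).
WATCH = {"invalidusers", "maptoguest", "usershareallowguests", "unixpasswordsync",
         "pampasswordchange", "obeypamrestrictions", "allowinsecurewidelinks"}
# Constructed excerpts of the old and new [global] sections from the thread.
OLD = """[global]
   passdb backend = tdbsam
   unix password sync = false
   obey pam restrictions = yes
   invalid users = root
   workgroup = WORKGROUP
   allow insecure wide links = yes
"""
NEW = """[global]
   server role = standalone server
   usershare allow guests = yes
   unix password sync = yes
   map to guest = bad user
   pam password change = yes
   obey pam restrictions = yes
   workgroup = WORKGROUP
   passdb backend = tdbsam
"""

def parse_global(text):
    """Map normalised parameter name -> (name as written, normalised value)."""
    params, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            name, value = (s.strip() for s in line.split("=", 1))
            # Case and whitespace in parameter names are irrelevant to Samba.
            key = re.sub(r"\s+", "", name).lower()
            params[key] = (name, BOOL.get(value.lower(), value))
    return params

def diff_global(old_text, new_text):
    """Return (name, old value, new value, watched) for every differing parameter."""
    old, new = parse_global(old_text), parse_global(new_text)
    rows = []
    for key in sorted(old.keys() | new.keys()):
        o, n = old.get(key), new.get(key)
        if not (o and n and o[1] == n[1]):
            rows.append(((o or n)[0], o and o[1], n and n[1], key in WATCH))
    return rows
```

Calling `diff_global(OLD, NEW)` returns one row per changed, added or dropped parameter, with the last field set for the watched ones; the same function can be fed the output of `testparm -s` from each server.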
On Fri, 9 Oct 2020 08:58:40 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Now, TP starter said:
> > I copied system users and group, then /var/lib/samba/*.tdb
>
> Here I'm pointing to the "users" and "groups".
> What exactly did you copy? Only the passwd and groups?
> Did you make sure you only copied the UID/GIDs above 1000?
> Because the numbers below it do change per install.
>
> You also know there is a "shadow" file?
> Did you test if you can login with the copied users (if allowed and
> needed)?
>
> These are the important ones:
> accounts: /etc/passwd
> passwords: /etc/shadow
> groups and memberships: /etc/group
> group passwords: /etc/gshadow
> /etc/samba/*
> /var/lib/samba/*
>
> This one has a good and valid set to move accounts.
> https://www.cyberciti.biz/faq/howto-move-migrate-user-accounts-old-to-new-server/

Yes, I've copied the users and groups over 1000 only. I didn't move
stuff from /etc/samba because there isn't anything but smb.conf, and the
old one doesn't work well with a more recent samba anyway :)

--
Emmanuel Florac | Technical Director | Intellique | <eflorac at intellique.com> | +33 1 78 94 84 02