Dear all,

I have successfully set up samba ad in a virtual environment and now wish to deploy in the real world. The DCs will remain as VMs.

The issue I have is that the bare metal file server is currently a domain member of another AD, which I am decommissioning. What is the best way to transplant the VM file server samba config over to bare metal?

I set up the VM file server to match bare metal in terms of OS and hostname/IP. (Debian stretch with 4.10.18 (Louis rep) on VM, bare metal is stretch with 4.5.16, which will be upgraded to 4.10.18.) I can't use a new file server hostname as other services are dependent on that. DCs are Bullseye with stock samba, awaiting Louis' magic.

Options?

1. Remove VM file server from virtual AD, upgrade bare metal samba, then rejoin AD?
2. Purge samba from bare metal, clean install 4.10.18 (if that is possible) and copy samba dir from VM to bare metal?

Option 2 sounds dodgy, but not sure if option 1 will work cleanly.

Further question: Once bare metal is connected to new domain, what is the best way of changing over the file ownership/permissions? This was discussed on the list about 6 weeks ago. My plan is chmod -R username."Domain Users" on the fileserver from the Unix end, and get a Windows 10 client to replace the windows ACLs on the file server. Does that sound reasonable?

(I know RP will ask, I've held off upgrading stretch to buster because I found stretch so stable compared to buster. I use buster on a workstation and it requires too many reboots to be used as a server. I have high hopes for bullseye, hoping the further integration of systemd doesn't scupper that)

Thanks,
RT

Hello! Rob Tho via samba wrote:

> I have successfully set up samba ad in a virtual environment and now wish
> to deploy in the real world.

Do the old and new domains have the same users and passwords (or can have, indeed)?

If 'yes', at least using SMB1, you can also simply point the new domain users to use the old domain/server (you can use IP '\\1.2.3.4\Share' to try to force SMB1).

This does not solve your trouble, but at least can give you more time (e.g., instead of moving all data around in one turn, you can move one share at a time).

Also, for file permissions, if you use POSIX ACLs (or, you don't have complex ACL permissions that are saved in POSIX Attributes), I think you can simply dump the ACLs with getfacl and restore them with setfacl, or use rsync with --acls; clearly also this if usernames match.

I've not tested it, but if instead of login you can get the UID/GID to match from the older to the newer domain, you can use getfacl/setfacl or rsync with some sort of '--numeric'.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
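
Added example, not part of either message above: where UIDs/GIDs differ between the old and new domain, a numeric `getfacl -R -n` dump can be rewritten through an ID table before `setfacl --restore`, which also restores owner and group from the `# owner:` / `# group:` comment lines. The ID tables, sample dump and the function name remap_dump are constructed for illustration.

```python
import re

# Constructed sample of `getfacl -R -n` output from the old server (numeric IDs).
SAMPLE_DUMP = """\
# file: srv/share/docs
# owner: 10001
# group: 10513
user::rwx
user:10002:r-x
group::r-x
group:10513:rwx
mask::rwx
other::---
default:user:10777:rwx
"""

# Hypothetical old-domain -> new-domain ID tables; all values are constructed.
UID_MAP = {"10001": "3000021", "10002": "3000022"}
GID_MAP = {"10513": "3000513"}

HEADER = re.compile(r"^# (owner|group): (\S+)$")
# Named ACL entry, optionally "default:" and a trailing "#effective:" comment.
ENTRY = re.compile(r"^((?:default:)?(user|group)):([^:]+):([rwxX-]{3})\s*(?:#.*)?$")

def remap_dump(dump, uid_map, gid_map):
    """Rewrite IDs in a getfacl dump; return (new_dump, unmapped)."""
    maps = {"owner": uid_map, "user": uid_map, "group": gid_map}
    out, unmapped, path = [], [], None
    for line in dump.splitlines():
        if line.startswith("# file: "):
            path = line[len("# file: "):]
        h, e = HEADER.match(line), ENTRY.match(line)
        if h:
            kind, old, template = h.group(1), h.group(2), "# " + h.group(1) + ": {}"
        elif e:
            kind, old, template = e.group(2), e.group(3), e.group(1) + ":{}:" + e.group(4)
        else:
            out.append(line)  # "# file:", base entries (user::, mask::, other::), blanks
            continue
        new = maps[kind].get(old)
        if new is None:
            # Fail closed: drop the line so a stale ID never grants access to
            # whichever account holds that number in the new domain.
            unmapped.append((kind, old, path))
        else:
            out.append(template.format(new))
    return "\n".join(out) + "\n", unmapped

if __name__ == "__main__":
    new_dump, unmapped = remap_dump(SAMPLE_DUMP, UID_MAP, GID_MAP)
    print(new_dump)  # write to a file for `setfacl --restore=FILE` on the new server
    for kind, old, path in unmapped:
        print("unmapped", kind, old, "on", path)
```

Review the unmapped list before restoring; each entry is an ACL grant or owner that has no counterpart in the new domain yet.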