Juan Ignacio
2022-Nov-24 17:25 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
> What is a 'member dc' ??

Sorry, I should have said a member of the DC, or domain member, as I said before. Language troubles.

> If your 'member dc' is just another DC, then that smb.conf is not valid
> because you do not use the 'idmap config' lines in a DC smb.conf

No, to clarify, it is a Unix domain member, so the smb.conf seems OK. I didn't make any changes to it. I need to know whether I should check resolv.conf, hosts and other things before demoting the old primary AD DC...

> If your 'member dc' is actually a Unix domain member, then that smb.conf
> is not valid because there are no 'DOMAIN' 'idmap config' lines.

Yes, but we put these lines in a long time ago; this is the complete [global] section of the member file server.

[global]
        netbios name = FILESERVER
        security = ADS
        workgroup = OURDOMAIN
        realm = OURDOMAIN.ORG

        log file = /var/log/samba/%m.log
        log level = 10

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

        #WINBIND
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        winbind use default domain = yes
        winbind cache time = 60

        # Default ID mapping configuration for local BUILTIN accounts
        # and groups on a domain member. The default (*) domain:
        # - must not overlap with any domain ID mapping configuration!
        # - must use a read-write-enabled back end, such as tdb.
        # - Adding just this is not enough
        # - You must set a DOMAIN backend configuration, see below
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        username map = /usr/local/samba/etc/user.map

Samba was built from source.

On Thu, 24 Nov 2022 at 13:59, Rowland Penny via samba (<samba at lists.samba.org>) wrote:

> On 24/11/2022 15:54, Juan Ignacio wrote:
> > > Are you sure that there aren't any other 'idmap config' lines ?
> > >
> > > I would have expected lines for your DOMAIN
> >
> > All the lines on the member file server are these.
> >
> >         vfs objects = acl_xattr
> >         map acl inherit = yes
> >         store dos attributes = yes
> >
> >         #WINBIND
> >         winbind enum users = yes
> >         winbind enum groups = yes
> >         winbind refresh tickets = yes
> >         winbind use default domain = yes
> >         winbind cache time = 60
> >
> >         # Default ID mapping configuration for local BUILTIN accounts
> >         # and groups on a domain member. The default (*) domain:
> >         # - must not overlap with any domain ID mapping configuration!
> >         # - must use a read-write-enabled back end, such as tdb.
> >         # - Adding just this is not enough
> >         # - You must set a DOMAIN backend configuration, see below
> >         idmap config * : backend = tdb
> >         idmap config * : range = 3000-7999
> >
> >         username map = /usr/local/samba/etc/user.map
> >
> > > The whole idea behind syncing idmap.ldb between DCs is to ensure
> > > that they all use the IDs.
> >
> > Yes, but I have some differences between the AD DC and member DC,
>
> What is a 'member dc' ??
>
> In Samba AD, you have DCs (which are all equal except for the FSMO
> roles, this includes RODCs) and Unix & Windows domain members.
>
> The domain members get their IDs from the DCs; Windows uses the RID
> and Unix uses whatever winbind idmap backend is chosen.
>
> If your 'member dc' is just another DC, then that smb.conf is not valid
> because you do not use the 'idmap config' lines in a DC smb.conf
>
> If your 'member dc' is actually a Unix domain member, then that smb.conf
> is not valid because there are no 'DOMAIN' 'idmap config' lines.
>
> Rowland
Rowland Penny
2022-Nov-24 17:38 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
On 24/11/2022 17:25, Juan Ignacio wrote:
> > What is a 'member dc' ??
>
> Sorry, I should have said a member of the DC, or domain member, as I said
> before. Language troubles.
>
> > If your 'member dc' is just another DC, then that smb.conf is not valid
> > because you do not use the 'idmap config' lines in a DC smb.conf
>
> No, to clarify, it is a Unix domain member, so the smb.conf seems OK.

Sorry, but no it doesn't.

> I didn't make any changes to it. I need to know whether I should check
> resolv.conf, hosts and other things before demoting the old primary AD DC...
>
> > If your 'member dc' is actually a Unix domain member, then that smb.conf
> > is not valid because there are no 'DOMAIN' 'idmap config' lines.
>
> Yes, but we put these lines in a long time ago; this is the complete
> [global] section of the member file server.
>

Let's walk through your smb.conf:

> [global]
>         netbios name = FILESERVER

You do not need to set 'netbios name', Samba will fill it in for you.

>         security = ADS
>         workgroup = OURDOMAIN
>         realm = OURDOMAIN.ORG
>
>         log file = /var/log/samba/%m.log
>         log level = 10
>
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>
>         #WINBIND
>         winbind enum users = yes
>         winbind enum groups = yes

You do not need the 'winbind enum' lines; they can just slow things down, because winbind has to enumerate all users and groups.

>         winbind refresh tickets = yes
>         winbind use default domain = yes
>         winbind cache time = 60
>
>         # Default ID mapping configuration for local BUILTIN accounts
>         # and groups on a domain member. The default (*) domain:
>         # - must not overlap with any domain ID mapping configuration!
>         # - must use a read-write-enabled back end, such as tdb.
>         # - Adding just this is not enough
>         # - You must set a DOMAIN backend configuration, see below
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999

Now we come to the 'biggy': did you actually read the line above, 'You must set a DOMAIN backend configuration'? Obviously not, because you do not appear to have done so. I would expect as a minimum:

        idmap config OURDOMAIN : backend = rid
        idmap config OURDOMAIN : range = 10000-999999

There are other idmap backends and you could use a different range, but the ranges must not overlap.

>         username map = /usr/local/samba/etc/user.map
>
> Samba was built from source.

Doesn't matter where Samba comes from, you set it up the same, just different paths.

Rowland
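The requirements Rowland spells out above (and that the comment block in Juan's posted [global] section already states) can be checked mechanically before the old DC is demoted. The script below is an added example, not code from Samba or from either poster: it reads the [global] section of an smb.conf, confirms that the default '*' domain and the member's own workgroup each have an idmap backend and range, flags a read-only backend on '*', and reports overlapping ranges. The three smb.conf texts in it are constructed for this example from the configuration posted in the thread: one as posted, one with the DOMAIN lines Rowland asks for as a minimum, and one with a deliberately overlapping range.

```python
"""Sanity-check the 'idmap config' lines of a Samba domain-member smb.conf.

Added example, not Samba's own code.  It implements the checks raised in
the thread: the default '*' domain needs a writable backend and a range,
the member's own workgroup needs its own 'idmap config' lines, and no two
ranges may overlap.  All smb.conf texts below are constructed for this
example.
"""
import re

# Matches e.g. "idmap config OURDOMAIN : backend = rid"
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)$",
    re.IGNORECASE,
)

# Backends that cannot allocate new IDs; they are unsuitable for '*'.
READ_ONLY_BACKENDS = {"ad", "rid"}


def parse_global(text):
    """Return (workgroup, {DOMAIN: {key: value}}) from the [global] section."""
    workgroup, idmap, in_global = None, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        if line.startswith("["):                  # section header
            in_global = line.lower() == "[global]"
            continue
        if not in_global:
            continue
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"].strip()
            continue
        key, _, val = line.partition("=")
        if key.strip().lower() == "workgroup":
            workgroup = val.strip().upper()
    return workgroup, idmap


def parse_range(value):
    """'10000-999999' -> (10000, 999999); raises ValueError on nonsense."""
    lo, hi = (int(x) for x in value.split("-", 1))
    if lo > hi:
        raise ValueError(f"idmap range {value!r} has low > high")
    return lo, hi


def check_idmap(text):
    """Return a list of problems; an empty list means the idmap config is sane."""
    problems = []
    workgroup, idmap = parse_global(text)
    if workgroup is None:
        problems.append("no 'workgroup' in [global]")
    # Both the '*' default domain and the member's own domain need a
    # backend and a range.
    wanted = ["*"] + ([workgroup] if workgroup else [])
    for dom in wanted:
        cfg = idmap.get(dom)
        if cfg is None:
            problems.append(f"no 'idmap config {dom}' lines")
            continue
        for key in ("backend", "range"):
            if key not in cfg:
                problems.append(f"'idmap config {dom}' has no {key}")
    if idmap.get("*", {}).get("backend", "").lower() in READ_ONLY_BACKENDS:
        problems.append("'idmap config *' must use a read-write backend such as tdb")
    # Ranges of every configured domain must not overlap.
    ranges = []
    for dom, cfg in idmap.items():
        if "range" in cfg:
            try:
                ranges.append((dom,) + parse_range(cfg["range"]))
            except ValueError as exc:
                problems.append(f"{dom}: {exc}")
    ranges.sort(key=lambda r: r[1])
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    return problems


# Constructed [global] mirroring the one posted in the thread: only '*' lines.
POSTED_CONF = """\
[global]
        security = ADS
        workgroup = OURDOMAIN
        realm = OURDOMAIN.ORG
        # - You must set a DOMAIN backend configuration, see below
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        username map = /usr/local/samba/etc/user.map
"""

# The same config with the DOMAIN lines suggested in the reply as a minimum.
FIXED_CONF = POSTED_CONF + """\
        idmap config OURDOMAIN : backend = rid
        idmap config OURDOMAIN : range = 10000-999999
"""

# Constructed negative case: the DOMAIN range overlaps the '*' range.
OVERLAP_CONF = POSTED_CONF + """\
        idmap config OURDOMAIN : backend = rid
        idmap config OURDOMAIN : range = 5000-999999
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF),
                       ("overlap", OVERLAP_CONF)):
        print(name, check_idmap(conf) or "OK")
```

Run against the posted configuration it reports only the missing 'idmap config OURDOMAIN' lines; with the two rid lines added it is clean; with a DOMAIN range that starts inside the '*' range it reports the overlap. The parser only looks at [global] and treats the value before the first '=' as the key, which is enough for the parameters involved here.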