Rowland Penny
2022-Nov-24 17:38 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
On 24/11/2022 17:25, Juan Ignacio wrote:
>     What is a 'member dc' ??
>
> Sorry I must say a member of the DC or domain member as I said before.
> Language Troubles.
>
>     If your 'member dc' is just another DC, then that smb.conf is not valid
>     because you do not use the 'idmap config' lines in a DC smb.conf
>
> No its member is a Unix Domain Member to clarify, so the smb.conf seems OK.

Sorry, but no it doesn't.

> I didn't make any changes on it, I must know if maybe I need to check
> resolv.conf and hosts and other info before demoting the primary old
> ad-dc...
>
>     If your 'member dc' is actually a Unix domain member, then that smb.conf
>     is not valid because there are no 'DOMAIN' 'idmap config' lines.
>
> Yea but we put these lines a long time ago, this is the complete global
> of the member file server.

Let's walk through your smb.conf:

> [global]
>        netbios name = FILESERVER

You do not need to set 'netbios name', Samba will fill it in for you.

>        security = ADS
>        workgroup = OURDOMAIN
>        realm = OURDOMAIN.ORG
>
>        log file = /var/log/samba/%m.log
>        log level = 10
>
>        vfs objects = acl_xattr
>        map acl inherit = yes
>        store dos attributes = yes
>
>        #WINBIND
>        winbind enum users = yes
>        winbind enum groups = yes

You do not need the 'winbind enum' lines, they can just slow things down, winbind has to enumerate all users and groups.

>        winbind refresh tickets = yes
>        winbind use default domain = yes
>        winbind cache time = 60
>
>        # Default ID mapping configuration for local BUILTIN accounts
>        # and groups on a domain member. The default (*) domain:
>        # - must not overlap with any domain ID mapping configuration!
>        # - must use a read-write-enabled back end, such as tdb.
>        # - Adding just this is not enough
>        # - You must set a DOMAIN backend configuration, see below
>        idmap config * : backend = tdb
>        idmap config * : range = 3000-7999

Now we come to the 'biggy', did you actually read the line above 'You must set a DOMAIN backend configuration' ?

Obviously not, because you do not appear to have done so, I would expect as a minimum:

    idmap config OURDOMAIN : backend = rid
    idmap config OURDOMAIN : range = 10000-999999

There are other idmap backends and you could use a different range, but the ranges must not overlap.

>        username map = /usr/local/samba/etc/user.map
>
> The samba was built from sources.

Doesn't matter where Samba comes from, you set it up the same, just different paths.

Rowland
Juan Ignacio
2022-Nov-24 18:51 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
> On 24/11/2022 17:25, Juan Ignacio wrote:
> >     What is a 'member dc' ??
> >
> > Sorry I must say a member of the DC or domain member as I said before.
> > Language Troubles.
> >
> >     If your 'member dc' is just another DC, then that smb.conf is not valid
> >     because you do not use the 'idmap config' lines in a DC smb.conf
> >
> > No its member is a Unix Domain Member to clarify, so the smb.conf seems OK.
>
> Sorry, but no it doesn't.

Ok, let's try to fix that server too.

> You do not need the 'winbind enum' lines, they can just slow things
> down, winbind has to enumerate all users and groups.

Ok, so if I remove those lines I can still correctly see owner and group names in unix?

> > [global]
> >        netbios name = FILESERVER
>
> You do not need to set 'netbios name', Samba will fill it in for you.

Ok, that's good to know.

> Now we come to the 'biggy', did you actually read the line above 'You
> must set a DOMAIN backend configuration' ?
>
> Obviously not, because you do not appear to have done so, I would expect
> as a minimum:
>
> idmap config OURDOMAIN : backend = rid
> idmap config OURDOMAIN : range = 10000-999999
>
> There are other idmap backends and you could use a different range, but
> the ranges must not overlap.

I had read that, but I didn't quite understand what it meant, what would you recommend doing with those lines? Maybe if it's no bother for you explain to me a bit how it works or send me a link with info.

When I look at the uid of the files on the member it seems they are correct, and if I check files it shows correctly. I haven't checked that smb.conf in years, so I thought it worked ok, but it seems not.

ls -n
    drwxrwx---+ 2 0 3004   4096 Feb 23 2021 Sebran
    -rwxrwx---+ 1 0 3004 950005 Feb 25 2021 sebran.exe
    -rwxrwx---+ 1 0 3004 191568 Nov 25 2021 sopa2b.jclic.zi

ls -lh
    drwxrwx---+ 2 root domain users 4.0K Feb 23 2021 Sebran
    -rwxrwx---+ 1 root domain users 928K Feb 25 2021 sebran.exe
    -rwxrwx---+ 1 root domain users 188K Nov 25 2021 sopa2b.jclic.zip

That seems correct.

Thx in advance.
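Added example, not part of either message and not Samba project code: a small check of the idmap rules discussed in this thread (a domain member needs 'idmap config DOMAIN' lines, and ranges must not overlap), plus the idmap_rid mapping ID = RID + low end of the range. The function names, the trimmed sample configs and the use of RID 513 (the well-known Domain Users RID) are assumptions made for the example.

```python
import re

# Constructed sample: the idmap-relevant lines of the posted member smb.conf.
POSTED = """
[global]
    security = ADS
    workgroup = OURDOMAIN
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
"""
# The same section plus the two lines suggested in the reply.
SUGGESTED = POSTED + """\
    idmap config OURDOMAIN : backend = rid
    idmap config OURDOMAIN : range = 10000-999999
"""

IDMAP = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)
PARAM = re.compile(r"^\s*(workgroup|security)\s*=\s*(\S+)", re.I)

def parse(conf):
    """Return (params, idmap); idmap maps domain -> {'backend': str, 'range': (lo, hi)}."""
    params, idmap = {}, {}
    for line in conf.splitlines():
        if m := IDMAP.match(line):
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            if key == "range":
                val = tuple(int(x) for x in val.split("-"))
            idmap.setdefault(dom, {})[key] = val
        elif m := PARAM.match(line):
            params[m.group(1).lower()] = m.group(2)
    return params, idmap

def check(conf):
    """List idmap problems in a domain member's smb.conf text."""
    params, idmap = parse(conf)
    dom = params.get("workgroup", "").upper()
    problems = []
    if params.get("security", "").upper() == "ADS" and dom not in idmap:
        problems.append(f"no 'idmap config {dom}' lines")
    ranges = sorted((v["range"], d) for d, v in idmap.items() if "range" in v)
    for ((_, hi1), d1), ((lo2, _), d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:  # next range starts before the previous one ends
            problems.append(f"ranges of {d1} and {d2} overlap")
    return problems

def rid_to_id(conf, domain, rid):
    """idmap_rid mapping (base_rid 0): Unix ID = RID + low end of the range."""
    lo, hi = parse(conf)[1][domain.upper()]["range"]
    return rid + lo if rid + lo <= hi else None
```

The gid 3004 in the 'ls -n' output lies inside the '*' range 3000-7999, while with the suggested rid lines Domain Users (RID 513) maps to 10513. Files on disk keep the numeric gid they were written with, so ownership should be reviewed with 'ls -n' after changing the idmap lines.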