Juan Ignacio
2022-Nov-24 18:51 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
> On 24/11/2022 17:25, Juan Ignacio wrote:
> > > What is a 'member dc' ??
> >
> > Sorry I must say a member of the DC or domain member as i said before.
> > Language Troubles.
> >
> > > If your 'member dc' is just another DC, then that smb.conf is not valid
> > > because you do not use the 'idmap config' lines in a DC smb.conf
> >
> > No its member is a Unix Domain Member to clarify, so the smb.conf seems OK.
>
> Sorry, but no it doesn't.

Ok, let's try to fix that server too.

> You do not need the 'winbind enum' lines, they can just slow things
> down, winbind has to enumerate all users and groups.

Ok, so if i remove those lines i can still correctly see owner and group names in unix?

> > [global]
> > netbios name = FILESERVER
>
> You do not need to set 'netbios name', Samba will fill it in for you.

Ok, that's good to know.

> Now we come to the 'biggy', did you actually read the line above 'You
> must set a DOMAIN backend configuration' ?
>
> Obviously not, because you do not appear to have done so, I would expect
> as a minimum:
>
> idmap config OURDOMAIN : backend = rid
> idmap config OURDOMAIN : range = 10000-999999
>
> There are other idmap backends and you could use a different range, but
> the ranges must not overlap.

I had read that, but I didn't quite understand what it meant, what would you recommend doing with those lines?
Maybe if it's no bother for you explain to me a bit how it works or send me a link with info.

When I look at the uid of the files on the member it seems they are correct, and if I check files it shows correctly.
I haven't checked that smb.conf in years, so I thought it worked ok, but it seems not.

ls -n
drwxrwx---+  2    0 3004    4096 Feb 23  2021 Sebran
-rwxrwx---+  1    0 3004  950005 Feb 25  2021 sebran.exe
-rwxrwx---+  1    0 3004  191568 Nov 25  2021 sopa2b.jclic.zi

ls -lh
drwxrwx---+  2 root  domain users 4.0K Feb 23  2021 Sebran
-rwxrwx---+  1 root  domain users 928K Feb 25  2021 sebran.exe
-rwxrwx---+  1 root  domain users 188K Nov 25  2021 sopa2b.jclic.zip

That seems correct.

Thx in advance.

On Thu, 24 Nov 2022 at 14:39, Rowland Penny via samba (<samba at lists.samba.org>) wrote:
>
> On 24/11/2022 17:25, Juan Ignacio wrote:
> > > What is a 'member dc' ??
> >
> > Sorry I must say a member of the DC or domain member as i said before.
> > Language Troubles.
> >
> > > If your 'member dc' is just another DC, then that smb.conf is not valid
> > > because you do not use the 'idmap config' lines in a DC smb.conf
> >
> > No its member is a Unix Domain Member to clarify, so the smb.conf seems OK.
>
> Sorry, but no it doesn't.
>
> > > > I didn't make any changes on it, I must know if maybe I need to check
> > > > resolv.conf and hosts and other info before demoting the primary old
> > > > ad-dc...
> > >
> > > If your 'member dc' is actually a Unix domain member, then that smb.conf
> > > is not valid because there are no 'DOMAIN' 'idmap config' lines.
> >
> > Yea but we put these lines a long time ago, this is the complete global
> > of the member file server.
>
> Let's walk through your smb.conf:
>
> > [global]
> > netbios name = FILESERVER
>
> You do not need to set 'netbios name', Samba will fill it in for you.
>
> > security = ADS
> > workgroup = OURDOMAIN
> > realm = OURDOMAIN.ORG
> >
> > log file = /var/log/samba/%m.log
> > log level = 10
> >
> > vfs objects = acl_xattr
> > map acl inherit = yes
> > store dos attributes = yes
> >
> > #WINBIND
> > winbind enum users = yes
> > winbind enum groups = yes
>
> You do not need the 'winbind enum' lines, they can just slow things
> down, winbind has to enumerate all users and groups.
>
> > winbind refresh tickets = yes
> > winbind use default domain = yes
> > winbind cache time = 60
> >
> > # Default ID mapping configuration for local BUILTIN accounts
> > # and groups on a domain member. The default (*) domain:
> > # - must not overlap with any domain ID mapping configuration!
> > # - must use a read-write-enabled back end, such as tdb.
> > # - Adding just this is not enough
> > # - You must set a DOMAIN backend configuration, see below
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
>
> Now we come to the 'biggy', did you actually read the line above 'You
> must set a DOMAIN backend configuration' ?
>
> Obviously not, because you do not appear to have done so, I would expect
> as a minimum:
>
> idmap config OURDOMAIN : backend = rid
> idmap config OURDOMAIN : range = 10000-999999
>
> There are other idmap backends and you could use a different range, but
> the ranges must not overlap.
>
> > username map = /usr/local/samba/etc/user.map
> >
> > The samba was built from sources.
>
> Doesn't matter where Samba comes from, you set it up the same, just
> different paths.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2022-Nov-24 19:26 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
On 24/11/2022 18:51, Juan Ignacio wrote:
> > You do not need the 'winbind enum' lines, they can just slow things
> > down, winbind has to enumerate all users and groups.
>
> Ok, so if i remove those lines i can still correctly see owner and group
> names in unix?

Well, apart from the fact you are not getting owner and group names now, yes, it will work without them, you just have to explicitly ask for them. No 'getent passwd', you have to use 'getent passwd username'.

> I had read that, but I didn't quite understand what it meant,

If you do not understand something, please ask.

> what would you recommend doing with those lines?
> Maybe if it's no bother for you explain to me a bit how it works or send
> me a link with info.
>
> When I look at the uid of the files on the member it seems they are
> correct, and if I check files it shows correctly.
> I haven't checked that smb.conf in years, so I thought it worked ok, but
> it seems not.
>
> ls -n
> drwxrwx---+  2    0 3004    4096 Feb 23  2021 Sebran
> -rwxrwx---+  1    0 3004  950005 Feb 25  2021 sebran.exe
> -rwxrwx---+  1    0 3004  191568 Nov 25  2021 sopa2b.jclic.zi
>
> ls -lh
> drwxrwx---+  2 root  domain users 4.0K Feb 23  2021 Sebran
> -rwxrwx---+  1 root  domain users 928K Feb 25  2021 sebran.exe
> -rwxrwx---+  1 root  domain users 188K Nov 25  2021 sopa2b.jclic.zip
>
> That seems correct.

The problem is, Domain Users shouldn't be in the '3000' range, that range is supposed to be for the BUILTIN domain.

Is there a lot of data on the Unix domain member? It will probably be easier to correctly set up a new Unix domain member and then drag & drop the data across.

As for the idmap backend, there are a few of them, but the main ones are:

autorid
rid
ad

The first two are the easiest to set up, they calculate the Unix ID from the RID and the low range you set in smb.conf. The main difference between the two is that autorid is meant for multiple domains and you cannot use 'winbind use default domain = yes' with it.

The rid backend calculates the Unix ID in a similar way and is meant for a single domain and you can use 'winbind use default domain = yes'. With either idmap backend, you do not add anything to AD.

The 'ad' idmap backend works in a totally different way, you must add uidNumber attributes to Users that you require visible on Unix domain members. You must also add gidNumber attributes to groups, the group 'Domain Users' must be given a gidNumber attribute or no users will be visible. All uidNumber and gidNumber attributes set, must be within the range set in the smb.conf. You can use 'winbind use default domain = yes' with the 'ad' backend.

Any questions, please ask.

Rowland
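Added illustration, not code from this thread or from the Samba project: a small Python checker that applies the rules Rowland states above to the 'idmap config' lines of a domain member smb.conf. It flags a missing DOMAIN backend and overlapping ranges, computes the Unix ID the rid backend would assign (assumed here to be the low end of the domain range plus the RID, with Samba's default base_rid of 0), and reports which idmap domain an existing Unix ID such as the gid 3004 seen above falls into. The two smb.conf fragments are constructed from the lines quoted in the thread; the function names and the well-known RID 513 of 'Domain Users' are not from the thread.

```python
"""Sanity-check the 'idmap config' lines of a Samba domain member smb.conf."""
import re

# Constructed sample: the member server's idmap lines as shown in the thread,
# with only the default (*) domain configured and no DOMAIN backend.
SMB_CONF_BROKEN = """
[global]
    security = ADS
    workgroup = OURDOMAIN
    realm = OURDOMAIN.ORG
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    username map = /usr/local/samba/etc/user.map
"""

# Constructed sample: the same fragment plus the DOMAIN lines suggested in the thread.
SMB_CONF_FIXED = SMB_CONF_BROKEN + """
    idmap config OURDOMAIN : backend = rid
    idmap config OURDOMAIN : range = 10000-999999
"""

DOMAIN_USERS_RID = 513  # well-known RID of the 'Domain Users' group

_IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {'backend': ..., 'range': ...}} for every idmap config line."""
    domains = {}
    for line in conf.splitlines():
        m = _IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    return domains


def parse_range(spec):
    """Turn 'LOW-HIGH' into (low, high), rejecting empty or reversed ranges."""
    lo, hi = (int(x) for x in spec.split("-", 1))
    if lo >= hi:
        raise ValueError("bad idmap range %r" % spec)
    return lo, hi


def check_idmap(conf, workgroup):
    """List the problems a domain member's idmap setup has; [] means it looks sane."""
    domains = parse_idmap(conf)
    problems = []
    if "*" not in domains:
        problems.append("no default (*) idmap domain")
    if workgroup.upper() not in domains:
        problems.append("no idmap config for domain %s" % workgroup.upper())
    ranges = {}
    for dom, cfg in domains.items():
        if "backend" not in cfg:
            problems.append("%s: backend missing" % dom)
        if "range" not in cfg:
            problems.append("%s: range missing" % dom)
            continue
        ranges[dom] = parse_range(cfg["range"])
    # The ranges of different idmap domains must not overlap.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append("ranges of %s and %s overlap" % (a, b))
    return problems


def rid_to_unix_id(conf, workgroup, rid):
    """Unix ID the rid backend assigns: low end of the domain range + RID (base_rid 0)."""
    cfg = parse_idmap(conf).get(workgroup.upper(), {})
    if cfg.get("backend", "").lower() != "rid":
        raise ValueError("%s does not use the rid backend" % workgroup)
    lo, hi = parse_range(cfg["range"])
    unix_id = lo + rid
    if unix_id > hi:
        raise ValueError("RID %d maps to %d, above the range end %d" % (rid, unix_id, hi))
    return unix_id


def owning_domain(conf, unix_id):
    """Name of the idmap domain whose range contains unix_id, or None if unmapped."""
    for dom, cfg in parse_idmap(conf).items():
        if "range" in cfg:
            lo, hi = parse_range(cfg["range"])
            if lo <= unix_id <= hi:
                return dom
    return None


if __name__ == "__main__":
    print("broken:", check_idmap(SMB_CONF_BROKEN, "OURDOMAIN"))
    print("fixed: ", check_idmap(SMB_CONF_FIXED, "OURDOMAIN"))
    print("Domain Users gid with rid backend:",
          rid_to_unix_id(SMB_CONF_FIXED, "OURDOMAIN", DOMAIN_USERS_RID))
    print("gid 3004 belongs to idmap domain:", owning_domain(SMB_CONF_FIXED, 3004))
```

Run against the broken fragment the checker reports only the missing OURDOMAIN configuration; against the fixed one it reports nothing, and it shows why the gid 3004 seen in the 'ls -n' output is wrong for 'Domain Users': 3004 sits in the default (*) range reserved for BUILTIN, whereas the rid backend with a 10000-999999 range would give 'Domain Users' gid 10513. The same check is not meaningful on a DC smb.conf, which as the thread notes does not use 'idmap config' lines at all.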