Juan Ignacio
2022-Nov-25 13:01 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
> > Well, apart from the fact you are not getting owner and group names now,
> > yes, it will work without them, you just have to explicitly ask for
> > them. No 'getent passwd', you have to use 'getent passwd username'.

I'm getting owner and group names, when I use getent passwd I get all users of the domain.
And on the files I'm getting domain usernames and domain group names when I do ls.

prueba:*:3015:3004::/home/OURDOMAIN/prueba:/bin/false
krbtgt:*:3014:3004::/home/OURDOMAIN/krbtgt:/bin/false
guest:*:3013:3004::/home/OURDOMAIN/guest:/bin/false

> > The problem is, Domain Users shouldn't be in the '3000' range, that
> > range is supposed to be for the BUILTIN domain.

On the WIKI it says to use those values.

* 3000-7999
DOMAIN 10000-999999

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Maybe at that moment I did not understand well what the difference is between using the default domain "*" or DOMAIN.
Please help me clarify this.

> > Is there a lot of data on the Unix domain member ?
> >
> > It will probably be easier to correctly setup a new Unix domain member
> > and then drag & drop the data across.

Yes, I have a lot of info on that file server, homes and shares.
But it is virtualized and with disks in passthrough.
Creating a new virtual Unix domain member and passing through the disks is not a difficult task for me.

The issue is how do we rewrite new uids and gids to the fs.
We should convert the current ones to the new ones by using the correct rid range.
The only way would be to pass them through Windows if I am correct and it will take too long.

On the other hand, I haven't had any major problems with this domain member either, I could wait to demote the old ad-dc and then accommodate a new member.
About this demote task to the old ad-dc, can something happen with this Unix member server? I need to take care of that.

> > As for the idmap backend, there are a few of them, but the main ones are:
> > autorid
> > rid
> > ad

Excellent explanation, thx you.

The thing is, why am I using samba's idmap_tdb backend for Winbind?
idmap config * : backend = tdb
Maybe because the old ad-DC was misconfigured or something?
Or it was recommended before.
Now after those years I can't remember why I use tdb.

> > Any questions, please ask.

I think I'm asking a lot sometimes, I don't like to bother with things that may seem basic.

Thx for your patience.

On Thu, 24 Nov 2022 16:27, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On 24/11/2022 18:51, Juan Ignacio wrote:
> > > You do not need the 'winbind enum' lines, they can just slow things
> > > down, winbind has to enumerate all users and groups.
> >
> > Ok, so if I remove those lines I can still correctly see owner and group
> > names in unix?
>
> Well, apart from the fact you are not getting owner and group names now,
> yes, it will work without them, you just have to explicitly ask for
> them. No 'getent passwd', you have to use 'getent passwd username'.
>
> > I had read that, but I didn't quite understand what it meant,
>
> If you do not understand something, please ask.
>
> > what would
> > you recommend doing with those lines?
> > Maybe if it's no bother for you explain to me a bit how it works or send
> > me a link with info.
> >
> > When I look at the uid of the files on the member it seems they are
> > correct, and if I check files it shows correctly.
> > I haven't checked that smb.conf in years, so I thought it worked ok, but
> > it seems not.
> >
> > ls -n
> > drwxrwx---+ 2 0 3004 4096 Feb 23 2021 Sebran
> > -rwxrwx---+ 1 0 3004 950005 Feb 25 2021 sebran.exe
> > -rwxrwx---+ 1 0 3004 191568 Nov 25 2021 sopa2b.jclic.zi
> >
> > ls -lh
> > drwxrwx---+ 2 root domain users 4.0K Feb 23 2021 Sebran
> > -rwxrwx---+ 1 root domain users 928K Feb 25 2021 sebran.exe
> > -rwxrwx---+ 1 root domain users 188K Nov 25 2021 sopa2b.jclic.zip
>
> That seems correct.
>
> The problem is, Domain Users shouldn't be in the '3000' range, that
> range is supposed to be for the BUILTIN domain.
>
> Is there a lot of data on the Unix domain member ?
>
> It will probably be easier to correctly setup a new Unix domain member
> and then drag & drop the data across.
>
> As for the idmap backend, there are a few of them, but the main ones are:
> autorid
> rid
> ad
>
> The first two are the easiest to set up, they calculate the Unix ID from
> the RID and the low range you set in smb.conf. The main difference
> between the two is that autorid is meant for multiple domains and you
> cannot use 'winbind use default domain = yes' with it. The rid backend
> calculates the Unix ID in a similar way and is meant for a single domain
> and you can use 'winbind use default domain = yes'. With either idmap
> backend, you do not add anything to AD.
>
> The 'ad' idmap backend works in a totally different way, you must add
> uidNumber attributes to Users that you require visible on Unix domain
> members. You must also add gidNumber attributes to groups, the group
> 'Domain Users' must be given a gidNumber attribute or no users will be
> visible. All uidNumber and gidNumber attributes set must be within the
> range set in the smb.conf. You can use 'winbind use default domain =
> yes' with the 'ad' backend.
>
> Any questions, please ask.
>
> Rowland
Rowland Penny
2022-Nov-25 13:46 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
On 25/11/2022 13:01, Juan Ignacio wrote:
> > Well, apart from the fact you are not getting owner and group names
> > now, yes, it will work without them, you just have to explicitly ask for
> > them. No 'getent passwd', you have to use 'getent passwd username'.
>
> I'm getting owner and group names, when I use getent passwd I get all
> users of the domain.

That is because you have 'winbind enum users = yes' set, which you DO NOT NEED.

> And on the files I'm getting domain usernames and domain group names
> when I do ls.
>
> prueba:*:3015:3004::/home/OURDOMAIN/prueba:/bin/false
> krbtgt:*:3014:3004::/home/OURDOMAIN/krbtgt:/bin/false
> guest:*:3013:3004::/home/OURDOMAIN/guest:/bin/false

When you posted your smb.conf it had these two 'idmap config' lines (and only those two lines):

idmap config * : backend = tdb
idmap config * : range = 3000-7999

If you will note, all the numbers above are between 3000 and 7999, the range set. But your domain users shouldn't have ID numbers in that range; because you did not set the required 'OURDOMAIN' idmap config lines they are all being treated as if they are not members of the 'OURDOMAIN' domain and are getting IDs from the default '*' domain. THIS IS WRONG.

> > The problem is, Domain Users shouldn't be in the '3000' range, that
> > range is supposed to be for the BUILTIN domain.
>
> On the WIKI it says to use those values.
>
> * 3000-7999
> DOMAIN 10000-999999
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Yes, I know, I wrote it.

> Maybe at that moment I did not understand well what the difference is
> between using the default domain "*" or DOMAIN.
> Please help me clarify this.
>
> > Is there a lot of data on the Unix domain member ?
> >
> > It will probably be easier to correctly setup a new Unix domain member
> > and then drag & drop the data across.
>
> Yes, I have a lot of info on that file server, homes and shares.
> But it is virtualized and with disks in passthrough.
> Creating a new virtual Unix domain member and passing through the disks is
> not a difficult task for me.
>
> The issue is how do we rewrite new uids and gids to the fs.

You do not rewrite uids & gids on a Unix domain member, that is Samba's job and it does it based on the winbind idmap backend used.

> We should convert the current ones to the new ones by using the correct
> rid range.
> The only way would be to pass them through Windows if I am correct and
> it will take too long.

You can find out what numeric ID a user is using now, correct the smb.conf and restart Samba, then write a script to search for each ID, convert that to the username, then chown the file/directory. That will be a lot of work. Or you could do what I suggested, create a new Unix domain member with a correctly set smb.conf and then copy the files across, this should correct your problem.

> On the other hand, I haven't had any major problems with this domain
> member either, I could wait to demote the old ad-dc and then accommodate
> a new member.

If your number of users and groups grows, you are going to have problems.

> About this demote task to the old ad-dc, can something happen with this
> Unix member server? I need to take care of that.

If you have joined a new DC to the domain and replication, dns, etc. are working, then your Unix domain member will be able to use either DC, it shouldn't notice a difference.

> > As for the idmap backend, there are a few of them, but the main ones are:
> > autorid
> > rid
> > ad
>
> Excellent explanation, thx you.
>
> The thing is, why am I using samba's idmap_tdb backend for Winbind?
> idmap config * : backend = tdb
> Maybe because the old ad-DC was misconfigured or something?
> Or it was recommended before.
> Now after those years I can't remember why I use tdb.

That is what is used for the default domain, which is only supposed to be for the Well Known SIDs (there are fewer than 200 of those) and anything outside the DOMAIN domain (DOMAIN is just a placeholder for the real domain name, like you are using 'OURDOMAIN').

> > Any questions, please ask.
>
> I think I'm asking a lot sometimes, I don't like to bother with things
> that may seem basic.

The only stupid question is the one you do not ask ;-) I would rather answer questions before something is done, than do what I am doing now, giving you bad news.

> Thx for your patience.

No problem

Rowland
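As an added illustration of the misconfiguration Rowland describes (this is example code, not from the thread or from Samba itself): a small Python check that parses the two 'idmap config' forms, flags a missing or overlapping domain range, lists the accounts whose uid landed in the '*' range, and applies the idmap_rid arithmetic (ID = RID - base_rid + low range, as the idmap_rid man page documents). The smb.conf text, the passwd lines and the OURDOMAIN name are constructed from the values quoted above; ranges are assumed to be written as low-high without spaces, as on the wiki.

```python
import re

# Constructed sample input (not from the poster's real server): the two idmap
# lines the posted smb.conf had, and the same file with an OURDOMAIN block added.
BROKEN_CONF = """idmap config * : backend = tdb
idmap config * : range = 3000-7999
"""
FIXED_CONF = BROKEN_CONF + """idmap config OURDOMAIN : backend = rid
idmap config OURDOMAIN : range = 10000-999999
"""
# The getent passwd lines quoted in the thread.
PASSWD = """prueba:*:3015:3004::/home/OURDOMAIN/prueba:/bin/false
krbtgt:*:3014:3004::/home/OURDOMAIN/krbtgt:/bin/false
guest:*:3013:3004::/home/OURDOMAIN/guest:/bin/false"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(conf):
    """Collect {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    cfg = {}
    for m in filter(None, map(IDMAP_RE.match, conf.splitlines())):
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        entry[key] = tuple(int(x) for x in val.split("-")) if key == "range" else val.lower()
    return cfg

def check_idmap(cfg, domain):
    """Return the problems found; an empty list means the config is sane for `domain`."""
    problems = []
    if domain not in cfg or "range" not in cfg[domain]:
        problems.append(f"no 'idmap config {domain} : range': users fall into '*'")
    elif "range" in cfg.get("*", {}):
        (a, b), (c, d) = cfg["*"]["range"], cfg[domain]["range"]
        if a <= d and c <= b:  # the '*' range and the domain range must not overlap
            problems.append(f"'*' range {a}-{b} overlaps {domain} range {c}-{d}")
    return problems

def ids_in_default_range(passwd, cfg):
    """Accounts whose uid sits in the '*' range, i.e. mapped as non-domain objects."""
    low, high = cfg["*"]["range"]
    rows = (line.split(":")[:3] for line in passwd.splitlines())
    return [(name, int(uid)) for name, _, uid in rows if low <= int(uid) <= high]

def rid_to_unix_id(rid, cfg, domain, base_rid=0):
    """idmap_rid arithmetic: ID = RID - base_rid + range_low; None if outside the range."""
    low, high = cfg[domain]["range"]
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None
```

Running `ids_in_default_range(PASSWD, parse_idmap(BROKEN_CONF))` lists all three quoted accounts, which is exactly the symptom Rowland points at; with FIXED_CONF, 'Domain Users' (RID 513) would map to 10513 instead.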