Juan Ignacio
2022-Nov-25 20:45 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
Rowland, I did that setup for a new unix member server and test.

[global]
        log file = /var/log/samba/%m.log
        log level = 1
        realm = OURDOMAIN.ORG
        security = ADS
        server role = member server
        username map = /etc/samba/user.map
        workgroup = OURDOMAIN
        idmap config ourserver: range = 10000-9999999
        idmap config ourserver: backend = rid

After installing everything needed, starting the services and joining, I cannot get
anything from getent passwd OURDOMAIN\\user

I get users if I use wbinfo -u

Another thing is when I check with the command wbinfo --ping-dc

I get

checking the NETLOGON for domain[OURDOMAIN] dc connection to "DC1.OURDOMAIN.ORG" succeeded

DC1 is the old AD DC which has Samba 4.1.

I want the new one, DC2. Why is it not connected to this DC?

I installed samba 4.17 from the backports repos.

On Fri, 25 Nov 2022 at 10:48, Rowland Penny via samba (<samba at lists.samba.org>) wrote:

>
>
> On 25/11/2022 13:01, Juan Ignacio wrote:
> > Well, apart from the fact you are not getting owner and group names
> > now,
> > yes, it will work without them, you just have to explicitly ask for
> > them. No 'getent passwd', you have to use 'getent passwd username'.
> >
> >
> > I'm getting owner and group names, when I use getent passwd I get all
> > users of the domain.
>
> That is because you have 'winbind enum users = yes' set, which you DO
> NOT NEED.
>
> > And on the files I'm getting domain usernames and domain group names
> > when I do ls.
> >
> > prueba:*:3015:3004::/home/OURDOMAIN/prueba:/bin/false
> > krbtgt:*:3014:3004::/home/OURDOMAIN/krbtgt:/bin/false
> > guest:*:3013:3004::/home/OURDOMAIN/guest:/bin/false
>
> When you posted your smb.conf it had these two 'idmap config' lines (and
> only those two lines):
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> If you will note, all the numbers above are between 3000 and 7999, the
> range set.
>
> But your domain users shouldn't have ID numbers in that range, but
> because you did not set the required 'OURDOMAIN' idmap config lines they
> are all being treated as if they are not members of the 'OURDOMAIN'
> domain and are getting IDs from the default '*' domain. THIS IS WRONG.
>
> > The problem is, Domain Users shouldn't be in the '3000' range, that
> > range is supposed to be for the BUILTIN domain.
> >
> > On the WIKI it says to use those values.
> > |*| *3000-7999*
> > |DOMAIN| *10000-999999*
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Yes, I know, I wrote it.
>
> > Maybe at that moment I did not understand well what the difference is
> > between using the default domain "*" or DOMAIN.
> > Please help me clarify this.
> >
> > Is there a lot of data on the Unix domain member?
> >
> > It will probably be easier to correctly set up a new Unix domain member
> > and then drag & drop the data across.
> >
> >
> > Yes, I have a lot of info on that file server, homes and shares.
> > But it is virtualized and with disks in passthrough.
> > Creating a new virtual unix domain member and passing the disks through is
> > not a difficult task for me.
> >
> > The issue is how do we rewrite new uids and gids to the fs.
>
> You do not rewrite uids & gids on a Unix domain member, that is
> Samba's job and it does it based on the winbind idmap backend used.
>
> > We should convert the current ones to the new ones by using the correct
> > rid range.
> > The only way would be to pass them through windows if I am correct and
> > it will take too long.
>
> You can find out what numeric ID a user is using now. Correct the
> smb.conf and restart Samba, then write a script to search for each ID,
> convert that to the username, then chown the file/directory. That will
> be a lot of work.
> Or you could do what I suggested, create a new Unix domain member with a
> correctly set smb.conf and then copy the files across, this should
> correct your problem.
>
> > On the other hand, I haven't had any major problems with this domain
> > member either, I could wait to demote the old AD DC and then accommodate
> > a new member.
>
> If your number of users and groups grows, you are going to have problems.
>
> > About this demote task on the old AD DC, can something happen with this
> > unix member server? I need to take care of that.
>
> If you have joined a new DC to the domain and replication, dns, etc. are
> working, then your Unix domain member will be able to use either DC, it
> shouldn't notice a difference.
>
> > As for the idmap backend, there are a few of them, but the main ones are:
> > autorid
> > rid
> > ad
> >
> >
> > Excellent explanation, thank you.
> >
> > The thing is, why am I using samba's idmap_tdb backend for Winbind?
> > idmap config * : backend = tdb
> > Maybe because the old AD DC was misconfigured or something?
> > Or it was recommended before.
> > Now after those years I can't remember why I use tdb.
>
> That is what is used for the default domain, which is only supposed to
> be for the Well Known SIDs (there are less than 200 of those) and
> anything outside the DOMAIN domain (DOMAIN is just a placeholder for the
> real domain name, like you are using 'OURDOMAIN')
>
> > Any questions, please ask.
> >
> >
> > I think I'm asking a lot sometimes, I don't like to bother with things
> > that may seem basic.
>
> The only stupid question is the one you do not ask ;-)
>
> I would rather answer questions before something is done, than do what I
> am doing now, giving you bad news.
>
> > Thanks for your patience.
> >
> No problem
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
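An added example, not code from this thread, of the remap Rowland's quoted reply describes: take the IDs that files currently carry (allocated from the '*' tdb range because the OURDOMAIN idmap lines were missing), resolve each to the user's domain SID, and compute the ID that idmap_rid will hand out once 'idmap config OURDOMAIN : range = 10000-9999999' is in place, so the chown work can be planned before touching anything. The passwd lines are the ones from the thread; the SID values, RIDs and file paths are constructed placeholders.

```python
import re

# Constructed sample: 'getent passwd' output from the mis-configured member,
# where domain users were allocated IDs from the '*' tdb range 3000-7999.
OLD_PASSWD = """\
prueba:*:3015:3004::/home/OURDOMAIN/prueba:/bin/false
krbtgt:*:3014:3004::/home/OURDOMAIN/krbtgt:/bin/false
guest:*:3013:3004::/home/OURDOMAIN/guest:/bin/false
"""

# Constructed sample in the shape of 'wbinfo --name-to-sid' output; the
# domain SID and RIDs are made up for this example.
SID_LOOKUP = {
    "prueba": "S-1-5-21-111-222-333-1104 SID_USER (1)",
    "krbtgt": "S-1-5-21-111-222-333-502 SID_USER (1)",
    "guest":  "S-1-5-21-111-222-333-501 SID_USER (1)",
}

RID_LOW, RID_HIGH = 10000, 9999999   # idmap config OURDOMAIN : range


def rid_to_id(rid: int, low: int = RID_LOW, high: int = RID_HIGH) -> int:
    """idmap_rid's deterministic rule: ID = RID + LOW_RANGE_ID.
    The '*' tdb range has no such rule: its IDs are allocated on first
    sight, which is why the old 3013..3015 values cannot be recomputed."""
    new_id = low + rid
    if new_id > high:
        raise ValueError(f"RID {rid} maps outside the range {low}-{high}")
    return new_id


def parse_rid(wbinfo_line: str) -> int:
    """Take the last SID component (the RID) from a wbinfo --name-to-sid line."""
    m = re.match(r"(S-1-5-21(?:-\d+){3})-(\d+)\s", wbinfo_line)
    if not m:
        raise ValueError(f"not a domain SID: {wbinfo_line!r}")
    return int(m.group(2))


def build_uid_remap(old_passwd: str, sid_lookup: dict) -> dict:
    """Map each uid currently on disk to the uid idmap_rid will assign."""
    remap = {}
    for line in old_passwd.splitlines():
        name, _, uid, *_ = line.split(":")
        remap[int(uid)] = rid_to_id(parse_rid(sid_lookup[name]))
    return remap


def plan_chowns(files: dict, remap: dict) -> list:
    """files: path -> current owner uid; returns (path, old, new) where it changes."""
    return [(p, u, remap[u]) for p, u in sorted(files.items())
            if u in remap and remap[u] != u]
```

Run the returned plan through os.chown (or chown on the command line) only after the corrected smb.conf is in place and 'getent passwd OURDOMAIN\\user' shows the expected new IDs.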
Dale
2022-Nov-25 21:08 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
Juan,

The full idmap configuration should be

idmap config * : backend = tdb
idmap config * : range = 3000-3999
idmap config OURDOMAIN : backend = rid
idmap config OURDOMAIN : range = 10000-9999999

Also, /etc/nsswitch.conf should include winbind on the passwd and group lines, similar to the following:

passwd: files winbind
group: files winbind

This is all assuming you have already installed libpam-winbind and libnss-winbind

Dale

There are other steps mentioned in the wiki

On 11/25/22 2:45 PM, Juan Ignacio via samba wrote:
> Rowland, I did that setup for a new unix member server and test.
>
> [global]
>         log file = /var/log/samba/%m.log
>         log level = 1
>         realm = OURDOMAIN.ORG
>         security = ADS
>         server role = member server
>         username map = /etc/samba/user.map
>         workgroup = OURDOMAIN
>         idmap config ourserver: range = 10000-9999999
>         idmap config ourserver: backend = rid
>
>
> After installing everything needed, starting the services and joining, I cannot get
> anything from getent passwd OURDOMAIN\\user
>
> I get users if I use wbinfo -u
>
> Another thing is when I check with the command wbinfo --ping-dc
>
> I get
>
> checking the NETLOGON for domain[OURDOMAIN] dc connection to
> "DC1.OURDOMAIN.ORG" succeeded
>
> DC1 is the old AD DC which has Samba 4.1.
>
> I want the new one, DC2. Why is it not connected to this DC?
>
> I installed samba 4.17 from the backports repos.
>
>
>
>
>
> On Fri, 25 Nov 2022 at 10:48, Rowland Penny via samba (<samba at lists.samba.org>) wrote:
>
>>
>> On 25/11/2022 13:01, Juan Ignacio wrote:
>>> Well, apart from the fact you are not getting owner and group names
>>> now,
>>> yes, it will work without them, you just have to explicitly ask for
>>> them. No 'getent passwd', you have to use 'getent passwd username'.
>>>
>>>
>>> I'm getting owner and group names, when I use getent passwd I get all
>>> users of the domain.
>> That is because you have 'winbind enum users = yes' set, which you DO
>> NOT NEED.
Rowland Penny
2022-Nov-25 21:25 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
On 25/11/2022 20:45, Juan Ignacio wrote:
> Rowland, I did that setup for a new unix member server and test.
>
> [global]
>         log file = /var/log/samba/%m.log
>         log level = 1
>         realm = OURDOMAIN.ORG
>         security = ADS
>         server role = member server
>         username map = /etc/samba/user.map
>         workgroup = OURDOMAIN
>         idmap config ourserver: range = 10000-9999999
>         idmap config ourserver: backend = rid

I do not think you are getting this, you need both sets of the idmap config lines, you have two domains, the default domain '*' and the 'OURDOMAIN' domain, so you should have these lines:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config OURDOMAIN : backend = rid
idmap config OURDOMAIN : range = 10000-9999999

>
> After installing everything needed, starting the services and joining, I cannot get
> anything from getent passwd OURDOMAIN\\user

You will not, part of which is that 'ourserver' != 'OURDOMAIN'

>
> I get users if I use wbinfo -u

That is a bit meaningless, wbinfo reads directly from AD, Unix is not involved.

>
> Another thing is when I check with the command wbinfo --ping-dc
>
> I get
>
> checking the NETLOGON for domain[OURDOMAIN] dc connection to "DC1.OURDOMAIN.ORG" succeeded
>
> DC1 is the old AD DC which has Samba 4.1.
>
> I want the new one, DC2. Why is it not connected to this DC?

Probably if you keep trying, DC2 will reply, Winbind will use the DC it thinks is best, this is influenced by the first nameserver in /etc/resolv.conf

Rowland