Rowland Penny
2022-Nov-28 16:44 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
On 28/11/2022 16:11, Juan Ignacio wrote:
> I didn't log into unix directly, I logged on a windows machine.
> The problem is I needed the administrator account to manage some gpos
> and move the files from one member server to another and rewrite the
> permissions, timestamp and file ownership on windows.
> If I write a file on the member it shows as root what seems correct for
> me because I don't want anyone accessing that share right now.
> At least until I finish migrating the files.
>
>     Administrator is the Windows
>     administrator with the RID '500', so with your DOMAIN low range it will
>     have the Unix ID 10500, it is just a normal Unix user.
>
>
> How can I know that?
>
> We are not mapping administrator to root?
>
> OURDOMAIN\administrator is not equal to root and the uid=0?
>
> Sorry I'm trying to understand better.
>

You are (or were) mapping Administrator to root, you had in smb.conf this line:

username map = /etc/samba/user.map

which should contain one line:

!root = OURDOMAIN\Administrator

This would, when Administrator connects via Samba, have mapped the Windows user 'Administrator' to the Unix user 'root'.
However, due to a recent change, any RID under '1000' is ignored unless you also set 'min uid = 0' in smb.conf

If you run 'getent passwd Administrator' on a Unix machine, you should get something like this:

administrator:*:10500:10513::/home/administrator:/bin/bash

This is using the 'rid' idmap backend.

As you can see, Unix knows 'Administrator' by the ID '10500'. '10500' != '0' ('0' being the Unix ID for 'root')

Do not do anything directly on Unix as Administrator. If you want to use Administrator on Unix, use the 'root' user instead.

I hope this helps.

Rowland
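The two mappings described in the message above, worked through as an added example (not part of the original post and not Samba's own code): the 'rid' idmap arithmetic that yields 10500, and the separate username map lookup that yields 'root'. The smb.conf and user.map text is constructed, the upper range bound 999999 is an assumption, and the helper names are hypothetical.

```python
import re

# Constructed sample inputs; only the low range (10000) is implied by the thread.
SMB_CONF = """
[global]
    username map = /etc/samba/user.map
    idmap config OURDOMAIN : backend = rid
    idmap config OURDOMAIN : range = 10000-999999
"""
USER_MAP = """
# unix name = windows name(s)
!root = OURDOMAIN\\Administrator
"""
GETENT_LINE = "administrator:*:10500:10513::/home/administrator:/bin/bash"

def rid_range(smb_conf, domain):
    """Return (low, high) of the domain's idmap range from smb.conf text."""
    pat = rf"^\s*idmap config {re.escape(domain)}\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    m = re.search(pat, smb_conf, re.MULTILINE | re.IGNORECASE)
    if not m:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))

def rid_to_uid(rid, low, high, base_rid=0):
    """idmap 'rid' backend: ID = RID - base_rid + low; None if outside the range."""
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None

def mapped_unix_user(user_map, windows_name):
    """Unix name the username map assigns to windows_name, or None."""
    for line in user_map.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or not a mapping
        unix, _, names = line.partition("=")
        # Assumption: case-insensitive match, no quoted names containing spaces.
        if windows_name.lower() in (n.lower() for n in names.split()):
            return unix.strip().lstrip("!")  # '!' only means "stop at first match"
    return None

def getent_uid(passwd_line):
    """UID field (third column) of a passwd-format line."""
    return int(passwd_line.split(":")[2])

if __name__ == "__main__":
    low, high = rid_range(SMB_CONF, "OURDOMAIN")
    print("rid backend uid for RID 500:", rid_to_uid(500, low, high))
    print("getent uid:", getent_uid(GETENT_LINE))
    print("username map:", mapped_unix_user(USER_MAP, "OURDOMAIN\\Administrator"))
```

The rid-derived UID matches the getent line and is never 0; only the username map produces 'root', and only for connections that go through Samba.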
Juan Ignacio
2022-Nov-30 19:30 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
Excellent.
Thx, for your explanation Rowland, now I can understand lots better.

I'm close to shutting down the old primary ad-dc to test if everyone can login and next try to demote it.

Some things I want to know before demoting.

I need to make a backup of the old samba 4.1 ad-dc on the old server "DC1".
I backed up manually all the /usr/local/samba/ directory.
I was thinking of using this script of samba4 on GIT, which is more updated than the one I was using.
https://github.com/thctlo/samba4/blob/master/backup-script/backup_samba4

I already transferred FSMO roles to the new server "DC2".
Is there any other thing I need to do before demoting the primary DC?
Anything else I must check or be careful with?

About the NEW ad-dc "DC2":
I have 4 full server backups a day on that server, do you think I need to backup samba anyway or is this enough if something fails?

Thx in advance.