Juan Ignacio
2022-Nov-30 19:30 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
Excellent.
Thx, for your explanation Rowland, now I can understand lots better.
I'm close to shutting down the old primary ad-dc to test if everyone can login and next try to demote it.

Some things I want to know before demoting.

I need to make a backup of the old samba 4.1 ad-dc on the old server "DC1".
I backed up manually all the /usr/local/samba/ directory

I was thinking of using this script of samba4 on GIT, which is more updated than the one I was using.
https://github.com/thctlo/samba4/blob/master/backup-script/backup_samba4

I already transferred FSMO roles to the new server "DC2". Is there any other thing I need to do before demoting the primary DC.
Anything else I must check or be careful with?

About the NEW ad-dc "DC2"
I have 4 full server backups a day on that server, do you think I need to backup samba anyway or is this enough if something fails.

Thx in advance.

On Mon, 28 Nov 2022 at 13:45, Rowland Penny via samba (<samba at lists.samba.org>) wrote:

> On 28/11/2022 16:11, Juan Ignacio wrote:
> > I didn't log into unix directly, I logged on a windows machine.
> > The problem is I needed the administrator account to manage some gpos and move the files from one member server to another and rewrite the permissions, timestamp and file ownership on windows.
> > If I write a file on the member it shows as root what seems correct for me because I don't want anyone accessing that share right now.
> > At least until I finish migrating the files.
> >
> > > Administrator is the Windows administrator with the RID '500', so with your DOMAIN low range it will have the Unix ID 10500, it is just a normal Unix user.
> >
> > How can I know that?
> >
> > We are not mapping administrator to root?
> >
> > OURDOMAIN\administrator is not equal to root and the uid=0?
> >
> > Sorry I'm trying to understand better.
>
> You are (or were) mapping Administrator to root, you had in smb.conf this line:
>
> username map = /etc/samba/user.map
>
> which should contain one line:
>
> !root = OURDOMAIN\Administrator
>
> This would, when Administrator connects via Samba have mapped the Windows user 'Administrator' to the Unix user 'root'
> However, due to a recent change, any RID under '1000' is ignored unless you also set 'min uid = 0' in smb.conf
>
> If you run 'getent passwd Administrator' on a Unix machine, you should get something like this:
>
> administrator:*:10500:10513::/home/administrator:/bin/bash
>
> This is using the 'rid' idmap backend.
>
> As you can see, Unix knows 'Administrator' by the ID '10500'. '10500' != '0' ('0' being the Unix ID for 'root')
>
> Do not do anything directly on Unix as Administrator, If you want to use Administrator on Unix, use the 'root' user instead.
>
> I hope this helps.
>
> Rowland
Rowland Penny
2022-Nov-30 19:50 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
On 30/11/2022 19:30, Juan Ignacio wrote:
> Excellent.
> Thx, for your explanation Rowland, now I can understand lots better.
> I'm close to shutting down the old primary ad-dc to test if everyone can login and next try to demote it.
>
> Some things I want to know before demoting.
>
> I need to make a backup of the old samba 4.1 ad-dc on the old server "DC1".
> I backed up manually all the /usr/local/samba/ directory

That is not how you backup Samba AD.

> I was thinking of using this script of samba4 on GIT, which is more updated than the one I was using.
> https://github.com/thctlo/samba4/blob/master/backup-script/backup_samba4

No, that was the old way and should no longer be used.

> I already transferred FSMO roles to the new server "DC2". Is there any other thing I need to do before demoting the primary DC.

What, you want to demote the DC that holds the FSMO roles ('primary' is what most people call the DC that holds the FSMO roles, even though there is no such thing as a primary DC)

> Anything else I must check or be careful with?

Yes, you must be very careful that you create another DC to replace the one that you are going to demote. One DC = bad, multiple DC's = good.

> About the NEW ad-dc "DC2"
> I have 4 full server backups a day on that server, do you think I need to backup samba anyway or is this enough if something fails.

Sorry, but you do not backup a DC, you backup the domain with 'samba-tool domain backup offline' or 'samba-tool domain backup online'

Rowland
Juan Ignacio
2022-Dec-01 00:57 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
> That is not how you backup Samba AD

I thought that was the way, at least that's what wiki said at the time when I installed the dc with samba 4.1, remember that this server is the old one in production.
I just want to make sure that if something goes wrong I can go back.

> No, that was the old way and should no longer be used.

My script is older than that one hehe...good to know.

> What, you want to demote the DC that holds the FSMO roles ('primary' is what most people call the DC that holds the FSMO roles, even though there is no such thing as a primary DC)

No, I want to demote the old DC that was in production "old primary", with samba 4.1.
I transferred the FSMO roles to the new AD-DC with samba 4.16 "DC2"
Now it is the primary
I used samba-tool fsmo transfer --role=all -UAdministrator

> Yes, you must be very careful that you create another DC to replace the one that you are going to demote. One DC = bad, multiple DC's = good.

For now I have 2 DCs, the old production one and the new one with samba 4.16.
The idea is to make more than 2 after I can demote the old.

> Sorry, but you do not backup a DC, you backup the domain with 'samba-tool domain backup offline' or 'samba-tool domain backup online'

Ok I'm going to try to use that command in the old server but I thought it didn't exist in samba 4.1.

Thx.
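
A pre-demotion check for the FSMO transfer discussed in this thread, as an added example that is not part of any poster's message: it reads the text printed by `samba-tool fsmo show` and reports any role still owned by the DC that is about to be demoted. The sample output, the domain suffix and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: check FSMO ownership before demoting a DC.
# Each line printed by `samba-tool fsmo show` has the form
#   <Name>MasterRole owner: CN=NTDS Settings,CN=<DC>,CN=Servers,...

# Constructed sample (site and domain suffix are made up): six roles on DC2,
# one deliberately left on DC1 to show the failure case.
sample_fsmo() {
    sfx='CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ourdomain,DC=example'
    for r in Schema Infrastructure RidAllocation DomainNaming DomainDnsZones ForestDnsZones; do
        echo "${r}MasterRole owner: CN=NTDS Settings,CN=DC2,$sfx"
    done
    echo "PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,$sfx"
}

# Print the roles whose owner is DC "$1" (case-insensitive); fsmo text on stdin.
roles_held_by() {
    awk -v dc="$1" '/ owner: / {
        split($0, rdn, ",")              # rdn[2] is the server RDN, e.g. CN=DC1
        owner = rdn[2]; sub(/^CN=/, "", owner)
        if (toupper(owner) == toupper(dc)) print $1
    }'
}

# Exit 0: DC "$1" owns no role. 1: it still owns some. 2: no role lines at all
# (e.g. samba-tool failed), which must not be mistaken for "owns nothing".
no_fsmo_roles_on() {
    out=$(cat)
    total=$(printf '%s\n' "$out" | awk '/ owner: /{n++} END{print n+0}')
    if [ "$total" -eq 0 ]; then
        echo "no FSMO role lines in input" >&2; return 2
    fi
    held=$(printf '%s\n' "$out" | roles_held_by "$1")
    if [ -n "$held" ]; then
        echo "$1 still holds:" $held >&2; return 1
    fi
    return 0
}

# Demo on the sample. On a DC: samba-tool fsmo show | no_fsmo_roles_on DC1
sample_fsmo | no_fsmo_roles_on DC1 || echo "DC1 is not ready to be demoted"
```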