[Samba] Issues post AD migration
- Date: Thu, 12 Apr 2018 06:47:45 +0000
- From: Praveen Ghimire via samba <samba@xxxxxxxxxxxxxxx>
- Subject: [Samba] Issues post AD migration
We ran the classic upgrade and migrated the domain. We were then able to add a Windows Server 2008R2 and dcpromo it.
Here are some of the issues we are seeing post migration
- Pre the migration, the password backend was LDAP. We had some groups that we had migrated into LDAP from TBD. These groups don't seem to have come up in AD.
- Any groups that were created in LDAP did show up in AD.
- We have a member server which we joined to the AD using the following
net ads join -U administrator
Enter administrator's password:
Using short domain name -- TESTDOM
Joined 'fs01' to dns domain 'testdom.group'
net_update_dns_internal: Failed to connect to our DC!
DNS update failed!
Ran the samba_dnsupdate --verbose --all-names in the Samba 4 AD DC box and got the following
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 27 entries
- Using a Windows 7 machine, we tried to access the shares in the member server and it fails with the following in the logs
user 'TESTDOM\pghimire' (from session setup) not permitted to access this share (downloads)
The user is a member of a group that has permissions for the folder (in smb.conf). This was one of the groups that didn't migrate to AD, so we set up the group in AD and added the user as a member.
Using smbclient the user account is able to enumerate all the shares in the Samba 4 DC and the member server
- Getent passwd does find the user
getent passwd "testdom\pghimire"
- Even if we add the permissions for the user in smb.conf the above still fails.
The following is the nsswitch.conf
passwd: files winbind
group: files winbind
The following is the member server's smb.conf
netbios name = FS01
security = ADS
workgroup = TESTDOM
realm = TESTDOM.GROUP
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# wins server = 192.168.1.18
log level = 2 auth:5
syslog = 0
log file = /var/log/samba-ad-dc/log.%m
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes