
Re: [Samba] wiki suggestions, part 2

On 10.04.2018 at 18:46, Rowland Penny via samba wrote:
> Thanks for the updates, I just wish more people would report errors &

I can send some more, this time from classicupgrade.

Again I do not want to do these changes myself, a samba expert should have a look.

Feedback for wiki page

Tried on Devuan 1 with compiled samba 4.7.6.


When going the classicupgrade route, there is no mention of DNS forwarder.
The "setting up" page points to the classicupgrade page before forwarders are mentioned, and the jump back happens to a section behind it.
The classicupgrade page itself does not mention forwarders.


The description of provision says that the file /etc/krb5.conf needs to be deleted before retrying, and copied there after provisioning. The description of classicupgrade does not mention these.

Also, classicupgrade recommends deleting only smb.conf and the private directory.
Provision additionally recommends deleting *.tdb and *.ldb files from
LOCKDIR: /usr/local/samba/var/lock/
STATEDIR: /usr/local/samba/var/locks/
CACHEDIR: /usr/local/samba/var/cache/

And the samba processes should also be killed before retrying.

Failure to do so can completely mess everything up; this should be mentioned.


The page says:
"To find duplicate SID's on other passdb backends (smbpasswd, tdbsam), you have to script around the output of the following two commands: pdbedit -Lv, net groupmap list"

Is that really so difficult? How about these two commands:

pdbedit -Lv  | grep "User SID" | sort | uniq -d
net groupmap list | cut -d- -f8 | sort | uniq -d

Is it enough when these both return nothing?
Maybe I misunderstand it.


The sample upgrade command creates this error message:
  error: no such option: --use-xattrs
It does work when the option --use-xattrs is left out.


The command "samba-tool domain classicupgrade" complains about missing file wins.dat.
Should that file be copied from the old server as well?
If so the command for that would probably be:
cp -p /usr/local/samba.PDC/var/locks/wins.dat /usr/local/samba.PDC/dbdir/


The description of doing classicupgrade on a new server should mention that /etc/passwd and /etc/group must contain the samba users.
Yes it is obvious, but it should be mentioned.


I have no idea what this sentence wants to tell me:

"It used to be thought that setting the Unix ID to the windows RID was acceptable, time has proven otherwise. If you have users and groups that use the Windows RID as their Unix ID, you should consider changing these before carrying out the upgrade. You should also consider removing any Unix IDs from the 'Well known SIDs', except for the 'Domain Users' group."

Is this referring to "net groupmap" ?
That lists in my case more than just Domain Users below 1000.
It also shows 512 as Domain Admins, and 514 as nobody.
Is this a problem?


"If any of your users have a RID less than '1000' and you wish these to exist in the new AD domain, you will need to change their RID, see below for how to do this."

How about this command:
pdbedit -Lv | grep SID | grep -v Group | cut -d- -f8

Does it do the right thing? Then it could be added as example.


The description of classicupgrade should tell that doing so affects the choice of workgroup name: Provisioning sets the workgroup to the domain, which is the first part of the realm.
Classicupgrade keeps the old workgroup name from the PDC.
It affects the login names, they are workgroup\user instead of domain\user.


The last line of the output of classicupgrade claims that the password
for administrator is set to the password of root.
This is not true, the administrator account keeps its password.


And one unrelated note:
The last three "restrict" lines on
could probably be replaced with one line "restrict source".
And "mask" appears to be the default, is thus not necessary.

