
Re: [Samba] samba 4 joining samba 3 pdc - group mismatch




On Wed, 2 May 2018 21:46:52 +0100
Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:

> On Wed, 2 May 2018 17:12:30 -0300
> "Ethy H. Brito via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> 
> > 
> > Hi all
> > 
> > Background: I am not a samba expert, not even close!
> > 
> > I have an ancient samba 3 (Server role: ROLE_DOMAIN_PDC) and I intend
> > to migrate all files to a samba 4 (Server role: ROLE_DOMAIN_MEMBER)
> > 
> > Users will stay in S3 for now.
> > 
> > Samba 4 joined samba 3 with no problems.
> > I rsync'ed all files and its permissions (rsync -a ...).
> > 
> > But...
> > I cannot find a way to make S4 see S3 users and groups in an
> > "ordered" manner.
> > 
> > "id some_user" returns "almost" valid data for some users and 
> > "id: ‘some_user’: no such user" for others.
> > I say "almost" because not all groups for all users are returned.
> > 
> > Example:
> > 	S4# id jgarcia
> > 	uid=10000(jgarcia) gid=100513(none) \
> > 	groups=100513(none),101094(5p6l3d1$),101119(jgomes-pc$),
> > 	10001(BUILTIN\users)
> > 
> > jgarcia id should be 101016 (100000 + 1016), and there are missing
> > groups
> > 
> > 	S3# id jgarcia
> > 	uid=1016(jgarcia) gid=1094(jgarcia)\
> > 	groups=1094(jgarcia),1000(G00),2009(G01),3011(G02),1119(G03)
> > 
> > 
> > For groups it is about the same.
> > for instance: 
> > 	S4# wbinfo --gid-info 100513
> > 	none:x:100513:
> > 	S4# wbinfo -G 100513
> > 	S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-513
> > 
> > Where did this group "513" come from ?? "Domain Users" ?? 
> > If so, why the group name does not come along ??
> > 
> > Which smb.conf options should I care about so that S4 sees S3 users and
> > groups like S4[ug]id=S3[ug]id+100000 ??
> > "idmap config" seems not to be effective.
> > 
> > Are there any options in S3 that I should also change??
> > 
> > How do I make S4 "forget" everything it learned so far about uids and
> > gids from S3 so I can start fresh??
> > 
> > 
> > Cheers
> > 
> > Ethy
> > 
> 
> I think you are going to have to give us a bit more info, smb.conf from
> the S3 PDC and the S4 machine, for a start.

As requested, those files follow.

Samba 3 config file

S3# grep -v -e ^# -e '^;' /etc/samba/smb.conf | uniq | less -S

# [global] section of the Samba 3 machine (security = user, domain logons = yes,
# domain master = yes: an NT4-style PDC). Comments and blank lines of the real
# file were filtered out by the grep shown above, so this is settings only.
# NOTE(review): several keys appear more than once with different values
# (domain logons, oplocks, level2 oplocks). Presumably the later line is the one
# that takes effect; `testparm` prints the effective value — confirm there.
[global]
   workgroup = PEGASE
   server string = RedePEGASE
    netbios name = PegaseSRV
    # Access is limited to 192.168.0.x, 192.168.1.x and loopback; everything
    # else is refused by the matching "hosts deny = ALL EXCEPT ..." line.
    hosts allow = 192.168.0.  192.168.1. 127.0.0.1 
    hosts deny = ALL EXCEPT 192.168.0.  127.0.0.1 192.168.1.
    #unix charset = iso8859-1
   wins support = yes
   dns proxy = yes
   name resolve order = bcast host lmhosts wins
   interfaces = lo,eth0
   bind interfaces only = yes
   log file = /var/log/samba/%U.%m.log
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = user
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

   pam password change = yes
   # "Bad User": a login with an unknown user name is mapped to the guest
   # account (guest account = nobody, further down) instead of being rejected;
   # a wrong password for an existing user is still refused. Guest sessions only
   # reach shares that permit guests — the share definitions are not shown here.
   map to guest = Bad User
   domain logons = yes
   logon drive = 
   logon home = 
   add user script = /usr/sbin/adduser --quiet --disabled-password --shell /bin/false --gecos "Added by Samba" %u

   add machine script  = /usr/sbin/useradd -c "%u machine account" -g machines --home /var/lib/samba -s /bin/false %u

   add group script = /usr/sbin/addgroup --force-badname %g
   load printers = no
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192
   domain master = yes
   # NOTE(review): "admin users" in [global] is the default for every share, and
   # the listed accounts perform all file operations as root, bypassing file
   # permissions. Least privilege would scope this to the shares that need it
   # (or drop it); any migration of these shares inherits the same exposure.
   admin users = root jgarcia sysadm
    domain logons = yes
    local master = yes
    os level = 64
    preferred master = yes
    wins proxy = no
    Level2 oplocks = no
    # NOTE(review): "ntlm auth" and "lanman auth" make smbd accept NTLMv1 and
    # LANMAN responses, both weak legacy schemes; disable them once no client
    # on the network still depends on them.
    ntlm auth = Yes
    lanman auth = Yes
    # NOTE(review): per smb.conf(5), with "client ntlmv2 auth" enabled only
    # NTLMv2 logins are attempted by Samba's client tools, so the
    # "client lanman auth = Yes" below likely has no effect — confirm for this
    # version and remove it rather than leave a misleading setting.
    client ntlmv2 auth = Yes
    use client driver = Yes
    client lanman auth = Yes
    guest account = nobody
    time server = yes
    # NOTE(review): "force create mode = 0664" ORs read permission for "other"
    # into every new file, and the directory modes give "other" search (x)
    # permission, so any local account on the server can read newly created
    # files if it can reach the path. Tighten if that is not intended.
    directory mask = 0771
    create mask = 0655
    force create mode = 0664
    force directory mode = 0771
    map archive = yes
    map system = yes
    map hidden = no
    hide dot files = yes
    mangled names = yes
    default case = lower
    preserve case = yes
    max xmit = 65535
    locking = yes
    # oplocks / level2 oplocks are set here and again, with different values,
    # a few lines below (see the duplicate-key note at the top of the section).
    oplocks = yes
    level2 oplocks = no
    lock directory = /var/state/samba
    cache directory = /var/state/samba
    state directory = /var/state/samba
    veto oplock files = /prf*.tmp/
    oplocks = false
    kernel oplocks = false
    level2 oplocks = false
    template shell = /bin/false
    # Lets user-defined shares (usershares) be created with guest access.
    # Only matters if usershares are enabled, which this excerpt does not show.
    usershare allow guests = yes
    inherit permissions = no
    inherit owner = No

  ... SHARES FOLLOWS ...

SAMBA 4 config file

S4# grep -v -e ^# -e '^;' /etc/samba/smb.conf | uniq | less -S

# [global] section of the Samba 4 machine, joined as a member server
# (security = DOMAIN) of the PEGASE NT4-style domain. Comments and blank lines
# of the real file were filtered out by the grep shown above.
[global]

   workgroup = PEGASE
   netbios name = pegasus
   netbios aliases = safebits
   security = DOMAIN
   server role = member server
   encrypt passwords = yes
   client ipc signing = auto
   server string = %h server (Safe.bitS)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   panic action = /usr/share/samba/panic-action %d
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

   pam password change = yes
   # As on the PDC: a login with an unknown user name is mapped to the guest
   # account rather than rejected. Only shares that permit guests are reachable
   # that way — the share definitions are not shown here.
   map to guest = bad user
   # "idmap uid" / "idmap gid" are the deprecated spelling of
   # "idmap config * : range" and duplicate the range line below.
   idmap uid = 100000-200000
   idmap gid = 100000-200000
   idmap cache time = 60
   # NOTE(review): both idmap config lines target the default domain "*".
   # The rid backend is documented for explicitly named domains, e.g.
   # "idmap config PEGASE : backend = rid" with its own range, while "*" keeps
   # an allocating backend (tdb) on a separate, non-overlapping range — check
   # idmap_rid(8) for the installed version. rid computes the Unix ID from the
   # RID part of the SID, not from the PDC's Unix uid/gid, so
   # "S4 id = S3 id + 100000" holds only where the RID equals the S3 id.
   # NOTE(review): the files were copied with rsync -a before ID mapping was
   # consistent, so owner/group on the copy may resolve to the wrong or to no
   # domain account. Re-check ownership and ACLs on the migrated tree once the
   # mapping is fixed; IDs already handed out stay in winbindd's database and
   # cache (`net cache flush` clears the cache only) and are not renumbered
   # just by editing these lines.
   idmap config *:range = 100000-200000
   idmap config *:backend = rid
   winbind use default domain = yes
   # Lets user-defined shares (usershares) be created with guest access.
   # Only matters if usershares are enabled, which this excerpt does not show.
   usershare allow guests = yes

... SHARES FOLLOWS ...

Cheers

Ethy


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba