
Re: [Samba] Questions about adding a DC




On Mon, 18 Jun 2018, Rowland Penny via samba wrote:

On Mon, 18 Jun 2018 11:42:05 -0400 (EDT)
Tom Diehl via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi,

In reading
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
it says "If the other DCs are Samba DCs and were provisioned with
--use-rfc2307, you Should add --option='idmap_ldb:use rfc2307 = yes'
to the join command"

So does this mean that rfc2307 should not be used if the other DCs
are MS DCs? Does the answer change if the ultimate goal is to
decommission the MS DCs?

Do you have any Unix clients, or do you have an intention of either using
the Samba DC as a fileserver, or adding any Unix domain members?

If you do, then add the line to any Samba DCs; if not, then you can
ignore it.

There are no Unix clients today but the plan is to add them once the Samba DC
is up and running. So if I understand you correctly, I should add rfc2307
attributes so that I have them available when we provision the member server.
Then on the member server add something like the following to the smb.conf:
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:unix_nss_info = yes
idmap config SAMDOM:range = 10000-999999

This will also necessitate adding unix attributes to the user accounts.

Does this sound reasonable?


In addition,
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
states that "you must Create a hot-backup of
the /usr/local/samba/private/idmap.ldb file on the existing DC:" and
import into the new DC.

If the existing DC is an MS DC, how do I accomplish this step?

You cannot, because a Windows DC will not have that file. There is a
problem (or is it a feature?) with idmap.ldb on Samba DCs: they can,
and most probably will, return different IDs from each other. So for
Sysvol, you must copy idmap.ldb from the first Samba DC to any other
Samba DCs.

So is it safe to just ignore this part until I add a 2nd Samba DC, or is there
something special I need to do to get the IDs to match when one of the DCs
is an MS DC?

Regards,

--
Tom			me@xxxxxxxxxx
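An added sanity check, not part of this thread or of Samba itself, for the member-server setup discussed above: it parses the idmap lines of an smb.conf fragment, confirms the per-domain range does not overlap the '*' tdb range, and flags users whose rfc2307 attributes are missing or fall outside the configured range. The smb.conf text and the user entries are constructed samples.

```python
import re

# Constructed smb.conf fragment mirroring the idmap lines from the post.
SMB_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:unix_nss_info = yes
idmap config SAMDOM:range = 10000-999999
"""

# Constructed user entries as an LDAP search for uidNumber/gidNumber might
# return them; None means the rfc2307 attribute has not been set yet.
USERS = [
    {"name": "alice", "uidNumber": 10001, "gidNumber": 10000},
    {"name": "bob",   "uidNumber": None,  "gidNumber": None},   # no Unix attributes
    {"name": "carol", "uidNumber": 5000,  "gidNumber": 10000},  # inside the '*' range
]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom, {})[opt.lower()] = val
    return cfg

def parse_range(text):
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi

def check_config(cfg):
    """Flag domains without a range and domain ranges overlapping the '*' range."""
    problems, ranges = [], {}
    for dom, opts in cfg.items():
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
        else:
            ranges[dom] = parse_range(opts["range"])
    default = ranges.get("*")
    for dom, (lo, hi) in ranges.items():
        if dom != "*" and default and lo <= default[1] and default[0] <= hi:
            problems.append(f"{dom}: range {lo}-{hi} overlaps '*' range")
    return problems

def check_users(cfg, users, domain="SAMDOM"):
    """Flag users whose uidNumber/gidNumber is missing or outside the domain range."""
    lo, hi = parse_range(cfg[domain]["range"])
    problems = []
    for u in users:
        for attr in ("uidNumber", "gidNumber"):
            v = u[attr]
            if v is None:
                problems.append(f"{u['name']}: {attr} missing")
            elif not lo <= v <= hi:
                problems.append(f"{u['name']}: {attr} {v} outside {lo}-{hi}")
    return problems
```

Run `check_config(parse_idmap(SMB_CONF))` and `check_users(...)` against a real export of the users' uidNumber/gidNumber values before pointing winbind at the domain.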
