
Re: [Samba] Upgrade 4.8 to 4.9 with Backend-Change to lmdb?




On Wed, 26 Sep 2018 19:08:52 +0200
Denis Cardon via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi Louis,
> >
> > At this point I cannot recommend to upgrade to 4.9.0 or 4.9.1, a
> > side note on this. The bug in question why I'm blocking it for
> > production, does not happen for domain members and AD-DC's but it's
> > still a risk in my opinion. Because for this bug, you're obligated to
> > set the idmap ... : settings or run :
> > net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
> >
> > For the member, you need to adjust the install order a bit to get
> > past it without problems.
> >
> > As temp workaround (for member installation) ADDC should go fine
> > once provisioned. For a stand-alone server use the same steps, but
> > leave out the idmap domain settings.
> 
> I've done extensive stress testing on the DC (compiled version, not 
> packaged one) and I confirm that it works very well.
> 
> > - Steps
> > apt-get install samba
> >
> > - Then stop smbd and nmbd
> > systemctl stop smbd nmbd
> >
> > - Option 1: ( my personal choice, because this keeps things in sight )
> > - ( Domain Member settings and/or Stand-Alone installs )
> > - Configure smb.conf  ( make sure you have configured the idmap
> > settings. )
> > # - You must set a DOMAIN backend configuration, see below
> >        idmap config * : backend = tdb
> >        idmap config * : range = 3000-7999
> >
> > - Domain Member only setting, choose one of these 2, read and
> > choose.
> > https://wiki.samba.org/index.php/Idmap_config_ad
> > https://wiki.samba.org/index.php/Idmap_config_rid
> 
> I have always been configuring a tdb backend for builtin users aside 
> from the rfc2307 or rid backend for domain users (like in [1]). In
> which documentation is it missing this piece of information?

I will turn that on its head ;-)

If you read 'man idmap_tdb', you will find this:

 [global]
 # "backend = tdb" is redundant here since it is the default
 idmap config * : backend = tdb
 idmap config * : range = 1000000-2000000

Which means that you do not have to add the 'backend' line.

> 
> Cheers,
> 
> Denis
> 
> [1] 
> https://dev.tranquil.it/wiki/SAMBA_-_Installation_d%27un_nouveau_serveur_de_fichiers_Samba4#Configuration_smb.conf

Your wiki page needs updating; all supported Samba versions now use a
slightly different 'ad' setup, and I wish I knew who thought it was a good
idea to recommend putting the '*' domain above the 'DOMAIN' domain.

Rowland
