Re: [Samba] classic upgrade woes, ignores realm





On 31.03.19 at 14:08, Rowland Penny via samba wrote:
On Sun, 31 Mar 2019 13:37:44 +0200
Patrick von der Hagen via samba <samba@xxxxxxxxxxxxxxx> wrote:

I am running samba as a fileserver, having some users (LDAP backend)
and lots of files. No machines ever joined this setup. Now I want to
join some clients, but want to upgrade to AD before I do that.
Configuration is quite old, but had no issues so far. I've been
following
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

Since the LDAP backend runs on the old server and blocks ports
389/636, I want to follow "Upgrading on a new server" and I want to
follow "Domain Controller name" because the new server has a
different name, which should be "DC1".

The new server is running Ubuntu 18.10, which provides samba 4.8.4.
Provisioning a new domain works flawlessly, no issues there. But I
really want to perform an upgrade, migrating users and groups.

In smb.conf, "netbios name = DC1" and "workgroup = WORKGROUP",
hostname returns "dc1", hostname -f returns "dc1.samdom.domain.de".

I prepared a local slapd and copied the samba-databases.

I start the process like this:

samba-tool domain classicupgrade --dbdir=/root/samba/ --realm=samdom.domain.de --dns-backend=SAMBA_INTERNAL -d 2 /root/smb.conf

Output:
...
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=DC1))]
...
sid S-1-5-21-... does not belong to our domain
...
Cannot open wins database, Ignoring: [Errno 2] No such file or
directory: '/root/samba/wins.dat'
...
Adding DomainDN: DC=DC1
DN: DC=DC1 is a NC
...
Admin password:        xxxxxxxxxxxxxxxxxxxxx
Server Role:           standalone server
Hostname:              dc1
NetBIOS Domain:        DC1
DNS Domain:            dc1
DOMAIN SID:            S-1-5-21-2467318493-10260708-2946515883
...
Cannot open idmap database, Ignoring: [Errno 2] No such file or
directory ...

Content of /etc/samba/smb.conf (complete!):
[global]
          log level = 2
          netbios name = DC1
          passdb backend = samba_dsdb
          realm = SAMDOM.DOMAIN.DE
          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
          workgroup = WORKGROUP
          idmap_ldb:use rfc2307 = yes

Obviously, smb.conf is not complete.

My questions:

Documentation says, to change "netbios name" before upgrade if you
want to change the domain controller name. But it is used in the ldap
query for sambaDomainName, so currently I have to change it to
WORKGROUP in order to import the LDAP data. How do I fix that?

"DNS Domain" should be the realm I specified at the commandline? Why
is it ignored and why is sambaDomainName used instead?

Is it normal to get a smb.conf file that does not work? Is it
intended as a starting point or should it convert my previous
configuration? At least "server role" is missing and "server
services" contains "dnsupdate" which it should not with
SAMBA_INTERNAL.

Do I have to worry about wins.dat missing? I don't have such a file.

Best regards
Patrick


Let's start with the obvious questions:

What is the original OS ?
What OS are you moving to ?
What version of Samba is on the original OS ?
and finally and most importantly, What is in the original smb.conf ?

The old server runs Ubuntu 18.04 (LTS) and samba 4.7.6-Ubuntu. I'd stick with LTS, but it has the same issues, so I upgraded the new server to Ubuntu 18.10 and samba 4.8.4.

Configuration:

[global]
   security = user
   workgroup = WORKGROUP
   netbios name = DC1
   server string = %h server (Samba, Ubuntu)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   passdb backend = ldapsam:ldap://localhost
   ldap suffix = dc=domain,dc=de
   ldap user suffix = ou=People
   ldap group suffix = ou=Group
   ldap machine suffix = ou=machines
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=admin,dc=domain,dc=de
   ldap ssl = off
   ldap passwd sync = yes
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user

and some shares, which should not matter.

Best regards
Patrick

