Re: [Samba] AD migration issues

On Thu, 11 Apr 2019 13:46:25 +0000
Praveen Ghimire <PGhimire@xxxxxxxxxxxxxx> wrote:

> Hi Rowland,
> 
> Thank you for that.
> 
> We did the testing in a VMware VM, the actual production box is
> hosted in SmartOS. Didn't encounter the issues during testing.
> 
> I am pretty sure it is not a group, it is a user. When I check the
> AD, I see it as a user. The user with the issue doesn't have
> that listed in the members of section.

Here is an interesting fact: a group on a Samba AD DC can also be a
user.
Try running this (as root) on your DC:

ldbedit -e nano -H /path/to/idmap.ldb

Then search for '3000002' (use Ctrl-W)

Once found, there will be a line 'type', I believe it will be
'ID_TYPE_BOTH'

> 
> With the idmap stuff, the server in question is both DC and file
> server. So I thought we need the idmap config

No, this is one of the problems of using a DC as a fileserver.

> 
> With the ACLs, I read the following Wiki article
> If you must use the Samba DC as a fileserver, you should be aware
> that the auto-enabled acl_xattr virtual file system (VFS) object
> enables you to only configure shares with Windows access control
> lists (ACL). Using POSIX ACLs with shares on a Samba DC does not
> work. However the document mentions not to add it to the config in
> the DC. 
> 
> Does it mean, we need to change the share permissions to something
> like chown root:"Domain Admins" /srv/samba/Demo? Including the sysvol

Do not touch Sysvol, and what it means is that you MUST set the ACLs
from Windows, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

> 
> What about the smb.conf file? Do we leave it with just 
> server role = active directory domain controller

Start with the smb.conf that the provision gave you and only add lines
after thoroughly investigating them, if in doubt, ask here.
 
> 
> We had to roll back (reverted the tdb files and smb.conf) due to the
> issues, we only had a few test machines online during the testing.
> Then we found same issues with users in non-AD server. The users had
> no issue with the shares previously.

A non-AD server is just that, a server that is not part of the domain;
any users on it will not be the same users as in AD, even if they have
the same username.

Rowland
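The idmap.ldb check Rowland describes above, as an added example that is not part of the original thread or of the Samba project: instead of opening the database interactively in ldbedit, it queries one xidNumber with ldbsearch and pulls out the 'type' attribute, which is what tells you whether the object is mapped as a user, a group, or both. The path /var/lib/samba/private/idmap.ldb is an assumption (the Debian/Ubuntu package default; the thread only gives /path/to/idmap.ldb), the SIDs in the sample LDIF are constructed, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example: not code from this thread or from the Samba project.
# Non-interactive form of the ldbedit check: query idmap.ldb for one
# xidNumber and report its 'type' (ID_TYPE_BOTH / ID_TYPE_UID / ID_TYPE_GID).
# Assumption: Debian/Ubuntu default path; override with IDMAP_LDB=... elsewhere.
IDMAP_LDB="${IDMAP_LDB:-/var/lib/samba/private/idmap.ldb}"

# Live query, run as root on the DC. ldbsearch prints LDIF, one entry per
# match, plus "# record N" comment lines that the parser below ignores.
query_idmap() {
    ldbsearch -H "$IDMAP_LDB" "(xidNumber=$1)" objectSid type xidNumber
}

# Read LDIF on stdin and print the 'type' of the entry whose xidNumber
# matches $1. Prints nothing when no entry matches.
idmap_type_from_ldif() {
    awk -v want="$1" '
        function flush() {
            if (map_xid == want && !done) { print map_type; done = 1 }
            map_xid = ""; map_type = ""
        }
        /^dn:/        { flush() }
        /^type:/      { map_type = $2 }
        /^xidNumber:/ { map_xid = $2 }
        END           { flush() }
    '
}

# What the type value means; ID_TYPE_BOTH is why something you think of
# as a group can show up as a user on the DC (and vice versa).
explain_type() {
    case "$1" in
        ID_TYPE_BOTH) echo "object can be used as both a user and a group" ;;
        ID_TYPE_UID)  echo "object is mapped as a user (uid) only" ;;
        ID_TYPE_GID)  echo "object is mapped as a group (gid) only" ;;
        *)            echo "no mapping found" ;;
    esac
}

# Constructed sample of ldbsearch output (domain SID and RIDs are made up).
SAMPLE_LDIF='dn: CN=S-1-5-21-1111111111-2222222222-3333333333-512
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1104
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
type: ID_TYPE_UID
xidNumber: 3000021
'

# Offline check against the constructed sample.
check_xid_sample() {
    printf '%s' "$SAMPLE_LDIF" | idmap_type_from_ldif "$1"
}

# Set RUN_LIVE=1 (and optionally XID=...) on a DC to query the real database.
XID="${XID:-3000002}"
if [ "${RUN_LIVE:-0}" = 1 ]; then
    t=$(query_idmap "$XID" | idmap_type_from_ldif "$XID")
else
    t=$(check_xid_sample "$XID")
fi
echo "xidNumber $XID -> ${t:-<none>}: $(explain_type "$t")"
```

Run it without arguments to see the parser work on the constructed sample; on the DC, run it as root with RUN_LIVE=1 and XID set to the number from the thread (3000002) to read the real entry. The awk parser keys on the attribute names Samba writes into idmap.ldb (objectSid, type, xidNumber), so it works unchanged on live ldbsearch output.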
