Re: [Samba] How to install a replacement PDC?

2013-07-31 Thread samba1
Thanks for all the info.  It sounds like the process might be more 
involved than I’d hoped, although I had a feeling it might not be 
totally straightforward.  I need to do a bit of reading up on Samba 
so that I have a better idea of how it hangs together with regard 
to passwords, groups and SIDs etc.  At least I’ve got a bit of time 
to do the upgrade.  Thanks also for the info about the Sernet build 
– I did think it would be nicer to have a later version of Samba 
than the one packaged by Debian, so I’ll look into that.


On Tue, 30 Jul 2013 18:56:51 +0100 Chris Smith smb...@chrissmith.org wrote:
On Tue, Jul 30, 2013 at 12:36 PM, Chris Smith smb...@chrissmith.org wrote:
 Only problem I had was that I needed to add Samba to run level 2 as it
 appears my CLI only install of Wheezy doesn't boot into run level 3
 (as Debian claims is their default).

Just read somewhere else the run level 2 is the default for Debian -
in that case I think Sernet should modify the init script.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] How to install a replacement PDC?

2013-07-31 Thread samba1
Actually, I seem to have it working now!  I’ll need to document 
what I did, and will have to test it again from scratch as I may 
have done one or two things which weren’t necessary etc.  The PC is 
logging onto the Debian server with no nasty warnings or errors, 
the server-side login script is working, and I can access the test 
network share.  I think it might be slightly slow to login, but it 
is an ancient test PC, and it might also be trying to do other 
things requiring a DNS server and internet connection (I’ve just 
got the test PC and Debian server on a crossover cable).

Once I have it documented I might post again to check that the 
process I’m using is good practice etc.  


On Tue, 30 Jul 2013 18:56:51 +0100 Chris Smith smb...@chrissmith.org wrote:
On Tue, Jul 30, 2013 at 12:36 PM, Chris Smith smb...@chrissmith.org wrote:
 Only problem I had was that I needed to add Samba to run level 2 as it
 appears my CLI only install of Wheezy doesn't boot into run level 3
 (as Debian claims is their default).

Just read somewhere else the run level 2 is the default for Debian -
in that case I think Sernet should modify the init script.


Re: [Samba] How to install a replacement PDC?

2013-07-30 Thread samba1
Thanks very much for your detailed reply.  I’m sure it will be very 
helpful.

Is there an easy way to search for your earlier posts?  I’m looking 
in the archives, and opening them by month, then searching for your 
name. It just seems a bit long-winded – I’m not sure when you would 
have posted them!

Thanks again.


On Mon, 29 Jul 2013 16:49:48 +0100 Gaiseric Vandal 
gaiseric.van...@gmail.com wrote:
Run the testparm -v to see full details, including defaults that may
not have been explicitly specified in smb.conf.  You want to look
out for the passdb backend value.  On samba 3.4 or later tdbsam is
probably the only valid local option.  If you were using the smbpasswd
file (text?) format on 3.0.x you may need to use the smbpasswd command
to export / import to the TDB (trivial data base) format.

With the old primary domain server running you should join the new
machine to the domain as a member server.  (net join.)  The localsid on
all dc's should match the domainsid.  You can probably then make the
new machine a DC by changing the smb.conf to allow domain logons and by
changing the localsid to be the domain sid.  Verify that the user
accounts are the same on each DC with pdbedit -Lv.  You may find that
some accounts did not export properly.

Also make sure that each domain controller has the same group mappings
(net rpc groupmap list ?)  From 3.0. to 3.4 or later you may find you
need to explicitly some of the well known groups.  You may also need to
create an explicit nobody user in linux (and specify guest account
= nobody in smb.conf.)

Search for earlier post by me that cover DC migration and 3.0x to 3.4.
upgrades.

On 07/29/13 11:24, sam...@nym.hush.com wrote:
 Also, here are the 'global' sections from the 'testparm' command.

 Existing Unix server

 [global]
  workgroup = DDOMAIN
  server string = Samba Server PDC
  smb passwd file = /etc/smbpasswd
  log file = /usr/lib/samba/var/log.%m
  max log size = 50
  time server = Yes
  keepalive = 0
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  load printers = No
  disable spoolss = Yes
  logon script = %U.bat
  logon drive = G:
  domain logons = Yes
  os level = 64
  preferred master = Yes
  domain master = Yes
  dns proxy = No
  wins support = Yes
  hosts allow = 192.0.0., 127.


 New Debian server

 [global]
  workgroup = DDOMAIN
  server string = %h server (Samba %v)
  interfaces = 127.0.0.0/8, eth0
  bind interfaces only = Yes
  obey pam restrictions = Yes
  smb passwd file = /etc/smbpasswd  ### I added this, but the file doesn’t exist
  pam password change = Yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
  unix password sync = Yes
  syslog = 0
  log file = /var/log/samba/log.%m
  max log size = 1000
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  logon script = %U.bat
  logon drive = G:
  domain logons = Yes
  os level = 64
  preferred master = Yes
  domain master = Yes
  dns proxy = No
  wins support = Yes
  panic action = /usr/share/samba/panic-action %d



Re: [Samba] How to install a replacement PDC?

2013-07-30 Thread Chris Smith
On Mon, Jul 29, 2013 at 6:47 AM,  sam...@nym.hush.com wrote:
 I’d appreciate some pointers on what to do. I don’t want to have
 the exact same users on the new Debian server (some of the users on
 the Unix server have left) so was hoping to just create users and
 groups manually rather than copy existing files across. Do I need
 to edit the UIDs and GIDs somehow, and then export/import some
 password/security files? I’ve seen that on the Unix server there’s
 a file named /etc/smbpasswd, but that isn’t on the Debian server,
 so I’m wondering if they’re using a different type of security back-
 end…  Is there a command which will report this, or which smb.conf
 parameters will identify this? I don’t do a lot of this stuff, so
 any help would be appreciated.

Most likely it would have been simplest to copy the old Samba
configuration to the new system. Update the smb.conf for necessary
changes (review all of the Changelog's from the old version to the new
version), change from the smbpasswd backend to the tdbsam backend (the
new default), then remove the users you no longer want or need.

Having said that I just finished migrating an NT4 PDC with Exchange
5.5 to two new VM's; the PDC part to a new Debian Samba installation
by hand (the long way), and the Exchange 5.5 part to a new NT4
server install (sounds like fun, right?). Fortunately the client
install base was under 25 so doing it the long way was not out of the
question. Had I been moving between Samba versions I would not even
have been tempted to do anything except follow the first paragraph
above.

Basically, in the long way, you need the same domain SID, the same
user SID's and I believe also the same machine SID's (I manually set
all of these as well), etc. and the proper group mappings (no longer
automatic, see chapter 9 of the official howto). Then you'll have to
rejoin all machines to the new PDC although really you are just
resetting the trust password. The UID/GID's are meaningless to the
Windows side, no need to mess with those, although I prefer to use
different ranges for Windows users, and Machines (and also a different
group for Machines - just a nicety for scripting later on). Done
properly the users will see no difference when they login to the
domain, same profile, etc.

Chris

Re: [Samba] How to install a replacement PDC?

2013-07-30 Thread Chris Smith
You may want to look into using the Sernet packages instead of the
Debian ones, then you'll have an up-to-date Samba 3.6.16
installation.

Only problem I had was that I needed to add Samba to run level 2 as it
appears my CLI only install of Wheezy doesn't boot into run level 3
(as Debian claims is their default).

Chris

On Tue, Jul 30, 2013 at 9:00 AM,  sam...@nym.hush.com wrote:
 Thanks very much for your detailed reply.  I’m sure it will be very
 helpful.

 Is there an easy way to search for your earlier posts?  I’m looking
 in the archives, and opening them by month, then searching for your
 name. It just seems a bit long-winded – I’m not sure when you would
 have posted them!

 Thanks again.


 On Mon, 29 Jul 2013 16:49:48 +0100 Gaiseric Vandal
 gaiseric.van...@gmail.com wrote:
Run the testparm -v to see full details, including defaults that may
not have been explicitly specified in smb.conf.  You want to look
out for the passdb backend value.  On samba 3.4 or later tdbsam is
probably the only valid local option.  If you were using the smbpasswd
file (text?) format on 3.0.x you may need to use the smbpasswd command
to export / import to the TDB (trivial data base) format.

With the old primary domain server running you should join the new
machine to the domain as a member server.  (net join.)  The localsid on
all dc's should match the domainsid.  You can probably then make the
new machine a DC by changing the smb.conf to allow domain logons and by
changing the localsid to be the domain sid.  Verify that the user
accounts are the same on each DC with pdbedit -Lv.  You may find that
some accounts did not export properly.

Also make sure that each domain controller has the same group mappings
(net rpc groupmap list ?)  From 3.0. to 3.4 or later you may find you
need to explicitly some of the well known groups.  You may also need to
create an explicit nobody user in linux (and specify guest account
= nobody in smb.conf.)

Search for earlier post by me that cover DC migration and 3.0x to 3.4.
upgrades.

On 07/29/13 11:24, sam...@nym.hush.com wrote:
 Also, here are the 'global' sections from the 'testparm' command.

 Existing Unix server

 [global]
  workgroup = DDOMAIN
  server string = Samba Server PDC
  smb passwd file = /etc/smbpasswd
  log file = /usr/lib/samba/var/log.%m
  max log size = 50
  time server = Yes
  keepalive = 0
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  load printers = No
  disable spoolss = Yes
  logon script = %U.bat
  logon drive = G:
  domain logons = Yes
  os level = 64
  preferred master = Yes
  domain master = Yes
  dns proxy = No
  wins support = Yes
  hosts allow = 192.0.0., 127.


 New Debian server

 [global]
  workgroup = DDOMAIN
  server string = %h server (Samba %v)
  interfaces = 127.0.0.0/8, eth0
  bind interfaces only = Yes
  obey pam restrictions = Yes
  smb passwd file = /etc/smbpasswd  ### I added this, but the file doesn’t exist
  pam password change = Yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
  unix password sync = Yes
  syslog = 0
  log file = /var/log/samba/log.%m
  max log size = 1000
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  logon script = %U.bat
  logon drive = G:
  domain logons = Yes
  os level = 64
  preferred master = Yes
  domain master = Yes
  dns proxy = No
  wins support = Yes
  panic action = /usr/share/samba/panic-action %d



Re: [Samba] How to install a replacement PDC?

2013-07-30 Thread Chris Smith
On Tue, Jul 30, 2013 at 12:36 PM, Chris Smith smb...@chrissmith.org wrote:
 Only problem I had was that I needed to add Samba to run level 2 as it
 appears my CLI only install of Wheezy doesn't boot into run level 3
 (as Debian claims is their default).

Just read somewhere else the run level 2 is the default for Debian -
in that case I think Sernet should modify the init script.


Re: [Samba] How to install a replacement PDC?

2013-07-30 Thread deejayen
Also, here are the 'global' sections from the 'testparm' command.

Existing Unix server

[global]
workgroup = DDOMAIN
server string = Samba Server PDC
smb passwd file = /etc/smbpasswd
log file = /usr/lib/samba/var/log.%m
max log size = 50
time server = Yes
keepalive = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
disable spoolss = Yes
logon script = %U.bat
logon drive = G:
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
hosts allow = 192.0.0., 127.


New Debian server

[global]
workgroup = DDOMAIN
server string = %h server (Samba %v)
interfaces = 127.0.0.0/8, eth0
bind interfaces only = Yes
obey pam restrictions = Yes
smb passwd file = /etc/smbpasswd  ### I added this, but the file doesn’t exist
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon script = %U.bat
logon drive = G:
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
panic action = /usr/share/samba/panic-action %d



[Samba] How to install a replacement PDC?

2013-07-29 Thread samba1
I’m testing moving a current Samba PDC configuration from an
existing Unix server to a new Debian server, and as expected, can’t
login to the new PDC from a PC which had been connected to the old
PDC.

The new Debian Samba configuration is working okay in that I can
join a new PC to it, login, and access shares.

In a test environment I renamed the Debian server’s host and domain
names to be the same as that of the Unix server, and manually
created a user account in Debian and Samba for an existing test
user and PC. I noted that the UIDs and GIDs are within different
ranges on the two servers – In Unix they’re allocated from 100,
whereas in Debian they’re allocated from 1000, so the test user and
machine have been allocated different IDs on the two servers. Also,
the SIDs are obviously different between the two servers.  I used
‘net getlocalsid’ to find the two SIDs, and ‘net setlocalsid’ to
set the SID of the new server to that of the old server.

I’d appreciate some pointers on what to do. I don’t want to have
the exact same users on the new Debian server (some of the users on
the Unix server have left) so was hoping to just create users and
groups manually rather than copy existing files across. Do I need
to edit the UIDs and GIDs somehow, and then export/import some
password/security files? I’ve seen that on the Unix server there’s
a file named /etc/smbpasswd, but that isn’t on the Debian server,
so I’m wondering if they’re using a different type of security
back-end…  Is there a command which will report this, or which smb.conf
parameters will identify this? I don’t do a lot of this stuff, so
any help would be appreciated.


Re: [Samba] How to install a replacement PDC?

2013-07-29 Thread samba1
Sorry, forgot to say that the Unix server has Samba 3.0.10, and the
Debian server is 3.5.6.



Re: [Samba] How to install a replacement PDC?

2013-07-29 Thread samba1
Also, here are the 'global' sections from the 'testparm' command.

Existing Unix server

[global]
workgroup = DDOMAIN
server string = Samba Server PDC
smb passwd file = /etc/smbpasswd
log file = /usr/lib/samba/var/log.%m
max log size = 50
time server = Yes
keepalive = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
disable spoolss = Yes
logon script = %U.bat
logon drive = G:
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
hosts allow = 192.0.0., 127.


New Debian server

[global]
workgroup = DDOMAIN
server string = %h server (Samba %v)
interfaces = 127.0.0.0/8, eth0
bind interfaces only = Yes
obey pam restrictions = Yes
smb passwd file = /etc/smbpasswd  ### I added this, but the file doesn’t exist
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon script = %U.bat
logon drive = G:
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
panic action = /usr/share/samba/panic-action %d 


Re: [Samba] How to install a replacement PDC?

2013-07-29 Thread Gaiseric Vandal
Run the testparm -v to see full details, including defaults that may 
not have been explicitly specified in smb.conf.  You want to look 
out for the passdb backend value.  On samba 3.4 or later tdbsam is 
probably the only valid local option.  If you were using the smbpasswd 
file (text?) format on 3.0.x you may need to use the smbpasswd command 
to export / import to the TDB  (trivial data base) format.




With the old primary domain server running you should join the new
machine to the domain as a member server.  (net join.)  The localsid on
all dc's should match the domainsid.  You can probably then make the
new machine a DC by changing the smb.conf to allow domain logons and by
changing the localsid to be the domain sid.  Verify that the user
accounts are the same on each DC with pdbedit -Lv.  You may find that
some accounts did not export properly.


Also make sure that each domain controller has the same group mappings 
(net rpc groupmap list ?)   From 3.0. to 3.4 or later you may find you 
need to explicitly some of the well known groups. You may also need to 
create an explicit  nobody user in linux (and specify guest account 
= nobody in smb.conf.)



Search for earlier post by me that cover DC migration and 3.0x to 3.4. 
upgrades.







On 07/29/13 11:24, sam...@nym.hush.com wrote:

Also, here are the 'global' sections from the 'testparm' command.

Existing Unix server

[global]
 workgroup = DDOMAIN
 server string = Samba Server PDC
 smb passwd file = /etc/smbpasswd
 log file = /usr/lib/samba/var/log.%m
 max log size = 50
 time server = Yes
 keepalive = 0
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 load printers = No
 disable spoolss = Yes
 logon script = %U.bat
 logon drive = G:
 domain logons = Yes
 os level = 64
 preferred master = Yes
 domain master = Yes
 dns proxy = No
 wins support = Yes
 hosts allow = 192.0.0., 127.


New Debian server

[global]
 workgroup = DDOMAIN
 server string = %h server (Samba %v)
 interfaces = 127.0.0.0/8, eth0
 bind interfaces only = Yes
 obey pam restrictions = Yes
 smb passwd file = /etc/smbpasswd  ### I added this, but the file doesn’t exist
 pam password change = Yes
 passwd program = /usr/bin/passwd %u
 passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
 unix password sync = Yes
 syslog = 0
 log file = /var/log/samba/log.%m
 max log size = 1000
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 logon script = %U.bat
 logon drive = G:
 domain logons = Yes
 os level = 64
 preferred master = Yes
 domain master = Yes
 dns proxy = No
 wins support = Yes
 panic action = /usr/share/samba/panic-action %d



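
The testparm comparison suggested in the reply above, as an added example (not code from the thread): it diffs the [global] parameters of two dumps and then filters for the settings that affect who can reach the server and where passwords live. The two sample files are constructed from a subset of the dumps posted in this thread; the function names and the watch list are assumptions of this example. On real servers the input would be the saved output of `testparm -s -v` from each host, so that defaults such as passdb backend appear as well.

```shell
#!/bin/sh
# Added example: diff the [global] parameters of two testparm dumps.

# normalise FILE -> "key<TAB>value" lines for the [global] section only
normalise() {
    awk '
        /^[ \t]*\[/ { in_global = ($0 ~ /\[global\]/); next }
        in_global && /=/ {
            key = $0; sub(/=.*/, "", key)        # text before the first "="
            val = $0; sub(/^[^=]*=/, "", val)    # text after the first "="
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print tolower(key) "\t" val
        }' "$1"
}

# diff_params OLD NEW -> ONLY-OLD / ONLY-NEW / CHANGED lines, tab separated
diff_params() {
    old_tmp=$(mktemp); new_tmp=$(mktemp)
    normalise "$1" > "$old_tmp"; normalise "$2" > "$new_tmp"
    awk -F '\t' '
        FILENAME == ARGV[1] { o[$1] = $2; next }
        { n[$1] = $2 }
        END {
            for (k in o) {
                if (!(k in n))         { print "ONLY-OLD\t" k "\t" o[k] }
                else if (o[k] != n[k]) { print "CHANGED\t" k "\t" o[k] " -> " n[k] }
            }
            for (k in n) { if (!(k in o)) print "ONLY-NEW\t" k "\t" n[k] }
        }' "$old_tmp" "$new_tmp" | sort
    rm -f "$old_tmp" "$new_tmp"
}

# Watch list (an assumption of this example): access control and password
# backend parameters that should not change silently during a migration.
WATCH='hosts allow|hosts deny|passdb backend|smb passwd file|guest account|interfaces|bind interfaces only'

# security_diff OLD NEW -> only the differences on watched parameters
security_diff() {
    diff_params "$1" "$2" | awk -F '\t' -v w="^($WATCH)\$" '$2 ~ w'
}

# Constructed sample input: a subset of the two dumps posted in the thread.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/old.txt" <<'EOF'
[global]
  workgroup = DDOMAIN
  smb passwd file = /etc/smbpasswd
  log file = /usr/lib/samba/var/log.%m
  max log size = 50
  domain logons = Yes
  hosts allow = 192.0.0., 127.
EOF
cat > "$SAMPLE_DIR/new.txt" <<'EOF'
[global]
  workgroup = DDOMAIN
  interfaces = 127.0.0.0/8, eth0
  bind interfaces only = Yes
  smb passwd file = /etc/smbpasswd
  log file = /var/log/samba/log.%m
  max log size = 1000
  domain logons = Yes
EOF

security_diff "$SAMPLE_DIR/old.txt" "$SAMPLE_DIR/new.txt"
```

On this sample the filter reports that `hosts allow` exists only on the old server, which means the client address restriction was not carried over to the new configuration.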