
[Samba] SAMBA4: pdbedit not changing SID


simon...@matthews.eu

Mar 31, 2013, 8:50:01 PM
Since I don't seem to be having any luck with the classicupgrade, I
decided to try starting from scratch and then adding users.

I ran the command:
/usr/local/samba/bin/samba-tool domain provision --realm=<my realm> \
--domain=<mydomain> --adminpass 'mypass' --server-role=dc \
--dns-backend=BIND9_DLZ

Then I tried both adding and changing users. In neither case can I change
the SID with pdbedit. It seems to be added with a system-defined SID,
irrespective of what I specify. pdbedit -v is able to list the user's
parameters, including the SID.

Any suggestions? I am pretty much stuck here trying to figure out how to
migrate from an existing SAMBA3 domain to SAMBA4.


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Gémes Géza

Apr 1, 2013, 3:30:01 AM
On 2013-04-01 02:36, simon...@matthews.eu wrote:
> Since I don't seem to be having any luck with the classicupgrade, I
> decided to try starting from scratch and then adding users.
>
> I ran the command:
> /usr/local/samba/bin/samba-tool domain provision --realm=<my realm> \
> --domain=<mydomain> --adminpass 'mypass' --server-role=dc \
> --dns-backend=BIND9_DLZ
>
> Then I tried both adding and changing users. In neither case can I
> change the SID with pdbedit. It seems to be added with a
> system-defined SID, irrespective of what I specify. pdbedit -v is able
> to list the user's parameters, including the SID.
>
> Any suggestions? I am pretty much stuck here trying to figure out how
> to migrate from an existing SAMBA3 domain to SAMBA4.
>
>
Hi,

Trying to add users one by one (preserving SID) is IMHO a lot harder
(you would probably need to ldbmodify the user record of each one) to
do, than fixing your samba3 install to have it classicupgraded.

Regards

Geza Gemes

Andrew Bartlett

Apr 1, 2013, 6:20:01 PM
On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote:
> On 2013-04-01 02:36, simon...@matthews.eu wrote:
> > Since I don't seem to be having any luck with the classicupgrade, I
> > decided to try starting from scratch and then adding users.
> >
> > I ran the command:
> > /usr/local/samba/bin/samba-tool domain provision --realm=<my realm> \
> > --domain=<mydomain> --adminpass 'mypass' --server-role=dc \
> > --dns-backend=BIND9_DLZ
> >
> > Then I tried both adding and changing users. In neither case can I
> > change the SID with pdbedit. It seems to be added with a
> > system-defined SID, irrespective of what I specify. pdbedit -v is able
> > to list the user's parameters, including the SID.
> >
> > Any suggestions? I am pretty much stuck here trying to figure out how
> > to migrate from an existing SAMBA3 domain to SAMBA4.
> >
> >
> Hi,
>
> Trying to add users one by one (preserving SID) is IMHO a lot harder
> (you would probably need to ldbmodify the user record of each one) to
> do, than fixing your samba3 install to have it classicupgraded.

Indeed. The only way to safely import a list of users who already have
SIDs is to migrate them to Samba 4.0's AD DC using one of the supported
migration tools.

These are 'samba-tool domain join dc' and 'samba-tool domain
classicupgrade'.

The reason is that we have to ensure that we never re-allocate the same
SID to a new user later. For that reason, we have protection in the
domain controller code to prevent the administrator specifying the SID.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Andrew Bartlett

Apr 1, 2013, 7:10:02 PM
On Mon, 2013-04-01 at 15:59 -0700, Simon Matthews wrote:

>
> On Tue, 2 Apr 2013, Andrew Bartlett wrote:
>
> > On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote:
> >> On 2013-04-01 02:36, simon...@matthews.eu wrote:
> >> > Since I don't seem to be having any luck with the classicupgrade, I
> >> > decided to try starting from scratch and then adding users.
> >> >
> >> > I ran the command:
> >> > /usr/local/samba/bin/samba-tool domain provision --realm=<my realm> \
> >> > --domain=<mydomain> --adminpass 'mypass' --server-role=dc \
> >> > --dns-backend=BIND9_DLZ
> >> >
> >> > Then I tried both adding and changing users. In neither case can I
> >> > change the SID with pdbedit. It seems to be added with a
> >> > system-defined SID, irrespective of what I specify. pdbedit -v is able
> >> > to list the user's parameters, including the SID.
> >> >
> >> > Any suggestions? I am pretty much stuck here trying to figure out how
> >> > to migrate from an existing SAMBA3 domain to SAMBA4.
> >> >
> >> >
> >> Hi,
> >>
> >> Trying to add users one by one (preserving SID) is IMHO a lot harder
> >> (you would probably need to ldbmodify the user record of each one) to
> >> do, than fixing your samba3 install to have it classicupgraded.
> >
> > Indeed. The only way to safely import a list of users who already have
> > SIDs is to migrate them to Samba 4.0's AD DC using one of the supported
> > migration tools.
> >
> > These are 'samba-tool domain join dc' and 'samba-tool domain
> > classicupgrade'.
>
> Perhaps I need to address why the "classicupgrade" did not work. I see now
> that I did not pass the --dbdir option when running it before. I'll try
> again.

Thanks. Please work with our tools rather than trying to work around
them.

Andrew Bartlett

Apr 1, 2013, 7:10:03 PM
On Mon, 2013-04-01 at 15:59 -0700, Simon Matthews wrote:
>
> If I could change the subject somewhat, I am also not clear on how to
> configure SAMBA4 and the DNS server if my network has an existing DNS
> server on another machine and I don't really want to move it. The DNS
> server is a stock install of bind from the distro's repository:
> bind-9.8.2-0.17.rc1.el6_4.4.x86_64

Samba must locally host its own DNS domain, on the Samba 4.0 AD DC.

You may wish to have your existing BIND instance forward the Samba 4.0
subdomain to Samba using a zone type of 'forward'.

I hope this helps,

simon...@matthews.eu

Apr 1, 2013, 7:50:02 PM
If I could change the subject somewhat, I am also not clear on how to configure
SAMBA4 and the DNS server if my network has an existing DNS server on another
machine and I don't really want to move it. The DNS server is a stock install
of bind from the distro's repository: bind-9.8.2-0.17.rc1.el6_4.4.x86_64

Simon

Gregory Sloop

Apr 1, 2013, 8:10:02 PM
ssme> If I could change the subject somewhat, I am also not clear on how to configure
ssme> SAMBA4 and the DNS server if my network has an existing DNS server on another
ssme> machine and I don't really want to move it. The DNS server is a stock install
ssme> of bind from the distro's repository:
ssme> bind-9.8.2-0.17.rc1.el6_4.4.x86_64

I'd guess the easiest way would be to set up the Samba AD domain as a
subdomain of the existing DNS domain. Say
"samba.third-level.somedomain.com"

Then for queries for "samba.third-level.somedomain.com" the existing
DNS server could forward them to the Samba AD running the
Internal_Samba_DNS, and for queries outside
"samba.third-level.somedomain.com" the Samba4 AD could send them to
the existing DNS server.

The Samba AD must have its own DNS, either the Samba_Internal or
Bind9_DLZ.

[I've not heard of anyone doing a Samba4 setup with DNS completely
external to the Samba4 AD hardware, though perhaps it's possible - but
I'd guess one would be better off partitioning the two - DNS related
to the Samba domain and DNS outside of it.]

HTH - I'm no expert, but that's the way I've seen it done [and done it
myself] and that seems the most straight-forward to my way of thinking.

-Greg

simon...@matthews.eu

Apr 1, 2013, 11:40:02 PM
I went back to trying to get the classicupgrade to work:
/usr/local/samba/bin/samba-tool domain classicupgrade \
--dbdir=/var/lib/samba/ --dbdir=/var/lib/samba/ --realm=a.b \
/etc/samba/smb.conf --use-xattrs=yes

For the realm, I used a subdomain of one of the two existing dns domains
in the LAN. It appears to be processing the information from the old
domain tdb files, although I see some errors:
Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
Importing groups
Could not add group name=Remote Desktop Users ((68, "samldb: Account name
(sAMAccountName) 'Remote Desktop Users' already in use!"))
Could not modify AD idmap entry for
sid=S-1-5-21-4254857281-3346836279-4152649156-555, id=5077,
type=ID_TYPE_GID ((32, "Base-DN
'<SID=S-1-5-21-4254857281-3346836279-4152649156-555>' not found"))
Could not add posix attrs for AD entry for
sid=S-1-5-21-4254857281-3346836279-4152649156-555, ((32, "Base-DN
'<SID=S-1-5-21-4254857281-3346836279-4152649156-555>' not found"))
Group already exists sid=S-1-5-21-4254857281-3346836279-4152649156-512,
groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.

However, after this, all I get from pdbedit -L is:
# pdbedit -L
RAIDSERVER$:4294967295:
Administrator:4294967295:
[root@samba ~]# pdbedit -L
RAIDSERVER$:4294967295:
Administrator:4294967295:
krbtgt:4294967295:--dbdir=/var/lib/samba/ --realm=a.b
/etc/samba/smb.confnobody:99:Nobody

Any ideas? What information might help debug this?

Simon

Hef

Apr 2, 2013, 12:50:02 AM
On Mon, Apr 1, 2013 at 11:33 PM, Andrew Bartlett <abar...@samba.org> wrote:

> On Mon, 2013-04-01 at 23:26 -0500, Hef wrote:
> > I thought that samba was supposed to be able to use nsupdate to
> > perform dynamic dns updates. Is this not accurate?
>
> Please keep comments on the list.
>
Apologies, I misused the reply button.

>
> These updates still have to be against a Samba DNS server.
>
> Even if Samba is configured to somehow update a different server, the
> windows clients and other DCs also need to do the same. And if they
> did, you couldn't add a windows DC with its DNS server to the mix,
> because the data wouldn't be in the directory where it is expected to
> be.
>

My thought was to have the DNS registrations against samba4 and then have
samba4 re-register against a dns server via nsupdate. I hadn't considered
interacting with other windows based PDC's in the domain.

Would that imply that for an upstream DNS server, I should have an NS record
pointing to the samba4 server as a subdomain? and instead of having a AD
domain example.com, I should have ad.example.com?

Gémes Géza

Apr 2, 2013, 1:50:02 AM
Could this happen because pdbedit is from the samba3 install?

I recommend doing upgrade on a new box/virtual machine where no samba3
is installed, and copying the tdb files to the new box.

Regards

Geza Gemes

Ricky Nance

Apr 2, 2013, 2:00:02 AM
http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO
should help.

Ricky



simon...@matthews.eu

Apr 2, 2013, 2:50:02 AM
I have been following those instructions. I have a tdb backend, I am
working on a VM that does not have SAMBA3 installed. The command:
# samba-tool user list
does not show my users.

Interestingly, the groups seem to be there. If I use
# samba-tool group list
I see the expected groups.

Simon




Andrew Bartlett

Apr 2, 2013, 3:20:03 AM
On Mon, 2013-04-01 at 23:46 -0500, Hef wrote:
> On Mon, Apr 1, 2013 at 11:33 PM, Andrew Bartlett <abar...@samba.org> wrote:
>
> > On Mon, 2013-04-01 at 23:26 -0500, Hef wrote:
> > > I thought that samba was supposed to be able to use nsupdate to
> > > perform dynamic dns updates. Is this not accurate?
> >
> > Please keep comments on the list.
> >
> Apologies, I misused the reply button.

Thanks,

> >
> > These updates still have to be against a Samba DNS server.
> >
> > Even if Samba is configured to somehow update a different server, the
> > windows clients and other DCs also need to do the same. And if they
> > did, you couldn't add a windows DC with its DNS server to the mix,
> > because the data wouldn't be in the directory where it is expected to
> > be.
> >
>
> My thought was to have the DNS registrations against samba4 and then have
> samba4 re-register against a dns server via nsupdate.

We don't have any way to do that.

> I hadn't considered
> interacting with other windows based PDC's in the domain.
>
> Would that imply that for an upstream DNS server, I should have an NS record
> pointing to the samba4 server as a subdomain? and instead of having a AD
> domain example.com, I should have ad.example.com?

Yes (or a forward zone, if you don't want to put the proper NS glue in
there, and every DNS query already goes via that server).

simon...@matthews.eu

Apr 2, 2013, 4:30:02 PM
I have tried everything that I can think of, but the users are still not
being imported.

I deleted and re-created the /usr/local/samba directory (using make
install), I added users to the local passwd file (ypcat passwd >>
/etc/passwd) and then stopped ypbind.

Still the same. The users are not imported while the groups are.

I would really appreciate some help in getting past this step.

The transcript of my last attempt at classicupgrade can be found here:
http://pastebin.com/tP8bG5Yb

I changed the realm that I used to "a.b" and made edits to the file to
make it consistent.


Simon


Chris Smith

Apr 3, 2013, 3:10:02 PM
On Mon, Apr 1, 2013 at 7:05 PM, Andrew Bartlett <abar...@samba.org> wrote:
>> If I could change the subject somewhat, I am also not clear on how to
>> configure SAMBA4 and the DNS server if my network has an existing DNS
>> server on another machine and I don't really want to move it. The DNS
>> server is a stock install of bind from the distro's repository:
>> bind-9.8.2-0.17.rc1.el6_4.4.x86_64
>
> Samba must locally host its own DNS domain, on the Samba 4.0 AD DC.
>
> You may wish to have your existing BIND instance forward the Samba 4.0
> subdomain to Samba using a zone type of 'forward'.

I've been wondering...
Do the Windows clients, if they aren't sharing anything, actually need
DNS resolution?
Could Samba just host the DNS for the SRV (and other "special")
records as a subdomain and therefore have all queries go to another
DNS server which, for the special subdomain, forwards only those
requests to the Samba server?

Thanks,

Chris

Andrew Bartlett

Apr 3, 2013, 9:40:02 PM
On Wed, 2013-04-03 at 15:05 -0400, Chris Smith wrote:
> On Mon, Apr 1, 2013 at 7:05 PM, Andrew Bartlett <abar...@samba.org> wrote:
> >> If I could change the subject somewhat, I am also not clear on how to
> >> configure SAMBA4 and the DNS server if my network has an existing DNS
> >> server on another machine and I don't really want to move it. The DNS
> >> server is a stock install of bind from the distro's repository:
> >> bind-9.8.2-0.17.rc1.el6_4.4.x86_64
> >
> > Samba must locally host its own DNS domain, on the Samba 4.0 AD DC.
> >
> > You may wish to have your existing BIND instance forward the Samba 4.0
> > subdomain to Samba using a zone type of 'forward'.
>
> I've been wondering...
> Do the Windows clients, if they aren't sharing anything, actually need
> DNS resolution?
> Could Samba just host the DNS for the SRV (and other "special")
> records as a subdomain and therefore have all queries go to another
> DNS server which, for the special subdomain, forwards only those
> requests to the Samba server?

That would be a very good way to create confusion and an un-debug-able
network.

Clients, member servers and DCs register A records, and DCs also
register and require SRV records.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org


simon...@matthews.eu

Apr 4, 2013, 12:40:01 PM
Does anyone have any ideas what I might have done wrong or why this is not
working?

Simon

simon...@matthews.eu

Apr 8, 2013, 11:00:02 PM

I finally found the solution. I was moving from a Gentoo system to Centos
and the layout of the files is different under Gentoo.

In the Gentoo layout, the default location for passdb.tdb,
schannel_store.tdb and secrets.tdb is in /var/lib/samba/private .

When I first tried to import, I had got an error message about secrets.tdb
not being found, so I had made a link /var/lib/samba/secrets.tdb that
pointed to /var/lib/samba/private/secrets.tdb, but, crucially, I did not
do this for the other files in the secrets subdirectory.

Once I made the links for the other files, all I had to do was clean up my
old tdb files (duplicate and otherwise bad entries) and then the import
worked!

Simon
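
The failure described in the message above (only `secrets.tdb` linked into the `--dbdir` directory, so groups were imported but users were not) can be caught before running `classicupgrade`. The following pre-flight check is an added example, not part of the original thread or of Samba's tooling; the function name `check_dbdir` and its output labels are assumptions, and the three file names are the ones the post names.

```shell
#!/bin/sh
# Pre-flight check for the directory passed to
#   samba-tool domain classicupgrade --dbdir=DIR ...
# Added example: check_dbdir and its output labels are hypothetical.
# The file list is taken from the post above (Gentoo keeps these files
# under DIR/private).

REQUIRED_TDBS="passdb.tdb secrets.tdb schannel_store.tdb"

# check_dbdir DIR
# Prints one line per problem; the return status is the number of problems.
check_dbdir() {
    dbdir=$1
    problems=0

    if [ ! -d "$dbdir" ]; then
        echo "MISSING-DIR $dbdir"
        return 1
    fi

    for f in $REQUIRED_TDBS; do
        path="$dbdir/$f"
        if [ -L "$path" ] && [ ! -e "$path" ]; then
            # A symlink whose target is gone (e.g. the old tree was moved).
            echo "DANGLING $path -> $(readlink "$path")"
            problems=$((problems + 1))
        elif [ ! -e "$path" ]; then
            # Not present at all; say so, and point at the private/ copy
            # if one exists, which is the situation in the post.
            if [ -f "$dbdir/private/$f" ]; then
                echo "MISSING $path (found $dbdir/private/$f)"
            else
                echo "MISSING $path"
            fi
            problems=$((problems + 1))
        elif [ ! -r "$path" ] || [ ! -s "$path" ]; then
            # Present but unreadable or zero-length: the import cannot use it.
            echo "UNREADABLE-OR-EMPTY $path"
            problems=$((problems + 1))
        fi
    done

    return "$problems"
}

# Stand-alone use: sh check_dbdir.sh /var/lib/samba
[ "$#" -eq 0 ] || check_dbdir "$1"
```

A non-zero status means at least one of the three files is not visible where the upgrade was told to look.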

Simon Matthews

Apr 29, 2013, 11:30:02 PM


On Tue, 2 Apr 2013, Andrew Bartlett wrote:

> On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote:
>> On 2013-04-01 02:36, simon...@matthews.eu wrote:
>> > Since I don't seem to be having any luck with the classicupgrade, I
>> > decided to try starting from scratch and then adding users.
>> >
>> > I ran the command:
>> > /usr/local/samba/bin/samba-tool domain provision --realm=<my realm> \
>> > --domain=<mydomain> --adminpass 'mypass' --server-role=dc \
>> > --dns-backend=BIND9_DLZ
>> >
>> > Then I tried both adding and changing users. In neither case can I
>> > change the SID with pdbedit. It seems to be added with a
>> > system-defined SID, irrespective of what I specify. pdbedit -v is able
>> > to list the user's parameters, including the SID.
>> >
>> > Any suggestions? I am pretty much stuck here trying to figure out how
>> > to migrate from an existing SAMBA3 domain to SAMBA4.
>> >
>> >
>> Hi,
>>
>> Trying to add users one by one (preserving SID) is IMHO a lot harder
>> (you would probably need to ldbmodify the user record of each one) to
>> do, than fixing your samba3 install to have it classicupgraded.
>
> Indeed. The only way to safely import a list of users who already have
> SIDs is to migrate them to Samba 4.0's AD DC using one of the supported
> migration tools.
>
> These are 'samba-tool domain join dc' and 'samba-tool domain
> classicupgrade'.

Perhaps I need to address why the "classicupgrade" did not work. I see now
that I did not pass the --dbdir option when running it before. I'll try
again.

If I could change the subject somewhat, I am also not clear on how to
configure SAMBA4 and the DNS server if my network has an existing DNS
server on another machine and I don't really want to move it. The DNS
server is a stock install of bind from the distro's repository:
bind-9.8.2-0.17.rc1.el6_4.4.x86_64

Simon