[Samba] Howto migrate shares from samba 3 / ADUC changing uid/uidnumber when activating UNIX (posix) attributes

Rowland Penny rowlandpenny at googlemail.com
Wed Jun 18 14:05:34 MDT 2014


On 18/06/14 20:38, Henrik Langos wrote:
> On 06/18/14 19:53, Rowland Penny wrote:
>> On 18/06/14 18:15, Henrik Langos wrote:
>>> I also tried to set it all on the command line:
>>>
>>> samba-tool user create mmuster5 --must-change-at-next-login 
>>> --random-password --surname="Muster5" --given-name="Max" 
>>> --job-title="Test Victim" --mail-address="mmuster5 at example.com" 
>>> --uid=mmuster --uid-number=12345 --gid-number=10001 
>>> --home-directory=/foo --login-shell=/bin/bash
>>>
>>> Still no luck. ADUC waltzes over the uidNumber when I select the NIS 
>>> domain and click OK.
>>
>> This is where it does what it shouldn't do; it should pull the user's 
>> info and use that. What version of Windows is ADUC running on? Is 
>> the Windows machine joined to the domain?
>
> Windows 7 pro 32bit running in virtualbox.
>
> It is joined to the domain and ADUC is run by a user who is a member 
> of "Domain Admins".

I wonder if it is a permissions problem; could you try as the 
Administrator?

>
>
>>
>> I know that samba-tool is a bit lacking in the attributes that get 
>> added when you add unix attributes with regards to what ADUC adds, 
>> but this should not give you the problems you are having.
>>
>> How did you provision samba 4 ?
>
> samba-tool domain provision --use-rfc2307 --interactive 
> --function-level=2008_R2 --use-xattrs=yes
>
>>
>> Do you have ldbtools installed? If so, what does this return:
>>
>>  ldbsearch -H /var/lib/samba/private/sam.ldb -b 
>> "CN=<your-domain>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=com" 
>> msSFU30MaxUidNumber
>>
>>
> msSFU30MaxUidNumber: 10009
>

This proves that the NIS part of AD is set up correctly.

>>>
>>>
>>>
>>> Let's assume I can't get ADUC to leave those numbers alone.
>>
>> But ADUC should.
>
> Does it leave those numbers alone for you, or do you simply use a 
> different way of creating users?

AH, slight problem there, my users actually start at 10000, but ADUC 
shows the correct login shell from AD and yes I do have a different way 
of creating users that has nothing to do with samba-tool or ADUC.

>
>>
>>>
>>> - Can I safely use ADUC to change the uidNumber back to the value I 
>>> wanted it to have? (e.g. 2047 instead of 10003)
>>
>> Well yes
>>
>>>
>>>
>>> - Can I safely change "Domain Users" gidNumber to 513 instead of 
>>> having it at 10001?
>>
>> I wouldn't, it would be inside the unix local range.
>
> Well, anything below 65535 would be in that range. But I see what you mean.

Well, I think you are arguing over nothing (or is that nobody?) ;-)

> And I guess I can work around that with a
> "find /new-share-path -gid 513 -execdir chown :10001 \{\} \;"
>
>>
>>>
>>> - I.e. is there anything I'd need to adjust if my users had 
>>> uidNumbers in the 2000-3000 range rather than the 10000-20000 range?
>>
>> No, but you could set the ADUC range lower.
>>
>>>
>>> If there is reason to believe that having uid/gid numbers outside 
>>> the default range will cause trouble down the road I'd rather have 
>>> the work now (something like "find . -uid <olduid> -execdir chown 
>>> <newuid> \{\} \;" for each uidnumber and gidnumber) than having to 
>>> debug that stuff later.
>>
>> I wouldn't think so; there must be lots of other people out there 
>> using similar ranges.
>>
> I guess I'm a chicken there... I'll try to solve the ADUC problem but 
> in the end I might decide to live with the changed uids instead. :-)

If you created the numbers yourself in the first place, then it might be 
easier to just accept the new numbers.

>
>
>>>
>>> On a side note: Does it cause any trouble to copy those old files 
>>> onto a share and (initially) only have them have the unix 
>>> owner/group instead of the whole acl stuff? Is there anything I'd 
>>> have to do to "enable" fine grained ACLs on those files, or will 
>>> samba add those on demand? (I enabled the necessary file system 
>>> stuff and made sure it works on a newly created share.)
>>>
>>
>> There is a page on the wiki all about the above.
>
> Well, there are quite a lot of pages on the wiki, if you don't mind me 
> saying that. ;-)

Blame Marc for that ;-)

>
> There's 
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_POSIX_ACLs
> and there's 
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>
> But I haven't found any documentation on how to get from one to the 
> other.
> I know I can't use the former, but the latter only deals with new shares.
> Not with shares that are already populated by files that don't have 
> the extended ACLs.
>

You might be able to write the required page after you get it to work ;-)

Rowland

> cheers and thanks!
>
> -henrik
>
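The per-id renumbering Henrik sketches above (`find . -uid <olduid> -execdir chown <newuid>` for each uid and gid) as an added example that is not part of this thread or of Samba: a POSIX sh planner that prints the find/chown commands for a whole mapping in two passes, so an entry whose new id is also another entry's old id cannot be clobbered. Assumed: a map file of `uid OLD NEW` / `gid OLD NEW` lines, a share path (`/srv/share` below is constructed), and an OFFSET above every id in use on the host.

```shell
#!/bin/sh
# Two-pass uid/gid renumbering planner for a migrated share (added example,
# not from the thread). Input MAP is a file of "uid OLD NEW" / "gid OLD NEW"
# lines, e.g.
#   uid 2047 10003
#   gid 513 10001
# The find/chown commands are printed, not executed, so the plan can be
# reviewed and then piped to sh as root.

# Pass 1 parks every id at OLD+OFFSET, pass 2 moves it to NEW, so a target
# id that is also another entry's source id (10003 -> 2047 alongside
# 2047 -> 12345) is never clobbered. OFFSET must exceed every id in use.
OFFSET=${OFFSET:-1000000}

remap_plan() {
    share=$1 map=$2
    for pass in 1 2; do
        while read -r kind old new; do
            case $kind in
                uid) flag=-uid; cmd="chown -h" ;;
                gid) flag=-gid; cmd="chgrp -h" ;;
                ''|'#'*) continue ;;                 # blank line or comment
                *) echo "remap_plan: bad entry: $kind $old $new" >&2; return 1 ;;
            esac
            # Non-numeric or missing ids make [ fail, which also lands here.
            if ! [ "$old" -lt "$OFFSET" ] 2>/dev/null || ! [ "$new" -lt "$OFFSET" ] 2>/dev/null; then
                echo "remap_plan: ids must be numeric and below OFFSET=$OFFSET: $old $new" >&2
                return 1
            fi
            if [ "$pass" -eq 1 ]; then
                from=$old to=$((old + OFFSET))
            else
                from=$((old + OFFSET)) to=$new
            fi
            # -xdev stays on the share's filesystem; -h changes a symlink
            # itself rather than its target; "{} +" batches the calls.
            printf 'find %s -xdev %s %s -exec %s %s {} +\n' \
                "$share" "$flag" "$from" "$cmd" "$to"
        done < "$map"
    done
}

# Caveat: on Linux, chown/chgrp clears setuid/setgid bits on regular files,
# so record them before applying the plan (GNU find syntax):
#   find "$share" -xdev -perm /6000 -ls

if [ "$#" -ge 2 ]; then
    remap_plan "$1" "$2"      # usage: sh remap_plan.sh /srv/share map.txt
fi
```

Review the printed plan, then run it as root with `sh remap_plan.sh /srv/share map.txt | sh`; the parked ids only exist between the two passes, so do not let anything else touch the share while it runs.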


