[Samba] Question about samba 4 member server of a pure Windows AD
Stéphane PURNELLE
stephane.purnelle at corman.be
Mon Aug 3 08:27:51 UTC 2015
Hi,
I'm not try.
My current configuration is rfc2307, and it works fine.
But if I must replace my AD DC with another AD DC (not managed by me and not
using rfc2307), my question was: what can I do?
The rid backend is not a solution, because I have too many ACLs to apply on
files and directories ( > 1Tb of data).
So the answer is: the newer AD DC must use rfc2307.
regards
Stéphane Purnelle
From: Sébastien Le Ray <sebastien-samba at orniz.org>
To: Stéphane PURNELLE <stephane.purnelle at corman.be>,
samba at lists.samba.org,
Date: 03/08/2015 10:17
Subject: Re: [Samba] Question about samba 4 member server of a pure Windows
AD
Hi,
What you're trying to do is mixing RID and rfc2307. This is not possible.
I've the same kind of issue here (Samba 3 migrated DC with samba unix
users created in the same range as regular unix users), but still use
rfc2307 so I can renumber users one by one as follows:
Save old uid (1000-2000 range)
Give a new one (10000+ range)
Launch a command like this (multiple -e are possible) on every unix computer
having shares
find | while read -r file; do getfacl "$file" | sed -e "s,user:olduid:,user:newuid:," | setfacl --set-file=- "$file"; done
What for user support ticket escalation :-)
If your Windows AD does not use rfc2307, you can switch to rid, but then
you'll have to perform the whole ACL change at once (since rfc2307 allows
me to choose the UID, I can perform the changes smoothly over time).
Regards
On 03/08/2015 09:43, Stéphane PURNELLE wrote:
Hi,
An account created with samba3/ldap (created before 2014-02-20):
SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-3216
UidNumber : 1108
An account created with Users and Computers (samba 4 AD DC):
SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-5878
uidNumber : 10023
My current config (on the file server):
idmap config XXXXXX:backend = ad
idmap config XXXXXX:schema_mode = rfc2307
idmap config XXXXXX:range = 1005-40000
If I apply the RID backend:
ID = RID - BASE_RID + LOW_RANGE_ID.
For the first account:
3216 - 0 + 1005 = 4221 => bad, must be 1108
For the latest created account:
5878 - 0 + 1005 = 6883 => bad, must be 10023
If the generated uidNumber is not the same as the current uidNumber, I will lose my
ACLs.
regards
Stéphane Purnelle
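
The rid formula and the ACL renumbering discussed in this thread, as an added example that is not code from any of the posters: `rid_uid`, `build_map` and `remap_acl` are hypothetical helper names, and the ACL text is assumed to come from `getfacl -n` (numeric IDs). The rewrite is done in one pass per entry, so a new uid that equals another account's old uid is not renumbered a second time, which chained `sed -e` expressions would do.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical.

# rid_uid SID LOW_RANGE [BASE_RID]
# Prints the ID the rid backend would assign, using the formula quoted
# in the thread: ID = RID - BASE_RID + LOW_RANGE_ID.
rid_uid() {
    rid=${1##*-}                      # RID is the last dash-separated SID field
    echo $(( rid - ${3:-0} + $2 ))
}

# build_map LOW_RANGE
# Reads "SID current_uidNumber" lines on stdin and prints "old new" pairs
# for every account whose uid would change when moving from rfc2307 to rid.
build_map() {
    while read -r sid cur; do
        new=$(rid_uid "$sid" "$1")
        [ "$new" -eq "$cur" ] || echo "$cur $new"
    done
}

# remap_acl MAPFILE
# Reads `getfacl -n` text on stdin and rewrites named user entries
# (access and default) according to the "old new" pairs in MAPFILE.
# Each entry is looked up once, so a chain such as 1108->4221, 4221->9000
# cannot renumber the same entry twice.
remap_acl() {
    awk -F: -v OFS=: -v map="$1" '
        BEGIN {
            while ((getline line < map) > 0) {
                split(line, p, " ")
                m[p[1]] = p[2]
            }
        }
        $1 == "user" && ($2 in m)                    { $2 = m[$2] }
        $1 == "default" && $2 == "user" && ($3 in m) { $3 = m[$3] }
        { print }
    '
}
```

Typical use is to write the output of `build_map 1005` to a file, then run `getfacl -n "$file" | remap_acl mapfile | setfacl --set-file=- "$file"` for each file, after checking the map on a copy of the data.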