s4 managing posixAccount and posixGroup with samba-tool?

David Mansfield samba at dm.cobite.com
Mon Nov 26 13:12:08 MST 2012



On 11/26/2012 10:04 AM, Rowland Penny wrote:
> On 26/11/12 14:39, David Mansfield wrote:
>> Hi all:
>>
>> Is it possible to add a user using samba-tool with an existing
>> uidNumber and other posixAccount attributes and to add a group with a
>> gidNumber?  Or after adding with samba-tool, is there a utility other
>> than ldbmodify to manage the attributes?
>>
>> I see a long discussion in bug#8635
>> (https://bugzilla.samba.org/show_bug.cgi?id=8635) where "steve" has
>> posted some homegrown scripts s4user and s4group which are the only
>> way I can find where these attributes are being set.
>>
>> Maybe there's an option other than the ones that are given in --help for
>> samba-tool?
>>
>> In any case, is there a "best practice" for managing unix users using
>> s4?  I need the UID/GID to be stable across my enterprise, so I'm
>> planning on using idmap_ad on the winbind clients, I assume this will
>> work once I get the uidNumber and gidNumber properly set in s4...
>>
> There is another way, forget Unix UID & GIDs, use 'idmap config
> HOME:backend = rid' in smb.conf and get reliable unique UIDs and GIDs
> based on the RID part of Windows SIDs. You also get getent to see all
> domain users and groups, i.e. you do not need special unix groups & users.
>
>
Ok.  I've tried this and it does work well - for creating a new setup
from scratch.  My problem is that I have a legacy migration issue, I
have a hundred or so (unix only) users across about 30 machines with a
specific UID (and GID), and about 25 of them exist on a legacy samba3 DC
with existing SID (the SID there is the old 1000 + 2*UID thing).

It doesn't sound like it's going to be doable to use idmap_rid unless I
can control the RID in the SID for new users, and even then it will fail
for the existing samba3 legacy users.

Despite the clean and hands-off approach that idmap_rid gives me, it
doesn't seem feasible unless I'm missing something.

Thanks,
David
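Worked example added to this thread (not code from David, Rowland or the Samba project): it models the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID from the idmap_rid man page against the legacy Samba 3 RID = 1000 + 2*UID scheme described above, to show why the existing UIDs cannot survive an idmap_rid migration, and then emits the LDIF an admin would feed to ldbmodify to pin uidNumber/gidNumber on the AD user objects instead. The user list, DN and ID range are constructed sample values.

```python
"""Constructed example (not from the thread or Samba): models why idmap_rid
cannot reproduce pre-existing Unix UIDs and emits the LDIF an admin would feed
to ldbmodify to pin uidNumber/gidNumber on the AD user objects instead."""

LEGACY_RID_BASE = 1000  # Samba 3 algorithmic mapping: RID = 1000 + 2*UID (as in the post)


def legacy_user_rid(uid: int) -> int:
    """RID a Samba 3 DC assigned to a Unix user under the algorithmic mapping."""
    return LEGACY_RID_BASE + 2 * uid


def idmap_rid_uid(rid: int, low: int, high: int, base_rid: int = 0):
    """ID = RID - BASE_RID + LOW_RANGE_ID, as idmap_rid computes it.
    Returns None when the result falls outside the configured range."""
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None


def legacy_mismatches(users: dict, low: int, high: int, base_rid: int = 0) -> dict:
    """Map each legacy user through idmap_rid and report those whose
    computed UID differs from the UID already in use on the Unix hosts.
    Because the legacy RID is 2*uid + 1000, at most one UID can ever match."""
    result = {}
    for name, uid in users.items():
        mapped = idmap_rid_uid(legacy_user_rid(uid), low, high, base_rid)
        if mapped != uid:
            result[name] = (uid, mapped)
    return result


def posix_ldif(dn: str, uid: int, gid: int) -> str:
    """LDIF for `ldbmodify -H <path to sam.ldb> file.ldif` that sets the RFC2307
    attributes on an existing user; `replace` creates them if absent."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        f"replace: uidNumber\nuidNumber: {uid}\n-\n"
        f"replace: gidNumber\ngidNumber: {gid}\n-\n"
    )


if __name__ == "__main__":
    # Constructed sample: three legacy Unix accounts from the Samba 3 era.
    legacy = {"alice": 1001, "bob": 1002, "carol": 1500}
    print(legacy_mismatches(legacy, low=10000, high=19999))
    # Hypothetical DN; use the real user DN from your sam.ldb.
    print(posix_ldif("CN=alice,CN=Users,DC=example,DC=com", 1001, 100))
```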


