s4 managing posixAccount and posixGroup with samba-tool?

David Mansfield samba at dm.cobite.com
Tue Nov 27 07:43:52 MST 2012



On 11/27/2012 05:32 AM, Rowland Penny wrote:
> On 26/11/12 22:08, David Mansfield wrote:
>>
>> On 11/26/2012 04:59 PM, Rowland Penny wrote:
>>> On 26/11/12 21:01, Bernd Markgraf wrote:
>>>>> How about exporting all the users somehow, then writing a script to
>>>>> create them as new users in a S4 domain?
>>>>> OK, they all get new UID's through RID but this shouldn't be a problem
>>>>> really and once completed all your user details will be in one place,
>>>>> your S4 AD.
>>>> That ignores the fact that there may be one or more other services
>>>> involved that rely on already existing UID numbers. NFS being a nice
>>>> example.
>>>> Recreating the users may seem like a nice idea in order to have all
>>>> user
>>>> info in one place. Chown'ing millions of files (I would currently have
>>>> about 40 million files on 3 nfs servers with about 1000 different uids,
>>>> ~250 currently being active) to get the mapping to new UIDS right is
>>>> just not that much fun. I think it was/is a better idea to manually
>>>> assign posix UID/GID numbers to new users in such cases.
>>>>
>>>> just my .02¢
>>>>      Bernd
>>>>
>>>>
>>>>
>>>>
>>> Ok, for your installation it wouldn't be feasible, but the OP states
>>> that he only has approx 100 unix users, with only about 25 of them
>>> connected to a samba DC. It may be possible to add the other 75 users to
>>> the DC and then perform a classicupgrade to S4, but then it may be
>>> quicker to start anew. I think that the OP needs to tell us just what he
>>> needs the finished setup to be and if Windows is involved in any way.
>> I want to authenticate all users, unix and windows to a replicated s4
>> environment.  Unix users should keep existing UID/GID.  Windows users
>> should keep existing SID.  User-private groups are also in play here,
>> which will be my next headache assuming this migraine can be tamed.
>>
>> Currently unix users are authenticating largely using local passwords
>> which get set on as needed basis (most machines use ssh-key
>> authentication so no password is necessary), however the haystack of
>> passwords is growing and s4 looks like a slick way to eliminate that.
>>
>> Thanks,
>> David
>>
>>
>>
> Hi, as I see it you have a Samba3 DC with approx 25 unix users and
> another 75 approx unix users, you also have an unquantified number of
> windows users. Is the S3 DC running as a PDC i.e. are any of the other
> machines joined to it in a domain, or is it a workgroup and the DC is
> just a fileserver?
It's a domain.  The 25 users on the samba DC are windows desktop users
(they are unix users as well, as this server uses a plain smbpasswd
backend, with RID mapping formula).  If I change their SID they will
lose their local registry at least, not to mention all of the group
permissions (which I can live with).

The win desktop users' roaming profiles are stored on the samba server,
which also handles printing.  Users do log into different desktops from
time-to-time, but mostly stick to their own PC.

Up until now the non-windows users (approx 75) have nothing to do with 
samba, because auth. management doesn't use samba, and that's what I'd 
like to change.

If it comes down to "you can't have both" then I will sacrifice the 
windows users (surprise) and keep my unix UID/GID.

> As for the SID, I do not think that you will be able to keep it (someone
> will jump in here and explain if I am wrong, if so TIA) because the SID
> is different for every workgroup & domain.
The classicupgrade did manage to migrate the users' existing SIDs to s4
fwiw, after some cleanup (users had been deleted from /etc/passwd but
never from samba tdb or smbpasswd files, and two machine accounts had
the same UID!).

> Is there a Windows Server on the network?

Nope. Nothing but XPPro and win7 clients.

David
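The cleanup David describes (accounts left in smbpasswd after being deleted from /etc/passwd, and two machine accounts sharing a UID) is the kind of inconsistency worth catching before running a classicupgrade, since the upgrade carries the existing UIDs and SIDs forward. The script below is an added example, not code from this thread or from the Samba project: it cross-checks passwd(5)- and smbpasswd(5)-formatted lines for stale entries, UID mismatches and duplicate UIDs, and predicts the RID each UID/GID gets under Samba 3's default algorithmic mapping (user RID = 2*uid + base, group RID = 2*gid + base + 1, base 1000 unless `algorithmic rid base` is set in smb.conf). The account lines and the all-`X` hash columns are constructed sample data.

```python
"""Pre-migration consistency check for a Samba 3 domain using the
smbpasswd backend.  Added example; not part of the mailing-list thread.

Reads /etc/passwd-style and smbpasswd-style lines and reports what would
trip a classicupgrade: accounts still in smbpasswd after deletion from
/etc/passwd, accounts whose UID differs between the two files, and UIDs
shared by more than one account.  It also shows the algorithmic RID each
UID maps to, so the SIDs the upgrade will carry forward can be predicted.
"""
from collections import defaultdict

# Samba 3 default for "algorithmic rid base"; verify against the real smb.conf.
ALGORITHMIC_RID_BASE = 1000

# Constructed sample data (not real accounts).  pc01$ and pc02$ deliberately
# share UID 3001, and "carol" exists only in smbpasswd.
PASSWD_LINES = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002:Bob Example:/home/bob:/bin/bash
pc01$:x:3001:3001:Workstation pc01:/dev/null:/bin/false
pc02$:x:3001:3002:Workstation pc02:/dev/null:/bin/false
"""

_H = "X" * 32  # placeholder standing in for the LM and NT hash columns
SMBPASSWD_LINES = f"""\
alice:1001:{_H}:{_H}:[U          ]:LCT-00000000:
bob:1002:{_H}:{_H}:[U          ]:LCT-00000000:
carol:1003:{_H}:{_H}:[U          ]:LCT-00000000:
pc01$:3001:{_H}:{_H}:[W          ]:LCT-00000000:
pc02$:3001:{_H}:{_H}:[W          ]:LCT-00000000:
"""


def parse_passwd(text):
    """Return {name: (uid, gid)} from passwd(5)-formatted lines."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line: skip rather than guess
        entries[fields[0]] = (int(fields[2]), int(fields[3]))
    return entries


def parse_smbpasswd(text):
    """Return {name: (uid, flags)} from smbpasswd(5)-formatted lines.

    Field layout: name:uid:LM hash:NT hash:[flags]:LCT-<hex>:
    """
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue
        entries[fields[0]] = (int(fields[1]), fields[4].strip("[] "))
    return entries


def user_rid(uid, base=ALGORITHMIC_RID_BASE):
    """Samba 3 algorithmic mapping: user RID = 2*uid + base."""
    return 2 * uid + base


def group_rid(gid, base=ALGORITHMIC_RID_BASE):
    """Samba 3 algorithmic mapping: group RID = 2*gid + base + 1."""
    return 2 * gid + base + 1


def audit(passwd_text, smbpasswd_text):
    """Cross-check the two account stores and return a dict of findings."""
    passwd = parse_passwd(passwd_text)
    smb = parse_smbpasswd(smbpasswd_text)

    # Samba accounts whose unix account has already been removed.
    stale = sorted(name for name in smb if name not in passwd)
    # Same name, different UID in the two files.
    uid_mismatch = sorted(
        name for name in smb if name in passwd and smb[name][0] != passwd[name][0]
    )
    # One UID claimed by several accounts (across both files).
    by_uid = defaultdict(set)
    for name, (uid, _gid) in passwd.items():
        by_uid[uid].add(name)
    for name, (uid, _flags) in smb.items():
        by_uid[uid].add(name)
    duplicate_uids = {u: sorted(n) for u, n in by_uid.items() if len(n) > 1}

    rids = {name: user_rid(uid) for name, (uid, _flags) in smb.items()}
    return {
        "stale": stale,
        "uid_mismatch": uid_mismatch,
        "duplicate_uids": duplicate_uids,
        "rids": rids,
    }


if __name__ == "__main__":
    for key, value in audit(PASSWD_LINES, SMBPASSWD_LINES).items():
        print(f"{key}: {value}")
```

On real data, feed it the contents of /etc/passwd and the smbpasswd file (or an `pdbedit -L -w` export); a non-empty `stale` or `duplicate_uids` list is what to resolve before the upgrade, since the migrated SIDs are only as consistent as the UIDs they are derived from.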


