[Samba] Samba 2.2 PDC to ADS member server migration issues

[Pete Cridland]

Hi, our company has for the last 3 years run a SAMBA PDC/Fileserver. Sadly 
circumstances dictate that we now need to move to an Active Directory 
infrastructure, and I want to migrate the existing PDC to a Samba3 ADS member 
server. All our SAMBA domain users have identical accounts on our AD domain, 
and I have successfully joined our SAMBA3 test box to the AD domain as a native 
ADS/Kerberos authentication member, and the original linux users and some test 
files in place. 

The problem is this: I've been playing with the 'winbind trusted domains only' 
switch to try to get AD SIDs to map to existing linux UIDs. with 'winbind 
trusted domains only' switched OFF all users authenticating from the AD server 
have a brand new linux UID automatically mapped to their AD SID, and cannot 
access the files owned by the equivalently named linux user. This is not an 
option as we have 3 years worth of files with ownerships based on the existing 
users.

With 'winbind trusted domains only' switched ON, the system does manage to map 
the AD SID to the correct UID for the equivalently named linux user, however 
only AD users with an existing linux user account are recognised (ie a setfacl 
or chown to an AD user without a corresponding linux user account fails, and 
ditto for AD groups). This is far from an ideal option as not only would we 
have to add all new users to both the AD server and SAMBA member, we wouldn't 
be able to use AD groups for security.

If I could convince Winbind to map the AD SIDs to the existing UIDs for the 
corresponding user then I would like to run with 'winbind trusted domains only' 
switched OFF. Is there a way to do this automatically, or failing that is there 
a way to edit the SID/UID mappings in the windbind idmap manually (a perfectly 
acceptable fallback choice)? Also will net groupmap deal with SID/GID group 
mappings for our existing groups?

Thanks,
Pete Cridland