[Samba] Migration 2.x-> 3.0 with new server, sharing files during migration process?

Andreas Gerstenberg sep2006 at nxdomain.de
Tue Sep 5 19:10:36 GMT 2006


Hi!

Felipe Augusto van de Wiel wrote:

>> Old Samba server/environment:
>>  Samba 2.x
>>  Authentication via W2k Server (security = DOMAIN)
>>  Server has more than 100 netbios aliases
>>  No POSIX ACLs
>>  Users and Groups are stored in /etc/{passwd,groups}
>>  Access to shares via "valid users = @group" in smb.conf
>>  other authorization done via file/directory rights
>>
>> New Samba Server/environment:
>>  Samba 3 as AD Member Server (security = ADS)
>>  POSIX-ACLs
>>  winbind

[...]

> 	Why 01 month to migrate the users? It could be done with
> a script in a few hours. As I see your scenario, you should be
> able to prepare the new environment at least with the new users
> and share the account information.
> 
> 	If you are speaking about physically migrating them, that
> I can understand, but if you are able to set two environments
> sharing the underground information using Samba, you should be
> able to achieve what you want.

OK, I think I have to start a bit more at the beginning.

There is an existing network with a Samba 2.2.8a server in "OLDDOMAIN"
("old environment") and I have to set up a completely newly designed
network. There are about 200 users in about 30 subsidiaries connected
via VPN to the old network, which have to be switched step by step to the
new network "NEWDOMAIN" ("new environment").

Let's make it a bit more illustrative: let's say the headquarters with the
old Samba server is located in New York and there are 2 subsidiaries, one
in Los Angeles and the other one in San Francisco. There are 3 users:

* User "bob" works in the Los Angeles office, belongs to the group
"marketing" and has access to the Samba share "marketing"

* User "mary" works in the San Francisco office, also belongs to the group
"marketing" and also has access to the share "marketing"

* User "john" works in both offices (one day in LA, next day SF), also
belongs to the group "marketing" and therefore also has access to
the marketing share.

The files in that share have the ACL 0770 with the group "marketing", so
all 3 users can read/write the files and if "mary" has opened a file, it
will be locked, so everything is working fine.

Because I can't switch 30 subsidiaries within one day, I have to switch
them step by step, so let's say I will switch the LA office to the new
network with the new Samba server, so "bob" is in the new network,
"mary" is still in the old network and for "john" it changes wherever
he is. Just copying the files does not work, I must have access to the same
data (files) with locking, etc.

I think there is only one way for me to solve this problem: copy the
files to the new server and run 2 instances of Samba on one machine
which share the same files within 2 different networks (domains).

1) migrate the users from "OLDDOMAIN" to one instance of Samba on the
new server with ADS support (winbind), bound to one interface within the
old network.
2) run a second instance of Samba on the same machine, bound to the NIC
in the new network, ADS-connected to "NEWDOMAIN".
3) hope that the Linux kernel as well as Samba handles the locking
correctly.

Of course I have to correct the SID <-> UID/GID mapping within one of
the two instances "by hand", so that user "OLDDOMAIN\bob" (uid: 12334/gid:
56789) has the same uid/gid as "NEWDOMAIN\new_username_of_bob".

What do you think? Does this solution work?

regards,
Andy
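
The uid/gid requirement from the message above, as an added example that is not part of the original post: a Python check that every renamed account resolves to the same uid/gid on both sides, and that no other new-side account reuses an old uid (which would hand it that user's access to the shared files). The passwd-format sample lines, the rename table and every account name other than those quoted in the message are constructed assumptions.

```python
# Constructed sample data: passwd-format lines (name:pw:uid:gid:gecos:home:shell)
# standing in for what each Samba instance's id mapping resolves to.
OLD_PASSWD = r"""
OLDDOMAIN\bob:*:12334:56789::/home/bob:/bin/false
OLDDOMAIN\mary:*:12335:56789::/home/mary:/bin/false
OLDDOMAIN\john:*:12336:56789::/home/john:/bin/false
"""
NEW_PASSWD = r"""
NEWDOMAIN\new_username_of_bob:*:12334:56789::/home/bob:/bin/false
NEWDOMAIN\mary.new:*:20001:56789::/home/mary:/bin/false
NEWDOMAIN\intern:*:12336:56789::/home/intern:/bin/false
"""
# Hypothetical rename table: old account -> new account.
RENAMES = {
    r"OLDDOMAIN\bob": r"NEWDOMAIN\new_username_of_bob",
    r"OLDDOMAIN\mary": r"NEWDOMAIN\mary.new",
    r"OLDDOMAIN\john": r"NEWDOMAIN\john.new",
}

def parse_passwd(text):
    """Return {name: (uid, gid)} from passwd-format lines."""
    ids = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed passwd line: {line!r}")
        ids[fields[0]] = (int(fields[2]), int(fields[3]))
    return ids

def check_mapping(old_text, new_text, renames):
    """Return sorted (kind, old_name, new_name) findings; empty means consistent."""
    old, new = parse_passwd(old_text), parse_passwd(new_text)
    findings = []
    for old_name, new_name in renames.items():
        if old_name not in old or new_name not in new:
            findings.append(("missing", old_name, new_name))
        elif old[old_name] != new[new_name]:
            findings.append(("mismatch", old_name, new_name))
    # A new-side account outside the rename table that reuses an old uid
    # would inherit that user's file access on the shared tree.
    expected = set(renames.values())
    old_uids = {uid: name for name, (uid, _) in old.items()}
    for new_name, (uid, _) in new.items():
        if new_name not in expected and uid in old_uids:
            findings.append(("uid-reuse", old_uids[uid], new_name))
    return sorted(findings)

if __name__ == "__main__":
    print(check_mapping(OLD_PASSWD, NEW_PASSWD, RENAMES))
```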


