No subject


Wed Oct 20 02:45:58 MDT 2010


samba fails to allow this operation.

4.11. documentation ...
-----------------------

In [8] there is a very helpful tip to do the migration using a temporary root account.

These two sentences were the breaking point...

4.12. Searching for root
------------------------

As stated in [7], the net command operates on two servers, and both of them are
connected to using the same account name. On the other side, the DST account must
have UID 0. This UID belongs to the account root. How to connect to SRC as root
but have administrator rights?

ideas:
 - create a user inside the domain with the name root. But root/MSHOME isn't the
   same as root on DST. root and root/MSHOME will be enumerated on DST. Inelegant.
 - create a local user on SRC with the name root. Possible same-name collision
   problem. Need to configure some archaic system, which was unmaintained for a
   very long time.

later ideas (untested):
 - use samba id mapping subsystem to map Administrator/MSHOME to UID 0.

seems that we can't go this way. We need to somehow bind Administrator/MSHOME
to UID 0.

here comes smb.conf with the parameter "admin users (S)". The manpage of smb.conf(5)
is not very helpful with examples.

tried:
 admin users = Administrator,root,@"DOMAIN+Domain Admins"

after half an hour and some smbd debugging came to this idea:
 admin users = MSHOME+administrator

Note: samba/linux uses all lower case for names. It seems that the naming
scheme is: case insensitive (sometimes), case not preserving, lowercase.
So better to use lower case, and hope for the best.

DST# smbstatus
shows connection UID = 0

4.13. Samba works
-----------------

after a test from a WINXP station it seems that MSHOME/Administrator can change
file owners and add ACLs

4.14. Samba compiling
---------------------

DST# net rpc share migrate files testshare -S SRC -U Administrator%password --acls --attrs --timestamps
syncing    [testshare] files and directories including ACLs, including DOS Attributes (preserving timestamps)
[2010/12/28 16:50:10,  0] utils/net_rpc_printer.c:net_copy_fileattr(275)
  failed to set file-attrs: NT_STATUS_ACCESS_DENIED
Could handle directory attributes for top level directory of share testshare. Error NT_STATUS_ACCESS_DENIED
Could not handle the top level directory permissions for the share: testshare

This net tool tries to change the timestamp on \\DST\testshare but samba
refuses to do that.
The code showing this error is [10]:

        if (copy_attrs || copy_timestamps) {

                /* get file attributes */
                if (!cli_getattrE(cli_share_src, fnum_src, &attr, NULL,
                                 &f_ctime, &f_atime, &f_mtime)) {
                        DEBUG(0,("failed to get file-attrs: %s\n",
                                cli_errstr(cli_share_src)));
                        nt_status = cli_nt_error(cli_share_src);
                        goto out;
                }
        }

If there is an error then it goes out without continuing. This is ok, I want
to get an error on other failures. But this is the first one....

after some smbd debugging found this piece of code [9]

        if (fname[0] == '.' && fname[1] == '\0') {
                /*
                 * Not sure here is the right place to catch this
                 * condition. Might be moved to somewhere else later -- vl
                 */
                reply_nterror(req, NT_STATUS_ACCESS_DENIED);
                END_PROFILE(SMBsetatr);
                return;
        }

This seems to be rational. From Samba's POV it is possible that samba
doesn't control the directory which is the root of the share. But on the other
hand samba has share_info.tdb....

so a little diff will help us:

--- samba-3.2.5.orig/source/smbd/reply.c
+++ samba-3.2.5/source/smbd/reply.c
@@ -1105,7 +1105,8 @@
                 * Not sure here is the right place to catch this
                 * condition. Might be moved to somewhere else later -- vl
                 */
-               reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+               //reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+               reply_nterror(req, NT_STATUS_OK);
                END_PROFILE(SMBsetatr);
                return;
        }
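
Review bot: At the `reply_nterror(req, NT_STATUS_OK);` line the request is now answered with success while the function still goes straight to `END_PROFILE(SMBsetatr); return;` without setting anything, so the client is told the attribute change on the share root happened when it did not, and this applies to every client and every share served by the patched smbd, not only to the migration. Keep NT_STATUS_ACCESS_DENIED as the default and limit the relaxed answer to the migration (or make the net tool tolerate this one error for the top-level directory). Also confirm that passing NT_STATUS_OK through the error-reply helper yields a well-formed success reply, remove the commented-out `//reply_nterror(...)` line instead of leaving it in the source, and update the "Not sure here is the right place" comment so it describes the new behaviour.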

seems that the same was reported [11] but no one tried this mode. Seems that it
isn't technically possible that Samba can work this way. So a little 5
years, no one cares, no tests...

Back to compile:
LNX-debian# apt-get build-dep samba
LNX-debian$ apt-get source samba
LNX-debian$ cd samba-3.2.5
do online patch
LNX-debian$ debuild -us -uc

after ~20 min deploy new samba server:

DST# dpkg -i samba_3.2.5-4lenny13_amd64.deb

and net rpc share migrate files testshare -S SRC -U Administrator%password --acls --attrs --timestamps
copied 127GB data in ~10 hours.

4.15. Limitations of net rpc share migrate
------------------------------------------

this tool can migrate only a whole share. This is an insane limitation....
If my share migration takes 24 times, but I have only a 6 hour window at night
for the operation?
What to do? Split into smaller parts? NO! net rpc share decides that for you!:

  No one wants to copy smaller units than a share. Only sissies use files
and folders. Real admins use shares.... Big shame.

5. Migrations isn't migration
=============================

why 20 days downtime isn't acceptable?

When 20 days downtime is acceptable?
- when the user is trained in advance to expect service availability of 20%
or less. Sadly our users expect over 95% availability.
- when You are a BOFH and the users fear You.
- when You are far far away from users....
- when You have no users. :) (possibly the best theoretical case).

So the term "migration" is chosen incorrectly as a subcommand for the tool
net. This is only a slow/dumb file copy, no magic.

5.1. How to do better?
---------------------

Let's say we can't shrink the data set or increase bandwidth. But our
goal is to minimize downtime. If it were possible to have a long
transition time but a short downtime for each file/directory, then this
would be a not so perfect, but almost ideal, solution.

Plan:

- use the msdfs samba extension to create stub shares, and link files to
SRC from DST.
- copy directories one by one, from SRC to DST.
- if a folder is too big, then split it into multiple copies.

Automation:
this is possible on LNX:
- list SRC directory content from DST
- create directories on DST
- create msdfs links

impossible on LNX:
- copy files from SRC to DST preserving ACL

END

References:

[1] http://www.google.com/search?q=4+TB+%2F+20Mbps
  (4 terabytes) / (20 Mbps) = 19.4180741 days
[1-END]

[2] http://lists-archives.org/samba/56962-keeping-windows-acl-s-when-migrating-to-samba-server.html
  Date: Sat, 18 Dec 2010 23:56:06 -0500
  From: George <greenadmins at xxxxxxxxx>
  Subject: Re: [Samba] Keeping Windows ACL's when migrating to SAMBA Server

  Right now I got it half working but am having trouble with part of
  it. If I use robocopy, it copies the files and ACL but not the
  correct create of modify dates

  robocopy \\man_fs2\Batteries \\bed-fs1\servers\man_fs2\Batteries /sec /e


  If I use xxcopy I can copy all the files with the proper create and
  modify dates but it won't copy the ACL's.

  xxcopy \\man_fs2\Batteries \\bed-fs1\servers\man_fs2\Batteries /backup

  George



  On 12/12/2010 1:08 PM, Jeremy Allison wrote:

      On Sun, Dec 12, 2010 at 09:21:32AM -0600, Chris Weiss wrote:

          On Sat, Dec 11, 2010 at 1:01 PM, George<greenadmins at xxxxxxxxx>  wrote:

              We setup a Ubuntu SAMBA 3.5 server and would like it to replace our current
              Windows 2003 file server. I can manually copy the files over but need to
              keep all the Windows UID's and GID's but am having trouble copying the files
              over. Does anyone have any idea what I'm doing wrong or have any ideas for me
              to do this?

          what are you using to copy?  a normal file copy won't keep permissions
          even windows to windows, but robocopy will, and I think xcopy can

      I just helped an OEM do a (successful) file migration complete
      with ACLs from Windows to Samba using robocopy, so I'd suggest
      that as the tool of choice.

      Remember to do the migration as a (temporary) root account,
      as robocopy may need to write ACLs that the migrating user
      cannot access.

      Will get fixed properly when I finish implementing SE_RESTORE
      and SE_BACKUP privileges but until then the root account works
      just as well.

      Jeremy.

  --
  To unsubscribe from this list go to the following URL and read the
  instructions:  https://lists.samba.org/mailman/options/samba
[2-END]

[3] http://lists-archives.org/samba/56963-keeping-windows-acl-s-when-migrating-to-samba-server.html
  Date: Sun, 19 Dec 2010 14:19:40 +0900
  From: TAKAHASHI Motonobu <monyo at xxxxxxxxx>
  Subject: Re: [Samba] Keeping Windows ACL's when migrating to SAMBA Server

  2010/12/19 George <greenadmins at xxxxxxxxx>:
  > Right now I got it half working but am having trouble with part of it. If I
  > use robocopy, it copies the files and ACL but not the correct create of
  > modify dates
  >
  > robocopy \\man_fs2\Batteries \\bed-fs1\servers\man_fs2\Batteries /sec /e
  >
  > If I use xxcopy I can copy all the files with the proper create and modify
  > dates but it won't copy the ACL's.
  >
  > xxcopy \\man_fs2\Batteries \\bed-fs1\servers\man_fs2\Batteries /backup
  >
  > George

  How about "net share migrate" command?

  I once tried to examine this command like:

  $ net -S oldsrv rpc share migrate all --destination newsrv --acls temp2
  migrating: [TEMP2], path: C:\TEMP2, comment: comments, without share-ACLs
  syncing    [TEMP2] files and directories including ACLs, without DOS Attributes
  migrating: [TEMP2], path: C:\TEMP2, comment: comments, including share-ACLs

  Note that you must set "add share command" parameter in the target server.

  And "force unknown acl user = yes" may be helpful.

  ---
  TAKAHASHI Motonobu <monyo at xxxxxxxxxxx>
[3-END]

[4] http://en.wikipedia.org/wiki/XCOPY

[5] http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/index.html

[6] http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html
... Samba handles Windows ACLs from the perspective of UNIX file
system administration and thus adopts the limitations of POSIX ACLs.
Therefore, where POSIX ACLs lack a capability of the Windows NT/200X
ACLs, the POSIX semantics and limitations are imposed on the Windows
administrator. ...
[6-END]

[7] http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html
... The migration process can be completed only with the Samba server
already being fully operational. The user and group accounts must be
migrated before attempting to migrate data share, files, and printers.
...

[8] http://lists-archives.org/samba/56856-keeping-windows-acl-s-when-migrating-to-samba-server.html
  Date: Sun, 12 Dec 2010 10:08:11 -0800
  From: Jeremy Allison <jra at xxxxxxxxx>
  Subject: Re: [Samba] Keeping Windows ACL's when migrating to SAMBA Server

 On Sun, Dec 12, 2010 at 09:21:32AM -0600, Chris Weiss wrote:
 > On Sat, Dec 11, 2010 at 1:01 PM, George <greenadmins at xxxxxxxxx> wrote:
 > > We setup a Ubuntu SAMBA 3.5 server and would like it to replace our current
 > > Windows 2003 file server. I can manually copy the files over but need to
 > > keep all the Windows UID's and GID's but am having trouble copying the files
 > > over. Does anyone have any idea what I'm doing wrong or have any ideas for me
 > > to do this?
 >
 > what are you using to copy?  a normal file copy won't keep permissions
 > even windows to windows, but robocopy will, and I think xcopy can

 I just helped an OEM do a (successful) file migration complete
 with ACLs from Windows to Samba using robocopy, so I'd suggest
 that as the tool of choice.

 Remember to do the migration as a (temporary) root account,
 as robocopy may need to write ACLs that the migrating user
 cannot access.

 Will get fixed properly when I finish implementing SE_RESTORE
 and SE_BACKUP privileges but until then the root account works
 just as well.

 Jeremy.
[8-END]

[9] http://gitweb.samba.org/?p=samba.git;a=blob;f=source3/smbd/reply.c;h=e5067cca7e9d93484f0e4c220de2d65f631ac99d;hb=HEAD#l1230

[10] http://gitweb.samba.org/?p=samba.git;a=blob;f=source3/utils/net_rpc_printer.c#l244

[11] http://lists.samba.org/archive/samba/2005-September/110456.html

Hi,

I'm in the process of testing out the net rpc share migrate data migration
tool but keep running into an error message when using the --acl option.

I'm testing using the following command:
net rpc share migrate files -S 10.36.32.36 --acls --attrs --timestamps -v -U "gibbss"
but get with this error for each file in the share:
[2005/09/05 16:50:02, 0] utils/net_rpc_printer.c:net_copy_fileattr(384)
  could not set secdesc on \WinAXE_Plus_v7\xwpdllid.dll: NT_STATUS_ACCESS_DENIED
could not copy file \WinAXE_Plus_v7\xwpdllid.dll: NT_STATUS_ACCESS_DENIED
Each file copies OK and the timestamp is correct but none of the ACL's are
there.

ACL/xattrs mount options have already been added to the filesystem and I can
use setfacl/getfacl so can't see a problem with ACL support and the share is
on a PC logged in with the user account specified so all the files are owned
by that account. I guess this must be a permission problem somewhere but
can't think what it may be.

Can anyone point me in the right direction?

Thanks,

Simon






[11-END]

[12] http://xkcd.com/501/

roma1390

p.s. references were copied into the letter, because links go dead too
fast these days...
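
Added example (not part of the original post and not Samba's own tooling): section 4.12 ends with `admin users = MSHOME+administrator` giving the connection UID 0, and [8] describes that root access as temporary. The shell function below lists every smb.conf section that still carries an active `admin users` entry so it can be removed once the copy is done; the sample file, its paths and the `[archive]` share are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find smb.conf sections that still grant root through
# "admin users". smb.conf ignores case and whitespace in parameter names,
# so "Admin Users" and "adminusers" are the same parameter.

# Print one "section|scope|value" line per active "admin users" entry.
audit_admin_users() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                 # skip comment lines
    /^[ \t]*\[/ {                          # section header
        sec = $0
        sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        sec = tolower(trim(sec)); next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        if (key != "adminusers") next
        # An entry in [global] becomes the default for every share.
        scope = (sec == "global") ? "GLOBAL" : "share"
        printf "%s|%s|%s\n", sec, scope, trim(substr($0, eq + 1))
    }' "$1"
}

# Constructed sample configuration; only testshare, MSHOME and the
# admin users value come from the post, the rest is hypothetical.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = MSHOME
   winbind separator = +
[testshare]
   path = /srv/testshare
   Admin Users = MSHOME+administrator
[archive]
   path = /srv/archive
   ; admin users = root
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
audit_admin_users "$conf"
rm -f "$conf"
```

Any line reported with scope `GLOBAL` applies to all shares at once; a leftover entry on a single share is narrower but still maps that account to root for every file operation there.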

