[Samba] Howto migrate shares from samba 3 / ADUC changing uid/uidnumber when activating UNIX (posix) attributes

Henrik Langos hlangos-samba at innominate.com
Wed Jun 18 07:47:38 MDT 2014 

Hi,

I've been using Samba 3 (standalone server, workgroup setup) for a long 
looong time and now I want to migrate to Samba 4 AD DC setup with 
clients joined to the newly created AD domain and all the bells and 
whistles that come with it.

I've setup an AD DC (Debian wheezy with samba from backports) that will 
only handle authentication and a second AD DC that will also serve 
shares. Replication between those works fine. Group policies work. Even 
roaming profiles. So far so good.

Now I'd like to transfer all files from the current shares that only 
have user/group information (no xattr / ACLs) onto the new shares server.

I tried to create the users using samba-tool and giving "--uid" and 
"--uid-number" as parameters.

This apparently works nicely and (thanks to winbind) I can see those 
users on the shares server with exactly the uidNumber (in the 2000-3000 
range) that I've provided on the "samba-tool user create" command line, 
using "getent passwd".

My plan was to simply run "rsync --numeric-ids" to copy the content of 
those old shares over to the new shares server. I'd have to use 
"--numeric-ids" since winbind will make the users visible to linux as 
"SADOM+user" instead of simply "user".


However, if I use ADUC and activate the "Unix Attributes" (selecting a 
"NIS Domain" to do so) for a user, the uidNumber, uid, and loginShell 
attributes get overwritten. The uidNumber visible via winbind and 
ldapsearch changes to something in the "10000-20000" range, uid changes 
to the Windows username (currently that is not an issue as they are the 
same but it may become one) and login shell changes to the one visible 
in ADUC.

If I change back (deselecting the NIS Domain) then ldapsearch shows that 
those attributes are gone and "getent passwd" will report a uid number 
in the 3000000+ range. (As if they never had any posix attributes.)

ADUC is currently not the way I do user administration but I may not 
stay the only System Administrator and Windows-trained administrators 
will certainly want to use it. Changing uid numbers sometime later seems 
like a very bad idea thus my question on how to do it right the first time.

I'd like to know how to best migrate those shares without losing the 
ownership information and timestamps, and without losing the ability to 
use ADUC in the future to manage the posix attributes.

Any ideas / further information you need?

Thanks for your help!
cheers
-henrik

More information about the samba mailing list