[Samba] Howto migrate shares from samba 3 / ADUC changing uid/uidnumber when activating UNIX (posix) attributes

Stéphane PURNELLE stephane.purnelle at corman.be
Wed Jun 18 08:12:14 MDT 2014


Answer in the text

Stéphane PURNELLE                         Systems and Network Administrator
IT Department              Corman S.A.           Tel : 00 32 (0)87/342467

samba-bounces at lists.samba.org wrote on 18/06/2014 15:47:38:

> From: Henrik Langos <hlangos-samba at innominate.com>
> To: samba at lists.samba.org
> Date: 18/06/2014 15:48
> Subject: [Samba] Howto migrate shares from samba 3 / ADUC changing 
> uid/uidnumber when activating UNIX (posix) attributes
> Sent by: samba-bounces at lists.samba.org
>
> Hi,
> I've been using Samba 3 (standalone server, workgroup setup) for a long 
> looong time and now I want to migrate to Samba 4 AD DC setup with 
> clients joined to the newly created AD domain and all the bells and 
> whistles that come with it.
> I've setup an AD DC (Debian wheezy with samba from backports) that will 
> only handle authentication and a second AD DC that will also serve 
> shares. Replication between those works fine. Group policies work. Even 
> roaming profiles. So far so good.

Why a second DC for that?
A simple Samba 4 as file server will be better for that.

> Now I'd like to transfer all files from the current shares that only 
> have user/group information (no xattr / ACLs) onto the new shares 
> I tried to create the users using samba-tool and giving "--uid" and 
> "--uid-number" as parameters.
> This apparently works nicely and (thanks to winbind) I can see those 
> users on the shares server with exactly the uidNumber (in the 2000-3000 
> range) that I've provided on the "samba-tool user create" command line, 
> using "getent passwd".
> My plan was to simply run "rsync --numeric-ids" to copy the content of 
> those old shares over to the new shares server. I'd have to use 
> "--numeric-ids" since winbind will make the users visible to linux as 
> "SADOM+user" instead of simply "user".
> However, if I use ADUC and activate the "Unix Attributes" (selecting a 
> "NIS Domain" to do so) for a user, the uidNumber, uid, and loginShell 
> attributes get overwritten. The uidNumber visible via winbind and 
> ldapsearch changes to something in the "10000-20000" range, uid changes 
> to the Windows username (currently that is not an issue as they are the 
> same but it may become one) and login shell changes to the one visible 
> in ADUC.
> If I change back (deselecting the NIS Domain) then ldapsearch shows that 
> those attributes are gone and "getent passwd" will report a uid number 
> in the 3000000+ range. (As if they never had any posix attributes.)
> ADUC is currently not the way I do user administration but I may not 
> stay the only System Administrator and Windows-trained administrators 
> will certainly want to use it. Changing uid numbers sometime later seems 
> like a very bad idea thus my question on how to do it right the first 
> I'd like to know how to best migrate those shares without losing the 
> ownership information and timestamps, and without losing the ability to 
> use ADUC in the future to manage the posix attributes.
> Any ideas / further information you need?

For the AD part (users and groups) I used the classic-upgrade feature.

With that I have the same uid/uidNumber as on my older server.
For the file server I use nslcd to get the uid/uidNumber from AD.

> Thanks for your help!
> cheers
> -henrik
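Both the plan in the question (`rsync --numeric-ids`) and the approach in the reply (classic-upgrade plus nslcd) depend on every account resolving to the same uidNumber on the new file server as on the old one. The script below is an added example, not part of the thread, that checks this before any files are copied; the function names, the sample accounts and the `MIN_UID` cutoff are constructed assumptions.

```sh
#!/bin/sh
# check_uid_map OLD_PASSWD NEW_PASSWD [PREFIX] [MIN_UID]
# OLD_PASSWD: /etc/passwd from the old server; NEW_PASSWD: saved output of
# "getent passwd" on the new file server. PREFIX (winbind domain prefix) and
# MIN_UID (skip system accounts) are assumptions of this example.
check_uid_map() {
    awk -F: -v prefix="${3:-}" -v min="${4:-1000}" '
        FILENAME == ARGV[1] { new_uid[$1] = $3; next }  # entries on new server
        $3 + 0 < min + 0    { next }                    # system accounts
        {
            key = ((prefix $1) in new_uid) ? (prefix $1) : $1
            if (!(key in new_uid)) { print "MISSING", $1, $3; bad++ }
            else if (new_uid[key] != $3) { print "MISMATCH", $1, "old=" $3, "new=" new_uid[key]; bad++ }
            else { print "OK", $1, $3 }
        }
        END { exit (bad > 0) }   # non-zero: a numeric copy would change owners
    ' "$2" "$1"
}

# Constructed sample data: bob was moved into the 10000-20000 range by ADUC,
# carol has no posix attributes (3000000+ range), dave was never created.
sample_old() { cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:2001:2001::/home/alice:/bin/bash
bob:x:2002:2002::/home/bob:/bin/bash
carol:x:2003:2003::/home/carol:/bin/bash
dave:x:2004:2004::/home/dave:/bin/bash
EOF
}
sample_new() { cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
SADOM+alice:*:2001:10000::/home/SADOM/alice:/bin/false
SADOM+bob:*:10001:10000::/home/SADOM/bob:/bin/sh
SADOM+carol:*:3000021:10000::/home/SADOM/carol:/bin/false
EOF
}

demo() {
    tmp=$(mktemp -d) || return 2
    sample_old > "$tmp/old"; sample_new > "$tmp/new"
    rc=0
    check_uid_map "$tmp/old" "$tmp/new" "SADOM+" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "uidNumbers differ: fix them before running rsync --numeric-ids"
```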