[Samba] Howto migrate shares from samba 3 / ADUC changing uid/uidnumber when activating UNIX (posix) attributes

Henrik Langos hlangos-samba at innominate.com
Wed Jun 18 08:41:14 MDT 2014

Hi Stéphane,

On 06/18/14 16:12, Stéphane PURNELLE wrote:
> Hi
> Answer in the text
> -----------------------------------
> Stéphane PURNELLE                         Systems and Network Admin.
> IT Department       Corman S.A.           Tel : 00 32 (0)87/342467
> samba-bounces at lists.samba.org wrote on 18/06/2014 15:47:38:
>> From: Henrik Langos <hlangos-samba at innominate.com>
>> To: samba at lists.samba.org,
>> Date: 18/06/2014 15:48
>> Subject: [Samba] Howto migrate shares from samba 3 / ADUC changing
>> uid/uidnumber when activating UNIX (posix) attributes
>> Sent by: samba-bounces at lists.samba.org
>> Hi,
>> I've been using Samba 3 (standalone server, workgroup setup) for a long
>> looong time and now I want to migrate to Samba 4 AD DC setup with
>> clients joined to the newly created AD domain and all the bells and
>> whistles that come with it.
>> I've set up an AD DC (Debian wheezy with samba from backports) that will
>> only handle authentication and a second AD DC that will also serve
>> shares. Replication between those works fine. Group policies work. Even
>> roaming profiles. So far so good.
> Why a second DC for that?
> A simple samba 4 as file-server would be better for that

Reliability and scalability.
- I wanted to make sure that the whole replication business works.
- In case the primary AD goes down I want to make sure the shares server 
can keep working.
- In case I have to take the shares server down, I want authentication 
to continue to work.
- If the shares server is under heavy load I don't want the 
authentication to suffer.

I have a separate LDAP/Kerberos infrastructure already and if the whole 
thing works reliably I may even move those functions to the samba 
cluster some day.

>> I'd like to know how to best migrate those shares without losing the
>> ownership information and timestamps, and without losing the ability to
>> use ADUC in the future to manage the posix attributes.
>> Any ideas / further information you need?
> For the AD part (user and group) I used the classic-upgrade feature
> https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29
> With that I have the same uid/uidNumber as my older server
> For the file-server I use nslcd to get uid/uidnumber from AD

My current Samba server is a standalone Samba 3 server (security = user)
with the user information stored in LDAP.
I think the classic-upgrade only works if you have an NT4 domain, doesn't it?
In my case there is no prior domain.

Also I'd like to avoid messing with the current server to
A) have a fallback option if things go horribly wrong, and
B) to have a clean start without a lot of legacy data lurking in the 

(There are lots of LDAP attributes in user objects on that old LDAP
server that never got used because of "security = user" and I wouldn't
want that mostly unmaintained data to suddenly become "active".)

