[Samba] Howto migrate shares from samba 3 / ADUC changing uid/uidnumber when activating UNIX (posix) attributes

Rowland Penny rowlandpenny at googlemail.com
Wed Jun 18 08:42:43 MDT 2014

On 18/06/14 14:47, Henrik Langos wrote:
> Hi,
> I've been using Samba 3 (standalone server, workgroup setup) for a 
> long looong time and now I want to migrate to Samba 4 AD DC setup with 
> clients joined to the newly created AD domain and all the bells and 
> whistles that come with it.
> I've set up an AD DC (Debian wheezy with samba from backports) that 
> will only handle authentication and a second AD DC that will also 
> serve shares. Replication between those works fine. Group policies 
> work. Even roaming profiles. So far so good.
> Now I'd like to transfer all files from the current shares that only 
> have user/group information (no xattr / ACLs) onto the new shares server.
> I tried to create the users using samba-tool and giving "--uid" and 
> "--uid-number" as parameters.
> This apparently works nicely and (thanks to winbind) I can see those 
> users on the shares server with exactly the uidNumber (in the 
> 2000-3000 range) that I've provided on the "samba-tool user create" 
> command line, using "getent passwd".
> My plan was to simply run "rsync --numeric-ids" to copy the content of 
> those old shares over to the new shares server. I'd have to use 
> "--numeric-ids" since winbind will make the users visible to linux as 
> "SADOM+user" instead of simply "user".
> However, if I use ADUC and activate the "Unix Attributes" (selecting a 
> "NIS Domain" to do so) for a user, the uidNumber, uid, and loginShell 
> attributes get overwritten. The uidNumber visible via winbind and 
> ldapsearch changes to something in the "10000-20000" range, uid 
> changes to the Windows username (currently that is not an issue as 
> they are the same but it may become one) and login shell changes to 
> the one visible in ADUC.

This is what I 'think' is happening: ADUC cannot find the 
'msSFU30MaxUidNumber' & 'msSFU30MaxGidNumber' attributes, they are not 
in the standard samba4 AD, so ADUC falls back to 10000 (windows 
standard) and is ignoring whatever is in a user's AD, but it shouldn't 
do this. Is there any chance of posting a user's ldif from your AD? This 
should be one of your users created by samba-tool and not trampled on by 

> If I change back (deselecting the NIS Domain) then ldapsearch shows 
> that those attributes are gone and "getent passwd" will report a uid 
> number in the 3000000+ range. (As if they never had any posix 
> attributes.)

I think that what you are doing here is: selecting the nisdomain, 
deselecting the nisdomain, then clicking the 'OK' button. This will (I am 
fairly sure) remove all unix attributes from a user. Have you tried the 
cancel button?

> ADUC is currently not the way I do user administration but I may not 
> stay the only System Administrator and Windows-trained administrators 
> will certainly want to use it. Changing uid numbers sometime later 
> seems like a very bad idea thus my question on how to do it right the 
> first time.
> I'd like to know how to best migrate those shares without losing the 
> ownership information and timestamps, and without losing the ability 
> to use ADUC in the future to manage the posix attributes.

The timestamps shouldn't be a problem. I frequently destroy my test 
samba4 domain and start again. I use a laptop to connect to the domain 
and have had to join this to the new domain every time; a quick chown 
resets the user of the files in 'my' directory and does not touch the 


> Any ideas / further information you need?
> Thanks for your help!
> cheers
> -henrik
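A pre-flight check for the migration discussed in this thread (users created with matching uid numbers, then `rsync --numeric-ids`), added here as an example that is not from either poster: it compares the old server's passwd map against what winbind shows on the new shares server, so that a uidNumber silently rewritten by ADUC is caught before the copy. The maps, the `SADOM+` prefix and the user names are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: before "rsync --numeric-ids" copies the
# old shares, confirm every uid/gid from the Samba 3 box still resolves to the
# same numbers on the new shares server through winbind ("SADOM+user").
# The two maps below are constructed samples standing in for the old
# /etc/passwd and for "getent passwd" on the new server; the domain prefix
# SADOM+ and the user names are assumptions.

OLD_PASSWD='alice:x:2001:2001:Alice:/home/alice:/bin/bash
bob:x:2002:2001:Bob:/home/bob:/bin/bash
carol:x:2003:2001:Carol:/home/carol:/bin/bash'

# bob's uidNumber was rewritten into the 10000+ range (the ADUC behaviour
# described above); carol lost her posix attributes and fell back to the
# winbind idmap range.
NEW_PASSWD='SADOM+alice:*:2001:2001:Alice:/home/SADOM/alice:/bin/false
SADOM+bob:*:10000:2001:Bob:/home/SADOM/bob:/bin/false
SADOM+carol:*:3000012:3000001:Carol:/home/SADOM/carol:/bin/false'

# check_uid_map OLD_MAP NEW_MAP PREFIX
# Prints one line per user whose uid:gid changed or who is not visible on
# the new server; returns 1 if any such user exists, 0 when all match.
check_uid_map() {
    old=$1 new=$2 prefix=$3 rc=0
    while IFS=: read -r user _ uid gid _; do
        [ -n "$user" ] || continue
        newids=$(printf '%s\n' "$new" |
            awk -F: -v u="$prefix$user" '$1 == u { print $3 ":" $4 }')
        if [ -z "$newids" ]; then
            echo "MISSING  $user: old $uid:$gid, not resolvable via winbind"; rc=1
        elif [ "$newids" != "$uid:$gid" ]; then
            echo "MISMATCH $user: old $uid:$gid, new $newids"; rc=1
        fi
    done <<EOF
$old
EOF
    return $rc
}

if check_uid_map "$OLD_PASSWD" "$NEW_PASSWD" "SADOM+"; then
    echo "uid/gid map consistent: safe to rsync --numeric-ids"
else
    echo "fix the users above (samba-tool user create --uid-number ...) first"
fi
```

On a real pair of servers, feed it the old `/etc/passwd` and the output of `getent passwd` from the new shares server instead of the embedded samples.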
