[Samba] Howto migrate shares from samba 3 / ADUC changing uid/uidnumber when activating UNIX (posix) attributes
rowlandpenny at googlemail.com
Wed Jun 18 08:42:43 MDT 2014
On 18/06/14 14:47, Henrik Langos wrote:
> I've been using Samba 3 (standalone server, workgroup setup) for a
> long looong time and now I want to migrate to Samba 4 AD DC setup with
> clients joined to the newly created AD domain and all the bells and
> whistles that come with it.
> I've set up an AD DC (Debian wheezy with samba from backports) that
> will only handle authentication and a second AD DC that will also
> serve shares. Replication between those works fine. Group policies
> work. Even roaming profiles. So far so good.
> Now I'd like to transfer all files from the current shares that only
> have user/group information (no xattr / ACLs) onto the new shares server.
> I tried to create the users using samba-tool and giving "--uid" and
> "--uid-number" as parameters.
> This apparently works nicely and (thanks to winbind) I can see those
> users on the shares server with exactly the uidNumber (in the
> 2000-3000 range) that I've provided on the "samba-tool user create"
> command line, using "getent passwd".
> My plan was to simply run "rsync --numeric-ids" to copy the content of
> those old shares over to the new shares server. I'd have to use
> "--numeric-ids" since winbind will make the users visible to linux as
> "SADOM+user" instead of simply "user".
> However, if I use ADUC and activate the "Unix Attributes" (selecting a
> "NIS Domain" to do so) for a user, the uidNumber, uid, and loginShell
> attributes get overwritten. The uidNumber visible via winbind and
> ldapsearch changes to something in the "10000-20000" range, uid
> changes to the Windows username (currently that is not an issue as
> they are the same but it may become one) and login shell changes to
> the one visible in ADUC.
This is what I 'think' is happening: ADUC cannot find the
'msSFU30MaxUidNumber' & 'msSFU30MaxGidNumber' attributes, they are not
in the standard samba4 AD, so ADUC falls back to 10000 (Windows
standard) and is ignoring whatever is in a user's AD, but it shouldn't
do this. Is there any chance of posting a user's ldif from your AD? This
should be one of your users created by samba-tool and not trampled on by
> If I change back (deselecting the NIS Domain) then ldapsearch shows
> that those attributes are gone and "getent passwd" will report a uid
> number in the 3000000+ range. (As if they never had any posix
I think that what you are doing here is: selecting the nisdomain,
deselecting the nisdomain, then clicking the 'OK' button. This will (I am
fairly sure) remove all unix attributes from a user. Have you tried the
cancel button?
> ADUC is currently not the way I do user administration but I may not
> stay the only System Administrator and Windows-trained administrators
> will certainly want to use it. Changing uid numbers sometime later
> seems like a very bad idea thus my question on how to do it right the
> first time.
> I'd like to know how to best migrate those shares without losing the
> ownership information and timestamps, and without losing the ability
> to use ADUC in the future to manage the posix attributes.
The timestamps shouldn't be a problem. I frequently destroy my test
samba4 domain and start again; I use a laptop to connect to the domain
and have had to join this to the new domain every time. A quick chown
resets the user of the files in 'my' directory and does not touch the
> Any ideas / further information you need?
> Thanks for your help!
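The thread turns on whether each account still carries the uidNumber that
"samba-tool user create --uid-number" assigned, or whether ADUC's UNIX
Attributes tab has rewritten it, since "rsync --numeric-ids" will faithfully
copy ownership onto whatever id is in the directory at that moment. The
script below is an added example, not code from the thread or from the Samba
project: it parses the output of an "ldapsearch -LLL" dump of the user
entries and flags accounts whose POSIX attributes are missing, outside the
expected range, or show signs of the ADUC rewrite. The 2000-3000 range is
taken from the poster's description; the three LDIF entries, the
DC=sadom,DC=example base DN and the function names are constructed for the
example.

```python
import base64
from typing import Dict, List

# Constructed sample LDIF (not from the thread), in the shape "ldapsearch -LLL"
# prints entries. alice keeps the uidNumber set with samba-tool, bob has been
# rewritten by the ADUC UNIX Attributes tab (10000+ range, NIS domain set) and
# carol never had any POSIX attributes at all.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=sadom,DC=example
sAMAccountName: alice
uid: alice
uidNumber: 2001
gidNumber: 2000
loginShell: /bin/bash

dn: CN=bob,CN=Users,DC=sadom,DC=example
sAMAccountName: bob
uid: bob
uidNumber: 10001
gidNumber: 10000
loginShell: /bin/false
msSFU30NisDomain: sadom

dn: CN=carol,CN=Users,DC=sadom,DC=example
sAMAccountName: carol
"""

Entry = Dict[str, List[str]]  # lower-cased attribute name -> list of values


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF text into one dict per entry.

    Handles folded lines (a leading space continues the previous line) and
    base64 values ("attr:: ..."). Attribute names are lower-cased because
    LDAP attribute names are case-insensitive.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def audit_posix_attrs(entries: List[Entry], lo: int = 2000, hi: int = 3000) -> Dict[str, List[str]]:
    """Return {sAMAccountName: [problem, ...]} for accounts not safe to migrate.

    lo..hi is the uidNumber range handed out on the samba-tool command line;
    anything else is either missing or was assigned by another tool (ADUC).
    """
    findings: Dict[str, List[str]] = {}
    for e in entries:
        name = e.get("samaccountname", ["<no sAMAccountName>"])[0]
        problems: List[str] = []

        uidnum = e.get("uidnumber")
        if uidnum is None:
            problems.append("no uidNumber: rsync --numeric-ids would leave files owned by an id no AD user maps to")
        else:
            n = int(uidnum[0])
            if not lo <= n <= hi:
                problems.append(f"uidNumber {n} is outside {lo}-{hi}: not the samba-tool value, possibly rewritten by ADUC")

        uid = e.get("uid")
        if uid is not None and uid[0] != name:
            problems.append(f"uid '{uid[0]}' differs from sAMAccountName '{name}'")

        if "mssfu30nisdomain" in e:
            problems.append(f"msSFU30NisDomain={e['mssfu30nisdomain'][0]}: UNIX Attributes tab has been used on this account")

        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for user, problems in audit_posix_attrs(parse_ldif(SAMPLE_LDIF)).items():
        for p in problems:
            print(f"{user}: {p}")
```

Run it against a real dump by replacing SAMPLE_LDIF with the output of
ldapsearch over the Users container before starting the rsync; an empty
result means every account's uidNumber is still the one you assigned, so the
copied ownership will land on the intended users.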