[Samba] Howto migrate shares from samba 3 / ADUC changing uid/uidnumber when activating UNIX (posix) attributes

Rowland Penny rowlandpenny at googlemail.com
Wed Jun 18 09:37:51 MDT 2014

On 18/06/14 16:25, Henrik Langos wrote:
> On 06/18/14 16:42, Rowland Penny wrote:
>> On 18/06/14 14:47, Henrik Langos wrote:
>>> Hi,
>>> I've been using Samba 3 (standalone server, workgroup setup) for a 
>>> long looong time and now I want to migrate to Samba 4 AD DC setup 
>>> with clients joined to the newly created AD domain and all the bells 
>>> and whistles that come with it.
>>> I've setup an AD DC (Debian wheezy with samba from backports) that 
>>> will only handle authentication and a second AD DC that will also 
>>> serve shares. Replication between those works fine. Group policies 
>>> work. Even roaming profiles. So far so good.
>>> Now I'd like to transfer all files from the current shares that only 
>>> have user/group information (no xattr / ACLs) onto the new shares 
>>> server.
>>> I tried to create the users using samba-tool and giving "--uid" and 
>>> "--uid-number" as parameters.
>>> This apparently works nicely and (thanks to winbind) I can see those 
>>> users on the shares server with exactly the uidNumber (in the 
>>> 2000-3000 range) that I've provided on the "samba-tool user create" 
>>> command line, using "getent passwd".
>>> My plan was to simply run "rsync --numeric-ids" to copy the content 
>>> of those old shares over to the new shares server. I'd have to use 
>>> "--numeric-ids" since winbind will make the users visible to linux 
>>> as "SADOM+user" instead of simply "user".
>>> However, if I use ADUC and activate the "Unix Attributes" (selecting 
>>> a "NIS Domain" to do so) for a user, the uidNumber, uid, and 
>>> loginShell attributes get overwritten. The uidNumber visible via 
>>> winbind and ldapsearch changes to something in the "10000-20000" 
>>> range, uid changes to the Windows username (currently that is not an 
>>> issue as they are the same but it may become one) and login shell 
>>> changes to the one visible in ADUC.
>> This is what I 'think' is happening, ADUC cannot find the 
>> 'msSFU30MaxUidNumber' & 'msSFU30MaxGidNumber' attributes, they are 
>> not in the standard samba4 AD, so ADUC falls back to 10000 (windows 
>> standard) and is ignoring what ever is in a users AD, but it 
>> shouldn't do this. Is there any chance of posting a users ldif from 
>> your AD, this should be one of your users created by samba-tool and 
>> not trampled on by ADUC.
> Sure.
> dn: CN=Max Muster2,CN=Users,DC=ads,DC=example,DC=local
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Max Muster2
> sn: Muster2
> title: Test Victim
> givenName: Max
> instanceType: 4
> whenCreated: 20140618144830.0Z
> whenChanged: 20140618144830.0Z
> displayName: Max Muster2
> uSNCreated: 3941
> uSNChanged: 3941
> name: Max Muster2
> objectGUID:: GtsjVXJz1EelQ65V8QKgRg==
> userAccountControl: 512
> codePage: 0
> countryCode: 0
> pwdLastSet: 0
> primaryGroupID: 513
> accountExpires: 9223372036854775807
> sAMAccountName: mmuster2
> sAMAccountType: 805306368
> userPrincipalName: mmuster2 at ads.example.local
> objectCategory: 
> CN=Person,CN=Schema,CN=Configuration,DC=ads,DC=example,DC=l
>  ocal
> uid: mmuster
> mail: mmuster2 at example.com
> uidNumber: 2345
> distinguishedName: CN=Max Muster2,CN=Users,DC=ads,DC=example,DC=local
> And before you ask here's the diff:
> # diff -u muster2*
> --- muster2a    2014-06-18 17:18:48.000000000 +0200
> +++ muster2b    2014-06-18 17:19:05.000000000 +0200
> @@ -10,10 +10,8 @@
>  givenName: Max
>  instanceType: 4
>  whenCreated: 20140618144830.0Z
> -whenChanged: 20140618144830.0Z
>  displayName: Max Muster2
>  uSNCreated: 3941
> -uSNChanged: 3941
>  name: Max Muster2
>  objectGUID:: GtsjVXJz1EelQ65V8QKgRg==
>  userAccountControl: 512
> @@ -28,8 +26,16 @@
>  userPrincipalName: mmuster2 at ads.example.local
>  objectCategory: 
> CN=Person,CN=Schema,CN=Configuration,DC=ads,DC=example,DC=l
>   ocal
> -uid: mmuster
>  mail: mmuster2 at example.com
> -uidNumber: 2345
> +whenChanged: 20140618151020.0Z
> +uSNChanged: 3948
> +unixUserPassword: ABCD!efgh12345$67890
> +uid: mmuster2
> +msSFU30Name: mmuster2
> +msSFU30NisDomain: example
> +uidNumber: 10007
> +gidNumber: 10001
> +unixHomeDirectory: /home/mmuster2
> +loginShell: /bin/sh
>  distinguishedName: CN=Max Muster2,CN=Users,DC=ads,DC=example,DC=local
> #
> I also just tried to create a user with --uid-number=12345 (well in 
> the default range I guess) and that also got replaced by 10008 when 
> selecting a nis domain in ADUC.
> BTW: ADUC trampling on the user does gain him some attributes that 
> samba-tool apparently doesn't set (even if adding "--home-directory", 
> "--gid-number", and "--login-shell" to the command line):
> +unixUserPassword: ABCD!efgh12345$67890
> +msSFU30Name: mmuster2
> +msSFU30NisDomain: example
> +unixHomeDirectory: /home/mmuster2
> Maybe having samba-tool add those attributes would stop ADUC from 
> assuming it can trample all over the other attributes?
>>> If I change back (deselecting the NIS Domain) then ldapsearch shows 
>>> that those attributes are gone and "getent passwd" will report a uid 
>>> number in the 3000000+ range. (As if they never had any posix 
>>> attributes.)
>> I think that what you are doing here is: selecting the nisdomain, 
>> deselecting the nisdomain then clicking the 'OK' button, this will (I 
>> am fairly sure) remove all unix attributes from a user, have you 
>> tried the cancel button ??
> Yes, that is exactly what happens. If I cancel, ADUC leaves those 
> attributes alone. I just put that case in to make clear that there was 
> no easy way back to the uid numbers that I gave samba-tool, once ADUC 
> had set its own.
>>> ADUC is currently not the way I do user administration but I may not 
>>> stay the only System Administrator and Windows-trained 
>>> administrators will certainly want to use it. Changing uid numbers 
>>> sometime later seems like a very bad idea thus my question on how to 
>>> do it right the first time.
>>> I'd like to know how to best migrate those shares without losing the 
>>> ownership information and timestamps, and without losing the ability 
>>> to use ADUC in the future to manage the posix attributes.
>> The timestamps shouldn't be a problem, I frequently destroy my test 
>> samba4 domain and start again, I use a laptop to connect to the 
>> domain and have had to join this to the new domain every time, a 
>> quick chown resets the user of the files in 'my' directory and does 
>> not touch the timestamps.
> Sadly I can't do a quick chown here since I want to preserve ownership 
> of files on shares that are used by several people.
> Also, AFAIK making changes to the ownership of files changes the 
> modified timestamp on the directory they reside in.
> I'd like to avoid that.
> cheers
> -henrik
OK, could you give 'Domain Users' a gidNumber, then give one of your 
users this gidNumber, then look at the user in the ADUC UNIX Attributes tab.

I think that this is your problem, I am willing to bet that all of your 
users shown by getent have the group number '100'. If you could go to 
another unix machine that was a member server using winbind and ran 
getent, you would not get any domain users displayed.


More information about the samba mailing list