[Samba] Howto migrate shares from samba 3 / ADUC changing uid/uidnumber when activating UNIX (posix) attributes

Henrik Langos hlangos-samba@innominate.com
Wed Jun 18 11:15:21 MDT 2014

On 06/18/14 17:37, Rowland Penny wrote:
> OK, could you give 'Domain Users' a gidNumber, then give one of your 
> users this gidNumber, then look at the user in the ADUC UNIX 
> Attributes tab.
> I think that this is your problem, I am willing to bet that all of 
> your users shown by getent have the group number '100'. If you could 
> go to another unix machine that was a member server using winbind and 
> ran getent, you would not get any domain users displayed.

Hi Rowland,

Sorry to have you chase that red herring.

I already gave the Domain Users group a gidNumber. Otherwise I wouldn't 
be able to click OK in ADUC when setting the NIS Domain. You have to 
have a group with a gidNumber and that then becomes the default group 
that is selected in ADUC when I select a NIS Domain.

I also tried to set it all on the command line:

samba-tool user create mmuster5 --must-change-at-next-login \
    --random-password --surname="Muster5" --given-name="Max" \
    --job-title="Test Victim" --mail-address="mmuster5@example.com" \
    --uid=mmuster --uid-number=12345 --gid-number=10001 \
    --home-directory=/foo --login-shell=/bin/bash

Still no luck. ADUC waltzes over the uidNumber when I select the NIS 
domain and click OK.

Let's assume I can't get ADUC to leave those numbers alone.

- Can I safely use ADUC to change the uidNumber back to the value I 
wanted it to have? (e.g. 2047 instead of 10003)

- Can I safely change the "Domain Users" gidNumber to 513 instead of having 
it at 10001?

- I.e. is there anything I'd need to adjust if my users had uidNumbers 
in the 2000-3000 range rather than in the 10000-20000 range?

If there is reason to believe that having uid/gid numbers outside the 
default range will cause trouble down the road, I'd rather do the work 
now (something like "find . -uid <olduid> -execdir chown <newuid> \{\} 
\;" for each uidNumber and gidNumber) than have to debug that stuff later.

On a side note: does it cause any trouble to copy those old files onto a 
share and (initially) only give them the unix owner/group instead of 
the whole ACL stuff? Is there anything I'd have to do to "enable" 
fine-grained ACLs on those files, or will samba add those on demand? (I 
enabled the necessary file system stuff and made sure it works on a 
newly created share.)

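The renumbering the message sketches ("find -uid <olduid> -exec chown <newuid>" once per id) has a trap when the old and new ranges overlap: if 10003 becomes 2047 and some other account moves into 10003, a second find pass picks up the files that were just renumbered and moves them again. The script below is an added example, not code from the thread or from the Samba project. It makes one pass over the tree, looks up both the uid and the gid of every object in a mapping file, and issues a single chown per object, so each file is rewritten exactly once regardless of how the ranges overlap. The function name remap_ids, the mapping-file format ("u OLD NEW" / "g OLD NEW") and the dry-run default are this example's own conventions; it assumes GNU find (-printf) and chown -h, as found on a Linux Samba host.

```shell
#!/bin/sh
# Added example (not from the thread): renumber file owners/groups on a tree
# in a single pass so overlapping old/new id ranges are not remapped twice.
#
# usage: remap_ids MAPFILE ROOT [apply]
#   MAPFILE lines: "u OLD NEW" (uid) or "g OLD NEW" (gid); '#' comments allowed.
#   Without "apply", the chown commands are printed instead of executed.
# Assumes GNU find (-printf) and chown -h. Paths containing tab or newline
# characters are not supported by this simple tab-separated pipeline.

remap_ids() {
    mapfile=$1; root=$2; mode=${3:-dry-run}
    tab=$(printf '\t')

    # One find pass lists "uid<TAB>gid<TAB>path" for every object (symlinks
    # included, because find is not run with -L; chown -h below renumbers
    # the link itself rather than its target).
    find "$root" -printf "%U${tab}%G${tab}%p\n" |
    awk -F"$tab" -v mapfile="$mapfile" '
    BEGIN {
        # Load the uid and gid mappings into two lookup tables.
        while ((getline line < mapfile) > 0) {
            sub(/^[ \t]+/, "", line)
            if (line ~ /^(#|$)/) continue
            n = split(line, f, /[ \t]+/)
            if (n != 3 || (f[1] != "u" && f[1] != "g")) {
                print "bad mapping line: " line > "/dev/stderr"; exit 2
            }
            if (f[1] == "u") umap[f[2]] = f[3]; else gmap[f[2]] = f[3]
        }
    }
    {
        uid = $1; gid = $2
        path = substr($0, length(uid) + length(gid) + 3)
        # Both ids are resolved from the ORIGINAL values, so a file whose
        # new uid happens to equal some other old uid is not touched again.
        nu = (uid in umap) ? umap[uid] : uid
        ng = (gid in gmap) ? gmap[gid] : gid
        if (nu == uid && ng == gid) next
        print nu ":" ng "\t" path
    }' |
    while IFS="$tab" read -r ids path; do
        if [ "$mode" = apply ]; then
            chown -h "$ids" "$path"
        else
            printf 'chown -h %s %s\n' "$ids" "$path"
        fi
    done
}
```

Run it first without "apply" and review the printed commands; only then run it with "apply" as root on the share root. One caveat worth knowing before copying the old files: chown rewrites only the owner and group. Named entries in a POSIX ACL (user:10003:rwx, group:10001:r-x) keep their old numeric ids and have to be rewritten separately with getfacl/setfacl after the renumbering.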
