[Samba] Howto migrate shares from samba 3 / ADUC changing uid/uidnumber when activating UNIX (posix) attributes

Rowland Penny rowlandpenny at googlemail.com
Wed Jun 18 11:53:39 MDT 2014

On 18/06/14 18:15, Henrik Langos wrote:
> On 06/18/14 17:37, Rowland Penny wrote:
>> OK, could you give 'Domain Users' a gidNumber, then give one of your 
>> users this gidNumber, then look at the user in the ADUC UNIX 
>> Attributes tab.
>> I think that this is your problem, I am willing to bet that all of 
>> your users shown by getent have the group number '100'. If you could 
>> go to another unix machine that was a member server using winbind and 
>> ran getent, you would not get any domain users displayed.
> Hi Rowland,
> Sorry to have you chase that red herring.

No problem

> I already gave the Domain Users group a gidNumber. Otherwise I 
> wouldn't be able to click OK in ADUC when setting the NIS Domain. You 
> have to have a group with a gidNumber and that then becomes the 
> default group that is selected in ADUC when I select a NIS Domain.

OK, this I understand

> I also tried to set it all on the command line:
> samba-tool user create mmuster5 --must-change-at-next-login 
> --random-password --surname="Muster5" --given-name="Max" 
> --job-title="Test Victim" --mail-address="mmuster5 at example.com" 
> --uid=mmuster --uid-number=12345 --gid-number=10001 
> --home-directory=/foo --login-shell=/bin/bash
> Still no luck. ADUC waltzes over the uidNumber when I select the NIS 
> domain and click OK.

This is where it does what it shouldn't do, it should pull the users 
info and use that. What version of windows is ADUC running on ? is the 
windows machine joined to the domain ?

I know that samba-tool is a bit lacking in the attributes that get added 
when you add unix attributes with regards to what ADUC adds, but this 
should not give you the problems you are having.

How did you provision samba 4 ?

Do you have ldbtools installed ? if so what does this return:

  ldbsearch -H /var/lib/samba/private/sam.ldb -b 

> Let's assume I can't get ADUC to leave those numbers alone.

But ADUC should.

> - Can I safely use ADUC to change the uidNumber back to the value I 
> wanted it to have? (e.g. 2047 instead of 10003)

Well yes

> - Can I safely change "Domain Users" gidnumber to 513 instead of 
> having it at 10001 ?

I wouldn't , it would be inside the unix local range.

> - I.E. Is there anything I'd need to adjust if my users had uidNumbers 
> in the 2000-3000 range rather than 10000-20000 range?

No, but you could set the ADUC range lower.

> If there is reason to believe that having uid/gid numbers outside the 
> default range will cause trouble down the road I'd rather have the 
> work now (something like "find . -uid <olduid> -execdir chown <newuid> 
> \{\} \;" for each uidnumber and gidnumber) than having to debug that 
> stuff later.

I wouldn't think so, there must be lots of other people out there using 
similar ranges.

> On a side note: Does it cause any trouble to copy those old files onto 
> a share and (initially) only have them have the unix owner/group 
> instead of the whole acl stuff? Is there anything I'd have to do to 
> "enable" fine grained ACLs on those files, or will samba add those on 
> demand? (I enabled the necessary file system stuff and made sure it 
> works on a newly created share.)

There is a page on the wiki all about the above.


> cheers
> -henrik

More information about the samba mailing list