[Samba] Howto migrate shares from samba 3 / ADUC changing uid/uidnumber when activating UNIX (posix) attributes

Henrik Langos hlangos-samba at innominate.com
Wed Jun 18 13:38:46 MDT 2014

On 06/18/14 19:53, Rowland Penny wrote:
> On 18/06/14 18:15, Henrik Langos wrote:
>> I also tried to set it all on the command line:
>> samba-tool user create mmuster5 --must-change-at-next-login 
>> --random-password --surname="Muster5" --given-name="Max" 
>> --job-title="Test Victim" --mail-address="mmuster5 at example.com" 
>> --uid=mmuster --uid-number=12345 --gid-number=10001 
>> --home-directory=/foo --login-shell=/bin/bash
>> Still no luck. ADUC waltzes over the uidNumber when I select the NIS 
>> domain and click OK.
> This is where it does what it shouldn't do; it should pull the user's 
> info and use that. What version of Windows is ADUC running on? Is the 
> Windows machine joined to the domain?

Windows 7 pro 32bit running in virtualbox.

It is joined to the domain and ADUC is run by a user who is a member of 
"Domain Admins".

> I know that samba-tool is a bit lacking in the attributes that get 
> added when you add unix attributes with regards to what ADUC adds, but 
> this should not give you the problems you are having.
> How did you provision samba 4 ?

samba-tool domain provision  --use-rfc2307 --interactive 
--function-level=2008_R2 --use-xattrs=yes

> Do you have ldbtools installed ? if so what does this return:
>  ldbsearch -H /var/lib/samba/private/sam.ldb -b 
> "CN=<your-domain>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=com" 
> msSFU30MaxUidNumber
msSFU30MaxUidNumber: 10009

>> Let's assume I can't get ADUC to leave those numbers alone.
> But ADUC should.

Does it leave those numbers alone for you, or do you simply use a 
different way of creating users?

>> - Can I safely use ADUC to change the uidNumber back to the value I 
>> wanted it to have? (e.g. 2047 instead of 10003)
> Well yes
>> - Can I safely change "Domain Users" gidnumber to 513 instead of 
>> having it at 10001 ?
> I wouldn't, it would be inside the unix local range.

Well, anything below 65535 would be in that range. But I see what you mean.
And I guess I can work around that with a
"find /new-share-path -gid 513 -execdir chown :10001 \{\} \;"

>> - I.E. Is there anything I'd need to adjust if my users had 
>> uidNumbers in the 2000-3000 range rather than 10000-20000 range?
> No, but you could set the ADUC range lower.
>> If there is reason to believe that having uid/gid numbers outside the 
>> default range will cause trouble down the road I'd rather have the 
>> work now (something like "find . -uid <olduid> -execdir chown 
>> <newuid> \{\} \;" for each uidnumber and gidnumber) than having to 
>> debug that stuff later.
> I wouldn't think so, there must be lots of other people out there 
> using similar ranges.
I guess I'm a chicken there... I'll try to solve the ADUC problem but in 
the end I might decide to live with the changed uids instead. :-)

>> On a side note: Does it cause any trouble to copy those old files 
>> onto a share and (initially) only have them have the unix owner/group 
>> instead of the whole acl stuff? Is there anything I'd have to do to 
>> "enable" fine grained ACLs on those files, or will samba add those on 
>> demand? (I enabled the necessary file system stuff and made sure it 
>> works on a newly created share.)
> There is a page on the wiki all about the above.

Well, there are quite a lot of pages on the wiki, if you don't mind me 
saying that. ;-)

and there's https://wiki.samba.org/index.php/Setup_and_configure_file_shares

But I haven't found any documentation on how to get from one to the other.
I know I can't use the former, but the latter only deals with new shares.
Not with shares that are already populated by files that don't have the 
extended ACLs.

cheers and thanks!
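Added example, not part of this thread and not Samba project code: the renumbering discussed above (one "find -uid OLD -execdir chown NEW" per id) silently remaps a file twice whenever the NEW id of one mapping is the OLD id of another, which is exactly the situation once ADUC has already handed out ids in the 10000+ range. The script below shows that effect on a constructed file list and then does the job in a single per-file pass instead, so each file's new owner and group are decided from its current ids only once. The ids 2047, 10003, 513 and 10001 are taken from the thread; the paths, the ids 2048, 10004 and 12000, and the function names are constructed for the example.

```python
#!/usr/bin/env python3
"""Plan a uid/gid renumbering for files copied from an old Samba 3 server.

Example code added to the thread, not from Samba. Each file is inspected
once and its new owner/group decided from its *current* ids, so chained
mappings (2047 -> 10003 -> 12000) cannot double-remap a file the way a
sequence of per-id find/chown runs can. All sample data is constructed.
"""
import os
import sys
from typing import Dict, Iterable, Iterator, List, Tuple

Entry = Tuple[str, int, int]  # (path, uid, gid)

# Constructed sample: what os.lstat would report on a freshly copied share.
SAMPLE_FILES: List[Entry] = [
    ("/srv/share/a.txt", 2047, 513),
    ("/srv/share/b.txt", 10003, 513),
    ("/srv/share/c.txt", 2048, 10001),
]

# old id -> new id; constructed so that 10003 is both a target and a source.
UID_MAP: Dict[int, int] = {2047: 10003, 10003: 12000, 2048: 10004}
GID_MAP: Dict[int, int] = {513: 10001}


def chain_collisions(mapping: Dict[int, int]) -> List[int]:
    """Ids that are the target of one mapping and the source of another.

    For these ids a per-id series of find/chown runs is order dependent:
    a file just remapped *to* such an id is picked up again by the later
    find that remaps *from* it.
    """
    return sorted(set(mapping.values()) & set(mapping.keys()))


def sequential_find_result(files: Iterable[Entry], uid_map: Dict[int, int]) -> Dict[str, int]:
    """Simulate 'find -uid OLD -execdir chown NEW' run once per mapping, in order.

    Returns the final uid per path; shows the double-remap problem.
    """
    owners = {path: uid for path, uid, _gid in files}
    for old, new in uid_map.items():
        for path, uid in list(owners.items()):
            if uid == old:
                owners[path] = new
    return owners


def plan_chown(files: Iterable[Entry], uid_map: Dict[int, int],
               gid_map: Dict[int, int]) -> List[Entry]:
    """Single pass: decide (new_uid, new_gid) from each file's current ids.

    Returns (path, new_uid, new_gid) only for files that actually change.
    """
    plan: List[Entry] = []
    for path, uid, gid in files:
        new_uid = uid_map.get(uid, uid)
        new_gid = gid_map.get(gid, gid)
        if (new_uid, new_gid) != (uid, gid):
            plan.append((path, new_uid, new_gid))
    return plan


def scan_tree(root: str) -> Iterator[Entry]:
    """Yield (path, uid, gid) for root and everything below it, never following symlinks."""
    st = os.lstat(root)
    yield root, st.st_uid, st.st_gid
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            yield path, st.st_uid, st.st_gid


def apply_plan(plan: Iterable[Entry], dry_run: bool = True) -> int:
    """Apply (or just print) the plan with lchown so symlinks are not followed."""
    count = 0
    for path, uid, gid in plan:
        if dry_run:
            print(f"chown -h {uid}:{gid} {path}")
        else:
            os.lchown(path, uid, gid)  # needs root on a real share
        count += 1
    return count


if __name__ == "__main__":
    print("order-dependent ids in UID_MAP:", chain_collisions(UID_MAP))
    print("per-id find/chown result:", sequential_find_result(SAMPLE_FILES, UID_MAP))
    files = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    apply_plan(plan_chown(files, UID_MAP, GID_MAP), dry_run=True)
```

Run it with no arguments to see the constructed sample; give it a share path to print the chown commands for a real tree (it only prints unless you change dry_run). Note that the per-file pass still does not fix ACL entries that name the old ids; those need a separate setfacl pass once the POSIX ACLs are in place.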
