[Samba] Howto migrate shares from samba 3 / ADUC changing uid/uidnumber when activating UNIX (posix) attributes

Henrik Langos hlangos-samba at innominate.com
Wed Jun 18 13:38:46 MDT 2014


On 06/18/14 19:53, Rowland Penny wrote:
> On 18/06/14 18:15, Henrik Langos wrote:
>> I also tried to set it all on the command line:
>>
>> samba-tool user create mmuster5 --must-change-at-next-login 
>> --random-password --surname="Muster5" --given-name="Max" 
>> --job-title="Test Victim" --mail-address="mmuster5 at example.com" 
>> --uid=mmuster --uid-number=12345 --gid-number=10001 
>> --home-directory=/foo --login-shell=/bin/bash
>>
>> Still no luck. ADUC waltzes over the uidNumber when I select the NIS 
>> domain and click OK.
>
> This is where it does what it shouldn't do, it should pull the users 
> info and use that. What version of windows is ADUC running on ? is the 
> windows machine joined to the domain ?

Windows 7 pro 32bit running in virtualbox.

It is joined to the domain and ADUC is run by a user who is a member of 
"Domain Admins".


>
> I know that samba-tool is a bit lacking in the attributes that get 
> added when you add unix attributes with regards to what ADUC adds, but 
> this should not give you the problems you are having.
>
> How did you provision samba 4 ?

samba-tool domain provision  --use-rfc2307 --interactive 
--function-level=2008_R2 --use-xattrs=yes

>
> Do you have ldbtools installed ? if so what does this return:
>
>  ldbsearch -H /var/lib/samba/private/sam.ldb -b 
> "CN=<your-domain>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=com" 
> msSFU30MaxUidNumber
>
>
msSFU30MaxUidNumber: 10009

>>
>>
>>
>> Let's assume I can't get ADUC to leave those numbers alone.
>
> But ADUC should.

Does it leave those numbers alone for you, or do you simply use a 
different way of creating users?

>
>>
>> - Can I safely use ADUC to change the uidNumber back to the value I 
>> wanted it to have? (e.g. 2047 instead of 10003)
>
> Well yes
>
>>
>>
>> - Can I safely change "Domain Users" gidnumber to 513 instead of 
>> having it at 10001 ?
>
> I wouldn't , it would be inside the unix local range.

Well, anything below 65535 would be in that range. But I see what you mean.
And I guess I can work around that with a
"find /new-share-path -gid 513 -execdir chown :10001 \{\} \;"

>
>>
>> - I.E. Is there anything I'd need to adjust if my users had 
>> uidNumbers in the 2000-3000 range rather than 10000-20000 range?
>
> No, but you could set the ADUC range lower.
>
>>
>> If there is reason to believe that having uid/gid numbers outside the 
>> default range will cause trouble down the road I'd rather have the 
>> work now (something like "find . -uid <olduid> -execdir chown 
>> <newuid> \{\} \;" for each uidnumber and gidnumber) than having to 
>> debug that stuff later.
>
> I wouldn't think so, there must be lots of other people out there 
> using similar ranges.
>
I guess I'm a chicken there... I'll try to solve the ADUC problem but in 
the end I might decide to live with the changed uids instead. :-)


>>
>> On a side note: Does it cause any trouble to copy those old files 
>> onto a share and (initially) only have them have the unix owner/group 
>> instead of the whole acl stuff? Is there anything I'd have to do to 
>> "enable" fine grained ACLs on those files, or will samba add those on 
>> demand? (I enabled the necessary file system stuff and made sure it 
>> works on a newly created share.)
>>
>
> There is a page on the wiki all about the above.

Well, there are quite a lot of pages on the wiki, if you don't mind me 
saying that. ;-)

There's 
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_POSIX_ACLs
and there's https://wiki.samba.org/index.php/Setup_and_configure_file_shares

But I haven't found any documentation on how to get from one to the other.
I know I can't use the former, but the latter only deals with new shares.
Not with shares that are already populated by files that don't have the 
extended ACLs.

cheers and thanks!

-henrik
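Added example (not part of the thread, and not Samba project code): the per-id loop floated above, one `find . -uid <olduid> -execdir chown <newuid> ...` per id, walks the tree once per id, so when the old and new ranges overlap a file can be remapped twice (10001 -> 10002 in one pass, then 10002 -> 10003 in the next moves a file that started at 10001 to 10003). The script below shows that pitfall in a small simulation and then does the remap the safe way: one walk over the tree, one lookup per file. Paths, the uid/gid maps and the `/srv/share` tree are constructed for illustration; the `-1` sentinel is the value `os.lchown` accepts for "leave this id alone". Applying the plan for real needs root; the dry run used here and in `demo_on_temp_tree()` only plans.

```python
"""Single-pass uid/gid remap for files copied onto a new Samba share."""
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

Entry = Tuple[str, int, int]    # (path, current uid, current gid)
Change = Tuple[str, int, int]   # (path, new uid, new gid); -1 means unchanged


def plan_single_pass(entries: Iterable[Entry],
                     uid_map: Dict[int, int],
                     gid_map: Dict[int, int]) -> List[Change]:
    """Decide each file's final owner/group with exactly one lookup per file.

    Because every file is consulted once, a chained mapping such as
    {10001: 10002, 10002: 10003} cannot be applied twice to the same file.
    """
    changes: List[Change] = []
    for path, uid, gid in entries:
        new_uid = uid_map.get(uid, -1)   # -1: chown keeps the current uid
        new_gid = gid_map.get(gid, -1)   # -1: chown keeps the current gid
        if new_uid != -1 or new_gid != -1:
            changes.append((path, new_uid, new_gid))
    return changes


def simulate_sequential_find(entries: Iterable[Entry],
                             uid_map: Dict[int, int]) -> Dict[str, int]:
    """Model the per-id loop: one full 'find -uid OLD ... chown NEW' per id.

    Returns the uid each path ends up with. This only illustrates the
    double-remap problem; it is not something to run against real data.
    """
    owners = {path: uid for path, uid, _ in entries}
    for old, new in uid_map.items():          # one tree walk per old id
        for path in list(owners):
            if owners[path] == old:
                owners[path] = new            # may hit a file moved earlier
    return owners


def inventory(root: str) -> List[Entry]:
    """Collect (path, uid, gid) for every directory, file and symlink under root.

    lstat is used so symlinks are recorded (and later chowned) themselves
    instead of being followed, which matters on shares that contain links
    pointing outside the tree.
    """
    out: List[Entry] = []
    for dirpath, dirnames, filenames in os.walk(root):
        paths = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        # os.walk does not descend into symlinked dirs; record the link itself
        paths += [os.path.join(dirpath, d) for d in dirnames
                  if os.path.islink(os.path.join(dirpath, d))]
        for p in paths:
            st = os.lstat(p)
            out.append((p, st.st_uid, st.st_gid))
    return out


def apply_plan(changes: Iterable[Change], dry_run: bool = True) -> int:
    """Apply the planned changes with os.lchown (root required); dry_run only counts."""
    applied = 0
    for path, new_uid, new_gid in changes:
        if not dry_run:
            os.lchown(path, new_uid, new_gid)   # -1 leaves that id unchanged
        applied += 1
    return applied


def demo_on_temp_tree() -> Tuple[int, int]:
    """Build a throwaway tree and plan (dry run) moving its owner to uid 2047.

    Returns (entries seen, changes planned); the tree is owned by the current
    user, so every entry gets a planned change.
    """
    root = tempfile.mkdtemp(prefix="remap-demo-")
    os.mkdir(os.path.join(root, "sub"))
    open(os.path.join(root, "sub", "file.txt"), "w").close()
    entries = inventory(root)
    changes = plan_single_pass(entries, {os.getuid(): 2047}, {})
    return len(entries), apply_plan(changes, dry_run=True)


if __name__ == "__main__":
    # Constructed inventory: a file owned by 10001, one by 10002 with the
    # "Domain Users" gid 513 discussed above, and one owned by root.
    sample = [("/srv/share/a", 10001, 10001),
              ("/srv/share/b", 10002, 513),
              ("/srv/share/c", 0, 0)]
    print("sequential find loop:", simulate_sequential_find(sample, {10001: 10002, 10002: 10003}))
    print("single pass plan:", plan_single_pass(sample, {10001: 10002, 10002: 10003}, {513: 10001}))
    print("temp tree (entries, planned):", demo_on_temp_tree())
```

Run it as root with `dry_run=False` only after inspecting the printed plan; the planning functions never touch ownership, so the inventory and plan can be generated and reviewed as an unprivileged user first.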


