[Samba] Howto migrate shares from samba 3 / ADUC changing uid/uidnumber when activating UNIX (posix) attributes
Rowland Penny
rowlandpenny at googlemail.com
Wed Jun 18 14:05:34 MDT 2014
On 18/06/14 20:38, Henrik Langos wrote:
> On 06/18/14 19:53, Rowland Penny wrote:
>> On 18/06/14 18:15, Henrik Langos wrote:
>>> I also tried to set it all on the command line:
>>>
>>> samba-tool user create mmuster5 --must-change-at-next-login
>>> --random-password --surname="Muster5" --given-name="Max"
>>> --job-title="Test Victim" --mail-address="mmuster5 at example.com"
>>> --uid=mmuster --uid-number=12345 --gid-number=10001
>>> --home-directory=/foo --login-shell=/bin/bash
>>>
>>> Still no luck. ADUC waltzes over the uidNumber when I select the NIS
>>> domain and click OK.
>>
>> This is where it does what it shouldn't do, it should pull the users
>> info and use that. What version of Windows is ADUC running on? Is
>> the Windows machine joined to the domain ?
>
> Windows 7 pro 32bit running in virtualbox.
>
> It is joined to the domain and ADUC is run by a user who is a member
> of "Domain Admins".
I wonder if it is a permissions problem, could you try as the
Administrator?
>
>
>>
>> I know that samba-tool is a bit lacking in the attributes that get
>> added when you add unix attributes with regards to what ADUC adds,
>> but this should not give you the problems you are having.
>>
>> How did you provision Samba 4?
>
> samba-tool domain provision --use-rfc2307 --interactive
> --function-level=2008_R2 --use-xattrs=yes
>
>>
>> Do you have ldbtools installed? If so, what does this return:
>>
>> ldbsearch -H /var/lib/samba/private/sam.ldb -b
>> "CN=<your-domain>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=com"
>> msSFU30MaxUidNumber
>>
>>
> msSFU30MaxUidNumber: 10009
>
This proves that the NIS part of AD is set up correctly.
>>>
>>>
>>>
>>> Let's assume I can't get ADUC to leave those numbers alone.
>>
>> But ADUC should.
>
> Does it leave those numbers alone for you, or do you simply use a
> different way of creating users?
AH, slight problem there, my users actually start at 10000, but ADUC
shows the correct login shell from AD and yes I do have a different way
of creating users that has nothing to do with samba-tool or ADUC.
>
>>
>>>
>>> - Can I safely use ADUC to change the uidNumber back to the value I
>>> wanted it to have? (e.g. 2047 instead of 10003)
>>
>> Well yes
>>
>>>
>>>
>>> - Can I safely change "Domain Users" gidnumber to 513 instead of
>>> having it at 10001 ?
>>
>> I wouldn't, it would be inside the unix local range.
>
> Well, anything below 65535 would be in that range. But I see what you mean.
Well, I think you are arguing over nothing (or is that nobody?) ;-)
> And I guess I can work around that with a
> "find /new-share-path -gid 513 -execdir chown :10001 \{\} \;"
>
>>
>>>
>>> - I.E. Is there anything I'd need to adjust if my users had
>>> uidNumbers in the 2000-3000 range rather than 10000-20000 range?
>>
>> No, but you could set the ADUC range lower.
>>
>>>
>>> If there is reason to believe that having uid/gid numbers outside
>>> the default range will cause trouble down the road I'd rather have
>>> the work now (something like "find . -uid <olduid> -execdir chown
>>> <newuid> \{\} \;" for each uidnumber and gidnumber) than having to
>>> debug that stuff later.
>>
>> I wouldn't think so, there must be lots of other people out there
>> using similar ranges.
>>
> I guess I'm a chicken there... I'll try to solve the ADUC problem but
> in the end I might decide to live with the changed uids instead. :-)
If you created the numbers yourself in the first place, then it might be
easier to just accept the new numbers.
>
>
>>>
>>> On a side note: Does it cause any trouble to copy those old files
>>> onto a share and (initially) only have them have the unix
>>> owner/group instead of the whole acl stuff? Is there anything I'd
>>> have to do to "enable" fine grained ACLs on those files, or will
>>> samba add those on demand? (I enabled the necessary file system
>>> stuff and made sure it works on a newly created share.)
>>>
>>
>> There is a page on the wiki all about the above.
>
> Well, there are quite a lot of pages on the wiki, if you don't mind me
> saying that. ;-)
Blame Marc for that ;-)
>
> There's
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_POSIX_ACLs
> and there's
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>
> But I haven't found any documentation on how to get from one to the
> other.
> I know I can't use the former, but the latter only deals with new shares.
> Not with shares that are already populated by files that don't have
> the extended ACLs.
>
You might be able to write the required page after you get it to work ;-)
Rowland
> cheers and thanks!
>
> -henrik
>
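The "find -uid <olduid> -execdir chown <newuid>" loop discussed in the thread has one trap worth checking before running it: if a target id is also a source id in the same table (say 10003 becomes 2047 and, later in the table, 2047 becomes something else), the second pass picks up files the first pass just renumbered. The script below is an added example, not code from the thread or from Samba; it turns a constructed "old new" mapping table into the find/chown commands and refuses a table that cannot be applied in one pass. The share path /srv/share and the id values are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: turn a uid/gid renumbering
# table into the "find -uid <old> -execdir chown <new>" commands discussed
# above, refusing tables that cannot be applied in a single pass.
#
# The mapping below is constructed sample data ("old new" per line).
UID_MAP='10003 2047
10004 2048
10005 2049'

# Collision check: if some target id is also a source id, a later
# "find -uid <old>" would pick up files that an earlier pass had just
# moved to that id and renumber them a second time.
check_map() {
    _olds=$(printf '%s\n' "$1" | awk 'NF == 2 { print $1 }')
    _news=$(printf '%s\n' "$1" | awk 'NF == 2 { print $2 }')
    for n in $_news; do
        for o in $_olds; do
            [ "$n" = "$o" ] && return 1
        done
    done
    return 0
}

# Print one find command per mapping line. $1 = share root, $2 = mapping
# table, $3 = "uid" or "gid". -xdev keeps find on the share's own file
# system; chown -h renumbers a symlink itself rather than its target.
plan_remap() {
    _root=$1; _map=$2; _kind=$3
    check_map "$_map" || {
        echo "refusing mapping: a target id is also a source id" >&2
        return 1
    }
    printf '%s\n' "$_map" | while read -r old new; do
        [ -n "$old" ] && [ -n "$new" ] || continue
        if [ "$_kind" = gid ]; then
            printf 'find %s -xdev -gid %s -execdir chown -h :%s {} +\n' \
                "$_root" "$old" "$new"
        else
            printf 'find %s -xdev -uid %s -execdir chown -h %s {} +\n' \
                "$_root" "$old" "$new"
        fi
    done
}

# Usage: review the printed plan first, then run it as root, e.g.
#   plan_remap /srv/share "$UID_MAP" uid | sudo sh
#   plan_remap /srv/share '513 10001' gid | sudo sh
```

The plan is printed rather than executed so it can be read (or diffed against the mapping table) before anything on the share is touched; a gid table is handled the same way with "chown :<gid>", matching the chown form used in the thread.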