[Samba] Howto migrate shares from samba 3 / ADUC changing uid/uidnumber when activating UNIX (posix) attributes

Henrik Langos hlangos-samba at innominate.com
Thu Jun 19 04:35:08 MDT 2014


On 06/18/14 22:05, Rowland Penny wrote:
> On 18/06/14 20:38, Henrik Langos wrote:
>> On 06/18/14 19:53, Rowland Penny wrote:
>>> On 18/06/14 18:15, Henrik Langos wrote:
>>>> I also tried to set it all on the command line:
>>>>
>>>> samba-tool user create mmuster5 --must-change-at-next-login 
>>>> --random-password --surname="Muster5" --given-name="Max" 
>>>> --job-title="Test Victim" --mail-address="mmuster5 at example.com" 
>>>> --uid=mmuster --uid-number=12345 --gid-number=10001 
>>>> --home-directory=/foo --login-shell=/bin/bash
>>>>
>>>> Still no luck. ADUC waltzes over the uidNumber when I select the 
>>>> NIS domain and click OK.
>>>
>>> This is where it does what it shouldn't do, it should pull the users 
>>> info and use that. What version of windows is ADUC running on ? is 
>>> the windows machine joined to the domain ?
>>
>> Windows 7 pro 32bit running in virtualbox.
>>
>> It is joined to the domain and ADUC is run by a user who is a member 
>> of "Domain Admins".
>
> I wonder if it is a permissions problem, could you try as the 
> Administrator ?

Apparently not. I tried and ran ADUC as Administrator but had the same 
results.

>>>>
>>>>
>>>>
>>>> Let's assume I can't get ADUC to leave those numbers alone.
>>>
>>> But ADUC should.
>>
>> Does it leave those numbers alone for you, or do you simply use a 
>> different way of creating users?
>
> AH, slight problem there, my users actually start at 10000, but ADUC 
> shows the correct login shell from AD and yes I do have a different 
> way of creating users that has nothing to do with samba-tool or ADUC.
>

EUREKA! I figured out a way to make ADUC leave those numbers alone!

Instead of going straight for the "Unix Attributes" tab, I first go to 
the "Attribute Editor" and manually set "msSFU30NisDomain".
Then I close the properties dialog with OK. (Apparently you can't change 
tabs after you messed with the attributes directly. Makes sense from a 
programmer's point of view since you'd have to reinitialize the dialog 
anyway.)

Next time I open the properties and go to the "Unix Attributes" tab the 
dialog elements are active and I see the data (uid, shell) that I 
entered on the samba-tool command line. FINALLY!

Apparently what happens is that ADUC assumes that you don't have those 
posix attributes set if you don't have msSFU30NisDomain set yet. Thus it 
enthusiastically clobbers your data and replaces it with defaults.

I further confirmed that removing "msSFU30NisDomain" via the "Attribute 
Editor" tab will leave your posix attributes intact, while using the 
"UNIX Attributes" tab to deselect the NIS domain will delete the posix 
attributes.

Maybe that behavior is something that changed in recent versions of ADUC 
and thus has not been reported before?



>
>>
>>>
>>>>
>>>> - I.E. Is there anything I'd need to adjust if my users had 
>>>> uidNumbers in the 2000-3000 range rather than 10000-20000 range?
>>>
>>> No, but you could set the ADUC range lower.
>>>
>>>>
>>>> If there is reason to believe that having uid/gid numbers outside 
>>>> the default range will cause trouble down the road I'd rather have 
>>>> the work now (something like "find . -uid <olduid> -execdir chown 
>>>> <newuid> \{\} \;" for each uidnumber and gidnumber) than having to 
>>>> debug that stuff later.
>>>
>>> I wouldn't think so, there must be lots of other people out there 
>>> using similar ranges.
>>>
>> I guess I'm a chicken there... I'll try to solve the ADUC problem but 
>> in the end I might decide to live with the changed uids instead. :-)
>
> If you created the numbers yourself in the first place, then it might 
> be easier to just accept the new numbers.
>

I guess I'll go with the new numbers, but it is satisfying to know how 
to work around that pesky ADUC if I needed to.
And maybe there's somebody who will use that information to create a 
couple of thousand users.
In my case I can go with manually activating the UNIX attributes via 
ADUC and getting those new numbers.

>
>>
>> There's 
>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_POSIX_ACLs
>> and there's 
>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>>
>> But I haven't found any documentation on how to get from one to the 
>> other.
>> I know I can't use the former, but the latter only deals with new shares.
>> Not with shares that are already populated by files that don't have 
>> the extended ACLs.
>>
>
> You might be able to write the required page after you get it to work ;-)
>

I'll try. We'll see where it goes.

cheers
-henrik
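Added example, not code from Henrik's or Rowland's mails: a single-pass uid/gid remap for an already-populated share, as an alternative to the per-uid `find . -uid <olduid> -execdir chown <newuid>` loop discussed above. The paths, sample entries and old-to-new id maps are constructed; `check_maps` flags the case a sequential per-uid loop would get wrong (a new id that is also an old id), and `apply_chowns` is dry-run by default.

```python
"""Remap file ownership after users got new uidNumbers/gidNumbers (constructed example)."""
import os

# Constructed sample: old ids in the 2000-3000 range, new ones from 10000 up.
SAMPLE_ENTRIES = [("/srv/share", 2000, 2000),          # (path, uid, gid)
                  ("/srv/share/a.txt", 2001, 3000),
                  ("/srv/share/b.txt", 5000, 5000)]    # unmapped: untouched
UID_MAP = {2000: 10000, 2001: 10001}
GID_MAP = {2000: 10000, 3000: 10001}

def check_maps(uid_map, gid_map):
    """Warn about maps a sequential 'find -uid OLD -exec chown NEW' loop would
    mishandle: if some NEW is also an OLD, a later iteration remaps those files
    a second time.  The single-pass plan below is immune to that."""
    warnings = []
    for name, m in (("uid", uid_map), ("gid", gid_map)):
        chained = sorted(set(m.values()) & set(m))
        if chained:
            warnings.append(f"{name} map chains through {chained}")
        if len(set(m.values())) != len(m):
            warnings.append(f"{name} map merges several old ids into one")
    return warnings

def plan_chowns(entries, uid_map, gid_map):
    """Pure planning step, no disk access: (path, new_uid, new_gid) for every
    object that changes; -1 means 'keep', as os.lchown understands it."""
    ops = [(p, uid_map.get(u, -1), gid_map.get(g, -1)) for p, u, g in entries]
    return [op for op in ops if op[1:] != (-1, -1)]

def walk_tree(root):
    """Yield (path, uid, gid) for every object under root exactly once, via
    lstat so symlinks are chowned themselves, never their targets."""
    st = os.lstat(root)
    yield root, st.st_uid, st.st_gid
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            yield path, st.st_uid, st.st_gid

def apply_chowns(ops, dry_run=True):
    """Apply a plan, or with dry_run just print it; returns the op count."""
    for path, uid, gid in ops:
        if dry_run:
            print(f"chown {uid}:{gid} {path}")
        else:
            os.lchown(path, uid, gid)
    return len(ops)
```

On a real share you would run `apply_chowns(plan_chowns(walk_tree("/srv/share"), UID_MAP, GID_MAP))` as root, first with the default dry run, and only after `check_maps` returns nothing.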