[Samba] Question about samba 4 member server of a pure Windows AD

Stéphane PURNELLE stephane.purnelle at corman.be
Mon Aug 3 08:27:51 UTC 2015


Hi,

I have not tried.

My current configuration is rfc2307, and it works fine.

But if I must replace my AD DC with another AD DC (not managed by me and not 
using rfc2307), my question was: what can I do?
The rid backend is not a solution, because I have too many ACLs to apply on 
files and directories ( > 1Tb of data).

So the answer is: the newer AD DC must use rfc2307.

regards

        Stéphane Purnelle




From:    Sébastien Le Ray <sebastien-samba at orniz.org>
To:      Stéphane PURNELLE <stephane.purnelle at corman.be>, 
samba at lists.samba.org, 
Date:    03/08/2015 10:17
Subject: Re: [Samba] Question about samba 4 member server of a pure Windows 
AD



Hi,

What you're trying to do is mix RID and rfc2307. This is not possible.

I have the same kind of issue here (Samba 3 migrated DC with samba unix 
users created in the same range as regular unix users), but I still use 
rfc2307 so I can renumber users one by one as follows:
Save old uid (1000-2000 range)
Give a new one (10000+ range)
Launch a command like this (multiple -e are possible) on every unix computer 
having shares:
find | while IFS= read -r file; do getfacl "$file" | sed -e "s,user:olduid:,user:newuid:," | setfacl --set-file=- "$file"; done
What for user support ticket escalation :-)
If your Windows AD does not use rfc2307, you can switch to rid but then 
you'll have to perform the whole ACL change at once (since rfc2307 allows 
me to choose the UID, I can perform the changes smoothly over time).
Regards

On 03/08/2015 09:43, Stéphane PURNELLE wrote:
Hi,

An account created with samba3/ldap (created before 2014-02-20): 

SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-3216
UidNumber : 1108

An account created with Users and Computers (samba 4 AD DC):

SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-5878
uidNumber : 10023


My current config (on the file server): 
idmap config XXXXXX:backend = ad 
idmap config XXXXXX:schema_mode = rfc2307
idmap config XXXXXX:range = 1005-40000

If I apply the RID backend: 

ID = RID - BASE_RID + LOW_RANGE_ID.

For the first account: 
3216 - 0 + 1005 = 4221 => bad, must be 1108

For the latest created account: 
5878 - 0 + 1005 = 6883 => bad, must be 10023

If the generated uidNumber is not the same as the current uidNumber, I will lose my 
ACLs.

regards

        Stéphane Purnelle
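
The rid arithmetic from the thread, applied to a whole account list to show which uids would change and which ACL rewrites would collide (an added example, not code from either poster or from Samba). The domain SID, the account names and the last two accounts are constructed, and treating an ID outside the configured range as unmapped is this example's assumption.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

LOW_ID, HIGH_ID = 1005, 40000  # "idmap config XXXXXX:range" from the thread
BASE_RID = 0                   # base_rid value used in the thread's arithmetic
DOM = "S-1-5-21-1111111111-222222222-3333333333"  # constructed domain SID

class Account(NamedTuple):
    name: str        # hypothetical label
    sid: str
    uid_number: int  # rfc2307 uidNumber currently stored in AD

# Constructed sample: the first two RID/uidNumber pairs are the thread's.
SAMPLE = [
    Account("old_samba3_user", f"{DOM}-3216", 1108),
    Account("new_samba4_user", f"{DOM}-5878", 10023),
    Account("uid_reused_user", f"{DOM}-3300", 4221),
    Account("high_rid_user", f"{DOM}-50000", 10500),
]

def rid_to_id(sid: str) -> Optional[int]:
    """ID = RID - BASE_RID + LOW_RANGE_ID, or None when outside the range."""
    rid = int(sid.rsplit("-", 1)[1])
    unix_id = rid - BASE_RID + LOW_ID
    return unix_id if LOW_ID <= unix_id <= HIGH_ID else None

def plan(accounts: List[Account]) -> Tuple[Dict[int, int], List[str]]:
    """Return ({old_uid: new_uid} needing ACL rewrites, names rid cannot map)."""
    renumber, unmappable = {}, []
    for acct in accounts:
        new_id = rid_to_id(acct.sid)
        if new_id is None:
            unmappable.append(acct.name)
        elif new_id != acct.uid_number:
            renumber[acct.uid_number] = new_id
    return renumber, unmappable

def chained(renumber: Dict[int, int]) -> List[int]:
    """New uids that are also someone's old uid: rewriting ACLs in
    successive passes would remap these entries twice."""
    return sorted(new for new in renumber.values() if new in renumber)

if __name__ == "__main__":
    moves, unmapped = plan(SAMPLE)
    for old, new in sorted(moves.items()):
        print(f"user:{old}: -> user:{new}:")
    print("remapped twice if done in passes:", chained(moves))
    print("not mappable by rid in this range:", unmapped)
```

A non-empty `chained` result means the old-to-new substitutions cannot be applied as independent passes over the same files; those uids need a temporary intermediate value or a single pass that maps each ACL entry exactly once.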




