[Samba] Migrating samba file server OS, group id different on the source and the target server.

Mario Pio Russo mariopiorusso at ie.ibm.com
Sun Sep 6 14:03:25 UTC 2015

Good Day All

I have a samba 4 AD DC based on sernet samba 4.2.3 (on Ubuntu 14.0.4) and a
samba file share server based on saba 3.5.6 (on Debian 10.01, "squeeze")

Now we want to migrate the file share server from Debian+samba3 to Ubuntu
14.04 +samba4. this for various reason, the most important being that
samba3 is EOL and "squeeze" will be EOL soon (beginning of 2016).

Please note that the file server has been implemented long time ago,
unfortunatelly not from me. So I notice that few parameter were not
implemented in the smb.conf

(e.g    #idmap config CCDC : backend = ad
         #idmap config CCDC : range = 10000-20000

etcc. )

now I have a file share test enviroment based on ubuntu 14 and samba4 . I
have noticed that the groups and the users have completely different group
and user ids.

For example the group domainusers has gid 10003 on the old server and gid
10122 on the new one.

Because all the file share directory are mounted on dedicated disks, the
Idea of the migration is to detach the disks from the old file server and
attach them to the new one. However because of this group discrepancy, all
the access permission rights will be messed up. Considering that we have
about 10 TB of data to transfer, and a huge number of files, Re-assigning
the access permission after the migration is pratically impossible (also
considering that we do not have lots of time for the migration itself.)

The only option is to make sure that the GID and the UID of the new file
share match excatlly the old file share. I have tryed already with few
options by using the idmap, but this didn t resolve my issue.

I wonder if there is a way to manually map gid and uid, or any other way to
get this problem solved.

on following the 2 smb.conf.


orignal samba3 file share:

root at seadog://etc/samba# less smb.conf
      log file = /var/log/samba/log.%m
      log level = 3

      max log size = 2000
      syslog = 0

      # using these options copied from clearcase.
      # back in the day we did research these to death
#      socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
      socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE

      # This disables print options
      # we are not a print server
      load printers = No
      disable spoolss = Yes

      smb ports = 139

      # every mount from the SAN has a lost+found folder
      # to avoid user confusion, have set this to hidden
      hide files = /lost+found/

      aio read size = 1
      aio write size = 1
      follow symlinks          = no


         workgroup = CCDC
         realm = CCDC.LAN
         security = ADS
         dedicated keytab file = /etc/krb5.keytab
         kerberos method = secrets and keytab
         server string = CSI Samba Server
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         winbind cache time = 15
         winbind refresh tickets = Yes
         winbind uid = 10000-20000
         winbind gid = 10000-20000

         #idmap config * : backend = tdb
         #idmap config * : range = 2000-9999
         #idmap config CCDC : backend = ad
         #idmap config CCDC : range = 10000-20000
         map untrusted to domain = Yes
         syslog = 0
         log file = /var/log/samba/log.%m
         max log size = 2000
         #smb ports = 139
         name resolve order = wins, host, bcast
         server signing = required
         load printers = No
         disable spoolss = Yes
         local master = No
         domain master = No
         dns proxy = No
         wins server =
         template homedir = /home/winbind
         full_audit:priority = NOTICE
         full_audit:facility = local7
         full_audit:failure = mkdir rename unlink rmdir open chown chmod
connect readlink
         full_audit:prefix = %u,%I,%m,%S
         invalid users = root, daemon, bin, sys, sync, games, man, lp,
mail,news, uucp, proxy, www-data, backup, list, irc, gnats, Debian-exim,
sshd, ntpd
         acl group control = Yes
         aio read size = 1
         aio write size = 1
         map acl inherit = Yes
         hide files = /lost+found/
         follow symlinks = No
         dos filemode = Yes
         vfs objects = acl_xattr full_audit
         store dos attributes = Yes


Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4

(Embedded image moved to file: pic02427.gif)

More information about the samba mailing list