[Samba] Migrating samba file server OS, group id different on the source and the target server.

Rowland Penny rowlandpenny241155 at gmail.com
Sun Sep 6 15:04:13 UTC 2015


On 06/09/15 15:03, Mario Pio Russo wrote:
> Good Day All
>
> I have a samba 4 AD DC based on sernet samba 4.2.3 (on Ubuntu 14.0.4) and a
> samba file share server based on samba 3.5.6 (on Debian 10.01, "squeeze")
>
> Now we want to migrate the file share server from Debian+samba3 to Ubuntu
> 14.04 + samba4. This is for various reasons, the most important being that
> samba3 is EOL and "squeeze" will be EOL soon (beginning of 2016).
>
> Please note that the file server was implemented a long time ago,
> unfortunately not by me. So I notice that a few parameters were not
> implemented in the smb.conf
>
> (e.g.   #idmap config CCDC : backend = ad
>           #idmap config CCDC : range = 10000-20000
>
> etc.)
>
> Now I have a file share test environment based on Ubuntu 14 and samba4. I
> have noticed that the groups and the users have completely different group
> and user ids.
>
> For example the group domainusers has gid 10003 on the old server and gid
> 10122 on the new one.
>
> Because all the file share directories are mounted on dedicated disks, the
> idea of the migration is to detach the disks from the old file server and
> attach them to the new one. However, because of this group discrepancy, all
> the access permission rights will be messed up. Considering that we have
> about 10 TB of data to transfer, and a huge number of files, re-assigning
> the access permissions after the migration is practically impossible (also
> considering that we do not have lots of time for the migration itself).
>
> The only option is to make sure that the GID and the UID of the new file
> share match exactly the old file share. I have tried already with a few
> options by using the idmap, but this didn't resolve my issue.
>
> I wonder if there is a way to manually map gid and uid, or any other way to
> get this problem solved.
>
> Following are the 2 smb.conf files.
>
> thanks
>
>
> original samba3 file share:
>
> root at seadog://etc/samba# less smb.conf
>        log file = /var/log/samba/log.%m
>        log level = 3
>
>        max log size = 2000
>        syslog = 0
>
>        # using these options copied from clearcase.
>        # back in the day we did research these to death
>        #
> #      socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>        socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>
>        # This disables print options
>        # we are not a print server
>        #
>        load printers = No
>        disable spoolss = Yes
>
>        smb ports = 139
>
>        # every mount from the SAN has a lost+found folder
>        # to avoid user confusion, have set this to hidden
>        #
>        hide files = /lost+found/
>
>        aio read size = 1
>        aio write size = 1
>        follow symlinks          = no
>
>
>
>
> NEW FILE SHARE
>
> [global]
>           workgroup = CCDC
>           realm = CCDC.LAN
>           security = ADS
>           dedicated keytab file = /etc/krb5.keytab
>           kerberos method = secrets and keytab
>           server string = CSI Samba Server
>           winbind enum users = Yes
>           winbind enum groups = Yes
>           winbind use default domain = Yes
>           winbind cache time = 15
>           winbind refresh tickets = Yes
>           winbind uid = 10000-20000
>           winbind gid = 10000-20000
>
>           #idmap config * : backend = tdb
>           #idmap config * : range = 2000-9999
>           #idmap config CCDC : backend = ad
>           #idmap config CCDC : range = 10000-20000
>           map untrusted to domain = Yes
>           syslog = 0
>           log file = /var/log/samba/log.%m
>           max log size = 2000
>           #smb ports = 139
>           name resolve order = wins, host, bcast
>           server signing = required
>           load printers = No
>           disable spoolss = Yes
>           local master = No
>           domain master = No
>           dns proxy = No
>           wins server = 9.161.96.220
>           template homedir = /home/winbind
>           full_audit:priority = NOTICE
>           full_audit:facility = local7
>           full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
>           full_audit:prefix = %u,%I,%m,%S
>           invalid users = root, daemon, bin, sys, sync, games, man, lp, mail,news, uucp, proxy, www-data, backup, list, irc, gnats, Debian-exim, sshd, ntpd
>           acl group control = Yes
>           aio read size = 1
>           aio write size = 1
>           map acl inherit = Yes
>           hide files = /lost+found/
>           follow symlinks = No
>           dos filemode = Yes
>           vfs objects = acl_xattr full_audit
>           store dos attributes = Yes
>
> ___________________________________________________________________________________________
>
> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
> 815 2236, eMail: mariopiorusso at ie.ibm.com
> IBM Ireland Product Distribution Limited registered in Ireland with number
> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4

OK, the first smb.conf looks like it is from a standalone server, using
tdbsam and local users; the second is from an AD client, but you are
using a deprecated uid/gid mechanism and have commented this out:

          #idmap config * : backend = tdb
          #idmap config * : range = 2000-9999
          #idmap config CCDC : backend = ad
          #idmap config CCDC : range = 10000-20000

Now if you want to use AD (do you have an AD DC?) then what you have
commented out is actually what you need.

You will need to be using samba4 or a Windows DC with IDMU; if you use
samba4, you may be able to use the 'classicupgrade' method. If not, you
will need to extract your users & groups along with their uid/gid
numbers and add these to the user/group objects in AD.

Rowland
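
The last step in the reply above (extract the old uid/gid numbers and add them to the AD objects), sketched as an added example that is not part of the original thread. The sample accounts, the `DN_MAP` table and the DNs under `DC=ccdc,DC=lan` are assumptions constructed for illustration; only the 10000-20000 range and the `domainusers` gid 10003 come from the posts.

```python
# Added example: build LDIF that stores the old server's uid/gid numbers
# on the matching AD objects, so "idmap config CCDC : backend = ad" returns them.
ID_RANGE = range(10000, 20001)  # "idmap config CCDC : range = 10000-20000"

# Constructed sample data in `getent passwd` / `getent group` format.
OLD_PASSWD = """\
alice:*:10010:10003:Alice Example:/home/winbind:/bin/false
bob:*:10011:10003:Bob Example:/home/winbind:/bin/false
svc-old:*:900:900:local service:/nonexistent:/bin/false
"""
OLD_GROUP = """\
domainusers:x:10003:
projects:x:10050:alice,bob
legacy:x:10050:
"""
# Hypothetical old-name -> AD DN table; the DNs are assumptions.
BASE = "CN=Users,DC=ccdc,DC=lan"
DN_MAP = {"alice": f"CN=alice,{BASE}", "bob": f"CN=bob,{BASE}",
          "domainusers": f"CN=Domain Users,{BASE}",
          "projects": f"CN=projects,{BASE}", "legacy": f"CN=legacy,{BASE}"}


def parse_ids(text):
    """Return [(name, numeric_id)] from passwd- or group-format lines."""
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            out.append((fields[0], int(fields[2])))
    return out


def build_ldif(entries, attr, dn_map):
    """Return (ldif_text, skipped); skipped holds (name, reason) for review."""
    records, skipped, seen = [], [], {}
    for name, num in entries:
        if num not in ID_RANGE:
            skipped.append((name, "outside idmap range"))
        elif num in seen:
            skipped.append((name, f"duplicate of {seen[num]}"))
        elif name not in dn_map:
            skipped.append((name, "no AD object"))
        else:
            seen[num] = name
            records.append(f"dn: {dn_map[name]}\nchangetype: modify\n"
                           f"replace: {attr}\n{attr}: {num}\n-\n")
    return "\n".join(records), skipped


if __name__ == "__main__":
    for text, attr in ((OLD_GROUP, "gidNumber"), (OLD_PASSWD, "uidNumber")):
        ldif, skipped = build_ldif(parse_ids(text), attr, DN_MAP)
        print(ldif, *(f"# skipped {n}: {why}" for n, why in skipped), sep="\n")
```

The records are in the LDIF modify format that `ldbmodify` or `ldapmodify` accepts; entries reported as skipped need a manual decision before the disks are moved.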


