[Samba] Migrating samba file server OS, group id different on the source and the target server.
Mario Pio Russo
mariopiorusso at ie.ibm.com
Mon Sep 7 10:26:35 UTC 2015
thank you once again Rowland
just some clarification:
1) I have one Domain Controller based on Samba4 in AD mode, how can I
verify that I am using IDMU on it?
2) YES - the samba3 file share is a standalone server, using tdbsam and
local users.
3)
"the second is from an AD client but you are
using a depreciated uid/gid mechanism and have commented this out:
#idmap config * : backend = tdb
#idmap config * : range = 2000-9999
#idmap config CCDC : backend = ad
#idmap config CCDC : range = 10000-20000
"
I did comment those out just for testing, but if I put them back, nothing
changes and the gid and uid are still different from the standalone server
4) to be honest all I need is that all the domain guid/uid on the new file
server match exactly the domain guid/uid that are present in the old file
server, whatever mechanism I have to use.
For example, the AD group domainusers is defined as follows in the
Domain controller
Samba4 AD DC:
dn: CN=DomainUsers,CN=Users,DC=ccdc,DC=lan
cn: DomainUsers
description: Domain Users
instanceType: 4
whenCreated: 20150713152248.0Z
uSNCreated: 3780
name: DomainUsers
objectGUID:: wzVim3m0yUiKEj7cF10BYA==
objectSid:: AQUAAAAAAAUVAAAANxKzmMQKGuPHWLf69wIAAA==
sAMAccountName: DomainUsers
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ccdc,DC=lan
gidNumber: 759
objectClass: top
objectClass: posixGroup
objectClass: group
msSFU30NisDomain: ccdc
memberOf: CN=CCDC - Remote Desktop Users,OU=Security,OU=CCDC-Groups,DC=ccdc,DC=lan
memberOf: CN=Domain Users,CN=Users,DC=ccdc,DC=lan
memberOf: CN=DomainUsers,CN=Users,DC=ccdc,DC=lan
member: CN=ieu94629,CN=Users,DC=ccdc,DC=lan
member: CN=ieu94768,CN=Users,DC=ccdc,DC=lan
member: CN=ieu94243,CN=Users,DC=ccdc,DC=lan
member: CN=ieu68184,CN=Users,DC=ccdc,DC=lan
member: CN=ieu68199,CN=Users,DC=ccdc,DC=lan
member: CN=ieu68243,CN=Users,DC=ccdc,DC=lan
member: CN=ieu68284,CN=Users,DC=ccdc,DC=lan
member: CN=ieu68298,CN=Users,DC=ccdc,DC=lan
that's what I see on the 2 file share servers:
Samba 3.5.6
getent group | grep domainusers | cut -f 1 -d ","
domainusers:x:10003:mooreof
Samba 4.1.6
getent group | grep domainusers | cut -f 1 -d ","
domainusers:x:10122:mooreof
what I need is this:
Samba 4.1.2 - domainusers had GID 10003
any idea?
thanks
___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
From: Rowland Penny <rowlandpenny241155 at gmail.com>
To: samba at lists.samba.org
Date: 06/09/2015 16:09
Subject: Re: [Samba] Migrating samba file server OS, group id different
on the source and the target server.
Sent by: "samba" <samba-bounces at lists.samba.org>
On 06/09/15 15:03, Mario Pio Russo wrote:
> Good Day All
>
> I have a samba 4 AD DC based on sernet samba 4.2.3 (on Ubuntu 14.0.4) and a
> samba file share server based on samba 3.5.6 (on Debian 10.01, "squeeze")
>
> Now we want to migrate the file share server from Debian+samba3 to Ubuntu
> 14.04 +samba4. this for various reasons, the most important being that
> samba3 is EOL and "squeeze" will be EOL soon (beginning of 2016).
>
> Please note that the file server has been implemented long time ago,
> unfortunately not from me. So I notice that few parameters were not
> implemented in the smb.conf
>
> (e.g #idmap config CCDC : backend = ad
> #idmap config CCDC : range = 10000-20000
>
> etc. )
>
> now I have a file share test environment based on ubuntu 14 and samba4 . I
> have noticed that the groups and the users have completely different group
> and user ids.
>
> For example the group domainusers has gid 10003 on the old server and gid
> 10122 on the new one.
>
> Because all the file share directories are mounted on dedicated disks, the
> idea of the migration is to detach the disks from the old file server and
> attach them to the new one. However because of this group discrepancy, all
> the access permission rights will be messed up. Considering that we have
> about 10 TB of data to transfer, and a huge number of files, Re-assigning
> the access permission after the migration is practically impossible (also
> considering that we do not have lots of time for the migration itself.)
>
> The only option is to make sure that the GID and the UID of the new file
> share match exactly the old file share. I have tried already with few
> options by using the idmap, but this didn't resolve my issue.
>
> I wonder if there is a way to manually map gid and uid, or any other way to
> get this problem solved.
>
> on following the 2 smb.conf.
>
> thanks
>
>
> original samba3 file share:
>
> root at seadog://etc/samba# less smb.conf
> log file = /var/log/samba/log.%m
> log level = 3
>
> max log size = 2000
> syslog = 0
>
> # using these options copied from clearcase.
> # back in the day we did research these to death
> #
> # socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
> socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>
> # This disables print options
> # we are not a print server
> #
> load printers = No
> disable spoolss = Yes
>
> smb ports = 139
>
> # every mount from the SAN has a lost+found folder
> # to avoid user confusion, have set this to hidden
> #
> hide files = /lost+found/
>
> aio read size = 1
> aio write size = 1
> follow symlinks = no
>
>
>
>
> NEW FILE SHARE
>
> [global]
> workgroup = CCDC
> realm = CCDC.LAN
> security = ADS
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = CSI Samba Server
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind cache time = 15
> winbind refresh tickets = Yes
> winbind uid = 10000-20000
> winbind gid = 10000-20000
>
> #idmap config * : backend = tdb
> #idmap config * : range = 2000-9999
> #idmap config CCDC : backend = ad
> #idmap config CCDC : range = 10000-20000
> map untrusted to domain = Yes
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 2000
> #smb ports = 139
> name resolve order = wins, host, bcast
> server signing = required
> load printers = No
> disable spoolss = Yes
> local master = No
> domain master = No
> dns proxy = No
> wins server = 9.161.96.220
> template homedir = /home/winbind
> full_audit:priority = NOTICE
> full_audit:facility = local7
> full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
> full_audit:prefix = %u,%I,%m,%S
> invalid users = root, daemon, bin, sys, sync, games, man, lp, mail,news, uucp, proxy, www-data, backup, list, irc, gnats, Debian-exim, sshd, ntpd
> acl group control = Yes
> aio read size = 1
> aio write size = 1
> map acl inherit = Yes
> hide files = /lost+found/
> follow symlinks = No
> dos filemode = Yes
> vfs objects = acl_xattr full_audit
> store dos attributes = Yes
>
>
OK, the first smb.conf looks like it is from a standalone server, using
tdbsam and local users, the second is from an AD client but you are
using a depreciated uid/gid mechanism and have commented this out:
#idmap config * : backend = tdb
#idmap config * : range = 2000-9999
#idmap config CCDC : backend = ad
#idmap config CCDC : range = 10000-20000
Now if you want to use AD (do you have an AD DC ? ) then what you have
commented out is actually what you need.
You will need to be using samba4 or a windows DC with IDMU, if you use
samba4, you may be able to use the 'classicupgrade' method. If not, you
will need to extract your users & groups along with their uid/gid
numbers and add these to the user/group objects in AD.
Rowland
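
Added example (not part of the original thread and not Samba project code): one way to carry out the last step described above, turning the old server's `getent group` output into LDIF that sets `gidNumber` on the matching AD group objects, while flagging IDs that fall outside the `idmap config CCDC : range`, which the `ad` backend ignores. The names `OLD_GETENT`, `AD_GROUP_DNS`, `parse_getent_group` and `build_gid_ldif`, and every group other than domainusers, are assumptions made for illustration.

```python
# Added example, not from the thread. Sample data is constructed; only the
# domainusers line and the DomainUsers DN appear in the message above.
OLD_GETENT = """\
domainusers:x:10003:mooreof
projadmins:x:10045:
oldstaff:x:759:
localonly:x:1001:
"""

# Lower-cased sAMAccountName -> DN, as exported from the DC (assumed input).
AD_GROUP_DNS = {
    "domainusers": "CN=DomainUsers,CN=Users,DC=ccdc,DC=lan",
    "projadmins": "CN=projadmins,CN=Users,DC=ccdc,DC=lan",  # hypothetical
    "oldstaff": "CN=oldstaff,CN=Users,DC=ccdc,DC=lan",      # hypothetical
}

IDMAP_RANGE = (10000, 20000)  # 'idmap config CCDC : range' on the new server


def parse_getent_group(text):
    """Yield (name, gid) pairs from 'getent group' output."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            yield fields[0], int(fields[2])


def build_gid_ldif(getent_text, dn_by_name, id_range):
    """Return (ldif, skipped): modify records plus groups needing attention."""
    low, high = id_range
    records, skipped = [], []
    for name, gid in parse_getent_group(getent_text):
        dn = dn_by_name.get(name.lower())
        if dn is None:
            skipped.append((name, gid, "no AD object"))
        elif not low <= gid <= high:
            # idmap_ad treats the range as a filter and ignores these IDs.
            skipped.append((name, gid, "outside idmap range"))
        else:
            records.append(f"dn: {dn}\nchangetype: modify\n"
                           f"replace: gidNumber\ngidNumber: {gid}\n-\n")
    return "\n".join(records), skipped


if __name__ == "__main__":
    ldif, skipped = build_gid_ldif(OLD_GETENT, AD_GROUP_DNS, IDMAP_RANGE)
    print(ldif)
    for name, gid, why in skipped:
        print(f"# skipped {name} (gid {gid}): {why}")
```

The generated LDIF is meant to be reviewed and then applied on the DC with a tool such as ldbmodify; user objects need the same treatment for `uidNumber`.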