[Samba] Migrating samba file server OS, group id different on the source and the target server.

Rowland Penny rowlandpenny241155 at gmail.com
Mon Sep 7 11:09:45 UTC 2015


On 07/09/15 11:26, Mario Pio Russo wrote:
> thank you once again Rowland
>
> just some clarification:
>
> 1) I have one Domain Controller based on Samba4 in AD mode, how can I
> verify that I am using IDMU on it?

You don't install IDMU on a Samba4 AD DC, it comes with it.

> 2) YES - the samba3 file share is a standalone server, using tdbsam and
> local users.
> 3)
>
> "the second is from an AD client but you are
> using a depreciated uid/gid mechanism and have commented this out:
>
>            #idmap config * : backend = tdb
>            #idmap config * : range = 2000-9999
>            #idmap config CCDC : backend = ad
>            #idmap config CCDC : range = 10000-20000
> "
>
> I did comment those out just for testing, but if I put them back, nothing
> changes and the gid and uid are still different from the standalone server

If you want your AD users to have the same uid numbers as on the
standalone server, you will have to extract the uid numbers from the
standalone server and then give the AD domain users the same uid number
by adding them to the user's object in AD using the 'uidNumber'
attribute. The same goes for the groups, but in this case using the
'gidNumber' attribute. You will then have to use the lines you have
commented out, setting the 'range' so that all of your uidNumbers &
gidNumbers are inside it. You will also have to add this line:

idmap config CCDC : schema_mode = rfc2307

Your users will also have to use the same password in AD and on the
standalone server; how you do this is your problem.

>
> 4) to be honest all I need is that all the domain guid/uid on the new file
> server match exactly the domain guid/uid that are present in the old file
> server, whatever mechanism I have to use.
>
> For example , the AD group domainusers is defined as following into the
> Domain controller
>
> Samba4 AD DC:
>
> dn: CN=DomainUsers,CN=Users,DC=ccdc,DC=lan
> cn: DomainUsers
> description: Domain Users
> instanceType: 4
> whenCreated: 20150713152248.0Z
> uSNCreated: 3780
> name: DomainUsers
> objectGUID:: wzVim3m0yUiKEj7cF10BYA==
> objectSid:: AQUAAAAAAAUVAAAANxKzmMQKGuPHWLf69wIAAA==
> sAMAccountName: DomainUsers
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ccdc,DC=lan
> gidNumber: 759
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> msSFU30NisDomain: ccdc
> memberOf: CN=CCDC - Remote Desktop Users,OU=Security,OU=CCDC-Groups,DC=ccdc,DC=lan
> memberOf: CN=Domain Users,CN=Users,DC=ccdc,DC=lan
> memberOf: CN=DomainUsers,CN=Users,DC=ccdc,DC=lan
> member: CN=ieu94629,CN=Users,DC=ccdc,DC=lan
> member: CN=ieu94768,CN=Users,DC=ccdc,DC=lan
> member: CN=ieu94243,CN=Users,DC=ccdc,DC=lan
> member: CN=ieu68184,CN=Users,DC=ccdc,DC=lan
> member: CN=ieu68199,CN=Users,DC=ccdc,DC=lan
> member: CN=ieu68243,CN=Users,DC=ccdc,DC=lan
> member: CN=ieu68284,CN=Users,DC=ccdc,DC=lan
> member: CN=ieu68298,CN=Users,DC=ccdc,DC=lan
>
>
> that's what I see on the 2 file share servers:
>
> Samba 3.5.6
> getent group | grep domainusers | cut -f 1 -d ","
> domainusers:x:10003:mooreof
>
> Samba 4.1.6
> getent group | grep domainusers | cut -f 1 -d ","
> domainusers:x:10122:mooreof
>
> what I need is this:
>
> Samba 4.1.2 - domainusers had GID 10003
>
>
> any idea?
>
> thanks
>
>

To be honest, I would start again. I know this will probably mean more
work, but if all your machines are members of the AD domain,
authentication will be centralised and you would only have to deal with
one set of users. You could also do away with your 'domainusers' group
and use 'Domain Users' instead.

Rowland
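
Added example, not part of the original message: a sketch of the procedure described above, turning the old server's `getent` output into LDIF that sets 'uidNumber'/'gidNumber', then checking the IDs against the idmap ranges. The uid values are constructed, and the `CN=<name>,CN=Users,...` DN layout and the function names are assumptions; with the 'ad' backend the range acts as a filter, so an ID outside it is not mapped.

```python
# Added example: old-server IDs -> LDIF for AD, plus idmap range checks.
BASE_DN = "CN=Users,DC=ccdc,DC=lan"   # assumed container, as in the thread's LDIF
DEFAULT_RANGE = (2000, 9999)          # idmap config * : range
DOMAIN_RANGE = (10000, 20000)         # idmap config CCDC : range

# Constructed sample of `getent passwd` / `getent group` from the old server
# (account names are from the thread, the uid numbers are made up).
OLD_PASSWD = """\
ieu94629:x:10050:10003::/home/ieu94629:/bin/bash
ieu68184:x:1001:10003::/home/ieu68184:/bin/bash
"""
OLD_GROUP = "domainusers:x:10003:mooreof\n"


def parse_ids(getent_text):
    """Return {name: numeric id} from passwd- or group-format lines (field 3)."""
    ids = {}
    for line in getent_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[fields[0]] = int(fields[2])
    return ids


def to_ldif(ids, attr):
    """Build LDIF 'replace' records setting attr (uidNumber or gidNumber)."""
    records = []
    for name, num in sorted(ids.items()):
        records.append(f"dn: CN={name},{BASE_DN}\nchangetype: modify\n"
                       f"replace: {attr}\n{attr}: {num}\n")
    return "\n".join(records)   # blank line between records


def outside_range(ids, rng=DOMAIN_RANGE):
    """IDs the 'ad' backend would ignore because they fall outside its range."""
    low, high = rng
    return {name: i for name, i in ids.items() if not low <= i <= high}


def ranges_overlap(a, b):
    """The '*' range and the domain range must not overlap."""
    return a[0] <= b[1] and b[0] <= a[1]


if __name__ == "__main__":
    uids, gids = parse_ids(OLD_PASSWD), parse_ids(OLD_GROUP)
    print(to_ldif(uids, "uidNumber"))
    print(to_ldif(gids, "gidNumber"))
    print("uids outside CCDC range:", outside_range(uids))
    print("gids outside CCDC range:", outside_range(gids))
    print("ranges overlap:", ranges_overlap(DEFAULT_RANGE, DOMAIN_RANGE))
```

Run against the values in the thread, `outside_range` flags the DC's `gidNumber: 759` for DomainUsers as outside 10000-20000, while the old server's 10003 is inside it.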



