[Samba] samba 4 joining samba 3 pdc - group mismatch
Rowland Penny
rpenny at samba.org
Thu May 3 14:07:30 UTC 2018
On Thu, 3 May 2018 10:17:48 -0300
"Ethy H. Brito via samba" <samba at lists.samba.org> wrote:
> > You will never get the same IDs on the PDC and Unix domain member
> > (this isn't really a problem)
>
> I know that. But at least the returned uid should respect the "idmap
> config" displacement and always return the source uid plus a constant
> displacement. At least it is what I was expecting. Am I wrong?
No, you should get the same UID on the Unix domain member at all times,
it will just be a different one to the PDC.
>
> >
> > Try it like this:
> >
> > idmap config *:range = 3000-7999
> > idmap config *:backend = tdb
> > idmap config PEGASE:range = 100000-200000
> > idmap config PEGASE:backend = rid
>
> I got a small progress here. Now jgarcia uid is inside the "range".
> Thanks.
>
> S4# id jgarcia
> uid=103032(jgarcia) gid=100513(none) \
> groups=100513(none),103032(jgarcia),101094(5p6l3d1$),\
> 101119(jgomes-pc$),10001(BUILTIN\users)
>
> but "base" id does not match. jgarcia uid is 1094 at S3.
I am willing to bet the RID for 'jgarcia' is '3032'
The winbind 'rid' backend uses this formula to calculate the ID:
ID = RID + LOW_RANGE_ID
> I'd like it to be 101094 at S4.
OK, change their RID to '1094' on S3, though this will probably break
something else ;-)
>
> the group names which jgarcia belongs make no sense either
> (5p6l3d1$ ?!?! this one should be named jgarcia).
This I don't understand.
>
> Also, jgarcia's primary group changed from 1094 at S3 to 100513 at S4.
No it didn't, every Windows user's primary group is Domain Users and
the RID for this is '513' (100000 + 513 = 100513)
>
> This would not be a problem *if* rsync could "translate" uids during
> the copy. Remember I am migrating data from S3 to S4.
> It is much easier to correlate uid (or gid) 1094 with 101094 than to
> 103032.
I thought rsync synced by name.
>
> Is it possible that S4 has learned garbage from my previous tests and
> stored it somewhere?? If so, can my mess be undone?
Possibly, try running 'net cache flush' on the S4 machine.
>
> Suggestions?
>
>
> >
> > I feel I should also warn you that Microsoft is making it harder &
> > harder to use Windows with an NT4-style domain, you really should
> > consider upgrading to AD.
>
> This S3 server will be discontinued soon and this S4 will be promoted
> to AD, I hope!
>
> For the moment S4 is pulling data from S3 via rsync every 2 hours.
> I think any configurations for S4 may be changed/erased with no harm
> to the data, which must be preserved at S4. No user is accessing S4.
>
> All this is to make this migration transparent to the current users.
> There are a few dozen PCs I do not want to deal with, "rejoining" them
> to a new domain. This will take hours! Lots of.
It might be easier in the long run to set up a new AD domain and move
everything to that.
Rowland
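
Added example (not part of the original message and not Samba's own code): the formula quoted above, applied to the idmap lines suggested in the thread, to build an old-uid to new-uid table for re-owning files copied from S3 to the member server. The function names, the account list and the RID 3032 for jgarcia (the guess made in the reply) are assumptions.

```python
import re

# Constructed smb.conf fragment: the four idmap lines suggested in the thread.
SMB_CONF = """
idmap config *:range = 3000-7999
idmap config *:backend = tdb
idmap config PEGASE:range = 100000-200000
idmap config PEGASE:backend = rid
"""

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}}."""
    domains = {}
    pat = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(\S+)\s*$")
    for line in conf.splitlines():
        m = pat.match(line)
        if not m:
            continue
        dom, key, val = m.groups()
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = val.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry[key] = val
    return domains

def rid_to_id(rid, domain, domains):
    """ID = RID + LOW_RANGE_ID; None if the result falls outside the range."""
    cfg = domains[domain]
    if cfg.get("backend") != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    low, high = cfg["range"]
    unix_id = rid + low
    return unix_id if unix_id <= high else None

def translation_table(accounts, domain, domains):
    """Map old S3 uid -> new member-server uid for re-owning copied files."""
    table = {}
    for name, s3_uid, rid in accounts:
        new_id = rid_to_id(rid, domain, domains)
        if new_id is None:
            raise ValueError(f"{name}: RID {rid} does not fit the {domain} range")
        table[s3_uid] = new_id
    return table

# Constructed sample: (name, uid on S3, RID); RID 3032 is the thread's guess.
ACCOUNTS = [("jgarcia", 1094, 3032)]
DOMAINS = parse_idmap(SMB_CONF)
```
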