[Samba] samba 4 joining samba 3 pdc - group mismatch

[Ethy H. Brito]

On Thu, 3 May 2018 15:07:30 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 3 May 2018 10:17:48 -0300
> "Ethy H. Brito via samba" <samba at lists.samba.org> wrote:
> 
> 
> > > You will never get the same IDs on the PDC and Unix domain member
> > > (this isn't really a problem)  
> > 
> > I know that. But at least the returned uid should respect the "idmap
> > config" displacement and always return the source uid plus a constant
> > displacement. At least it is what I was expecting. Am I wrong?  
> 
> No, you should get the same UID on the Unix domain member at all times,
> it will just be a different on to the PDC.

I get the same uid all time but not the one I expect.
I'd expect that idmap return "UNIX_UID + LOW_RANGE_ID" as the new uid.
But as you said idmap uses RID instead. My mistaken thought.

This leads me to another questions:
and how RID is guessed at S3?? 
From a random number? 
RID=UID should be an educated guess, don't you think?

> > I got a small progress here. Now jgarcia uid is inside the "range".
> > Thanks.
> > 
> > 	S4# id jgarcia
> > 	uid=103032(jgarcia) gid=100513(none) \
> > 	groups=100513(none),103032(jgarcia),101094(5p6l3d1$),\
> > 	101119(jgomes-pc$),10001(BUILTIN\users)
> > 
> > but "base" id does not match. jgarcia uid is 1094 at S3.   
> 
> I am willing to bet the RID for 'jgarcia' is '3032'

How do I check this at S3 command line ?
Or even better, how do I list each and every SIDs for users and groups at S3?


> > I'd like it to be 101094 at S4.  
> 
> OK, change their RID to '1094' on S3, though this will probably break
> something else ;-)

I am pretty sure it will break things.

> 
> > 
> > the group names which jgarcia belongs make no sense either 
> > (5p6l3d1$ ?!?! this one should be named jgarcia).  
> 
> This I don't understand.

The "id jgarcia" returns, among other groups, 101094(5p6l3d1$).
1094 is the UNIX primary group for user jgarcia. 
This group is named, at S3, "jgarcia", like the username.

I'm inclined to think that this 1010194 is just a big coincidence and that
number refer to another RID group not related to the jgarcia unix group 1094.
And why this name "5p6l3d1$" is so messed up?? Where this came from?


Other thing I do not get is why wbinfo does not returns all groups jgarcia is
in. I mentioned this on first email of this tread.

Why "id other_user" returns "no such user" for a bunch of users,
been "other_user" obtained from "wbinfo -u"

> 
> > 
> > Also, jgarcia's primary group changed from 1094 at S3 to 100513 at S4.  
> 
> No it didn't, every windows users primary group is Domain Users and
> the RID for this is '513' (100000 + 513 = 100513)

Make sense. 

> 
> > 
> > This would not be a problem *if* rsync could "translate" uids during
> > the copy. Remember I am migrating data from S3 to S4.
> > It is much easier to correlate uid (or gid) 1094 with 101094 than to
> > 103032.  
> 
> I thought rsync synced by name

Nope. It syncs uid/gid number based.
So it would be very easy to write a script that changes the files/directories
permissions that rsync writes, from UID 1019 (jgarcia) to uid 101019 *if* the
SID was "UID + LOW_RANGE_ID". Cruel world!!

I am pretty screwed here!

> 
> > 
> > Is that possible S4 have learned garbage from my previous tests and
> > stored it somewhere?? if so, can my mess be undone ?  
> 
> possibly, try running 'net cache flush' on the S4 machine.

Nope. Same results.

> > 
> > All this is to make this migration transparent to the current users.
> > There are a few dozens of PCs I do not want to deal, "rejoing" them
> > to a new domain. This will take hours! Lots of.  
> 
> It might be easier in the long run to set up a new AD domain and move
> everything to that.

This leads me to re-join every station. Not good!