[Samba] mixed versions, mixed UIDs

Steve Hideg hideg at saintmarys.edu
Thu Jan 10 14:29:19 UTC 2019


Hello,

I've inherited a set of servers running Red Hat Enterprise Linux Server
release 5.9. They have some variant of samba 3.3 on them (e.g. Version
3.3.8-0.52.el5_5.2). These servers are using Samba and Winbind as a way to
bind to our Active Directory environment as domain members.

We also have a domain member file server running the following:

Red Hat Enterprise Linux Server release 5.6 (Tikanga)
Samba/Winbind Version 3.5.4-0.70.el5

Due to hardware aging and the desire to use newer versions of the SMB
protocol, I have been building a new server and migrating users' data over to
it. The new server is running the following:

Red Hat Enterprise Linux Server release 7.6 (Maipo)
Samba/Winbind Version 4.8.3

One issue I've been having is trying to get UIDs to coincide between old
and new software versions.

Our Samba 3 configs have the following defined:
idmap config ADSMC:default = yes
idmap config ADSMC:backend = rid
idmap config ADSMC:base_rid=500
idmap config ADSMC:range = 2000-100000

I've set up the following in our Samba 4 server:
idmap config ADSMC:range = 2000-100000
idmap config * :range = 2000-100000
idmap config ADSMC : backend = rid
idmap config * : backend = tdb

In an effort to keep things as compatible as possible between co-existing
old and new servers, I made an effort to emulate the old settings as much
as possible.

I don't know if these settings are correct for our AD/Samba environment,
but it seems to work except for one issue. Every UID and GID issued by the
new server is 500 greater than the old server. This presents a problem on
some of the old servers that automount user directories on the file server
via NFS. The UID discrepancy results in users not owning their own
directories and files when logged into older servers.

One way I have tried to mitigate this was to set the ranges on the new
server to 500 less:
idmap config ADSMC:range = 1500-100000
idmap config * :range = 1500-100000

Is this an acceptable solution, or is there something more radical I need
to do?

Thanks.



Steve Hideg
Director of Network & System Administration
Department of Information Technology
Saint Mary's College
hideg at saintmarys.edu
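
Added example (not part of the original post and not Samba project code): the rid-backend arithmetic behind the 500 offset described above, checked across the three configurations in the message. It assumes the documented idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_VALUE, with base_rid honoured only on the Samba 3 hosts and treated as 0 on the Samba 4 host; the class and function names and the sample RID 1104 are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class RidConfig:
    """One 'idmap config DOMAIN' stanza using backend = rid (hypothetical helper)."""
    low: int           # low end of "range"
    high: int          # high end of "range"
    base_rid: int = 0  # assumption: only the Samba 3 hosts apply base_rid

    def to_id(self, rid: int) -> Optional[int]:
        # Assumed formula: ID = RID - BASE_RID + LOW_RANGE_VALUE
        unix_id = rid - self.base_rid + self.low
        # An ID that falls outside the configured range is not mapped at all.
        return unix_id if self.low <= unix_id <= self.high else None


def mismatches(a: RidConfig, b: RidConfig,
               rids: Iterable[int]) -> Dict[int, Tuple[Optional[int], Optional[int]]]:
    """Return {rid: (id_on_a, id_on_b)} for every RID the two hosts map differently."""
    return {r: (a.to_id(r), b.to_id(r)) for r in rids if a.to_id(r) != b.to_id(r)}


# Configurations taken from the message.
SAMBA3 = RidConfig(low=2000, high=100000, base_rid=500)   # old servers
SAMBA4_AS_POSTED = RidConfig(low=2000, high=100000)       # new server, first attempt
SAMBA4_SHIFTED = RidConfig(low=1500, high=100000)         # new server, range lowered by 500

# Constructed sample: well-known RIDs 500/512/513, an ordinary account,
# and two RIDs at the top edge of the old range.
SAMPLE_RIDS = [500, 512, 513, 1104, 98500, 98501]

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMBA4_AS_POSTED), ("shifted", SAMBA4_SHIFTED)):
        diff = mismatches(SAMBA3, cfg, SAMPLE_RIDS)
        print(f"Samba 4 {label}: {len(diff)} mismatching RID(s)")
        for rid, (old_id, new_id) in sorted(diff.items()):
            print(f"  RID {rid}: old={old_id} new={new_id}")
```

Any RID reported as mismatching is an account whose files on the NFS export would show a different owner depending on which host resolves the UID, so the check is worth rerunning against the real RID list (for example from wbinfo output) before cutting over.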

