[Samba] How to move shares from DC to MS preserving permissions?

Denis CARDON dcardon at tranquil.it
Fri Apr 1 12:46:53 UTC 2022

Hi Rowland,

On 01/04/2022 at 14:22, Rowland Penny via samba wrote:
> On Fri, 2022-04-01 at 14:12 +0200, Denis CARDON via samba wrote:
>> Hi Antonio,
>> On 01/04/2022 at 11:53, Antonio Trogu via samba wrote:
>>> I need to move some shares from an AD DC to a new member server joined
>>> to the domain. These shares are on LVMs on iSCSI targets, but when I
>>> mount them on the new member server they are not accessible to the
>>> domain's users except to Administrator. Is it possible to configure the
>>> member server's Samba to preserve users' permissions on the moved shares
>>> without having to propagate them again (on hundreds of TBs)?
>> if you are comfortable with python-ldb / python-tdb you can use TDB
>> mapping on the member server and recreate the tdb map by script.
>> You can read current mapping from idmap.ldb on the domain controller
>> and re-inject them in the tdb map on the member server.
> Are you sure about that Denis ?
> On a DC, idmap.ldb contains different format records to what a Unix
> domain member expects.
> I would have thought using rsync to copy the data would be a better
> alternative.

idmap.ldb and winbindd_idmap.tdb do not have the same structure, but 
you can recreate one on the file server with the proper format using 
some python scripting. It's just mapping tables.

The thing that couldn't be mapped is having a group as a file owner 
(possible on a DC but not on a member server), but I wouldn't expect 
this kind of situation on a fileshare.

I don't know exactly how the extended attribute NTACL would behave (if 
you happen to need them), but if there are complex ACLs, it is better 
to do it on a Windows client with setacl.exe anyway.



> Rowland
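
The conversion discussed in this message, as an added example that is not code from the thread or from the Samba project: it turns an LDIF dump of idmap.ldb into the forward and reverse records a winbindd_idmap.tdb would hold, and sets aside entries that cannot be mapped unambiguously. Assumptions: the attribute names `objectSid`, `type` and `xidNumber`, the NUL-terminated `UID n` / `GID n` record layout, and the hypothetical `kinds` argument that says whether an `ID_TYPE_BOTH` SID is a user or a group; all sample data is constructed.

```python
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
# Constructed sample shaped like an LDIF dump of idmap.ldb (assumed layout).
SAMPLE_LDIF = f"""\
dn: CN={DOM}-1104
objectSid: {DOM}-1104
type: ID_TYPE_UID
xidNumber: 3000017

dn: CN={DOM}-513
objectSid: {DOM}-513
type: ID_TYPE_BOTH
xidNumber: 3000018

dn: CN={DOM}-1105
objectSid: {DOM}-1105
type: ID_TYPE_BOTH
xidNumber: 3000019

dn: CN=CONFIG
xidNumber: 3000020
"""

def parse_records(ldif):
    """Yield one attribute dict per blank-line-separated LDIF entry."""
    for block in ldif.strip().split("\n\n"):
        yield dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)

def build_tdb_pairs(ldif, kinds):
    """Return (pairs, skipped). `kinds` (hypothetical input) maps a SID to
    'UID' or 'GID' for ID_TYPE_BOTH entries, resolved beforehand from AD."""
    fixed = {"ID_TYPE_UID": "UID", "ID_TYPE_GID": "GID"}
    pairs, skipped = [], []
    for rec in parse_records(ldif):
        sid = rec.get("objectSid")
        if sid is None:          # bookkeeping record, not a SID mapping
            continue
        kind = fixed.get(rec.get("type")) or kinds.get(sid)
        if kind not in ("UID", "GID"):
            skipped.append(sid)  # ambiguous: review by hand, do not guess
            continue
        xid = f"{kind} {int(rec['xidNumber'])}".encode() + b"\0"
        key = sid.encode() + b"\0"
        pairs += [(key, xid), (xid, key)]  # SID -> id and id -> SID
    return pairs, skipped
```

Review the `skipped` list before writing anything to the member server: a SID left out of the map will be allocated a fresh ID and will not match the ownership already on disk.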