Mario Pio Russo
2015-Sep-06 14:03 UTC
[Samba] Migrating samba file server OS, group id different on the source and the target server.
Good Day All

I have a samba 4 AD DC based on sernet samba 4.2.3 (on Ubuntu 14.0.4) and a samba file share server based on samba 3.5.6 (on Debian 10.01, "squeeze")

Now we want to migrate the file share server from Debian+samba3 to Ubuntu 14.04 +samba4. This is for various reasons, the most important being that samba3 is EOL and "squeeze" will be EOL soon (beginning of 2016).

Please note that the file server was implemented a long time ago, unfortunately not by me. So I notice that a few parameters were not implemented in the smb.conf

(e.g.
    #idmap config CCDC : backend = ad
    #idmap config CCDC : range = 10000-20000
etc.)

Now I have a file share test environment based on ubuntu 14 and samba4. I have noticed that the groups and the users have completely different group and user ids.

For example the group domainusers has gid 10003 on the old server and gid 10122 on the new one.

Because all the file share directories are mounted on dedicated disks, the idea of the migration is to detach the disks from the old file server and attach them to the new one. However because of this group discrepancy, all the access permission rights will be messed up. Considering that we have about 10 TB of data to transfer, and a huge number of files, re-assigning the access permissions after the migration is practically impossible (also considering that we do not have lots of time for the migration itself.)

The only option is to make sure that the GID and the UID of the new file share match exactly the old file share. I have tried already with a few options by using the idmap, but this didn't resolve my issue.

I wonder if there is a way to manually map gid and uid, or any other way to get this problem solved.

The 2 smb.conf files follow.

thanks

original samba3 file share:

    root@seadog://etc/samba# less smb.conf
        log file = /var/log/samba/log.%m
        log level = 3

        max log size = 2000
        syslog = 0

    # using these options copied from clearcase.
    # back in the day we did research these to death
    #
    #   socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
        socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY

    # This disables print options
    # we are not a print server
    #
        load printers = No
        disable spoolss = Yes

        smb ports = 139

    # every mount from the SAN has a lost+found folder
    # to avoid user confusion, have set this to hidden
    #
        hide files = /lost+found/

        aio read size = 1
        aio write size = 1
        follow symlinks = no

NEW FILE SHARE

    [global]
        workgroup = CCDC
        realm = CCDC.LAN
        security = ADS
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        server string = CSI Samba Server
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind cache time = 15
        winbind refresh tickets = Yes
        winbind uid = 10000-20000
        winbind gid = 10000-20000

        #idmap config * : backend = tdb
        #idmap config * : range = 2000-9999
        #idmap config CCDC : backend = ad
        #idmap config CCDC : range = 10000-20000
        map untrusted to domain = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 2000
        #smb ports = 139
        name resolve order = wins, host, bcast
        server signing = required
        load printers = No
        disable spoolss = Yes
        local master = No
        domain master = No
        dns proxy = No
        wins server = 9.161.96.220
        template homedir = /home/winbind
        full_audit:priority = NOTICE
        full_audit:facility = local7
        full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
        full_audit:prefix = %u,%I,%m,%S
        invalid users = root, daemon, bin, sys, sync, games, man, lp, mail,news, uucp, proxy, www-data, backup, list, irc, gnats, Debian-exim, sshd, ntpd
        acl group control = Yes
        aio read size = 1
        aio write size = 1
        map acl inherit = Yes
        hide files = /lost+found/
        follow symlinks = No
        dos filemode = Yes
        vfs objects = acl_xattr full_audit
        store dos attributes = Yes

___________________________________________________________________________________________

Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
Rowland Penny
2015-Sep-06 15:04 UTC
[Samba] Migrating samba file server OS, group id different on the source and the target server.
OK, the first smb.conf looks like it is from a standalone server, using tdbsam and local users, the second is from an AD client but you are using a deprecated uid/gid mechanism and have commented this out:

    #idmap config * : backend = tdb
    #idmap config * : range = 2000-9999
    #idmap config CCDC : backend = ad
    #idmap config CCDC : range = 10000-20000

Now if you want to use AD (do you have an AD DC?) then what you have commented out is actually what you need. You will need to be using samba4 or a windows DC with IDMU, if you use samba4, you may be able to use the 'classicupgrade' method. If not, you will need to extract your users & groups along with their uid/gid numbers and add these to the user/group objects in AD.

Rowland
Mario Pio Russo
2015-Sep-07 10:26 UTC
[Samba] Migrating samba file server OS, group id different on the source and the target server.
thank you once again Rowland

just some clarification:

1) I have one Domain Controller based on Samba4 in AD mode, how can I verify that I am using IDMU on it?

2) YES - the samba3 file share is a standalone server, using tdbsam and local users.

3) "the second is from an AD client but you are using a deprecated uid/gid mechanism and have commented this out:

    #idmap config * : backend = tdb
    #idmap config * : range = 2000-9999
    #idmap config CCDC : backend = ad
    #idmap config CCDC : range = 10000-20000
"

I did comment those out just for testing, but if I put them back, nothing changes and the gid and uid are still different from the standalone server

4) to be honest all I need is that all the domain guid/uid on the new file server match exactly the domain guid/uid that are present in the old file server, whatever mechanism I have to use.

For example, the AD group domainusers is defined as follows in the Domain controller

Samba4 AD DC:

    dn: CN=DomainUsers,CN=Users,DC=ccdc,DC=lan
    cn: DomainUsers
    description: Domain Users
    instanceType: 4
    whenCreated: 20150713152248.0Z
    uSNCreated: 3780
    name: DomainUsers
    objectGUID:: wzVim3m0yUiKEj7cF10BYA=
    objectSid:: AQUAAAAAAAUVAAAANxKzmMQKGuPHWLf69wIAAA=
    sAMAccountName: DomainUsers
    sAMAccountType: 268435456
    groupType: -2147483646
    objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ccdc,DC=lan
    gidNumber: 759
    objectClass: top
    objectClass: posixGroup
    objectClass: group
    msSFU30NisDomain: ccdc
    memberOf: CN=CCDC - Remote Desktop Users,OU=Security,OU=CCDC-Groups,DC=ccdc,DC=lan
    memberOf: CN=Domain Users,CN=Users,DC=ccdc,DC=lan
    memberOf: CN=DomainUsers,CN=Users,DC=ccdc,DC=lan
    member: CN=ieu94629,CN=Users,DC=ccdc,DC=lan
    member: CN=ieu94768,CN=Users,DC=ccdc,DC=lan
    member: CN=ieu94243,CN=Users,DC=ccdc,DC=lan
    member: CN=ieu68184,CN=Users,DC=ccdc,DC=lan
    member: CN=ieu68199,CN=Users,DC=ccdc,DC=lan
    member: CN=ieu68243,CN=Users,DC=ccdc,DC=lan
    member: CN=ieu68284,CN=Users,DC=ccdc,DC=lan
    member: CN=ieu68298,CN=Users,DC=ccdc,DC=lan

that's what I see on the 2 file share servers:

Samba 3.5.6

    getent group | grep domainusers | cut -f 1 -d ","
    domainusers:x:10003:mooreof

Samba 4.1.6

    getent group | grep domainusers | cut -f 1 -d ","
    domainusers:x:10122:mooreof

what I need is this:

Samba 4.1.2 - domainusers had GID 10003

any idea?

thanks
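The approach Rowland describes (carry the old uid/gid numbers on the AD objects so the `ad` idmap backend returns them), as an added example that is not part of the thread: it reads the old server's `getent group` output and emits LDIF that sets `gidNumber` to the old value. The function names, the `AD_GROUPS` table and the `staff` line are assumptions; the other sample values are the ones quoted above.

```python
# Added example: plan gidNumber updates so the 'ad' idmap backend returns the
# old file server's GIDs. Sample data is constructed from values in this thread.

OLD_GETENT_GROUP = """\
domainusers:x:10003:mooreof
staff:x:50:
"""  # 'staff' is a constructed local group, included to show range filtering

# Hypothetical export: sAMAccountName -> (DN, current gidNumber or None)
AD_GROUPS = {
    "DomainUsers": ("CN=DomainUsers,CN=Users,DC=ccdc,DC=lan", 759),
}

IDMAP_RANGE = (10000, 20000)  # 'idmap config CCDC : range' in the new smb.conf


def parse_getent(text):
    """Return {lowercased name: numeric id} from getent passwd/group lines."""
    ids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[fields[0].lower()] = int(fields[2])
    return ids


def plan_updates(old_ids, ad_objects, id_range, attr="gidNumber"):
    """Return (ldif_text, skipped) so that AD carries the old server's IDs."""
    lo, hi = id_range
    # getent shows 'domainusers', AD stores 'DomainUsers': match case-insensitively
    by_name = {name.lower(): rec for name, rec in ad_objects.items()}
    ldif, skipped = [], []
    for name, old_id in sorted(old_ids.items()):
        if not lo <= old_id <= hi:
            skipped.append((name, "outside idmap range"))
        elif name not in by_name:
            skipped.append((name, "no AD object"))
        else:
            dn, current = by_name[name]
            if current != old_id:  # only touch objects whose ID differs
                ldif.append(f"dn: {dn}\nchangetype: modify\n"
                            f"replace: {attr}\n{attr}: {old_id}\n")
    return "\n".join(ldif), skipped


if __name__ == "__main__":
    ldif_text, skipped = plan_updates(
        parse_getent(OLD_GETENT_GROUP), AD_GROUPS, IDMAP_RANGE)
    print(ldif_text)
    print("skipped:", skipped)
```

The same planner handles users when given `getent passwd` lines and `attr="uidNumber"`. The DC's current `gidNumber: 759` lies outside the `10000-20000` range in the new smb.conf, and the `ad` backend ignores IDs stored outside its configured range.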