samba - Apr 2022 - How to move shares from DC to MS preserving permissions?

Hi Antonio,

Le 01/04/2022 ? 11:53, Antonio Trogu via samba a ?crit?:
> I need to move some shares from an AD DC to a new member server joined 
> to the domain. These shares are on LVMs on iSCSI targets, but when I 
> mount them on the new member server they are not accessible to the 
> domain's users except to Administrator. Is it possible to configure the
> member server's Samba to preserve users' permissions on the moved
shares
> without having to propagate them again (on hundreds of TBs)?
if you are confortable with python-ldb / python-tdb you can use TDB 
mapping on the member server and recreate the tdb map by script.

You can read current mapping from idmap.ldb on the domain controller and 
re-inject them in the tdb map on the member server.

By the way, ACL propagation speed depends much on the number of files 
rather than the total volume, and if you are using only posix ACL or 
Windows ACL. Using getfacl / setfacl it may not take that much time to 
propagate ACL again. I've done it dozens of time on small and large file 
servers during domain merge / migration.

I would rewrite the tdb mapping only if the acl propagation really 
overflow your maximum acceptable downtime.

Cheers,

Denis

> 
> Thank you.
> 
> Antonio
> 
> 
> The information contained in this email message and/or attachments is 
> strictly confidential. Its use is exclusive to the intended recipient of 
> the message for the purpose reported in the message itself. The 
> following constitutes a breach to the principles provided for by the 
> General Data Protection Regulation 2016/679: keeping the message beyond 
> the necessary time, disclosing its contents, either totally or 
> partially, to third parties, copying or using it for any purpose other 
> than those stated in the message itself. We further inform you that, at 
> any time, you can ask for the suspension of the use of your data, except 
> for any communication provided for by law. Should you receive this 
> message in error, we kindly ask you to notify us immediately via e-mail 
> and delete it from your system.
>

On Fri, 2022-04-01 at 14:12 +0200, Denis CARDON via samba
wrote:
> Hi Antonio,
> 
> Le 01/04/2022 ? 11:53, Antonio Trogu via samba a ?crit :
> > I need to move some shares from an AD DC to a new member server
> > joined 
> > to the domain. These shares are on LVMs on iSCSI targets, but when
> > I 
> > mount them on the new member server they are not accessible to the 
> > domain's users except to Administrator. Is it possible to
configure
> > the 
> > member server's Samba to preserve users' permissions on the
moved
> > shares 
> > without having to propagate them again (on hundreds of TBs)?
> 
> if you are confortable with python-ldb / python-tdb you can use TDB 
> mapping on the member server and recreate the tdb map by script.
> 
> You can read current mapping from idmap.ldb on the domain controller
> and 
> re-inject them in the tdb map on the member server.
Are you sure about that Denis ?
On a a DC, idmap.ldb contains different format records to what a Unix
domain member expects.
I would have thought using rsync to copy the data would be a better
alternative.

Rowland