Rowland Penny
2022-Apr-01 12:22 UTC
[Samba] How to move shares from DC to MS preserving permissions?
On Fri, 2022-04-01 at 14:12 +0200, Denis CARDON via samba wrote:
> Hi Antonio,
>
> On 01/04/2022 at 11:53, Antonio Trogu via samba wrote:
> > I need to move some shares from an AD DC to a new member server joined
> > to the domain. These shares are on LVMs on iSCSI targets, but when I
> > mount them on the new member server they are not accessible to the
> > domain's users except to Administrator. Is it possible to configure the
> > member server's Samba to preserve users' permissions on the moved shares
> > without having to propagate them again (on hundreds of TBs)?
>
> if you are comfortable with python-ldb / python-tdb you can use TDB
> mapping on the member server and recreate the tdb map by script.
>
> You can read current mapping from idmap.ldb on the domain controller and
> re-inject them in the tdb map on the member server.

Are you sure about that, Denis?
On a DC, idmap.ldb contains different format records to what a Unix
domain member expects.
I would have thought using rsync to copy the data would be a better
alternative.

Rowland
Denis CARDON
2022-Apr-01 12:46 UTC
[Samba] How to move shares from DC to MS preserving permissions?
Hi Rowland,

On 01/04/2022 at 14:22, Rowland Penny via samba wrote:
> On Fri, 2022-04-01 at 14:12 +0200, Denis CARDON via samba wrote:
>> Hi Antonio,
>>
>> On 01/04/2022 at 11:53, Antonio Trogu via samba wrote:
>>> I need to move some shares from an AD DC to a new member server joined
>>> to the domain. These shares are on LVMs on iSCSI targets, but when I
>>> mount them on the new member server they are not accessible to the
>>> domain's users except to Administrator. Is it possible to configure the
>>> member server's Samba to preserve users' permissions on the moved shares
>>> without having to propagate them again (on hundreds of TBs)?
>>
>> if you are comfortable with python-ldb / python-tdb you can use TDB
>> mapping on the member server and recreate the tdb map by script.
>>
>> You can read current mapping from idmap.ldb on the domain controller and
>> re-inject them in the tdb map on the member server.
>
> Are you sure about that, Denis?
> On a DC, idmap.ldb contains different format records to what a Unix
> domain member expects.
> I would have thought using rsync to copy the data would be a better
> alternative.

idmap.ldb and winbindd_idmap.tdb do not have the same structure, but you
can recreate one on the file server with the proper format using some
python scripting. It's just mapping tables.

The thing that couldn't be mapped is having a group as a file owner
(possible on a DC but not on a member server), but I wouldn't expect this
kind of situation on a fileshare.

I don't know exactly how the extended attribute NTACL would behave (if you
happen to need them), but if there are complex ACLs, it is better to do it
on a Windows client with setacl.exe anyway.

Cheers,

Denis

> Rowland
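A sketch of the mapping script Denis describes, added here as an example (it is not code from the thread or from Samba). It assumes the idmap.ldb attribute names shown in the constructed sample, the idmap_tdb key/value layout noted in the comments (verify both against your Samba version), and that the member server uses the tdb backend for the domain with an idmap range covering those xids.

```python
import os
import struct

# Constructed sample of `ldbsearch -H idmap.ldb` output (not real data); the
# attribute names and ID_TYPE_* values are the assumed idmap.ldb sidMap format.
SAMPLE_DUMP = """\
dn: CN=S-1-5-21-1-2-3-1104
objectSid: S-1-5-21-1-2-3-1104
type: ID_TYPE_UID
xidNumber: 3000000

dn: CN=S-1-5-21-1-2-3-512
objectSid: S-1-5-21-1-2-3-512
type: ID_TYPE_BOTH
xidNumber: 3000001
"""


def parse_idmap_dump(text):
    """Yield (sid, type, xid) for each entry carrying all three attributes."""
    for block in text.strip().split("\n\n"):
        attrs = dict(ln.split(": ", 1) for ln in block.splitlines() if ": " in ln)
        if attrs.keys() >= {"objectSid", "type", "xidNumber"}:
            yield attrs["objectSid"], attrs["type"], int(attrs["xidNumber"])


def to_tdb_records(entries):
    """Return (records, skipped_sids) in the assumed idmap_tdb key/value layout."""
    records, skipped, next_xid = {}, [], 0
    for sid, kind, xid in entries:
        next_xid = max(next_xid, xid + 1)  # never re-allocate an xid the DC used
        if kind not in ("ID_TYPE_UID", "ID_TYPE_GID"):
            skipped.append(sid)  # ID_TYPE_BOTH: group-as-owner, no MS equivalent
            continue
        fwd, rev = sid.encode() + b"\0", f"{kind[-3:]} {xid}".encode() + b"\0"
        records[fwd], records[rev] = rev, fwd  # "SID" <-> "UID n" / "GID n"
    # high-water marks and version are assumed to be little-endian 32-bit values
    records[b"USER HWM\0"] = records[b"GROUP HWM\0"] = struct.pack("<I", next_xid)
    records[b"IDMAP_VERSION\0"] = struct.pack("<i", 2)
    return records, skipped


def write_tdb(path, records):
    """Re-inject the records with python-tdb (member server, winbindd stopped)."""
    import tdb  # Samba python binding, imported lazily so parsing runs anywhere
    db = tdb.Tdb(path, 0, tdb.DEFAULT, os.O_RDWR | os.O_CREAT, 0o600)
    for key, value in records.items():
        db.store(key, value)
    db.close()
```

Feed `to_tdb_records(parse_idmap_dump(dump))` the real dump and review the skipped SIDs by hand before calling `write_tdb`; those are exactly the group-as-owner cases Denis mentions.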