Denis CARDON
2022-Apr-01 12:46 UTC
[Samba] How to move shares from DC to MS preserving permissions?
Hi Rowland,

On 01/04/2022 at 14:22, Rowland Penny via samba wrote:
> On Fri, 2022-04-01 at 14:12 +0200, Denis CARDON via samba wrote:
>> Hi Antonio,
>>
>> On 01/04/2022 at 11:53, Antonio Trogu via samba wrote:
>>> I need to move some shares from an AD DC to a new member server joined
>>> to the domain. These shares are on LVMs on iSCSI targets, but when I
>>> mount them on the new member server they are not accessible to the
>>> domain's users except to Administrator. Is it possible to configure the
>>> member server's Samba to preserve users' permissions on the moved shares
>>> without having to propagate them again (on hundreds of TBs)?
>>
>> If you are comfortable with python-ldb / python-tdb you can use TDB
>> mapping on the member server and recreate the tdb map by script.
>>
>> You can read the current mapping from idmap.ldb on the domain controller
>> and re-inject them in the tdb map on the member server.
>
> Are you sure about that Denis ?
> On a DC, idmap.ldb contains different format records to what a Unix
> domain member expects.
> I would have thought using rsync to copy the data would be a better
> alternative.

idmap.ldb and winbindd_idmap.tdb do not have the same structure, but you
can recreate one on the file server with the proper format using some
python scripting. It's just mapping tables.

The thing that couldn't be mapped is having a group as a file owner
(possible on a DC but not on a member server), but I wouldn't expect this
kind of situation on a fileshare.

I don't know exactly how the extended attribute NTACL would behave (if you
happen to need them), but if there are complex ACLs, it is better to do it
on a Windows client with setacl.exe anyway.

Cheers,

Denis

> Rowland
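Added example, not code from the thread or from Samba, of the conversion Denis describes: it rebuilds the winbindd_idmap.tdb key/value layout from idmap.ldb-style records, refusing entries whose xidNumber falls outside the member server's idmap range and, per the group-ownership caveat, ID_TYPE_BOTH entries whose AD object class is unknown. Assumed: the member server uses the tdb idmap backend, the records are read with python-ldb and the result written with python-tdb; the sample records are constructed.

```python
import struct
# Added example, not code from the thread: turn DC idmap.ldb sidMap records
# (objectSid, type, xidNumber) into winbindd_idmap.tdb key/value pairs.
ID_TYPE_UID, ID_TYPE_GID, ID_TYPE_BOTH = "ID_TYPE_UID", "ID_TYPE_GID", "ID_TYPE_BOTH"

# Constructed sample, shaped like what python-ldb returns from idmap.ldb.
SAMPLE_RECORDS = [
    {"objectSid": "S-1-5-21-11-22-33-1105", "type": ID_TYPE_BOTH, "xidNumber": "3000021"},
    {"objectSid": "S-1-5-21-11-22-33-513", "type": ID_TYPE_BOTH, "xidNumber": "3000000"},
    {"objectSid": "S-1-5-21-11-22-33-1300", "type": ID_TYPE_BOTH, "xidNumber": "3000050"},
    {"objectSid": "S-1-5-21-11-22-33-1500", "type": ID_TYPE_UID, "xidNumber": "10"},
]

def _term(s):
    return s.encode() + b"\0"   # idmap_tdb keys/strings carry a terminating NUL

def read_uint32(data):
    return struct.unpack("=I", data)[0]   # HWM counters are native-endian uint32

def convert_idmap(records, id_range, both_kinds=None):
    """Return (entries, skipped): raw tdb key -> value pairs, plus (sid, reason)
    for records idmap_tdb cannot hold. id_range = member server's 'idmap config
    * : range'; both_kinds = assumed SID -> "user"/"group" AD object-class lookup."""
    lo, hi = id_range
    both_kinds = both_kinds or {}
    entries, skipped = {}, []
    user_hwm, group_hwm = lo, lo
    for rec in records:
        sid, xid, typ = rec["objectSid"], int(rec["xidNumber"]), rec["type"]
        if not lo <= xid <= hi:
            skipped.append((sid, "xid %d outside range %d-%d" % (xid, lo, hi)))
            continue
        if typ == ID_TYPE_BOTH:   # DC: one xid is uid and gid; tdb holds one type
            kind = both_kinds.get(sid)
            if kind not in ("user", "group"):
                skipped.append((sid, "ID_TYPE_BOTH with unknown object kind"))
                continue
            typ = ID_TYPE_UID if kind == "user" else ID_TYPE_GID
        idkey = "%s %d" % ("UID" if typ == ID_TYPE_UID else "GID", xid)
        entries[_term(idkey)] = _term(sid)   # "UID 3000021\0" -> "S-1-5-...\0"
        entries[_term(sid)] = _term(idkey)   # reverse lookup
        if idkey.startswith("UID"):
            user_hwm = max(user_hwm, xid + 1)
        else:
            group_hwm = max(group_hwm, xid + 1)
    # High-water marks past every imported id, so winbind never re-issues one.
    entries[_term("IDMAP_VERSION")] = struct.pack("=i", 2)
    entries[_term("USER HWM")] = struct.pack("=I", user_hwm)
    entries[_term("GROUP HWM")] = struct.pack("=I", group_hwm)
    return entries, skipped
```

The DC side is an ldb search for objectClass=sidMap on idmap.ldb, and the result is stored pair by pair with python-tdb's `Tdb.store(key, value)` while winbind is stopped. Anything in `skipped` has to be resolved by hand before users relying on it will see their files.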
Ralph Boehme
2022-Apr-01 13:48 UTC
[Samba] How to move shares from DC to MS preserving permissions?
On 4/1/22 14:46, Denis CARDON via samba wrote:
> The thing that couldn't be mapped is having a group as a file owner
> (possible on a DC but not on a member server), but I wouldn't expect
> this kind of situation on a fileshare.

FWIW, this works just fine on a member server given an idmap backend that
supports id-type-both (iirc rid, autorid and script). There are other use
cases besides group as file owner like SID history where basically users
are represented as gids in the UNIX token and the filesystem.

-slow

-- 
Ralph Boehme, Samba Team        https://samba.org/
SerNet Samba Team Lead          https://sernet.de/en/team-samba