Ed Ravin
2004-Mar-16 01:12 UTC
[Samba] matching UIDs to RIDs when converting from Windows to Samba
I have a bunch of Windows users using a Win2k server as a PDC. I want to move all the server functions to a Samba server without disturbing the users in any way. The client machines are all Win2k, using local profiles.

Samba insists on algorithmically generating the RID from the UID, so the Windows user, after migration, gets a new SID and loses contact with their local profile. In fact, they seem to be an entirely different user, with a new SID and new profile directory.

I haven't had any luck yet using the "profiles" tool to convert NTUSER.DAT, and I don't really want to go that route if I can help it, since it involves converting to remote profiles which slows down login/logout and doesn't meet my "seamless" migration requirements.

Is there any way to get Samba to match the Unix UIDs to Windows RIDs, or to force the RIDs to be particular values as we can do with "net groupmap" for groups?

Thanks,

-- Ed
Andrew Bartlett
2004-Mar-16 01:26 UTC
[Samba] matching UIDs to RIDs when converting from Windows to Samba
On Mon, Mar 15, 2004 at 08:11:42PM -0500, Ed Ravin wrote:
> I have a bunch of Windows users using a Win2k server as a PDC. I want
> to move all the server functions to a Samba server without disturbing
> the users in any way. The client machines are all Win2k, using local
> profiles.
>
> Samba insists on algorithmically generating the RID from the UID, so the
> Windows user, after migration, gets a new SID and loses contact with
> their local profile. In fact, they seem to be an entirely different
> user, with a new SID and new profile directory.

If you used a 'real' passdb backend, like ldapsam and tdbsam, then this should 'just work'.

> I haven't had any luck yet using the "profiles" tool to convert
> NTUSER.DAT, and I don't really want to go that route if I can help
> it, since it involves converting to remote profiles which slows down
> login/logout and doesn't meet my "seamless" migration requirements.
>
> Is there any way to get Samba to match the Unix UIDs to Windows RIDs,
> or to force the RIDs to be particular values as we can do with
> "net groupmap" for groups?

For users, this is done by matching names via getpwnam(). We are working to make it work on a table, sort of like the way group mapping works, in Samba HEAD.

Andrew Bartlett
On Mon, Mar 15, 2004 at 08:11:42PM -0500, Ed Ravin wrote:
> Is there any way to get Samba to match the Unix UIDs to Windows RIDs,
> or to force the RIDs to be particular values as we can do with
> "net groupmap" for groups?

Speaking of which, I'm having trouble with that command too (samba-3.0.2a, running on Red Hat 6.x Linux with some new bits grafted into it).

I started by deleting group_mapping.tdb and starting the server.

# net groupmap list | grep Users
Power Users (S-1-5-32-547) -> -1
Users (S-1-5-32-545) -> -1
Domain Users (S-1-5-21-662018651-3907110178-816287836-513) -> -1

Now, I want to map "Domain Users" to my local "users" group and keep the same RID:

[root migration]# net groupmap add rid=513 unixgroup=users type=domain ntgroup='Domain Users'
adding entry for group Domain Users failed!

Well, that's a helpful error message. What's going on here?

I've noticed that I can do this without specifying the RID:

# net groupmap add unixgroup=users type=domain ntgroup='Domain Users'
No rid or sid specified, choosing algorithmic mapping
Successully added group Domain Users to the mapping db

But now, there are TWO entries in the map for "Domain Users":

# net groupmap list | grep Users
Power Users (S-1-5-32-547) -> -1
Domain Users (S-1-5-21-662018651-3907110178-816287836-1201) -> users
Users (S-1-5-32-545) -> -1
Domain Users (S-1-5-21-662018651-3907110178-816287836-513) -> -1

And running rpcclient against localhost reports that "Domain Users" is RID 1201, not 513. Other experiments show that there will always be an entry for Domain Users with rid 513 pointing to -1, even when I explicitly try to delete it.

-- Ed
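
An added example, not part of the original thread or of Samba's own code: a small audit of "net groupmap list" output that flags NT groups carrying more than one RID and mapped entries whose RID is just the algorithmic value for the Unix gid. It uses Samba 3.0's default algorithmic mapping (RID = id * 2 + 1000, low bit set for groups) and assumes the local "users" group is gid 100, which reproduces the 1201 seen above.

```python
import re
from collections import defaultdict

# Samba 3.0 algorithmic mapping: RID = id * 2 + base, low bit 0 = user, 1 = group.
RID_BASE = 1000          # default of the smb.conf "algorithmic rid base" parameter
USER_TYPE, GROUP_TYPE = 0, 1

def uid_to_rid(uid, base=RID_BASE):
    return (uid * 2 + base) | USER_TYPE

def gid_to_rid(gid, base=RID_BASE):
    return (gid * 2 + base) | GROUP_TYPE

# "net groupmap list" output copied from the message above.
GROUPMAP = """\
Power Users (S-1-5-32-547) -> -1
Domain Users (S-1-5-21-662018651-3907110178-816287836-1201) -> users
Users (S-1-5-32-545) -> -1
Domain Users (S-1-5-21-662018651-3907110178-816287836-513) -> -1
"""
ENTRY = re.compile(r"^(.+?) \((S-[\d-]+)\) -> (\S+)$")

def parse_groupmap(text):
    """Return (ntgroup, rid, unixgroup-or-None) tuples; "-1" means unmapped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            name, sid, unix = m.groups()
            rid = int(sid.rsplit("-", 1)[1])   # RID is the last SID component
            entries.append((name, rid, None if unix == "-1" else unix))
    return entries

def audit(entries, unix_gids):
    """Find NT groups with several RIDs, and mapped RIDs derived from the gid."""
    by_name = defaultdict(list)
    for name, rid, _ in entries:
        by_name[name].append(rid)
    duplicates = {n: rids for n, rids in by_name.items() if len(rids) > 1}
    generated = [(n, rid, u) for n, rid, u in entries
                 if u in unix_gids and rid == gid_to_rid(unix_gids[u])]
    return duplicates, generated

if __name__ == "__main__":
    # Assumption: "users" is gid 100 on this host (check with: getent group users).
    dups, gen = audit(parse_groupmap(GROUPMAP), {"users": 100})
    for name, rids in dups.items():
        print(f"{name}: multiple RIDs {rids}")
    for name, rid, unix in gen:
        print(f"{name} -> {unix}: RID {rid} is the algorithmic value for the gid")
```

Run against the map before and after a migration step, any user or group whose RID shows up as algorithmic rather than matching the old PDC's value will present a different SID to clients.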