Jean-Yves Avenard
2011-Dec-07 11:06 UTC
[Samba] winbind: how to fix uid/SID mapping following migration to a new DC
Hi there.
Our IT moved all the user accounts to a new domain controller.
It wasn't much of a migration, more a complete setup on a new
machine, new OS, new domain; it just happens that the usernames and
group names remained the same.
I have been asked to look after the migration of the existing unix
servers (linux and freebsd running samba 3.4).
All the unix machines use winbind for authentication purposes.
Previously the mapping between uids and SIDs was as follows:
idmap backend = idmap_rid:MEL=10000-100000000
idmap uid = 10000-100000000
idmap gid = 10000-100000000
That was simple and easy.
Problem is, on the new domain controller, while the usernames are the
same, the SIDs are not.
So should I move the unix machines to the new domain, all ownerships
and permissions will be screwed up.
The new winbind setup is supposed to use the following config for idmap backend:
idmap backend = ad
ldap idmap suffix = dc=alloratech,dc=local
ldap admin dn = cn=access,ou=Alloratech,dc=alloratech,dc=local
ldap suffix = dc=alloratech,dc=local
Which actually gives similar uid/gid in relation to the SID as the
previous setup (10000 + last digits of SID)
Now, going through all the files and folders found on those servers
(they are used as file server) to fix the ownership and permission is
going to take forever.
Is there a way to make it so the uid/SID are matched in such a way that a
username keeps the same uid as before?
For example, editing on the domain controller the ldap entries that
contain the uid/SID map or something like that (just thinking out loud
here)
Any help and/or advice will be greatly appreciated.
Thank you in advance
Jean-Yves
Jean-Yves Avenard
2011-Dec-08 01:49 UTC
[Samba] winbind: how to fix uid/SID mapping following migration to a new DC
Hi

On 7 December 2011 22:06, Jean-Yves Avenard <jyavenard at gmail.com> wrote:
> Is there a way to make so the uid/SID are matched in such a way that a
> username keeps the same uid as before.
> For example, editing on the domain controller the ldap entries that
> contain the uid/SID map or something like that (just thinking out loud
> here)

Amending this troubleshooting.
Unix extension has been added to the active directory, and the uidNumber for each user has been added in order to match the previous uid as discovered by winbind.
smb.conf was amended as follows:
winbind use default domain = Yes
winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
winbind nss info = rfc2307
allow trusted domains = No
idmap uid = 1000-1999999
idmap gid = 1000-1999999
idmap backend = ad
idmap config ALLORATECH : backend = ad
idmap config ALLORATECH : range = 1000-999999
idmap config ALLORATECH : schema_mode = rfc2307
Looking at the winbind_ad module, it seems to me that should the nss info and schema mode be set to rfc2307, it should use the uidNumber entry for determining the uid of the user.
However, winbind still assigns the RID + 10000 for the user's uid...
Is there a way to tell winbind precisely which uid to use? What am I missing?
Thanks
JY
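The two posts together describe a procedure: work out the uid that the old idmap_rid setup gave each account (the first post's "10000 + last digits of SID", i.e. the low end of the range plus the RID) and store that number as the rfc2307 uidNumber/gidNumber on the new DC so the ad backend hands out the same ids. The script below is an added example, not code from this thread or from Samba; it assumes the old SIDs are still known (for example from the old servers' idmap caches or from `wbinfo` output taken before the move), uses constructed account names, SIDs and DNs under the suffix from the post, and applies the one check that bites most often with `idmap backend = ad`: an id outside the configured `idmap config ... : range` is not honoured, so such accounts are flagged instead of written.

```python
# Added example, not code from the thread. Derives the uid that the old
# "idmap backend = idmap_rid:MEL=10000-100000000" setup handed out for a
# given SID (range low + RID) and emits rfc2307 uidNumber/gidNumber
# attributes to set on the new DC so each account keeps its old number.
# Account names, SIDs and DNs below are constructed sample data.

import re

# Old setup (first post): idmap_rid:MEL=10000-100000000 -> uid = 10000 + RID
OLD_LOW = 10000
# New setup (second post): idmap config ALLORATECH : range = 1000-999999
NEW_RANGE = (1000, 999999)

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_of(sid):
    """The last sub-authority of a domain account SID is the RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: %s" % sid)
    return int(m.group(1))


def old_rid_uid(sid, low=OLD_LOW):
    """uid/gid that idmap_rid assigned: low end of the range plus the RID."""
    return low + rid_of(sid)


def in_range(xid, rng=NEW_RANGE):
    """winbind's ad backend only honours uidNumber/gidNumber values inside
    the configured idmap range; anything outside is treated as unmapped."""
    return rng[0] <= xid <= rng[1]


def plan_mapping(accounts):
    """accounts: dicts with 'dn', 'old_user_sid', 'old_group_sid'.
    Returns (ok, rejected): ok entries carry the ids to write; rejected ones
    fall outside NEW_RANGE and need a wider range or a hand-picked id."""
    ok, rejected = [], []
    for a in accounts:
        uid = old_rid_uid(a["old_user_sid"])
        gid = old_rid_uid(a["old_group_sid"])
        entry = {"dn": a["dn"], "uidNumber": uid, "gidNumber": gid}
        (ok if in_range(uid) and in_range(gid) else rejected).append(entry)
    return ok, rejected


def to_ldif(entries):
    """LDIF 'modify' records suitable for ldapmodify against the new DC."""
    out = []
    for e in entries:
        out.append("dn: %s\nchangetype: modify\n"
                   "replace: uidNumber\nuidNumber: %d\n-\n"
                   "replace: gidNumber\ngidNumber: %d\n-\n"
                   % (e["dn"], e["uidNumber"], e["gidNumber"]))
    return "\n".join(out)


# Constructed sample: SIDs as the *old* domain issued them (the new DC's
# SIDs differ, which is the whole problem); DNs are made up under the
# "ldap suffix" from the post.
SAMPLE = [
    {"dn": "cn=jdoe,ou=Alloratech,dc=alloratech,dc=local",
     "old_user_sid": "S-1-5-21-111-222-333-1104",      # old uid 11104
     "old_group_sid": "S-1-5-21-111-222-333-513"},     # old gid 10513
    {"dn": "cn=svc-backup,ou=Alloratech,dc=alloratech,dc=local",
     "old_user_sid": "S-1-5-21-111-222-333-1500000",   # old uid 1510000, outside 1000-999999
     "old_group_sid": "S-1-5-21-111-222-333-513"},
]

if __name__ == "__main__":
    ok, rejected = plan_mapping(SAMPLE)
    print(to_ldif(ok))
    for r in rejected:
        print("# REJECTED (outside idmap range %d-%d): %s uid=%d gid=%d"
              % (NEW_RANGE + (r["dn"], r["uidNumber"], r["gidNumber"])))
```

Feed the printed LDIF to ldapmodify against the new DC, then check the result on a member server with `getent passwd <user>` after clearing winbind's cached mapping; a user that still comes back as RID + 10000 was either rejected here (id outside the range) or is being served from the old cache rather than from uidNumber.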