Henrik Langos
2014-Jun-18 13:47 UTC
[Samba] Howto migrate shares from samba 3 / ADUC changing uid/uidnumber when activating UNIX (posix) attributes
Hi,

I've been using Samba 3 (standalone server, workgroup setup) for a long looong time and now I want to migrate to a Samba 4 AD DC setup with clients joined to the newly created AD domain and all the bells and whistles that come with it.

I've set up an AD DC (Debian wheezy with samba from backports) that will only handle authentication and a second AD DC that will also serve shares. Replication between those works fine. Group policies work. Even roaming profiles. So far so good.

Now I'd like to transfer all files from the current shares that only have user/group information (no xattr / ACLs) onto the new shares server.

I tried to create the users using samba-tool and giving "--uid" and "--uid-number" as parameters.

This apparently works nicely and (thanks to winbind) I can see those users on the shares server with exactly the uidNumber (in the 2000-3000 range) that I've provided on the "samba-tool user create" command line, using "getent passwd".

My plan was to simply run "rsync --numeric-ids" to copy the content of those old shares over to the new shares server. I'd have to use "--numeric-ids" since winbind will make the users visible to linux as "SADOM+user" instead of simply "user".

However, if I use ADUC and activate the "Unix Attributes" (selecting a "NIS Domain" to do so) for a user, the uidNumber, uid, and loginShell attributes get overwritten. The uidNumber visible via winbind and ldapsearch changes to something in the "10000-20000" range, uid changes to the Windows username (currently that is not an issue as they are the same but it may become one) and login shell changes to the one visible in ADUC.

If I change back (deselecting the NIS Domain) then ldapsearch shows that those attributes are gone and "getent passwd" will report a uid number in the 3000000+ range. (As if they never had any posix attributes.)

ADUC is currently not the way I do user administration but I may not stay the only System Administrator and Windows-trained administrators will certainly want to use it. Changing uid numbers sometime later seems like a very bad idea, thus my question on how to do it right the first time.

I'd like to know how to best migrate those shares without losing the ownership information and timestamps, and without losing the ability to use ADUC in the future to manage the posix attributes.

Any ideas / further information you need?

Thanks for your help!
cheers
-henrik
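A pre-flight check for the copy step described in the post above, added here as an example and not part of the thread: it joins the old server's "getent passwd" with the winbind view on the new file server and flags every user whose uidNumber no longer matches before "rsync --numeric-ids" is allowed to run. The "SADOM+" prefix, the ADUC fallback range starting at 10000, the winbind allocation range starting at 3000000 and both passwd listings are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: compare each user's uid on the old Samba 3 host with the
# uidNumber winbind exposes on the new file server, so "rsync --numeric-ids"
# does not copy files onto ids that ADUC has since reassigned or dropped.
# Assumed (not from the thread): winbind prefix "SADOM+", ADUC fallback ids
# >= 10000, winbind-allocated ids >= 3000000 for users without posix attributes.

# Constructed: "getent passwd" on the old standalone Samba 3 server
OLD_PASSWD='alice:x:2001:2001:Alice:/home/alice:/bin/bash
bob:x:2002:2001:Bob:/home/bob:/bin/bash
carol:x:2003:2001:Carol:/home/carol:/bin/bash
dave:x:2004:2001:Dave:/home/dave:/bin/bash'

# Constructed: "getent passwd" on the new AD-joined file server (via winbind)
NEW_PASSWD='SADOM+alice:*:2001:2001:Alice:/home/SADOM/alice:/bin/false
SADOM+bob:*:10001:10000:Bob:/home/SADOM/bob:/bin/bash
SADOM+carol:*:3000005:3000001:Carol:/home/SADOM/carol:/bin/false'

# classify_uids OLD NEW: prints "user old_uid new_uid STATUS" per old user.
# New entries are tagged "N:", old ones "O:", so one awk pass can join them.
classify_uids() {
    {
        printf '%s\n' "$2" | sed 's/^/N:/'
        printf '%s\n' "$1" | sed 's/^/O:/'
    } | awk -F: '
        $1 == "N" { n = $2; sub(/^SADOM\+/, "", n); newuid[n] = $4; next }
        $1 == "O" {
            user = $2; old = $4
            if (!(user in newuid))             status = "MISSING"
            else if (newuid[user] == old)      status = "OK"
            else if (newuid[user] >= 3000000)  status = "NO_POSIX_ATTRS"
            else if (newuid[user] >= 10000)    status = "ADUC_REASSIGNED"
            else                               status = "MISMATCH"
            print user, old, ((user in newuid) ? newuid[user] : "-"), status
        }'
}

# rsync_preflight OLD NEW: succeeds only when every old user's uid matches
rsync_preflight() {
    classify_uids "$1" "$2" | awk '$4 != "OK" { bad++ } END { exit (bad ? 1 : 0) }'
}

classify_uids "$OLD_PASSWD" "$NEW_PASSWD"
if rsync_preflight "$OLD_PASSWD" "$NEW_PASSWD"; then
    echo "ids consistent: rsync -a --numeric-ids old:/srv/share/ /srv/share/ is safe"
else
    echo "fix the flagged users before copying with --numeric-ids" >&2
fi
```

On real hosts replace the two constructed strings with the output of "getent passwd" from each server; the ADUC_REASSIGNED and NO_POSIX_ATTRS rows are exactly the two symptoms the post describes.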
Stéphane PURNELLE
2014-Jun-18 14:12 UTC
[Samba] Howto migrate shares from samba 3 / ADUC changing uid/uidnumber when activating UNIX (posix) attributes
Hi, answer in the text.

-----------------------------------
Stéphane PURNELLE
Systems and Network Admin.
IT Department
Corman S.A.
Tel : 00 32 (0)87/342467

samba-bounces at lists.samba.org wrote on 18/06/2014 15:47:38:

> From: Henrik Langos <hlangos-samba at innominate.com>
> To: samba at lists.samba.org,
> Date: 18/06/2014 15:48
> Subject: [Samba] Howto migrate shares from samba 3 / ADUC changing uid/uidnumber when activating UNIX (posix) attributes
> Sent by: samba-bounces at lists.samba.org
>
> Hi,
>
> I've been using Samba 3 (standalone server, workgroup setup) for a long
> looong time and now I want to migrate to Samba 4 AD DC setup with
> clients joined to the newly created AD domain and all the bells and
> whistles that come with it.
>
> I've set up an AD DC (Debian wheezy with samba from backports) that will
> only handle authentication and a second AD DC that will also serve
> shares. Replication between those works fine. Group policies work. Even
> roaming profiles. So far so good.

Why a second DC for that? A simple Samba 4 file server would be better for that.

> Now I'd like to transfer all files from the current shares that only
> have user/group information (no xattr / ACLs) onto the new shares server.
>
> I tried to create the users using samba-tool and giving "--uid" and
> "--uid-number" as parameters.
>
> This apparently works nicely and (thanks to winbind) I can see those
> users on the shares server with exactly the uidNumber (in the 2000-3000
> range) that I've provided on the "samba-tool user create" command line,
> using "getent passwd".
>
> My plan was to simply run "rsync --numeric-ids" to copy the content of
> those old shares over to the new shares server. I'd have to use
> "--numeric-ids" since winbind will make the users visible to linux as
> "SADOM+user" instead of simply "user".
>
> However, if I use ADUC and activate the "Unix Attributes" (selecting a
> "NIS Domain" to do so) for a user, the uidNumber, uid, and loginShell
> attributes get overwritten. The uidNumber visible via winbind and
> ldapsearch changes to something in the "10000-20000" range, uid changes
> to the Windows username (currently that is not an issue as they are the
> same but it may become one) and login shell changes to the one visible
> in ADUC.
>
> If I change back (deselecting the NIS Domain) then ldapsearch shows that
> those attributes are gone and "getent passwd" will report a uid number
> in the 3000000+ range. (As if they never had any posix attributes.)
>
> ADUC is currently not the way I do user administration but I may not
> stay the only System Administrator and Windows-trained administrators
> will certainly want to use it. Changing uid numbers sometime later seems
> like a very bad idea, thus my question on how to do it right the first time.
>
> I'd like to know how to best migrate those shares without losing the
> ownership information and timestamps, and without losing the ability to
> use ADUC in the future to manage the posix attributes.
>
> Any ideas / further information you need?

For the AD part (users and groups) I used the classic-upgrade feature:
https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29
With that I have the same uid/uidNumber as on my older server.

For the file server I use nslcd for getting uid/uidNumber from AD.

> Thanks for your help!
> cheers
> -henrik
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2014-Jun-18 14:42 UTC
[Samba] Howto migrate shares from samba 3 / ADUC changing uid/uidnumber when activating UNIX (posix) attributes
On 18/06/14 14:47, Henrik Langos wrote:
> Hi,
>
> I've been using Samba 3 (standalone server, workgroup setup) for a
> long looong time and now I want to migrate to Samba 4 AD DC setup with
> clients joined to the newly created AD domain and all the bells and
> whistles that come with it.
>
> I've set up an AD DC (Debian wheezy with samba from backports) that
> will only handle authentication and a second AD DC that will also
> serve shares. Replication between those works fine. Group policies
> work. Even roaming profiles. So far so good.
>
> Now I'd like to transfer all files from the current shares that only
> have user/group information (no xattr / ACLs) onto the new shares server.
>
> I tried to create the users using samba-tool and giving "--uid" and
> "--uid-number" as parameters.
>
> This apparently works nicely and (thanks to winbind) I can see those
> users on the shares server with exactly the uidNumber (in the
> 2000-3000 range) that I've provided on the "samba-tool user create"
> command line, using "getent passwd".
>
> My plan was to simply run "rsync --numeric-ids" to copy the content of
> those old shares over to the new shares server. I'd have to use
> "--numeric-ids" since winbind will make the users visible to linux as
> "SADOM+user" instead of simply "user".
>
> However, if I use ADUC and activate the "Unix Attributes" (selecting a
> "NIS Domain" to do so) for a user, the uidNumber, uid, and loginShell
> attributes get overwritten. The uidNumber visible via winbind and
> ldapsearch changes to something in the "10000-20000" range, uid
> changes to the Windows username (currently that is not an issue as
> they are the same but it may become one) and login shell changes to
> the one visible in ADUC.

This is what I 'think' is happening: ADUC cannot find the 'msSFU30MaxUidNumber' & 'msSFU30MaxGidNumber' attributes, they are not in the standard Samba 4 AD, so ADUC falls back to 10000 (Windows standard) and is ignoring whatever is in a user's AD entry, but it shouldn't do this. Is there any chance of posting a user's ldif from your AD? This should be one of your users created by samba-tool and not trampled on by ADUC.

> If I change back (deselecting the NIS Domain) then ldapsearch shows
> that those attributes are gone and "getent passwd" will report a uid
> number in the 3000000+ range. (As if they never had any posix
> attributes.)

I think that what you are doing here is: selecting the NIS domain, deselecting the NIS domain, then clicking the 'OK' button. This will (I am fairly sure) remove all unix attributes from a user. Have you tried the cancel button??

> ADUC is currently not the way I do user administration but I may not
> stay the only System Administrator and Windows-trained administrators
> will certainly want to use it. Changing uid numbers sometime later
> seems like a very bad idea, thus my question on how to do it right the
> first time.
>
> I'd like to know how to best migrate those shares without losing the
> ownership information and timestamps, and without losing the ability
> to use ADUC in the future to manage the posix attributes.

The timestamps shouldn't be a problem. I frequently destroy my test Samba 4 domain and start again; I use a laptop to connect to the domain and have had to join this to the new domain every time. A quick chown resets the user of the files in 'my' directory and does not touch the timestamps.

Rowland

> Any ideas / further information you need?
>
> Thanks for your help!
> cheers
> -henrik
>