Mario Pio Russo
2015-Sep-06 14:03 UTC
[Samba] Migrating samba file server OS, group id different on the source and the target server.
Good Day All
I have a samba 4 AD DC based on sernet samba 4.2.3 (on Ubuntu 14.0.4) and a
samba file share server based on samba 3.5.6 (on Debian 10.01, "squeeze")
Now we want to migrate the file share server from Debian+samba3 to Ubuntu
14.04 +samba4. This is for various reasons, the most important being that
samba3 is EOL and "squeeze" will be EOL soon (beginning of 2016).
Please note that the file server was implemented a long time ago,
unfortunately not by me. So I notice that a few parameters were not
implemented in the smb.conf
(e.g. #idmap config CCDC : backend = ad
#idmap config CCDC : range = 10000-20000
etc.)
Now I have a file share test environment based on ubuntu 14 and samba4. I
have noticed that the groups and the users have completely different group
and user ids.
For example the group domainusers has gid 10003 on the old server and gid
10122 on the new one.
Because all the file share directories are mounted on dedicated disks, the
idea of the migration is to detach the disks from the old file server and
attach them to the new one. However, because of this group discrepancy, all
the access permission rights will be messed up. Considering that we have
about 10 TB of data to transfer, and a huge number of files, re-assigning
the access permissions after the migration is practically impossible (also
considering that we do not have lots of time for the migration itself.)
The only option is to make sure that the GID and the UID of the new file
share match exactly the old file share. I have already tried a few
options using the idmap, but this didn't resolve my issue.
I wonder if there is a way to manually map gid and uid, or any other way to
get this problem solved.
The 2 smb.conf files follow.
thanks
original samba3 file share:
root at seadog://etc/samba# less smb.conf
log file = /var/log/samba/log.%m
log level = 3
max log size = 2000
syslog = 0
# using these options copied from clearcase.
# back in the day we did research these to death
#
# socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
# This disables print options
# we are not a print server
#
load printers = No
disable spoolss = Yes
smb ports = 139
# every mount from the SAN has a lost+found folder
# to avoid user confusion, have set this to hidden
#
hide files = /lost+found/
aio read size = 1
aio write size = 1
follow symlinks = no
NEW FILE SHARE
[global]
workgroup = CCDC
realm = CCDC.LAN
security = ADS
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = CSI Samba Server
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind cache time = 15
winbind refresh tickets = Yes
winbind uid = 10000-20000
winbind gid = 10000-20000
#idmap config * : backend = tdb
#idmap config * : range = 2000-9999
#idmap config CCDC : backend = ad
#idmap config CCDC : range = 10000-20000
map untrusted to domain = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 2000
#smb ports = 139
name resolve order = wins, host, bcast
server signing = required
load printers = No
disable spoolss = Yes
local master = No
domain master = No
dns proxy = No
wins server = 9.161.96.220
template homedir = /home/winbind
full_audit:priority = NOTICE
full_audit:facility = local7
full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
full_audit:prefix = %u,%I,%m,%S
invalid users = root, daemon, bin, sys, sync, games, man, lp, mail,news, uucp, proxy, www-data, backup, list, irc, gnats, Debian-exim, sshd, ntpd
acl group control = Yes
aio read size = 1
aio write size = 1
map acl inherit = Yes
hide files = /lost+found/
follow symlinks = No
dos filemode = Yes
vfs objects = acl_xattr full_audit
store dos attributes = Yes
___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
Rowland Penny
2015-Sep-06 15:04 UTC
[Samba] Migrating samba file server OS, group id different on the source and the target server.
OK, the first smb.conf looks like it is from a standalone server, using
tdbsam and local users, the second is from an AD client but you are
using a deprecated uid/gid mechanism and have commented this out:
#idmap config * : backend = tdb
#idmap config * : range = 2000-9999
#idmap config CCDC : backend = ad
#idmap config CCDC : range = 10000-20000
Now if you want to use AD (do you have an AD DC?) then what you have
commented out is actually what you need.
You will need to be using samba4 or a windows DC with IDMU, if you use
samba4, you may be able to use the 'classicupgrade' method. If not, you
will need to extract your users & groups along with their uid/gid
numbers and add these to the user/group objects in AD.
Rowland
Mario Pio Russo
2015-Sep-07 10:26 UTC
[Samba] Migrating samba file server OS, group id different on the source and the target server.
thank you once again Rowland
just some clarification:
1) I have one Domain Controller based on Samba4 in AD mode, how can I
verify that I am using IDMU on it?
2) YES - the samba3 file share is a standalone server, using tdbsam and
local users.
3)
"the second is from an AD client but you are
using a deprecated uid/gid mechanism and have commented this out:
#idmap config * : backend = tdb
#idmap config * : range = 2000-9999
#idmap config CCDC : backend = ad
#idmap config CCDC : range = 10000-20000
"
I did comment those out just for testing, but if I put them back, nothing
changes and the gid and uid are still different from the standalone server
4) to be honest all I need is that all the domain guid/uid on the new file
server match exactly the domain guid/uid that are present in the old file
server, whatever mechanism I have to use.
For example, the AD group domainusers is defined as follows in the
Domain controller
Samba4 AD DC:
dn: CN=DomainUsers,CN=Users,DC=ccdc,DC=lan
cn: DomainUsers
description: Domain Users
instanceType: 4
whenCreated: 20150713152248.0Z
uSNCreated: 3780
name: DomainUsers
objectGUID:: wzVim3m0yUiKEj7cF10BYA=
objectSid:: AQUAAAAAAAUVAAAANxKzmMQKGuPHWLf69wIAAA=
sAMAccountName: DomainUsers
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ccdc,DC=lan
gidNumber: 759
objectClass: top
objectClass: posixGroup
objectClass: group
msSFU30NisDomain: ccdc
memberOf: CN=CCDC - Remote Desktop Users,OU=Security,OU=CCDC-Groups,DC=ccdc,DC=lan
memberOf: CN=Domain Users,CN=Users,DC=ccdc,DC=lan
memberOf: CN=DomainUsers,CN=Users,DC=ccdc,DC=lan
member: CN=ieu94629,CN=Users,DC=ccdc,DC=lan
member: CN=ieu94768,CN=Users,DC=ccdc,DC=lan
member: CN=ieu94243,CN=Users,DC=ccdc,DC=lan
member: CN=ieu68184,CN=Users,DC=ccdc,DC=lan
member: CN=ieu68199,CN=Users,DC=ccdc,DC=lan
member: CN=ieu68243,CN=Users,DC=ccdc,DC=lan
member: CN=ieu68284,CN=Users,DC=ccdc,DC=lan
member: CN=ieu68298,CN=Users,DC=ccdc,DC=lan
that's what I see on the 2 file share servers:
Samba 3.5.6
getent group | grep domainusers | cut -f 1 -d ","
domainusers:x:10003:mooreof
Samba 4.1.6
getent group | grep domainusers | cut -f 1 -d ","
domainusers:x:10122:mooreof
what I need is this:
Samba 4.1.2 - domainusers had GID 10003
any idea?
thanks
___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
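Added example (not part of any post in this thread and not Samba project code): one way to carry out the step suggested earlier in the thread, extracting the groups with their GIDs from the old server and writing them to the AD group objects as gidNumber. The getent lines other than domainusers, the name-to-DN table other than the DomainUsers DN, and the function names are assumptions; the range check reflects that idmap_ad treats its configured range as a filter and ignores IDs stored in AD that fall outside it.

```python
# Added example: old server's `getent group` output -> LDIF setting gidNumber in AD.
# Constructed sample input; only the domainusers line appears in the thread.
OLD_GETENT_GROUP = """\
domainusers:x:10003:mooreof
projects:x:10007:mooreof
archive:x:10007:
staff:x:20500:
scratch:x:10011:
"""

# Assumed name -> DN mapping; only the DomainUsers DN is from the thread.
GROUP_DN = {
    "domainusers": "CN=DomainUsers,CN=Users,DC=ccdc,DC=lan",
    "projects": "CN=Projects,CN=Users,DC=ccdc,DC=lan",
    "archive": "CN=Archive,CN=Users,DC=ccdc,DC=lan",
    "staff": "CN=Staff,CN=Users,DC=ccdc,DC=lan",
}
IDMAP_RANGE = (10000, 20000)  # "idmap config CCDC : range" in the posted smb.conf

def parse_getent_group(text):
    """Return [(name, gid)] from getent group output, rejecting malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            raise ValueError(f"line {lineno}: not a group entry: {line!r}")
        entries.append((fields[0], int(fields[2])))
    return entries

def build_ldif(entries, dn_map, id_range):
    """Return (ldif_text, skipped), where skipped is a list of (name, reason)."""
    low, high = id_range
    seen, records, skipped = {}, [], []
    for name, gid in entries:
        if name not in dn_map:
            skipped.append((name, "no AD object mapped"))
        elif not low <= gid <= high:
            # idmap_ad uses the range as a filter and ignores IDs outside it.
            skipped.append((name, f"gid {gid} outside {low}-{high}"))
        elif gid in seen:
            # Two groups sharing one GID would silently merge their file access.
            skipped.append((name, f"gid {gid} already used by {seen[gid]}"))
        else:
            seen[gid] = name
            records.append(f"dn: {dn_map[name]}\nchangetype: modify\n"
                           f"replace: gidNumber\ngidNumber: {gid}\n")
    return "\n".join(records), skipped

if __name__ == "__main__":
    ldif, skipped = build_ldif(parse_getent_group(OLD_GETENT_GROUP), GROUP_DN, IDMAP_RANGE)
    print(ldif, *[f"# skipped {n}: {r}" for n, r in skipped], sep="\n")
```

The generated LDIF is meant to be reviewed before it is applied to the DC's directory (for example with ldbmodify), and every skipped entry resolved by hand so that no file ends up owned by an unmapped or shared GID.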