On Wed, 2 May 2018 21:46:52 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 2 May 2018 17:12:30 -0300
> "Ethy H. Brito via samba" <samba at lists.samba.org> wrote:
>
> > Hi all
> >
> > Background: I am not a samba expert, not even close!
> >
> > I have an ancient samba 3 (Server role: ROLE_DOMAIN_PDC) and I intend
> > to migrate all files to a samba 4 (Server role: ROLE_DOMAIN_MEMBER)
> >
> > Users will stay in S3 for now.
> >
> > Samba 4 joined samba 3 with no problems.
> > I rsync'ed all files and their permissions (rsync -a ...).
> >
> > But...
> > I cannot find a way that makes S4 see S3 users and groups in an
> > "ordered" manner.
> >
> > "id some_user" returns "almost" valid data for some users and
> > "id: ‘some_user’: no such user" for others.
> > I say "almost" because not all groups for all users are returned.
> >
> > Example:
> > S4# id jgarcia
> > uid=10000(jgarcia) gid=100513(none) \
> > groups=100513(none),101094(5p6l3d1$),101119(jgomes-pc$),
> > 10001(BUILTIN\users)
> >
> > jgarcia's id should be 101016 (100000 + 1016), and there are missing
> > groups
> >
> > S3# id jgarcia
> > uid=1016(jgarcia) gid=1094(jgarcia)\
> > groups=1094(jgarcia),1000(G00),2009(G01),3011(G02),1119(G03)
> >
> >
> > For groups it is about the same.
> > For instance:
> > S4# wbinfo --gid-info 100513
> > none:x:100513:
> > S4# wbinfo -G 100513
> > S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-513
> >
> > Where did this group "513" come from ?? "Domain Users" ??
> > If so, why does the group name not come along ??
> >
> > What smb.conf options should I care about so that S4 sees S3 users and
> > groups like S4[ug]id=S3[ug]id+100000 ??
> > "idmap config" seems not to be effective.
> >
> > Are there any options in S3 that I should also change??
> >
> > How do I make S4 "forget" everything it learned so far about uids and
> > gids from S3 so I can start fresh??
> >
> > Cheers
> >
> > Ethy
> >
>
> I think you are going to have to give us a bit more info, smb.conf from
> the S3 PDC and the S4 machine, for a start.

As requested, those files follow.

Samba 3 config file

S3# grep -v -e ^# -e '^;' /etc/samba/smb.conf | uniq | less -S

[global]
workgroup = PEGASE
server string = RedePEGASE
netbios name = PegaseSRV
hosts allow = 192.168.0. 192.168.1. 127.0.0.1
hosts deny = ALL EXCEPT 192.168.0. 127.0.0.1 192.168.1.
#unix charset = iso8859-1
wins support = yes
dns proxy = yes
name resolve order = bcast host lmhosts wins
interfaces = lo,eth0
bind interfaces only = yes
log file = /var/log/samba/%U.%m.log
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = Bad User
domain logons = yes
logon drive =
logon home =
add user script = /usr/sbin/adduser --quiet --disabled-password --shell /bin/false --gecos "Added by Samba" %u
add machine script = /usr/sbin/useradd -c "%u machine account" -g machines --home /var/lib/samba -s /bin/false %u
add group script = /usr/sbin/addgroup --force-badname %g
load printers = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192
domain master = yes
admin users = root jgarcia sysadm
domain logons = yes
local master = yes
os level = 64
preferred master = yes
wins proxy = no
Level2 oplocks = no
ntlm auth = Yes
lanman auth = Yes
client ntlmv2 auth = Yes
use client driver = Yes
client lanman auth = Yes
guest account = nobody
time server = yes
directory mask = 0771
create mask = 0655
force create mode = 0664
force directory mode = 0771
map archive = yes
map system = yes
map hidden = no
hide dot files = yes
mangled names = yes
default case = lower
preserve case = yes
max xmit = 65535
locking = yes
oplocks = yes
level2 oplocks = no
lock directory = /var/state/samba
cache directory = /var/state/samba
state directory = /var/state/samba
veto oplock files = /prf*.tmp/
oplocks = false
kernel oplocks = false
level2 oplocks = false
template shell = /bin/false
usershare allow guests = yes
inherit permissions = no
inherit owner = No

... SHARES FOLLOW ...

Samba 4 config file

S4# grep -v -e ^# -e '^;' /etc/samba/smb.conf | uniq | less -S

[global]
workgroup = PEGASE
netbios name = pegasus
netbios aliases = safebits
security = DOMAIN
server role = member server
encrypt passwords = yes
client ipc signing = auto
server string = %h server (Safe.bitS)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
idmap uid = 100000-200000
idmap gid = 100000-200000
idmap cache time = 60
idmap config *:range = 100000-200000
idmap config *:backend = rid
winbind use default domain = yes
usershare allow guests = yes

... SHARES FOLLOW ...

Cheers

Ethy
On Wed, 2 May 2018 19:21:46 -0300
"Ethy H. Brito" <ethy.brito at inexo.com.br> wrote:

This is where it is all going wrong. Your PDC isn't using LDAP, so you
will have to rely on the winbind 'rid' backend. The lines below are
wrong in several ways:

> idmap uid = 100000-200000
> idmap gid = 100000-200000
> idmap cache time = 60
> idmap config *:range = 100000-200000
> idmap config *:backend = rid

'idmap uid' & 'idmap gid' are deprecated, you should use the 'idmap
config' lines
The ranges overlap
You cannot use the 'rid' backend with the '*' domain
You will never get the same IDs on the PDC and Unix domain member (this
isn't really a problem)

Try it like this:

idmap config *:range = 3000-7999
idmap config *:backend = tdb
idmap config PEGASE:range = 100000-200000
idmap config PEGASE:backend = rid

I feel I should also warn you that Microsoft is making it harder &
harder to use Windows with an NT4-style domain, you really should
consider upgrading to AD.

Rowland
On Thu, 3 May 2018 08:40:37 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 2 May 2018 19:21:46 -0300
> "Ethy H. Brito" <ethy.brito at inexo.com.br> wrote:
>
> This is where it is all going wrong. Your PDC isn't using LDAP, so
> you will have to rely on the winbind 'rid' backend. The lines below are
> wrong in several ways:

LDAP was not necessary back in those days when S3 was brought to life.
Few users, few shares.

> > idmap uid = 100000-200000
> > idmap gid = 100000-200000
> > idmap cache time = 60
> > idmap config *:range = 100000-200000
> > idmap config *:backend = rid
>
> 'idmap uid' & 'idmap gid' are deprecated, you should use the 'idmap
> config' lines

This is garbage from dozens of unfortunate tests I did. Sorry. I just
removed these lines.

> The ranges overlap
> You cannot use the 'rid' backend with the '*' domain

OK. Noted.

> You will never get the same IDs on the PDC and Unix domain member (this
> isn't really a problem)

I know that. But at least the returned uid should respect the "idmap
config" displacement and always return the source uid plus a constant
displacement. At least that is what I was expecting. Am I wrong?

> Try it like this:
>
> idmap config *:range = 3000-7999
> idmap config *:backend = tdb
> idmap config PEGASE:range = 100000-200000
> idmap config PEGASE:backend = rid

I made a little progress here. Now jgarcia's uid is inside the "range".
Thanks.

S4# id jgarcia
uid=103032(jgarcia) gid=100513(none) \
groups=100513(none),103032(jgarcia),101094(5p6l3d1$),\
101119(jgomes-pc$),10001(BUILTIN\users)

but the "base" id does not match. jgarcia's uid is 1094 at S3. I'd like
it to be 101094 at S4.
The group names which jgarcia belongs to make no sense either
(5p6l3d1$ ?!?! this one should be named jgarcia).
Also, jgarcia's primary group changed from 1094 at S3 to 100513 at S4.
This would not be a problem *if* rsync could "translate" uids during the
copy. Remember I am migrating data from S3 to S4.
It is much easier to correlate uid (or gid) 1094 with 101094 than with
103032.

Is it possible S4 has learned garbage from my previous tests and stored
it somewhere?? If so, can my mess be undone?

Suggestions?

> I feel I should also warn you that Microsoft is making it harder &
> harder to use Windows with an NT4-style domain, you really should
> consider upgrading to AD.

This S3 server will be discontinued soon and this S4 will be promoted to
AD, I hope!
For the moment S4 is pulling data from S3 via rsync every 2 hours. I
think any configurations for S4 may be changed/erased with no harm to
the data, which must be preserved at S4. No user is accessing S4.
All this is to make this migration transparent to the current users.
There are a few dozen PCs I do not want to deal with, "rejoining" them
to a new domain. This will take hours! Lots of them.

BTW, do you guys have a better way to migrate painlessly?

Cheers

Ethy
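The two questions running through this thread, why the member server shows jgarcia as 103032 instead of "S3 uid + 100000", and what exactly was wrong with the original idmap lines, both come down to arithmetic that winbind and the PDC do. The following Python is an added example written for this page; it is not Samba code and not anything posted in the thread. It models two rules I am confident of from Samba's defaults: the 'rid' backend maps ID = LOW_RANGE_ID + RID (no relation to the Unix id on the PDC), and a PDC without an explicitly stored RID derives RIDs algorithmically as 2*uid + 1000 for users and 2*gid + 1001 for groups ('algorithmic rid base' = 1000). The numbers in the thread are consistent with that (uid 1016 -> RID 3032 -> 103032), though accounts whose RID was allocated and stored in tdbsam will not follow the formula. The regexes, function names and the small smb.conf fragments are constructed for the example; it also lints the idmap lines for the three faults Rowland listed (deprecated 'idmap uid/gid', 'rid' on the '*' domain, overlapping ranges).

```python
"""Added example, not from the thread and not Samba's own code.

Models how winbind's 'rid' idmap backend and Samba's algorithmic RID
scheme turn PDC ids into member-server ids, and lints idmap lines.
Assumptions: 'algorithmic rid base' = 1000 (Samba default) and the
rid backend rule ID = LOW_RANGE_ID + RID.
"""
import re

ALGORITHMIC_RID_BASE = 1000  # Samba default for 'algorithmic rid base'

# Regexes for the idmap lines we care about (constructed for this example).
IDMAP_CONFIG_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(range|backend)\s*=\s*(.+?)\s*$", re.I)
IDMAP_DEPRECATED_RE = re.compile(r"^\s*idmap\s+(uid|gid)\s*=\s*(.+?)\s*$", re.I)


def user_rid_from_uid(uid, rid_base=ALGORITHMIC_RID_BASE):
    """RID a PDC assigns to a uid with no stored RID (user RIDs are even)."""
    return uid * 2 + rid_base


def group_rid_from_gid(gid, rid_base=ALGORITHMIC_RID_BASE):
    """RID for a gid under the same scheme (group RIDs are odd)."""
    return (gid * 2 + rid_base) | 1


def rid_to_unix_id(rid, id_range):
    """'rid' backend: ID = LOW_RANGE_ID + RID; None when outside the range."""
    low, high = id_range
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None


def _parse_range(text):
    low, high = (int(x) for x in re.split(r"\s*-\s*", text.strip()))
    return (low, high)


def parse_idmap_config(smb_conf_text):
    """Collect idmap settings per domain. Deprecated 'idmap uid/gid' lines
    are kept under pseudo-domain names so the lint can see their ranges."""
    domains = {}
    for line in smb_conf_text.splitlines():
        m = IDMAP_CONFIG_RE.match(line)
        if m:
            domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
            entry = domains.setdefault(domain, {})
            entry[key] = _parse_range(value) if key == "range" else value.lower()
            continue
        m = IDMAP_DEPRECATED_RE.match(line)
        if m:
            domains[f"(idmap {m.group(1).lower()})"] = {
                "range": _parse_range(m.group(2)), "deprecated": True}
    return domains


def lint_idmap_config(domains):
    """Report deprecated lines, 'rid' on the '*' domain, and overlapping ranges."""
    problems = []
    for name, entry in domains.items():
        if entry.get("deprecated"):
            problems.append(f"{name} is deprecated; use 'idmap config' lines")
    if domains.get("*", {}).get("backend") == "rid":
        problems.append("the '*' domain cannot use the 'rid' backend")
    names = sorted(domains)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ra, rb = domains[a].get("range"), domains[b].get("range")
            if ra and rb and ra[0] <= rb[1] and rb[0] <= ra[1]:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


def member_uid_for_pdc_uid(pdc_uid, domains, domain="PEGASE"):
    """uid a member server using 'rid' for DOMAIN shows for a PDC uid."""
    return rid_to_unix_id(user_rid_from_uid(pdc_uid), domains[domain]["range"])


# Constructed inputs: the idmap lines from the two versions in the thread.
ETHY_CONFIG = """
idmap uid = 100000-200000
idmap gid = 100000-200000
idmap cache time = 60
idmap config *:range = 100000-200000
idmap config *:backend = rid
"""
ROWLAND_CONFIG = """
idmap config *:range = 3000-7999
idmap config *:backend = tdb
idmap config PEGASE:range = 100000-200000
idmap config PEGASE:backend = rid
"""

if __name__ == "__main__":
    for label, text in (("original", ETHY_CONFIG), ("suggested", ROWLAND_CONFIG)):
        print(label, lint_idmap_config(parse_idmap_config(text)) or "no problems")
    # S3 uid 1016 -> RID 3032 -> S4 uid 103032, the value 'id jgarcia' showed
    print(member_uid_for_pdc_uid(1016, parse_idmap_config(ROWLAND_CONFIG)))
```

The practical reading: with the rid backend the member server's ids are a function of the RID, not of the PDC's Unix id, so "S3 id + 100000" can only hold for accounts whose RID happens to equal their uid or gid. Domain Users (RID 513) lands at 100513 for the same reason, which matches the gid the thread shows.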