On Thu, 3 May 2018 15:07:30 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 3 May 2018 10:17:48 -0300
> "Ethy H. Brito via samba" <samba at lists.samba.org> wrote:
>
> > > You will never get the same IDs on the PDC and Unix domain member
> > > (this isn't really a problem)
> >
> > I know that. But at least the returned uid should respect the "idmap
> > config" displacement and always return the source uid plus a constant
> > displacement. At least it is what I was expecting. Am I wrong?
>
> No, you should get the same UID on the Unix domain member at all times,
> it will just be a different one to the PDC.

I get the same uid all the time but not the one I expect.
I'd expect that idmap return "UNIX_UID + LOW_RANGE_ID" as the new uid.
But as you said idmap uses RID instead. My mistaken thought.

This leads me to another question:
and how is the RID guessed at S3??
From a random number?
RID=UID should be an educated guess, don't you think?

> > I got a small progress here. Now jgarcia uid is inside the "range".
> > Thanks.
> >
> > S4# id jgarcia
> > uid=103032(jgarcia) gid=100513(none) \
> > groups=100513(none),103032(jgarcia),101094(5p6l3d1$),\
> > 101119(jgomes-pc$),10001(BUILTIN\users)
> >
> > but "base" id does not match. jgarcia uid is 1094 at S3.
>
> I am willing to bet the RID for 'jgarcia' is '3032'

How do I check this at the S3 command line?
Or even better, how do I list each and every SID for users and groups at S3?

> > I'd like it to be 101094 at S4.
>
> OK, change their RID to '1094' on S3, though this will probably break
> something else ;-)

I am pretty sure it will break things.

> > the group names which jgarcia belongs make no sense either
> > (5p6l3d1$ ?!?! this one should be named jgarcia).
>
> This I don't understand.

The "id jgarcia" returns, among other groups, 101094(5p6l3d1$).
1094 is the UNIX primary group for user jgarcia.
This group is named, at S3, "jgarcia", like the username.

I'm inclined to think that this 1010194 is just a big coincidence and
that number refers to another RID group not related to the jgarcia
unix group 1094. And why is this name "5p6l3d1$" so messed up?? Where
did this come from?

Another thing I do not get is why wbinfo does not return all groups
jgarcia is in. I mentioned this in the first email of this thread.

Why does "id other_user" return "no such user" for a bunch of users,
"other_user" being obtained from "wbinfo -u"?

> > Also, jgarcia's primary group changed from 1094 at S3 to 100513 at S4.
>
> No it didn't, every Windows user's primary group is Domain Users and
> the RID for this is '513' (100000 + 513 = 100513)

Makes sense.

> > This would not be a problem *if* rsync could "translate" uids during
> > the copy. Remember I am migrating data from S3 to S4.
> > It is much easier to correlate uid (or gid) 1094 with 101094 than to
> > 103032.
>
> I thought rsync synced by name

Nope. It syncs uid/gid number based.
So it would be very easy to write a script that changes the
files/directories permissions that rsync writes, from UID 1019 (jgarcia)
to uid 101019 *if* the SID was "UID + LOW_RANGE_ID".
Cruel world!! I am pretty screwed here!

> > Is that possible S4 have learned garbage from my previous tests and
> > stored it somewhere?? if so, can my mess be undone ?
>
> possibly, try running 'net cache flush' on the S4 machine.

Nope. Same results.

> > All this is to make this migration transparent to the current users.
> > There are a few dozens of PCs I do not want to deal, "rejoing" them
> > to a new domain. This will take hours! Lots of.
>
> It might be easier in the long run to set up a new AD domain and move
> everything to that.

This leads me to re-join every station. Not good!

On Thu, 3 May 2018 12:54:52 -0300 "Ethy H. Brito" <ethy.brito at inexo.com.br> wrote:

> On Thu, 3 May 2018 15:07:30 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 3 May 2018 10:17:48 -0300
> > "Ethy H. Brito via samba" <samba at lists.samba.org> wrote:
> >
> > > > You will never get the same IDs on the PDC and Unix domain
> > > > member (this isn't really a problem)
> > >
> > > I know that. But at least the returned uid should respect the
> > > "idmap config" displacement and always return the source uid plus
> > > a constant displacement. At least it is what I was expecting. Am
> > > I wrong?
> >
> > No, you should get the same UID on the Unix domain member at all
> > times, it will just be a different one to the PDC.
>
> I get the same uid all the time but not the one I expect.
> I'd expect that idmap return "UNIX_UID + LOW_RANGE_ID" as the new uid.
> But as you said idmap uses RID instead. My mistaken thought.
>
> This leads me to another question:
> and how is the RID guessed at S3??

It isn't guessed, it is allocated and what you have to understand is
that a user's (or group's) RID is different from a Unix ID.
On an old style PDC, you also have to have a Unix user, and
as /etc/passwd is checked first, the ID found there is used as the Unix
ID.

> From a random number?
> RID=UID should be an educated guess, don't you think?
>

No

> > > I got a small progress here. Now jgarcia uid is inside the
> > > "range". Thanks.
> > >
> > > S4# id jgarcia
> > > uid=103032(jgarcia) gid=100513(none) \
> > > groups=100513(none),103032(jgarcia),101094(5p6l3d1$),\
> > > 101119(jgomes-pc$),10001(BUILTIN\users)
> > >
> > > but "base" id does not match. jgarcia uid is 1094 at S3.
> >
> > I am willing to bet the RID for 'jgarcia' is '3032'
>
> How do I check this at the S3 command line?

Run 'pdbedit -Lv' on S3.
This should list all your users, you are looking for lines like
this:

S-1-5-21-1768301897-3342589593-1064908849-3601

The last number '3601' is the RID, the rest is the SID that identifies
the domain.

> > > the group names which jgarcia belongs make no sense either
> > > (5p6l3d1$ ?!?! this one should be named jgarcia).
> >
> > This I don't understand.
>
> The "id jgarcia" returns, among other groups, 101094(5p6l3d1$).
> 1094 is the UNIX primary group for user jgarcia.
> This group is named, at S3, "jgarcia", like the username.

I wonder if this is similar to AD, where you cannot have a user and
group with the same name, perhaps Samba renames the group?

> I'm inclined to think that this 1010194 is just a big coincidence and
> that number refers to another RID group not related to the jgarcia
> unix group 1094. And why is this name "5p6l3d1$" so messed up?? Where
> did this come from?

This also is possible, you could try running 'net groupmap list' on S3.

> Another thing I do not get is why wbinfo does not return all groups
> jgarcia is in. I mentioned this in the first email of this thread.

Winbind doesn't show all of a user's groups until the user logs in.

> Why does "id other_user" return "no such user" for a bunch of users,
> "other_user" being obtained from "wbinfo -u"?

This is probably because 'wbinfo -u' shows Windows users and these may
not be Unix users, they may be members of the '*' domain.

> > > This would not be a problem *if* rsync could "translate" uids
> > > during the copy. Remember I am migrating data from S3 to S4.
> > > It is much easier to correlate uid (or gid) 1094 with 101094 than
> > > to 103032.
> >
> > I thought rsync synced by name
>
> Nope. It syncs uid/gid number based.

What is your rsync command?
I ask this because if I rsync a file from my pc (rowland, 10000, ad
backend) to another pc (rowland, 11107, rid backend), ls -la shows
the owner as 'rowland'.

> > It might be easier in the long run to set up a new AD domain and
> > move everything to that.
>
> This leads me to re-join every station. Not good!

Yes, but you can correct all the historic errors and start afresh.

Rowland

On Thu, 3 May 2018 17:35:25 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:

> > > No, you should get the same UID on the Unix domain member at all
> > > times, it will just be a different one to the PDC.
> >
> > I get the same uid all the time but not the one I expect.
> > I'd expect that idmap return "UNIX_UID + LOW_RANGE_ID" as the new uid.
> > But as you said idmap uses RID instead. My mistaken thought.
> >
> > This leads me to another question:
> > and how is the RID guessed at S3??
>
> It isn't guessed, it is allocated and what you have to understand is
> that a user's (or group's) RID is different from a Unix ID.
> On an old style PDC, you also have to have a Unix user, and
> as /etc/passwd is checked first, the ID found there is used as the Unix
> ID.
>
> > > > I got a small progress here. Now jgarcia uid is inside the
> > > > "range". Thanks.
> > > >
> > > > S4# id jgarcia
> > > > uid=103032(jgarcia) gid=100513(none) \
> > > > groups=100513(none),103032(jgarcia),101094(5p6l3d1$),\
> > > > 101119(jgomes-pc$),10001(BUILTIN\users)
> > > >
> > > > but "base" id does not match. jgarcia uid is 1094 at S3.
> > >
> > > I am willing to bet the RID for 'jgarcia' is '3032'
> >
> > How do I check this at the S3 command line?
>
> Run 'pdbedit -Lv' on S3.
> This should list all your users, you are looking for lines like
> this:
>
> S-1-5-21-1768301897-3342589593-1064908849-3601
>
> The last number '3601' is the RID, the rest is the SID that identifies
> the domain.

I ran the pdbedit command. I got a large number of users (and groups).
The admin of the S3 server deleted (userdel) 75 users and these are still
listed by pdbedit.
How do I get rid of them??

> > > > the group names which jgarcia belongs make no sense either
> > > > (5p6l3d1$ ?!?! this one should be named jgarcia).
> > >
> > > This I don't understand.
> >
> > The "id jgarcia" returns, among other groups, 101094(5p6l3d1$).
> > 1094 is the UNIX primary group for user jgarcia.
> > This group is named, at S3, "jgarcia", like the username.
>
> I wonder if this is similar to AD, where you cannot have a user and
> group with the same name, perhaps Samba renames the group?

Hmmm. Good observation.

> > I'm inclined to think that this 1010194 is just a big coincidence and
> > that number refers to another RID group not related to the jgarcia
> > unix group 1094. And why is this name "5p6l3d1$" so messed up?? Where
> > did this come from?
>
> This also is possible, you could try running 'net groupmap list' on S3.

This command listed nothing but two maps I created in previous tests.

ntjgarcia (S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1094) -> jgarcia
ntsomegrp (S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1119) -> somegrp

and these do not show at S4 anywhere!
Although I believe that these mappings may not be adequate.
When I created these I had in mind that the RID was directly copied from
the Unix UID.
As you observed above, this S-1-5-21-...-1094 may be the jgarcia group
renamed to 5p6l3d1$ and the mapping does not smell good.

> > Another thing I do not get is why wbinfo does not return all groups
> > jgarcia is in. I mentioned this in the first email of this thread.
>
> Winbind doesn't show all of a user's groups until the user logs in.
>
> > Why does "id other_user" return "no such user" for a bunch of users,
> > "other_user" being obtained from "wbinfo -u"?
>
> This is probably because 'wbinfo -u' shows Windows users and these may
> not be Unix users, they may be members of the '*' domain.

I think you may be mistaken (or I did not fully understand your
affirmation).
These "no such user" users were deleted from Linux with "userdel -r" and
are ghosts in Samba.
I just tried to remove them (smbpasswd -x) but got
"Failed to delete entry for user XXXX"
How do I get rid of these ghosts?

> > > > This would not be a problem *if* rsync could "translate" uids
> > > > during the copy. Remember I am migrating data from S3 to S4.
> > > > It is much easier to correlate uid (or gid) 1094 with 101094 than
> > > > to 103032.
> > >
> > > I thought rsync synced by name
> >
> > Nope. It syncs uid/gid number based.
>
> What is your rsync command?

for i in D1 D2 D3 D4 ; do
    echo
    echo "SYNC'ing $i";
    echo
    /usr/bin/rsync -av S3:/var/samba/$i /home;
done

> I ask this because if I rsync a file from my pc (rowland, 10000, ad
> backend) to another pc (rowland, 11107, rid backend), ls -la shows
> the owner as 'rowland'.

Maybe you mounted the remote server locally. Didn't you?

> > > It might be easier in the long run to set up a new AD domain and
> > > move everything to that.
> >
> > This leads me to re-join every station. Not good!
>
> Yes, but you can correct all the historic errors and start afresh.

Good point.

Ethy
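
The UID translation discussed in this thread, as an added example that is not code from either poster: it reads `pdbedit -Lv` output and `/etc/passwd` from S3, computes each user's S4 ID as low range + RID (the thread's 100000 + 513 = 100513 arithmetic), and lists passdb accounts that no longer have a Unix user. The sample data, the low range of 100000 and the name `olduser` are constructed assumptions; `--usermap` is an rsync option available from version 3.1.0.

```python
LOW_RANGE = 100000  # assumed low end of the idmap range on S4 (100000 + 513 = 100513)

# Constructed `pdbedit -Lv` excerpt from S3; the SIDs and "olduser" are made up.
PDBEDIT_LV = """\
---------------
Unix username:        jgarcia
User SID:             S-1-5-21-1111111111-2222222222-3333333333-3032
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-513
---------------
Unix username:        olduser
User SID:             S-1-5-21-1111111111-2222222222-3333333333-3050
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-513
"""

# Constructed /etc/passwd excerpt from S3; "olduser" was removed with userdel.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jgarcia:x:1094:1094::/home/jgarcia:/bin/bash
"""

def parse_pdbedit(text):
    """Return {unix_username: RID} from `pdbedit -Lv` output."""
    rids, user = {}, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Unix username":
            user = value
        elif key == "User SID" and user and value.startswith("S-"):
            rids[user] = int(value.rsplit("-", 1)[1])  # last SID component
    return rids

def parse_passwd(text):
    """Return {username: uid} from passwd-format lines."""
    fields = (line.split(":") for line in text.splitlines())
    return {f[0]: int(f[2]) for f in fields if len(f) >= 3 and f[2].isdigit()}

def build_map(pdbedit_text, passwd_text, low_range=LOW_RANGE):
    """Return ({S3 uid: S4 uid}, [passdb accounts with no Unix user])."""
    rids, uids = parse_pdbedit(pdbedit_text), parse_passwd(passwd_text)
    mapping = {uids[u]: low_range + rid for u, rid in rids.items() if u in uids}
    ghosts = sorted(u for u in rids if u not in uids)
    return mapping, ghosts

def usermap_arg(mapping):
    """Format the table as an rsync --usermap option."""
    return "--usermap=" + ",".join(f"{o}:{n}" for o, n in sorted(mapping.items()))

if __name__ == "__main__":
    table, ghosts = build_map(PDBEDIT_LV, PASSWD)
    print(usermap_arg(table))
    print("in passdb but not in /etc/passwd:", ghosts)
```

Reviewing the ghost list before copying data avoids carrying file ownership over to an ID that belongs to a deleted account.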