Hello,

I've inherited a set of servers running Red Hat Enterprise Linux Server release 5.9. They have some variant of samba 3.3 on them (e.g. Version 3.3.8-0.52.el5_5.2). These servers are using Samba and Winbind as a way to bind to our Active Directory environment as domain members.

We also have a domain member file server running the following:

Red Hat Enterprise Linux Server release 5.6 (Tikanga)
Samba/Winbind Version 3.5.4-0.70.el5

Due to hardware aging and the desire to use newer versions of the SMB protocol, I have been building a new server and migrating users' data over to it. The new server is running the following:

Red Hat Enterprise Linux Server release 7.6 (Maipo)
Samba/Winbind Version 4.8.3

One issue I've been having is trying to get UIDs to coincide between old and new software versions.

Our Samba 3 configs have the following defined:

    idmap config ADSMC:default = yes
    idmap config ADSMC:backend = rid
    idmap config ADSMC:base_rid=500
    idmap config ADSMC:range = 2000-100000

I've set up the following in our Samba 4 server:

    idmap config ADSMC:range = 2000-100000
    idmap config * :range = 2000-100000
    idmap config ADSMC : backend = rid
    idmap config * : backend = tdb

In an effort to keep things as compatible as possible between co-existing old and new servers, I made an effort to emulate the old settings as much as possible.

I don't know if these settings are correct for our AD/Samba environment, but it seems to work except for one issue. Every UID and GID issued by the new server is 500 greater than the old server. This presents a problem on some of the old servers that automount user directories on the file server via NFS. The UID discrepancy results in users not owning their own directories and files when logged into older servers.

One way I have tried to mitigate this was to set the ranges on the new server to 500 less:

    idmap config ADSMC:range = 1500-100000
    idmap config * :range = 1500-100000

Is this an acceptable solution, or is there something more radical I need to do?

Thanks.

Steve Hideg
Director of Network & System Administration
Department of Information Technology
Saint Mary's College
hideg at saintmarys.edu

On Thu, 10 Jan 2019 09:29:19 -0500 Steve Hideg via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I've inherited a set of servers running Red Hat Enterprise Linux
> Server release 5.9. They have some variant of samba 3.3 on them (e.g.
> Version 3.3.8-0.52.el5_5.2). These servers are using Samba and
> Winbind as a way to bind to our Active Directory environment as
> domain members.
>
> We also have a domain member file server running the following:
>
> Red Hat Enterprise Linux Server release 5.6 (Tikanga)
> Samba/Winbind Version 3.5.4-0.70.el5
>
> Due to hardware aging and the desire to use newer versions of the SMB
> protocol, I have been building a new server and migrating users' data
> over to it. The new server is running the following:
>
> Red Hat Enterprise Linux Server release 7.6 (Maipo)
> Samba/Winbind Version 4.8.3
>
> One issue I've been having is trying to get UIDs to coincide between
> old and new software versions.
>
> Our Samba 3 configs have the following defined:
> idmap config ADSMC:default = yes
> idmap config ADSMC:backend = rid
> idmap config ADSMC:base_rid=500
> idmap config ADSMC:range = 2000-100000
>
> I've set up the following in our Samba 4 server:
> idmap config ADSMC:range = 2000-100000
> idmap config * :range = 2000-100000
> idmap config ADSMC : backend = rid
> idmap config * : backend = tdb

That isn't going to work, the ranges must not overlap.

>
> In an effort to keep things as compatible as possible between
> co-existing old and new servers, I made an effort to emulate the old
> settings as much as possible.

No you didn't

>
> I don't know if these settings are correct for our AD/Samba
> environment, but it seems to work except for one issue. Every UID and
> GID issued by the new server is 500 greater than the old server. This
> presents a problem on some of the old servers that automount user
> directories on the file server via NFS. The UID discrepancy results
> in users not owning their own directories and files when logged into
> older servers.
>
> One way I have tried to mitigate this was to set the ranges on the new
> server to 500 less:
> idmap config ADSMC:range = 1500-100000
> idmap config * :range = 1500-100000

No, it wouldn't

>
> Is this an acceptable solution, or is there something more radical I
> need to do?

How about reading 'man idmap_rid' ?
Is that radical enough for you ;-)
If you had read it, you would have found that the IDs are calculated from:

    ID = RID - BASE_RID + LOW_RANGE_ID

Rowland

Okay, so I've now read 'man idmap_rid'.

It states that the use of the base_rid parameter is deprecated, so does that change the ID formula to this?

    ID = RID + LOW_RANGE_ID

Assuming that the default value for the now-deprecated base_rid is 0.

Following the example on the man page, I am going to try this:

    idmap config * : backend = tdb
    idmap config * :range = 1000000-1999999
    idmap config ADSMC : backend = rid
    idmap config ADSMC:range = 1500-500000

Will this work to keep IDs aligned across new and old systems (without changing the old systems)?

Thanks.

On Thu, Jan 10, 2019 at 10:01 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 10 Jan 2019 09:29:19 -0500
> Steve Hideg via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > I've inherited a set of servers running Red Hat Enterprise Linux
> > Server release 5.9. They have some variant of samba 3.3 on them (e.g.
> > Version 3.3.8-0.52.el5_5.2). These servers are using Samba and
> > Winbind as a way to bind to our Active Directory environment as
> > domain members.
> >
> > We also have a domain member file server running the following:
> >
> > Red Hat Enterprise Linux Server release 5.6 (Tikanga)
> > Samba/Winbind Version 3.5.4-0.70.el5
> >
> > Due to hardware aging and the desire to use newer versions of the SMB
> > protocol, I have been building a new server and migrating users' data
> > over to it. The new server is running the following:
> >
> > Red Hat Enterprise Linux Server release 7.6 (Maipo)
> > Samba/Winbind Version 4.8.3
> >
> > One issue I've been having is trying to get UIDs to coincide between
> > old and new software versions.
> >
> > Our Samba 3 configs have the following defined:
> > idmap config ADSMC:default = yes
> > idmap config ADSMC:backend = rid
> > idmap config ADSMC:base_rid=500
> > idmap config ADSMC:range = 2000-100000
> >
> > I've set up the following in our Samba 4 server:
> > idmap config ADSMC:range = 2000-100000
> > idmap config * :range = 2000-100000
> > idmap config ADSMC : backend = rid
> > idmap config * : backend = tdb
>
> That isn't going to work, the ranges must not overlap.
>
> >
> > In an effort to keep things as compatible as possible between
> > co-existing old and new servers, I made an effort to emulate the old
> > settings as much as possible.
>
> No you didn't
>
> >
> > I don't know if these settings are correct for our AD/Samba
> > environment, but it seems to work except for one issue. Every UID and
> > GID issued by the new server is 500 greater than the old server. This
> > presents a problem on some of the old servers that automount user
> > directories on the file server via NFS. The UID discrepancy results
> > in users not owning their own directories and files when logged into
> > older servers.
> >
> > One way I have tried to mitigate this was to set the ranges on the new
> > server to 500 less:
> > idmap config ADSMC:range = 1500-100000
> > idmap config * :range = 1500-100000
>
> No, it wouldn't
>
> >
> > Is this an acceptable solution, or is there something more radical I
> > need to do?
>
> How about reading 'man idmap_rid' ?
> Is that radical enough for you ;-)
> If you had read it, you would have found that the IDs are calculated
> from:
>
> ID = RID - BASE_RID + LOW_RANGE_ID
>
> Rowland
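
The formula quoted in the thread, applied to the configurations the messages list, as an added example that is not part of any message above and is not Samba's own code. It assumes an unset base_rid means 0 (the assumption made in the last message), and the sample RID is constructed; the check matters because a shifted ID leaves files on the NFS export owned by a number that is not the user's.

```python
# Added illustration; not Samba source code. Config values are those quoted in the thread.
from typing import NamedTuple, Optional


class RidConfig(NamedTuple):
    low: int            # first ID of "idmap config DOMAIN : range"
    high: int           # last ID of that range
    base_rid: int = 0   # assumption: an unset (deprecated) base_rid means 0


def rid_to_id(cfg: RidConfig, rid: int) -> Optional[int]:
    """ID = RID - BASE_RID + LOW_RANGE_ID, or None when the result leaves the range."""
    unix_id = rid - cfg.base_rid + cfg.low
    return unix_id if cfg.low <= unix_id <= cfg.high else None


def ranges_overlap(a: RidConfig, b: RidConfig) -> bool:
    """True when two idmap ranges share at least one ID."""
    return a.low <= b.high and b.low <= a.high


def first_mismatch(old: RidConfig, new: RidConfig, rids) -> Optional[int]:
    """Return the first RID that the two configurations map differently."""
    for rid in rids:
        if rid_to_id(old, rid) != rid_to_id(new, rid):
            return rid
    return None


OLD = RidConfig(2000, 100000, base_rid=500)   # Samba 3 servers
NEW_SAME_RANGE = RidConfig(2000, 100000)      # first Samba 4 attempt
NEW_SHIFTED = RidConfig(1500, 100000)         # range lowered by 500
NEW_WIDE = RidConfig(1500, 500000)            # domain range from the last message
DEFAULT_TDB = RidConfig(1000000, 1999999)     # "*" range from the last message

SAMPLE_RID = 1105  # constructed RID, not taken from the thread

if __name__ == "__main__":
    for name, cfg in [("old", OLD), ("same range", NEW_SAME_RANGE),
                      ("shifted", NEW_SHIFTED), ("wide", NEW_WIDE)]:
        print(f"{name:10} RID {SAMPLE_RID} -> {rid_to_id(cfg, SAMPLE_RID)}")
    print("first mismatch, old vs wide:",
          first_mismatch(OLD, NEW_WIDE, range(500, 200000)))
    print("wide overlaps * range:", ranges_overlap(NEW_WIDE, DEFAULT_TDB))
```

Under these assumptions the old and the 1500-based ranges agree for every RID the old servers can map; with the upper bound raised to 500000, RIDs above 98500 get an ID on the new server and no mapping on the old ones.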