Web lists-archives.com

Re: [Samba] samba 4 joining samba 3 pdc - group mismatch




On Thu, 3 May 2018 08:40:37 +0100
Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:

> On Wed, 2 May 2018 19:21:46 -0300
> "Ethy H. Brito" <ethy.brito@xxxxxxxxxxxx> wrote:
> 
> This is where it is all going wrong, Your PDC isn't using LDAP, so
> you will have to rely on the winbind 'rid' backend. The lines below are
> wrong in several ways:

LDAP was not necessary back those days S3 was brought to life.
Few users, few shares.

> 
> >    idmap uid = 100000-200000
> >    idmap gid = 100000-200000
> >    idmap cache time = 60
> >    idmap config *:range = 100000-200000
> >    idmap config *:backend = rid  
> 
> 'idmap uid' & 'idmap gid' are deprecated, you should use the 'idmap
> config' lines

This is garbage from dozens of unfortunate tests I did. Sorry.
I just Removed these lines.

> The ranges overlap
> You cannot use the 'rid' backend with the '*' domain

OK. Noted.

> You will never get the same IDs on the PDC and Unix domain member (this
> isn't really a problem)

I know that. But at least the returned uid should respect the "idmap config"
displacement and always return the source uid plus a constant displacement. 
At least it is what I was expecting. Am I wrong?

> 
> Try it like this:
> 
>    idmap config *:range = 3000-7999
>    idmap config *:backend = tdb
>    idmap config PEGASE:range = 100000-200000
>    idmap config PEGASE:backend = rid

I got a small progress here. Now jgarcia uid is inside the "range". Thanks.

	S4# id jgarcia
	uid=103032(jgarcia) gid=100513(none) \
	groups=100513(none),103032(jgarcia),101094(5p6l3d1$),\
	101119(jgomes-pc$),10001(BUILTIN\users)

but "base" id does not match. jgarcia uid is 1094 at S3. 
I'd like it to be 101094 at S4.

the group names which jgarcia belongs make no sense either 
(5p6l3d1$ ?!?! this one should be named jgarcia).

Also, jgarcia's primary group changed from 1094 at S3 to 100513 at S4.

This would not be a problem *if* rsync could "translate" uids during the copy.
Remember I am migrating data from S3 to S4.
It is much easier to correlate uid (or gid) 1094 with 101094 than to 103032.

Is that possible S4 have learned garbage from my previous tests and stored it
somewhere?? if so, can my mess be undone ?

Suggestions?


> 
> I feel I should also warn you that Microsoft is making it harder &
> harder to use Windows with an NT4-style domain, you really should
> consider upgrading to AD.

This S3 server will be discontinued soon and this S4 will be promoted 
to AD, I hope!

For the moment S4 is pulling data from S3 via rsync every 2 hours.
I think any configurations for S4 may be changed/erased with no harm to the
data, which must be preserved at S4. No user is accessing S4.

All this is to make this migration transparent to the current users.
There are a few dozens of PCs I do not want to deal, "rejoing" them to a 
new domain. This will take hours! Lots of.

BTW, do you guys have a better way to migrate painlessly?

Cheers

Ethy

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba