
Re: [Samba] samba 4 joining samba 3 pdc - group mismatch




On Thu, 3 May 2018 12:54:52 -0300
"Ethy H. Brito" <ethy.brito@xxxxxxxxxxxx> wrote:

> On Thu, 3 May 2018 15:07:30 +0100
> Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:
> 
> > On Thu, 3 May 2018 10:17:48 -0300
> > "Ethy H. Brito via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> > 
> > 
> > > > You will never get the same IDs on the PDC and Unix domain
> > > > member (this isn't really a problem)  
> > > 
> > > I know that. But at least the returned uid should respect the
> > > "idmap config" displacement and always return the source uid plus
> > > a constant displacement. At least it is what I was expecting. Am
> > > I wrong?  
> > 
> > No, you should get the same UID on the Unix domain member at all
> > times, it will just be a different one to the PDC.
> 
> I get the same uid all the time but not the one I expect.
> I'd expect that idmap return "UNIX_UID + LOW_RANGE_ID" as the new uid.
> But as you said idmap uses RID instead. My mistaken thought.
> 
> This leads me to another question:
> and how is the RID guessed at S3??

It isn't guessed, it is allocated and what you have to understand is
that a user's (or group's) RID is different from a Unix ID.
On an old style PDC, you also have to have a Unix user, and
as /etc/passwd is checked first, the ID found there is used as the Unix
ID.

> From a random number? 
> RID=UID should be an educated guess, don't you think?
>

No
 
> > > I got a small progress here. Now jgarcia uid is inside the
> > > "range". Thanks.
> > > 
> > > 	S4# id jgarcia
> > > 	uid=103032(jgarcia) gid=100513(none) \
> > > 	groups=100513(none),103032(jgarcia),101094(5p6l3d1$),\
> > > 	101119(jgomes-pc$),10001(BUILTIN\users)
> > > 
> > > but "base" id does not match. jgarcia uid is 1094 at S3.   
> > 
> > I am willing to bet the RID for 'jgarcia' is '3032'
> 
> How do I check this at S3 command line ?

Run 'pdbedit -Lv' on S3
This should list all your users, you are looking for lines like
this:

S-1-5-21-1768301897-3342589593-1064908849-3601

The last number '3601' is the RID, the rest is the SID that identifies
the domain.

> > 
> > > the group names to which jgarcia belongs make no sense either 
> > > (5p6l3d1$ ?!?! this one should be named jgarcia).  
> > 
> > This I don't understand.
> 
> The "id jgarcia" returns, among other groups, 101094(5p6l3d1$).
> 1094 is the UNIX primary group for user jgarcia. 
> This group is named, at S3, "jgarcia", like the username.

I wonder if this is similar to AD, where you cannot have a user and
group with the same name, perhaps Samba renames the group?

> 
> I'm inclined to think that this 1010194 is just a big coincidence and
> that number refers to another RID group not related to the jgarcia
> unix group 1094. And why is this name "5p6l3d1$" so messed up?? Where
> did this come from?

This also is possible, you could try running 'net groupmap list' on S3

> 
> 
> Another thing I do not get is why wbinfo does not return all groups
> jgarcia is in. I mentioned this in the first email of this thread.

Winbind doesn't show all of a user's groups until the user logs in.

> 
> Why "id other_user" returns "no such user" for a bunch of users,
> being "other_user" obtained from "wbinfo -u"

This is probably because 'wbinfo -u' shows Windows users and these may
not be Unix users, they may be members of the '*' domain.

> > > This would not be a problem *if* rsync could "translate" uids
> > > during the copy. Remember I am migrating data from S3 to S4.
> > > It is much easier to correlate uid (or gid) 1094 with 101094 than
> > > to 103032.  
> > 
> > I thought rsync synced by name
> 
> Nope. It syncs uid/gid number based.

What is your rsync command?
I ask this because if I rsync a file from my pc (rowland, 10000, ad
backend) to another pc (rowland, 11107, rid backend), ls -la shows
the owner as 'rowland'

> > It might be easier in the long run to set up a new AD domain and
> > move everything to that.
> 
> This leads me to re-join every station. Not good!
 
Yes, but you can correct all the historic errors and start afresh.

Rowland
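
Added example, not part of the original message: a Python sketch that reads `pdbedit -Lv` output, takes the last SID component as the RID as described above, and computes the ID a domain member using the idmap 'rid' backend would return (RID - base_rid + low end of the range), next to the PDC's own Unix uid. The range 100000-199999, base_rid 0, and the sample pdbedit and passwd lines are assumptions constructed for illustration; RID 3032 for jgarcia is the value guessed in the thread, not a confirmed one.

```python
# Constructed sample of `pdbedit -Lv` output from the S3 PDC (only the
# fields used here). RID 3032 is the thread's guess, not a confirmed value.
PDBEDIT_OUT = """\
---------------
Unix username:        jgarcia
Account Flags:        [U          ]
User SID:             S-1-5-21-1768301897-3342589593-1064908849-3032
Primary Group SID:    S-1-5-21-1768301897-3342589593-1064908849-513
---------------
Unix username:        other_user
Account Flags:        [U          ]
User SID:             S-1-5-21-1768301897-3342589593-1064908849-250001
Primary Group SID:    S-1-5-21-1768301897-3342589593-1064908849-513
"""
# Constructed /etc/passwd lines from the PDC.
PASSWD = ("jgarcia:x:1094:1094::/home/jgarcia:/bin/bash\n"
          "other_user:x:1100:1100::/home/other_user:/bin/bash\n")

LOW, HIGH, BASE_RID = 100000, 199999, 0  # assumed 'idmap config' range

def split_sid(sid):
    """Split a SID into (domain SID, RID); the RID is the last component."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def rid_to_id(rid, low=LOW, high=HIGH, base_rid=BASE_RID):
    """idmap 'rid' mapping; None when the result falls outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def parse_pdbedit(text):
    """Return {unix username: {field name: RID}} for the two SID fields."""
    users, name = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Unix username":
            name = value.strip()
            users[name] = {}
        elif key in ("User SID", "Primary Group SID") and name:
            users[name][key] = split_sid(value.strip())[1]
    return users

def uid_table(pdbedit_text, passwd_text):
    """Rows of (user, PDC uid, RID, member uid, member primary gid)."""
    fields = (l.split(":") for l in passwd_text.splitlines())
    pdc_uid = {f[0]: int(f[2]) for f in fields if len(f) > 2}
    return [(n, pdc_uid.get(n), s["User SID"], rid_to_id(s["User SID"]),
             rid_to_id(s["Primary Group SID"]))
            for n, s in parse_pdbedit(pdbedit_text).items()]

if __name__ == "__main__":
    for row in uid_table(PDBEDIT_OUT, PASSWD):
        print("%-11s pdc_uid=%s rid=%s member_uid=%s member_gid=%s" % row)
```

A `None` in the member uid column marks an account whose RID maps outside the configured range, so the member would not return an ID for it.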

