Re: [Samba] samba 4 joining samba 3 pdc - group mismatch
- Date: Thu, 3 May 2018 14:59:18 -0300
- From: "Ethy H. Brito via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] samba 4 joining samba 3 pdc - group mismatch
On Thu, 3 May 2018 17:35:25 +0100
Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > > No, you should get the same UID on the Unix domain member at all
> > > times, it will just be a different on to the PDC.
> > I get the same uid all time but not the one I expect.
> > I'd expect that idmap return "UNIX_UID + LOW_RANGE_ID" as the new uid.
> > But as you said idmap uses RID instead. My mistaken thought.
> > This leads me to another questions:
> > and how RID is guessed at S3??
> It isn't guessed, it is allocated and what you have to understand is
> that a users (or groups) RID is different from a Unix ID.
> On an old style PDC, you also have to have a Unix user, and
> as /etc/passwd is checked first, the ID found there is used as the Unix
> > > > I got a small progress here. Now jgarcia uid is inside the
> > > > "range". Thanks.
> > > >
> > > > S4# id jgarcia
> > > > uid=103032(jgarcia) gid=100513(none) \
> > > > groups=100513(none),103032(jgarcia),101094(5p6l3d1$),\
> > > > 101119(jgomes-pc$),10001(BUILTIN\users)
> > > >
> > > > but "base" id does not match. jgarcia uid is 1094 at S3.
> > >
> > > I am willing to bet the RID for 'jgarcia' is '3032'
> > How do I check this at S3 command line ?
> Run 'pdbedit -Lv' on S3
> This should list all your users, you are looking for lines like
> The last number '3601' is the RID, the rest is the SID that identifies
> the domain.
I run the pdbedit command.
I got a lage amount of users (and groups).
The admin of the S3 server deleted (userdel) 75 users and these are still listed by pdbedit.
How do I get rid os them??
> > >
> > > > the group names which jgarcia belongs make no sense either
> > > > (5p6l3d1$ ?!?! this one should be named jgarcia).
> > >
> > > This I don't understand.
> > The "id jgarcia" returns, among other groups, 101094(5p6l3d1$).
> > 1094 is the UNIX primary group for user jgarcia.
> > This group is named, at S3, "jgarcia", like the username.
> I wonder if this is similar to AD, where you cannot have a user and
> group with the same name, perhaps Samba renames the group ?
Hmmm. Good observation.
> > I'm inclined to think that this 1010194 is just a big coincidence and
> > that number refer to another RID group not related to the jgarcia
> > unix group 1094. And why this name "5p6l3d1$" is so messed up?? Where
> > this came from?
> This also is possible, you could try running 'net groupmap list' on S3
This command listed nothing but two maps I created in previous tests.
ntjgarcia (S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1094) -> jgarcia
ntsomegrp (S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1119) -> somegrp
and I these does not show at S4 anywhere!
Although I believe that these mappings may not be adequate.
When I created these I had in mind that RID was directly copied from Unix UID.
As you observed above, this S-1-5-21-...-1094 may by the jgarcia group
renamed to 5p6l3d1$ and the mapping does not smells good.
> > Other thing I do not get is why wbinfo does not returns all groups
> > jgarcia is in. I mentioned this on first email of this tread.
> Winbind doesn't show all a users groups until the user logs in.
> > Why "id other_user" returns "no such user" for a bunch of users,
> > been "other_user" obtained from "wbinfo -u"
> this is probably because 'wbinfo -u' shows windows users and these may
> not be Unix users, they may be members of the '*' domain.
I think you may be mistaken (or I did not fully understood your affirmation).
These "no such user" users were deleted from Linux with "userdel -r" and are
ghosts in Samba.
I just tried to remove them (smbpasswd -x) them but got "Failed to delete entry
for user XXXX"
How do I get rid of these ghosts?
> > > > This would not be a problem *if* rsync could "translate" uids
> > > > during the copy. Remember I am migrating data from S3 to S4.
> > > > It is much easier to correlate uid (or gid) 1094 with 101094 than
> > > > to 103032.
> > >
> > > I thought rsync synced by name
> > Nope. It syncs uid/gid number based.
> what is your rsync command ?
for i in D1 D2 D3 D4 ; do
echo "SYNC'ing $i";
/usr/bin/rsync -av S3:/var/samba/$i /home;
> I ask this because if I rsync a file from my pc (rowland, 10000, ad
> backend) to a another pc (rowland, 11107, rid backend), ls -la shows
> the owner as 'rowland'
Maybe you mounted the remote server locally. Didn't you?
> > > It might be easier in the long run to set up a new AD domain and
> > > move everything to that.
> > This leads me to re-join every station. Not good!
> Yes, but you can correct all the historic errors and start afresh.
To unsubscribe from this list go to the following URL and read the