
Re: [Samba] samba 4 joining samba 3 pdc - group mismatch
On Thu, 3 May 2018 17:35:25 +0100
Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:


> > > No, you should get the same UID on the Unix domain member at all
> > > times, it will just be a different one to the PDC.
> > 
> > I get the same uid all time but not the one I expect.
> > I'd expect that idmap return "UNIX_UID + LOW_RANGE_ID" as the new uid.
> > But as you said idmap uses RID instead. My mistaken thought.
> > 
> > This leads me to another question:
> > how is the RID guessed at S3?
> 
> It isn't guessed, it is allocated, and what you have to understand is
> that a user's (or group's) RID is different from a Unix ID.
> On an old style PDC, you also have to have a Unix user, and
> as /etc/passwd is checked first, the ID found there is used as the Unix
> ID.

> 
> > > > I made a little progress here. Now jgarcia's uid is inside the
> > > > "range". Thanks.
> > > > 
> > > > 	S4# id jgarcia
> > > > 	uid=103032(jgarcia) gid=100513(none) \
> > > > 	groups=100513(none),103032(jgarcia),101094(5p6l3d1$),\
> > > > 	101119(jgomes-pc$),10001(BUILTIN\users)
> > > > 
> > > > but the "base" id does not match. jgarcia's uid is 1094 at S3.
> > > 
> > > I am willing to bet the RID for 'jgarcia' is '3032'  
> > 
> > How do I check this at the S3 command line?
> 
> Run 'pdbedit -Lv' on S3
> This should list all your users, you are looking for lines like
> this:
> 
> S-1-5-21-1768301897-3342589593-1064908849-3601
> 
> The last number '3601' is the RID, the rest is the SID that identifies
> the domain.

I ran the pdbedit command.
I got a large number of users (and groups).
The admin of the S3 server deleted (userdel) 75 users and these are still listed by pdbedit.
How do I get rid of them?

> 
> > >   
> > > > the group names jgarcia belongs to make no sense either
> > > > (5p6l3d1$ ?!?! this one should be named jgarcia).
> > > 
> > > This I don't understand.  
> > 
> > The "id jgarcia" returns, among other groups, 101094(5p6l3d1$).
> > 1094 is the UNIX primary group for user jgarcia. 
> > This group is named, at S3, "jgarcia", like the username.  
> 
> I wonder if this is similar to AD, where you cannot have a user and
> group with the same name, perhaps Samba renames the group ?

Hmmm. Good observation.


> 
> > 
> > I'm inclined to think that this 101094 is just a big coincidence and
> > that the number refers to another RID group not related to the jgarcia
> > unix group 1094. And why is this name "5p6l3d1$" so messed up? Where
> > did this come from?
> 
> This also is possible, you could try running 'net groupmap list' on S3

This command listed nothing but two maps I created in previous tests.

ntjgarcia (S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1094) -> jgarcia
ntsomegrp (S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1119) -> somegrp

and these do not show at S4 anywhere!

Although I believe that these mappings may not be adequate.
When I created them I had in mind that the RID was directly copied from the Unix UID.

As you observed above, this S-1-5-21-...-1094 may be the jgarcia group
renamed to 5p6l3d1$, and the mapping does not smell good.

> 
> > 
> > 
> > Another thing I do not get is why wbinfo does not return all the groups
> > jgarcia is in. I mentioned this in the first email of this thread.
> 
> Winbind doesn't show all of a user's groups until the user logs in.
> 
> > 
> > Why does "id other_user" return "no such user" for a bunch of users,
> > with "other_user" taken from "wbinfo -u"?
> 
> this is probably because 'wbinfo -u' shows windows users and these may
> not be Unix users, they may be members of the '*' domain.

I think you may be mistaken (or I did not fully understand your statement).
These "no such user" users were deleted from Linux with "userdel -r" and are
ghosts in Samba.
I just tried to remove them (smbpasswd -x) but got "Failed to delete entry
for user XXXX".
How do I get rid of these ghosts?

> 
> > > > This would not be a problem *if* rsync could "translate" uids
> > > > during the copy. Remember I am migrating data from S3 to S4.
> > > > It is much easier to correlate uid (or gid) 1094 with 101094 than
> > > > to 103032.    
> > > 
> > > I thought rsync synced by name  
> > 
> > Nope. It syncs uid/gid number based.  
> 
> what is your rsync command ?

# Pull each share directory from S3 (the old PDC) into /home on S4.
# -a is archive mode (recursive, preserves permissions, times, symlinks,
# and, since it implies -o/-g, owner and group); -v lists transferred files.
for i in D1 D2 D3 D4 ; do
        echo
        echo "SYNC'ing $i"
        echo
        /usr/bin/rsync -av "S3:/var/samba/$i" /home
done


> I ask this because if I rsync a file from my pc (rowland, 10000, ad
> backend) to a another pc (rowland, 11107, rid backend), ls -la shows
> the owner as 'rowland'

Maybe you mounted the remote server locally. Did you?

> 
> > > It might be easier in the long run to set up a new AD domain and
> > > move everything to that.  
> > 
> > This leads me to re-join every station. Not good!  
>  
> Yes, but you can correct all the historic errors and start afresh.

Good point.

Ethy
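
An added example, not from this thread and not Samba's own code, that works through the arithmetic behind the numbers quoted above. It assumes a Unix domain member whose smb.conf carries `idmap config DOM : backend = rid` with `range = 100000-199999` and the default `base_rid = 0` (hypothetical values chosen to match the IDs in the thread); under that configuration the member allocates `unix_id = range_low + RID`, so the RID taken from the `User SID:` line of `pdbedit -Lv` on the PDC predicts what `id` will print on the member, and an ID seen on the member can be turned back into a RID. The `pdbedit -Lv` and `/etc/passwd` lines are constructed sample input; the domain part of the SID is made up. IDs outside the configured range (such as 10001 for BUILTIN\users, which comes from the default `*` domain) are rejected rather than mis-mapped.

```shell
#!/bin/sh
# Added example: predict idmap_rid allocations from PDC data.
# Assumed (hypothetical) member configuration:
#   idmap config DOM : backend = rid
#   idmap config DOM : range   = 100000-199999
#   base_rid left at its default of 0
LOW=100000
HIGH=199999
BASE_RID=0

# Last dash-separated field of a SID is the RID; the rest is the domain SID.
sid_to_rid() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# Unix ID the rid backend hands out for a RID, or failure if the result
# falls outside the configured range (then winbind would not map it here).
rid_to_unix_id() {
    rid=$1
    unix_id=$((LOW + rid - BASE_RID))
    if [ "$unix_id" -lt "$LOW" ] || [ "$unix_id" -gt "$HIGH" ]; then
        return 1
    fi
    printf '%s\n' "$unix_id"
}

# Reverse direction: an ID printed by 'id' on the member back to its RID.
# IDs outside the range belong to another idmap domain (e.g. '*').
unix_id_to_rid() {
    unix_id=$1
    if [ "$unix_id" -lt "$LOW" ] || [ "$unix_id" -gt "$HIGH" ]; then
        return 1
    fi
    printf '%s\n' "$((unix_id - LOW + BASE_RID))"
}

# Constructed sample of the relevant 'pdbedit -Lv' lines on the S3 PDC.
PDBEDIT_SAMPLE='Unix username:        jgarcia
User SID:             S-1-5-21-1768301897-3342589593-1064908849-3032
Primary Group SID:    S-1-5-21-1768301897-3342589593-1064908849-513'

# Constructed /etc/passwd line for the same account on the PDC.
PASSWD_SAMPLE='jgarcia:x:1094:1094::/home/jgarcia:/bin/sh'

# Compare the PDC's Unix uid with the uid a rid-backend member will use.
report() {
    sid=$(printf '%s\n' "$PDBEDIT_SAMPLE" | awk '/^User SID:/ {print $NF}')
    rid=$(sid_to_rid "$sid")
    member_uid=$(rid_to_unix_id "$rid")
    pdc_uid=$(printf '%s\n' "$PASSWD_SAMPLE" | cut -d: -f3)
    printf 'user=jgarcia pdc_uid=%s rid=%s member_uid=%s\n' \
        "$pdc_uid" "$rid" "$member_uid"
}

report
```

Running it shows pdc_uid=1094 next to member_uid=103032: the PDC's uid comes from /etc/passwd, the member's from the RID, and nothing in idmap_rid ties the two together. Likewise 101094 on the member is whichever group holds RID 1094 in the PDC's passdb, which is why `net groupmap list` is the place to look rather than /etc/group.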

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba