NethServer Version: 7.6
Hello, we are migrating towards the end of this year from OpenLDAP to AD using NethServer 7.6. We have successfully tested user and group creation and login from Win 7/10 and Linux. The big issue seems to be the 2 TB of data from the old server and all the ACLs that have been set over the many years for special needs. What we are looking to do is see if it is possible to change the UIDs/GIDs on Neth so that when we rsync the data to storage with ACL preservation, things will go smoothly.
On the old server:
uid=2383(mike) gid=912(Domain Users)
uid=604401116(email@example.com) gid=604400513(domain firstname.lastname@example.org)
I'm scratching my head on this one.
Hmmm, maybe this is not possible?
"When the user logs into a system or service, SSSD caches that user name with the associated UID/GID numbers. The UID number is then used as the identifying key for the user. If a user with the same name but a different UID attempts to log into the system, then SSSD treats it as two different users with a name collision.
What this means is that SSSD does not recognize UID number changes. It interprets it as a different and new user, not an existing user with a different UID number. If an existing user changes the UID number, that user is prevented from logging into SSSD and associated services and domains. This also has an impact on any client applications which use SSSD for identity information; the user with the conflict will not be found or accessible to those applications."
Is there another way to rsync all the data and change the ACLs to match the new UIDs/GIDs, perhaps?
Don't know if this is useful for you (not the same scenario).
I'm migrating from an old domain (w2k) to NS with ForensIT "User Profile Wizard".
All without issues, and I don't need to re-create the shared permissions, at least to access the old server's shared folders. But if the user has local shared folders for other users, I need to re-write the permissions (just a few cases).
Thank you very much for the assist, but it is more about the ACLs on the data side that is the big hurdle. We had many minor ACL additions to a great many files/folders. So we are trying to figure out a way to convert from the old UIDs/GIDs as we bring the users onboard, or to address the ACLs on 2 TB of data.
Does somebody have an idea?
It could work with ldbedit or ldbmodify, but I never tested it.
For UID change:
GID change should be possible too.
You may have to flush sssd and net cache to make it work:
Thank you very much for the idea, I will go test this with 1 ID and post results.
I found this article about migrating file shares:
Didn't read all the way through, but it might do the trick?
Does not seem possible this way:
On a Windows PC:
wmic useraccount where name='mike' get sid
Take this SID and install ldb-tools.
# find /var | grep idmap.ldb
/var/lib/machines/nsdc/var/lib/samba/private/idmap.ldb
# ldbedit -e nano -H /var/lib/machines/nsdc/var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-2179231535-2739892362-1993144220-1117
no matching records - cannot edit
# ldbedit -e nano -H /var/lib/machines/nsdc/var/lib/samba/private/idmap.ldb cn=S-1-5-21-2179231535-2739892362-1993144220-1117
# editing 1 records
# record 1
dn: CN=S-1-5-21-2179231535-2739892362-1993144220-1117
cn: S-1-5-21-2179231535-2739892362-1993144220-1117
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAL2/kgYpwT6Oc98x2XQQAAA==
type: ID_TYPE_BOTH
xidNumber: 3000027
distinguishedName: CN=S-1-5-21-2179231535-2739892362-1993144220-1117
According to samba4map, xidNumber is what I need to modify. But if I look at id for mike:
# id mike
uid=604401117(email@example.com)
They are not the same.
Sorry, the formatting got messed up.
Thank you Rob, I will try.
Hi Rob, in reading this and the preparation to run net rpc share, you need to run net rpc vampire, which seems to want to create a local passdb.
net rpc vampire: Sync a remote NT PDC's data into local passdb
The old Samba domain is OpenLDAP, and I am still not familiar with where user and group info is stored in NethServer.
I didn't realize your old server was OpenLDAP... I was thinking it was a Windows file server...
I am not aware of an option to migrate OpenLDAP ACLs to Samba4 ACLs...
Thank you for the help guys. I will look for another way.
If it helps at all, it is Samba3 with OpenLDAP authentication.
I've found that the UID should be in the Samba database. Have a look at the following link; it depends on FreeNAS, but I think it should be the same with NethServer Samba.
Hi all, I have an update for you. It is tested and works.
On the old server, issue the command getfacl -R >> somefile.acl
On NethServer, after the users/groups are created: setfacl --restore=somefile.acl
Thank you all for the ideas.
I should add that it does the UID/GID translation for you, as the users and groups are named the same:
# file: /blah/ibay/blahshare/somefile.pdf
# owner: root
# group: domadmins
user::rwx
user:mike:r-x
group::rwx
group:cad:rwx
mask::rwx
other::---
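The name-based translation above only works when every owner, group and named ACL entry in the dump resolves on the new server; a name that is missing makes setfacl --restore fail, and an entry that getfacl wrote as a bare number (because the old server could not resolve it) would be applied as that old numeric id unchanged. The following pre-flight check is an added example, not code from the thread: it parses a constructed getfacl -R dump and reports the names the target cannot resolve, using pwd/grp by default or injected lookup functions for testing.

```python
import pwd
import grp
from typing import Callable, Dict, List, Set

# Constructed sample in the shape getfacl -R writes (two files); not a real dump.
SAMPLE_DUMP = """# file: blah/ibay/blahshare/somefile.pdf
# owner: root
# group: domadmins
user::rwx
user:mike:r-x
group::rwx
group:cad:rwx
mask::rwx
other::---

# file: blah/ibay/blahshare/drawings
# owner: mike
# group: cad
user::rwx
user:1234:rw-
group::r-x
group:eng:r-x
default:group:eng:r-x
other::---
"""

def referenced_names(dump: str) -> Dict[str, Set[str]]:
    """Collect every user and group name the dump refers to: the '# owner:' and
    '# group:' headers plus named user:/group: entries (default: entries too)."""
    users: Set[str] = set()
    groups: Set[str] = set()
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            users.add(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            groups.add(line.split(":", 1)[1].strip())
        elif line and not line.startswith("#"):
            if line.startswith("default:"):
                line = line[len("default:"):]
            parts = line.split(":")
            # Named entries look like user:NAME:perms; user::perms has no name.
            if len(parts) == 3 and parts[1]:
                (users if parts[0] == "user" else groups if parts[0] == "group" else set()).add(parts[1])
    return {"users": users, "groups": groups}

def _pw_exists(name: str) -> bool:
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False

def _gr_exists(name: str) -> bool:
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False

def unresolved(dump: str, user_exists: Callable[[str], bool] = _pw_exists,
               group_exists: Callable[[str], bool] = _gr_exists) -> Dict[str, List[str]]:
    """Names the target server cannot resolve. Purely numeric entries are flagged
    too, since setfacl would apply the old server's id rather than translate it."""
    names = referenced_names(dump)
    return {
        "users": sorted(u for u in names["users"] if u.isdigit() or not user_exists(u)),
        "groups": sorted(g for g in names["groups"] if g.isdigit() or not group_exists(g)),
    }
```

Run unresolved() against the real dump on the NethServer host after creating the users and groups; an empty result means the restore will map every entry by name.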
Thanks for the reply; could you mark the answer to your problem as the solution, please?
OK, it is marked. Hopefully it helps others doing a similar migration.