[Solved] Is it possible to modify UID/GID?

NethServer Version: 7.6
Module: AD
Hello, we are migrating towards the end of this year from OpenLDAP to AD using NethServer 7.6. We have successfully tested user and group creation and login from Windows 7/10 and Linux. The big issue seems to be the 2 TB of data from the old server and all the ACLs that have been added over the many years for special needs. What we are looking to do is see if it is possible to change the UIDs/GIDs on Neth so that when we rsync the data to storage with ACL preservation things will go smoothly.
Example:
On the old server:
uid=2383(mike) gid=912(Domain Users)
On NethServer:
uid=604401116(mike@domtest.com) gid=604400513(domain users@domtest.com)
I'm scratching my head on this one.

Hmmm, maybe this is not possible?
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sssd-system-uids

" When the user logs into a system or service, SSSD caches that user name with the associated UID/GID numbers. The UID number is then used as the identifying key for the user. If a user with the same name but a different UID attempts to log into the system, then SSSD treats it as two different users with a name collision.

What this means is that SSSD does not recognize UID number changes. It interprets it as a different and new user, not an existing user with a different UID number. If an existing user changes the UID number, that user is prevented from logging into SSSD and associated services and domains. This also has an impact on any client applications which use SSSD for identity information; the user with the conflict will not be found or accessible to those applications."

Is there another way to rsync all the data and change acls to match new uid / gids perhaps?

Don't know if it is useful for you (not the same scenario).
I'm migrating from an old domain (w2k) to NS with ForensIT "User Profile Wizard".
All without issues, and I don't need to re-create the share permissions, at least to access the old server's shared folders. But if a user has local shared folders for other users I need to re-write the permissions (just a few cases).

1 Like

Thank you very much for the assist, but it is more about the ACLs on the data side; that is the big hurdle. We made many minor ACL additions to a great many files/folders. So we are trying to figure out a way to convert from the old UIDs/GIDs as we bring the users onboard, or to address the ACLs on 2 TB of data.

@support_team
Has somebody an idea?

It could work with ldbedit or ldbmodify, but I never tested it.

For UID change:

https://www.blackhole-networks.com/Cheatsheets/Samba4Map/

GID change should be possible too.

https://lists.samba.org/archive/samba/2017-January/205714.html

You may have to flush sssd and net cache to make it work:

https://lists.samba.org/archive/samba/2017-January/205716.html

Thank you very much for the idea, I will go test this with one ID and post results.

I found this article about migrating file shares:
https://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/20_NetCommand_25.html

https://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/20_NetCommand_26.html
Didn’t read all through, but it might do the trick?

Does not seem possible this way:
On a Windows PC:
wmic useraccount where name='mike' get sid
Take this SID and install ldb-tools:

# find /var |grep idmap.ldb
/var/lib/machines/nsdc/var/lib/samba/private/idmap.ldb
# ldbedit -e nano -H /var/lib/machines/nsdc/var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-2179231535-2739892362-1993144220-1117
no matching records - cannot edit
# ldbedit -e nano -H /var/lib/machines/nsdc/var/lib/samba/private/idmap.ldb cn=S-1-5-21-2179231535-2739892362-1993144220-1117

# editing 1 records
# record 1
dn: CN=S-1-5-21-2179231535-2739892362-1993144220-1117
cn: S-1-5-21-2179231535-2739892362-1993144220-1117
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAL2/kgYpwT6Oc98x2XQQAAA==
type: ID_TYPE_BOTH
xidNumber: 3000027
distinguishedName: CN=S-1-5-21-2179231535-2739892362-1993144220-1117

According to Samba4Map, xidNumber is what I need to modify. But if I look at id for mike:

# id mike
uid=604401117(mike@domtest.com)

They are not the same.

Sorry, the formatting got messed up.
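Added example (not part of the thread, and not NethServer or Samba code) showing why the two numbers above differ. The xidNumber in the DC's idmap.ldb is the allocation the DC makes for its own filesystem (Samba AD DCs hand these out from 3000000 upward by default), while the NethServer host answers `id` through sssd, whose default ID mapping derives the POSIX id arithmetically as slice base + RID, with the slice chosen from a hash of the domain SID rather than from anything stored on the DC. The slice base 604400000 used below is inferred from the thread's own numbers (Domain Users always has RID 513 and was reported as gid 604400513); that inference, and the assumption that the host is using sssd's algorithmic mapping, are the only things not taken from the posts. The block decodes the base64 objectSid from the ldbedit record, checks it against the CN, and computes the id sssd would report.

```python
import base64
import struct

# Values copied from the ldbedit record quoted in the thread.
RECORD_CN = "S-1-5-21-2179231535-2739892362-1993144220-1117"
RECORD_OBJECTSID_B64 = "AQUAAAAAAAUVAAAAL2/kgYpwT6Oc98x2XQQAAA=="
RECORD_XIDNUMBER = 3000027  # the DC's own allocation, not used by the member host

# Assumption (inferred, not stated in the thread): gid 604400513 is Domain Users,
# whose RID is always 513, so the sssd slice for this domain starts here.
SSSD_SLICE_BASE = 604400513 - 513


def decode_sid(blob: bytes) -> str:
    """Decode the binary SID layout: 1 byte revision, 1 byte sub-authority
    count, 6-byte big-endian identifier authority, then little-endian 32-bit
    sub-authorities. Returns the textual S-1-5-... form."""
    revision, count = struct.unpack_from("<BB", blob, 0)
    authority = int.from_bytes(blob[2:8], "big")
    expected = 8 + 4 * count
    if len(blob) != expected:
        raise ValueError(f"SID blob is {len(blob)} bytes, expected {expected}")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def rid(sid: str) -> int:
    """The relative identifier is the last sub-authority of an account SID."""
    return int(sid.rsplit("-", 1)[1])


def sssd_algorithmic_id(sid: str, slice_base: int) -> int:
    """sssd's default ldap_id_mapping: id = slice base + RID."""
    return slice_base + rid(sid)


def sid_for_id(posix_id: int, domain_sid: str, slice_base: int) -> str:
    """Reverse direction: rebuild the object SID from an id the host reports,
    e.g. to look the object up in idmap.ldb by cn=S-1-5-...."""
    return f"{domain_sid}-{posix_id - slice_base}"


def explain_record(cn: str, objectsid_b64: str, xidnumber: int, slice_base: int) -> dict:
    """Put the DC-side and host-side numbers for one idmap.ldb record side by side."""
    decoded = decode_sid(base64.b64decode(objectsid_b64))
    return {
        "sid_from_blob": decoded,
        "matches_cn": decoded == cn,
        "rid": rid(cn),
        "dc_xidnumber": xidnumber,
        "member_sssd_id": sssd_algorithmic_id(cn, slice_base),
    }


if __name__ == "__main__":
    for key, value in explain_record(RECORD_CN, RECORD_OBJECTSID_B64,
                                     RECORD_XIDNUMBER, SSSD_SLICE_BASE).items():
        print(f"{key}: {value}")
```

The practical consequence for the migration is the one the poster hit: changing xidNumber on the DC changes what the DC itself uses, not what a member host running sssd's algorithmic mapping reports, so the ACL mapping has to be solved on the data side instead.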

Thank you Rob, I will try.

Hi Rob, reading this, in preparation to run net rpc share you need to run net rpc vampire, which seems to want to create a local passdb:
net rpc vampire: Sync a remote NT PDC's data into local passdb
The old Samba domain is OpenLDAP, and I am still not familiar with where user and group info is stored in NethServer?

I didn't realize your old server was OpenLDAP... I was thinking it was a Windows file server...
I am not aware of an option to migrate OpenLDAP ACLs to Samba4 ACLs... :frowning:

Thank you for the help, guys. I will look for another way.

If it helps at all, it is Samba3 with OpenLDAP authentication.

I've found that the UID should be in the Samba database. Have a look at the following link; it depends on FreeNAS, but I think it should be the same with NethServer's Samba.

Hi all, I have an update for you. It is tested and works.
On the old server, issue the command getfacl -R >> somefile.acl
On NethServer, after the users/groups are created: setfacl --restore=somefile.acl
Thank you all for the ideas. :slight_smile:

3 Likes

I should add that it does the UID/GID translation for you, as the users and groups are named the same:

# file: /blah/ibay/blahshare/somefile.pdf
# owner: root
# group: domadmins
user::rwx
user:mike:r-x
group::rwx
group:cad:rwx
mask::rwx
other::---
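Added example, not from the thread: the getfacl/setfacl approach above works because the dump carries names, not numbers, and setfacl --restore resolves each name on the new host. Two things can break that silently on 2 TB of history. First, any entry whose old uid/gid no longer had a name on the old server is dumped as a bare number (e.g. user:2383:r-x), and setfacl applies such numbers literally, landing on whatever the new host maps to that id. Second, a name that does not resolve on the new host (a renamed group, or one still spelled "Domain Users" instead of the lowercase form the poster's id output shows) makes setfacl skip that file. The script below is a pre-flight check written for this thread, not NethServer or Samba tooling: it lists every principal in a dump, flags numeric ones and ones the target cannot resolve, and can rewrite names through a map before the restore. The sample dump is constructed, modelled on the entry quoted above; the file paths, the uid 2383 and gid 912 are illustrative. Dump with `getfacl -R -p <dir>` so absolute paths are kept and the restore does not depend on the current directory.

```python
import grp
import pwd
import re
import sys
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample in getfacl's dump format. The second file carries two
# orphaned numeric principals, which is what getfacl prints when the old
# uid/gid no longer resolves to a name.
SAMPLE_DUMP = """\
# file: /blah/ibay/blahshare/somefile.pdf
# owner: root
# group: domadmins
user::rwx
user:mike:r-x
group::rwx
group:cad:rwx
mask::rwx
other::---

# file: /blah/ibay/blahshare/drawings
# owner: mike
# group: cad
user::rwx
user:2383:r-x
group::r-x
group:912:rwx
default:group:cad:rwx
mask::rwx
other::---
"""

HEADER_RE = re.compile(r"^# (?P<kind>owner|group): (?P<name>.*)$")
ENTRY_RE = re.compile(r"^(?P<default>default:)?(?P<kind>user|group):(?P<name>[^:]*):(?P<perm>.*)$")
Resolver = Callable[[str], bool]


def principals(dump: str) -> Tuple[Set[str], Set[str]]:
    """Every named user and group the dump refers to: owner/group headers plus
    named ACL and default-ACL entries (user::/group:: carry no name)."""
    users: Set[str] = set()
    groups: Set[str] = set()
    for line in dump.splitlines():
        m = HEADER_RE.match(line)
        if m:
            (users if m["kind"] == "owner" else groups).add(m["name"])
            continue
        m = ENTRY_RE.match(line)
        if m and m["name"]:
            (users if m["kind"] == "user" else groups).add(m["name"])
    return users, groups


def rewrite(dump: str, user_map: Dict[str, str], group_map: Dict[str, str]) -> str:
    """Rename principals through the maps; paths, permission bits and the
    mask/other lines pass through untouched, so the result is still a valid
    input for setfacl --restore."""
    out: List[str] = []
    for line in dump.splitlines():
        m = HEADER_RE.match(line)
        if m:
            table = user_map if m["kind"] == "owner" else group_map
            out.append(f"# {m['kind']}: {table.get(m['name'], m['name'])}")
            continue
        m = ENTRY_RE.match(line)
        if m and m["name"]:
            table = user_map if m["kind"] == "user" else group_map
            name = table.get(m["name"], m["name"])
            out.append(f"{m['default'] or ''}{m['kind']}:{name}:{m['perm']}")
            continue
        out.append(line)
    return "\n".join(out) + "\n"


def preflight(dump: str, resolve_user: Resolver, resolve_group: Resolver) -> List[str]:
    """What setfacl --restore would reject (unknown names) or get silently
    wrong (numeric ids, which it applies as-is on the new host)."""
    users, groups = principals(dump)
    problems: List[str] = []
    for kind, names, resolve in (("user", users, resolve_user), ("group", groups, resolve_group)):
        for name in sorted(names):
            if name.isdigit():
                problems.append(f"{kind} {name}: numeric id, would be applied literally")
            elif not resolve(name):
                problems.append(f"{kind} {name}: does not resolve on this host")
    return problems


def system_user_exists(name: str) -> bool:
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def system_group_exists(name: str) -> bool:
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    # Usage on the target: python3 aclcheck.py somefile.acl   (no arg: the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for problem in preflight(text, system_user_exists, system_group_exists):
        print(problem)
```

Run it on the new host against the dump from the old server; an empty report means every principal resolves through sssd and the restore will apply exactly what was dumped. For the leftovers, fix the names with `rewrite()` (for instance mapping an orphaned 912 to the group it used to be) and restore the rewritten file.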

Thanks for the reply. Could you mark the answer to your problem as the solution, please?

OK, it is marked. Hopefully it helps others doing a similar migration. :slightly_smiling_face:

1 Like