Import groups and users from old samba


#1

Dear UCS people,

I need a bit of help importing our users and groups into UCS while preserving the posix UID and GID.

Is there any reason groups that I create with gidNumber < 5000 do not work?

I have copied our files across to the new UCS AD domain from our old Samba server. Until UCS we have had no ldap and no windows domain – we controlled access with users’ posix group membership and managed users on the samba server with smbpasswd.

I have migrated the users, setting their uidNumber to the UID from the old server.

I am trying to add the groups from the old server, like this:

univention-directory-manager groups/group create --position "cn=groups,dc=office,dc=domain,dc=co,dc=uk" --set name="all-users" --option posix --set gidNumber="100"

But this does not seem to work. I can see the group in the management interface, I can assign users to it, but assigned users can’t access files chowned to GID 100. Also if I type "groups username" I don’t see the all-users group in the list; only the groups that have GID > 5000.

What is the recommended way to migrate legacy posix users, groups and files?

many thanks, Julian


#2

Hey,

on Debian (which UCS is based on) user IDs and group IDs < 1000 are reserved for system users/groups. This means that only users and groups used for system services such as running the web server (user & group “www-data”) should use such low IDs. Normal user accounts and groups should always use IDs >= 1000.

You can observe that the UMC (Univention Management Console, the web-based UI) doesn’t show all those system groups either.

The reason why "groups username" doesn’t show the newly created group could be that there is a group with the ID 100 already on a freshly installed system:

[0 root@master ~] getent group 100
users:x:100:

That’s a system-local group from “/etc/group”.

I highly recommend you discard the original group IDs. Instead let the system assign group IDs on its own and change file ownership afterwards, e.g. do the following for each affected group:

find /path/to/data -gid <old-group-ID> -exec chgrp <group-name> '{}' \+

Be careful not to run that on / though. Chances are you’ll accidentally change the ownership of system files as well, e.g. paths beneath /var, if your old group IDs collide with current usage.

Kind regards,
mosu
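The procedure mosu describes in #2 (keep the GIDs UCS assigns, re-group the copied files by their old numeric GID, check for collisions with local system groups such as "users" = 100, and never run the find against "/") as a small POSIX shell script. This is an added example and not code posted in the thread or shipped by UCS. It assumes a mapping file of "old-gid group-name" lines and a data directory, both constructed for this example; setting DRY_RUN=1 only lists the files that would be changed.

```shell
#!/bin/sh
# Added example, not code from the thread or from UCS: remap group ownership
# of migrated files from legacy numeric GIDs to the groups UCS created,
# following the advice in #2.
#
# Assumptions (constructed for this example):
#   - MAP is a text file of "old-gid group-name" lines; "#" starts a comment
#   - DATA is the directory holding the copied files and is never "/"
#   - DRY_RUN=1 prints matching paths instead of calling chgrp

# Debian (and therefore UCS) reserves IDs below 1000 for system accounts.
is_system_gid() {
    [ "$1" -ge 0 ] 2>/dev/null && [ "$1" -lt 1000 ]
}

# Name currently bound to a numeric GID on this host. getent goes through NSS,
# so both /etc/group and the LDAP-backed UCS groups are consulted; empty if none.
gid_owner() {
    getent group "$1" | cut -d: -f1
}

# Refuse an empty path or the filesystem root, and require an existing directory.
safe_root() {
    case "$1" in
        ""|/|//) return 1 ;;
    esac
    [ -d "$1" ]
}

# Print "old-gid current-name" for every mapping whose old GID already means
# something else on this system (e.g. 100 is "users" on a fresh install).
report_collisions() {
    while read -r oldgid name; do
        case "$oldgid" in ""|\#*) continue ;; esac
        owner=$(gid_owner "$oldgid")
        if [ -n "$owner" ] && [ "$owner" != "$name" ]; then
            echo "$oldgid $owner"
        fi
    done < "$1"
}

# For each mapping line, find files under DATA still owned by the old GID and
# hand them to the named group. find never leaves DATA, so system paths such
# as /var are untouched even when an old GID collides with a system group.
remap_gids() {
    data=$1; map=$2
    safe_root "$data" || { echo "refusing to run on '$data'" >&2; return 1; }
    while read -r oldgid name; do
        case "$oldgid" in ""|\#*) continue ;; esac
        if [ "${DRY_RUN:-0}" = 1 ]; then
            find "$data" -gid "$oldgid" -print
        else
            find "$data" -gid "$oldgid" -exec chgrp "$name" '{}' +
        fi
    done < "$map"
}
```

Run report_collisions first and review its output; a collision only means the old number is taken, which is exactly why the files are matched by their old GID and re-grouped by name rather than by forcing the old gidNumber onto the new group.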