errors/issues when trying to migrate

Charles Tryon charles.tryon at gmail.com
Tue May 29 08:56:52 MDT 2012


On Sat, May 26, 2012 at 1:41 AM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Fri, 2012-05-25 at 16:43 +0200, Marc Muehlfeld wrote:
> > Hi,
> >
> > I'm playing in my test environment with a migration from s3 to the latest git
> > version. My s3 is in LDAP and I followed the HowTo.
> >
> > But I'm having the following issues/errors when running
> > # /usr/local/samba/bin/samba-tool domain samba3upgrade
> > --dbdir=/usr/var/locks3/ --use-xattrs=yes --realm=
> MUC.medizinische-genetik.de
> > /etc/samba/smb3.conf
> >
> >
> >
> >
> > 1.) tdb(/usr/var/locks3/gencache.tdb):Corrupt database: Record offset
> 696 has
> > incorrect hash
> > gencache_init: tdb_check(/usr/var/locks3/gencache.tdb) failed - retry
> after
> > truncate
> >
> > It's nothing serious. The script just continues.
>
> Indeed, gencache is only a cache, and therefore not required for
> migration.
>
> > 2.) Exporting groups
> > Ignoring group 'Print Operators' S-1-5-32-550 listed but then not found:
> > Unable to enumerate members for alias,
> (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
> > Ignoring group 'Backup Operators' S-1-5-32-551 listed but then not found:
> > Unable to enumerate members for alias,
> (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
> > Ignoring group 'Replicator' S-1-5-32-552 listed but then not found:
> Unable to
> > enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
> > Ignoring group 'Administrators' S-1-5-32-544 listed but then not found:
> Unable
> > to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
> > Ignoring 'well known' group 'Guests' (should already be in AD, and have
> no
> > members)
> > Ignoring group 'Account Operators' S-1-5-32-548 listed but then not
> found:
> > Unable to enumerate members for alias,
> (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
> > Ignoring group 'Server Operators' S-1-5-32-549 listed but then not found:
> > Unable to enumerate members for alias,
> (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
> > Ignoring group 'Power Users' S-1-5-32-547 listed but then not found:
> Unable to
> > enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
> > Ignoring group 'Users' S-1-5-32-545 listed but then not found: Unable to
> > enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
> >
> > The script continues, but these groups are all ignored. Any idea why?
>
> A number of Samba3 databases appear to have aliases templates for these
> well known groups, but if they are not mapped to system groups, then
> this will happen.  That's why we ignore the error, because clearly there
> are no users in these groups.
>
> > 3.) Importing WINS database
> > ERROR(<type 'exceptions.ValueError'>): uncaught exception - invalid
> literal
> > for int() with base 16: ''
> >    File
> >
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
> > line 160, in _run
> >      return self.run(*args, **kwargs)
> >    File
> > "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
> line
> > 926, in run
> >      useeadb=eadb)
> >    File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> > line 683, in upgrade_from_samba3
> >      samba3_winsdb = samba3.get_wins_db()
> >    File
> >
> "/usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py",
> > line 399, in get_wins_db
> >      return WinsDatabase(self.statedir_path("wins.dat"))
> >    File
> >
> "/usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py",
> > line 333, in __init__
> >      nb_flags = int(entries[i][:-1], 16)
> >
> > Here the script crashes and stops. The only way to continue, is to delete
> > wins.dat. Maybe the script can continue, if the WINS import fails.
>
> I need a sample of the failed wins.dat, so we can fix the parsing
> script.
>
> > 4.) Adding users to groups
> > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> > ProvisioningError: Could not add member
> > 'S-1-5-21-1362721961-1801182073-732966438-2996' to group
> > 'S-1-5-21-1362721961-1801182073-732966438-512' as either group or user
> record
> > doesn't exist: Unable to find GUID for DN
> >
> >    File
> >
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
> > line 160, in _run
> >      return self.run(*args, **kwargs)
> >    File
> > "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
> line
> > 926, in run
> >      useeadb=eadb)
> >    File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> > line 728, in upgrade_from_samba3
> >      add_users_to_group(result.samdb, g, groupmembers[str(g.sid)],
> logger)
> >    File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> > line 242, in add_users_to_group
> >      raise ProvisioningError("Could not add member '%s' to group '%s' as
> > either group or user record doesn't exist: %s" % (member_sid, group.sid,
> emsg))
> >
> > Here the script crashes and stops again.
> > S-1-5-21-1362721961-1801182073-732966438-2996 in LDAP = Administrator
> > S-1-5-21-1362721961-1801182073-732966438-512 in LDAP = Group "Domain
> Admins"
> >
> > If I delete the user Administrator from LDAP, the script runs up to the end.
>
> The issue would be that Administrator should have a SID ending in -500.
> We already skip accounts "root" and "administrator" and map the password
> on to the Administrator account we build at provision time.  This does
> however mean that we break when trying to import the incorrect
> administrator as a group member.
>


Urk...  This could explain some long term problems we've been having with
our old S3 (3.0.9) system.  :-P  Another problem I'm seeing in our database
is a "nobody" user with a SID ending in *-501.  Our database has had a long
and tortuous journey over the years, and I'm not surprised to find various
accumulated crud in there.  I'm hoping that our S4 migration manages to
filter out some of that garbage...

I'm trying to use "pdbedit" to change the SID, but it fails, telling
me: Unable to modify TDB passwd ! Error: Record does not exist
(The record DOES show up if I do a "pdbedit -v -u administrator".)

<>? sudo smbpasswd -a Administrator
New SMB password:
Retype new SMB password:
Unable to modify TDB passwd ! Error: Record does not exist
 occured while storing the RID index (RID_000001f4)
Failed to modify entry for user Administrator.
Failed to modify password entry for user Administrator



> In this case, I think we need to both more clearly detect this, and ask
> you to fix your database prior to importation.
>
> Andrew Bartlett
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>


-- 
    Charles Tryon
_________________________________________________________________________
  “Risks are not to be evaluated in terms of the probability of success,
but in terms of the value of the goal.”
                - Ralph D. Winter
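
A pre-import check of the kind discussed in this thread, added here as an example; it is not code from Samba or from either poster. It assumes `pdbedit -L -v` style output with `Unix username:` and `User SID:` fields, and the sample records are constructed around the domain SID quoted in the thread; `check_accounts` and `parse_pdbedit` are hypothetical names.

```python
import re

# Well-known domain RIDs created by the AD provision itself.
WELL_KNOWN_RIDS = {500: "administrator", 501: "guest"}
DOMAIN_SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-(\d+)")

def parse_pdbedit(text):
    """Yield (unix_username, user_sid) from verbose pdbedit-style records."""
    user = None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # record separators and blank lines
        key, value = key.strip().lower(), value.strip()
        if key == "unix username":
            user = value
        elif key == "user sid" and user is not None:
            yield user, value
            user = None

def check_accounts(text):
    """Return (user, sid, reason) for accounts that clash with well-known RIDs."""
    findings = []
    for user, sid in parse_pdbedit(text):
        match = DOMAIN_SID_RE.fullmatch(sid)
        if match is None:
            findings.append((user, sid, "not a domain user SID"))
            continue
        rid, name = int(match.group(1)), user.lower()
        holder = WELL_KNOWN_RIDS.get(rid)
        if holder is not None and name != holder:
            findings.append((user, sid, "well-known RID %d (%s) held by another account" % (rid, holder)))
        for wk_rid, wk_name in WELL_KNOWN_RIDS.items():
            if name == wk_name and rid != wk_rid:
                findings.append((user, sid, "%s expected at RID %d, found %d" % (wk_name, wk_rid, rid)))
    return findings

# Constructed sample records (not real pdbedit output from either site).
SAMPLE = """\
---------------
Unix username:        administrator
User SID:             S-1-5-21-1362721961-1801182073-732966438-2996
Primary Group SID:    S-1-5-21-1362721961-1801182073-732966438-512
---------------
Unix username:        nobody
User SID:             S-1-5-21-1362721961-1801182073-732966438-501
---------------
Unix username:        alice
User SID:             S-1-5-21-1362721961-1801182073-732966438-3001
"""

if __name__ == "__main__":
    for user, sid, reason in check_accounts(SAMPLE):
        print("%-15s %s  %s" % (user, sid, reason))
```

Findings are for review before running the upgrade; whether a flagged account is actually wrong depends on how the Samba3 database was set up.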

