[Samba] samba3 to samba4 // logon hours // server role secrets.tdb, secrets.ldb

Andrew Bartlett abartlet at samba.org
Mon Oct 15 21:44:39 MDT 2012


On Mon, 2012-10-15 at 11:52 +0200, Johannes Paechnatz wrote:
> Hello.
> 
> I tried the migration from samba3 domain master (pdc) to a samba4.
> 
> samba4 -V:
> Version 4.1.0pre1-GIT-2c3a808
> 
> I used the wiki entry about samba3 migration as a guide, copied over
> the data etc. but I have some questions left.
> 
> fyi - samba3 tdbsam backend. I removed/edited several user accounts
> with Umlauts in Fullname/Displayname. (tdbdump/text editor/tdbrestore)
> until all user accounts got migrated.

What was your 'unix charset'? (We may need to add a conversion here, as
we assume UTF8 at the ldb layer.)

> 1. machine accounts: some machine accounts don't have Logon hours
> FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF what seem to be a problem.
> Could I manually change fields (which fields?) in the tdbsam dump? I
> tried pdbedit  -Z of the specific account, but that seems to change it
> to an epoch style timestamp and migration fails again - so I removed
> them in the tdbsam dump to get the migration working, after that
> additional steps all user and machine accounts get migrated.

Can you give me some more detail about what is wrong here?  We generally
do want to convert any valid samba3 account.

> 2. The server role of samba3 is ROLE_DOMAIN_PDC after migration the
> samba4 server is stand alone and starting of smbd works without error.
> BUT if I change the server role to active directory domain controller
> and try samba instead of smbd, I get an error: Failed to find record
> for MYDOMAIN-HERE in /var/lib/samba/private/secrets.ldb: No such
> object: Have you provisioned the MYDOMAIN-HERE domain? Provisioning a
> new and empty ADS from scratch does work - but I need the migration
> ;-)
> I tried to modify the secrets.tdb before I start the classicupgrade
> without success.
> 
> This is a show-stopper ;-)

Exactly what command did you run? 

We should upgrade a ROLE_DOMAIN_PDC into a 'server role = active
directory domain controller'.  Are you sure you are using the smb.conf
produced by the upgrade?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
