[Samba] samba3 to samba4 // logon hours // server role secrets.tdb, secrets.ldb

Johannes Paechnatz jpaechnatz at gmail.com
Tue Oct 16 00:45:45 MDT 2012


>> fyi - samba3 tdbsam backend. I removed/edited several user accounts
>> with Umlauts in Fullname/Displayname. (tdbdump/text editor/tdbrestore)
>> until all user accounts got migrated.
>
> What was your 'unix charset' (we may need to add a conversion here, as
> we assume UTF8 at the ldb layer).

old samba3 server:
LANG="de_DE"
LC_ALL="de_DE"

smb.conf:
display charset = ISO8859-1
unix charset = ISO8859-1
I remember the reason for this was a software that couldn't handle
UTF-8 (which is fixed meanwhile) - and I know that we need to convert
the whole content of the filesystem when we migrate...

>> 1. machine accounts: some machine accounts don't have Logon hours
>> FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF which seems to be a problem.
>> Could I manually change fields (which fields?) in the tdbsam dump? I
>> tried pdbedit  -Z of the specific account, but that seems to change it
>> to an epoch style timestamp and migration fails again - so I removed
>> them in the tdbsam dump to get the migration working, after that
>> additional steps all user and machine accounts get migrated.
>
> Can you give me some more detail about what is wrong here?  We generally
> do want to convert any valid samba3 account.

old samba3 server:
add machine script = /usr/sbin/useradd -c Machine -d /dev/null -g 1000 -s /bin/false %u

all machine accounts are added via this entry - so I thought they are the same.

example:

Failed to modify account record CN=w-2000-007,CN=Computers,DC=SAMBA4SRV to set user attributes: objectclass_attrs: attribute 'logonHours' on entry 'CN=w-2000-007,CN=Computers,DC=SAMBA4SRV' contains at least one invalid value!
ERROR(<class 'passdb.error'>): uncaught exception - Unable to add sam account 'w-2000-007$', (-1073741811,Unexpected information received)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1321, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 883, in upgrade_from_samba3
    s4_passdb.add_sam_account(userdata[username])

on samba3
pdbedit -Lv

Unix username:        w-2000-007$
NT username:
Account Flags:        [W          ]
User SID:             S-1-5-21-2800255703-2035631742-3861056042-3132
Primary Group SID:    S-1-5-21-2800255703-2035631742-3861056042-513
Full Name:            W-2000-007$
Home Directory:       \\filesrv\w-2000-007_
HomeDir Drive:        L:
Logon Script:         logon-users.bat
Profile Path:         ""
Domain:               BFE
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          9223372036854775807 seconds since the Epoch
Kickoff time:         9223372036854775807 seconds since the Epoch
Password last set:    Mon, 19 Sep 2011 08:25:53 CEST
Password can change:  Mon, 19 Sep 2011 08:25:53 CEST
Password must change: Sun, 18 Dec 2011 07:25:53 CET
Last bad password   : 0
Bad password count  : 0
Logon hours         : 0000000000000000000000000000000030ACC81063

another successfully migrated account:

Unix username:        W-4000-026$
NT username:
Account Flags:        [W          ]
User SID:             S-1-5-21-2800255703-2035631742-3861056042-2219
Primary Group SID:    S-1-5-21-2800255703-2035631742-3861056042-513
Full Name:            W-4000-026$
Home Directory:       \\filesrv\w-4000-026_
HomeDir Drive:        L:
Logon Script:         logon-joh.bat
Profile Path:         ""
Domain:               BFE
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          9223372036854775807 seconds since the Epoch
Kickoff time:         9223372036854775807 seconds since the Epoch
Password last set:    Mon, 14 Mar 2011 08:54:54 CET
Password can change:  Mon, 14 Mar 2011 08:54:54 CET
Password must change: Sun, 12 Jun 2011 09:54:54 CEST
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

tdbdump of both (made on the samba4 machine, if tdbtools version matters?):

{
key(17) = "USER_w-2000-007$\00"
data(199) = "\00\00\00\00\FF\FF\FF\7F\FF\FF\FF\7F\00\00\00\00q\E0vN\8F\19zFq\87\EDN\0C\00\00\00w-2000-007$\00\04\00\00\00BFE\00\01\00\00\00\00\0C\00\00\00W-2000-007$\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00<\0C\00\00\01\02\00\00\00\00\00\00\10\00\00\00\8C\9A\F1\16\AA@\90\1Ef\0E\95\B2\CAW\7F\97\00\00\00\00\80\00\00\00\00\00\00\00\00\00
\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\000\AC\C8\10c\7F\00\00\00\80\00\10\00\00\00\00\00\00\00\00\00\00\00\00"
}

{
key(13) = "RID_00000c3c\00"
data(12) = "w-2000-007$\00"
}


{
key(17) = "USER_w-4000-026$\00"
data(199) = "\00\00\00\00\FF\FF\FF\7F\FF\FF\FF\7F\00\00\00\00\CE\C9}M\00\00\00\00\CEp\F4M\0C\00\00\00W-4000-026$\00\04\00\00\00BFE\00\01\00\00\00\00\0C\00\00\00W-4000-026$\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\AB\08\00\00\01\02\00\00\00\00\00\00\10\00\00\00\90\13\ADS\0FBn\F8j\99
\03\C5Dy\E1\00\00\00\00\80\00\00\00\A8\00\15\00\00\00
\00\00\00\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\EC\04\00\00"
}


{
key(13) = "RID_000008ab\00"
data(12) = "w-4000-026$\00"
}


>> 2. The server role of samba3 is ROLE_DOMAIN_PDC after migration the
>> samba4 server is stand alone and starting of smbd works without error.
>> BUT if I change the server role to active directory domain controller
>> and try samba instead of smbd, I get an error: Failed to find record
>> for MYDOMAIN-HERE in /var/lib/samba/private/secrets.ldb: No such
>> object: Have you provisioned the MYDOMAIN-HERE domain? Provisioning a
>> new and empty ADS from scratch does work - but I need the migration
>> ;-)
>> I tried to modify the secrets.tdb before I start the classicupgrade
>> without success.
>>
>> This is a show-stopper ;-)
>
> Exactly what command did you run?

samba-tool domain classicupgrade --dbdir=/root/daten --use-xattrs=yes --realm=BFETV.BFE-SYSTEMHAUS.DE /root/daten/smb.conf


> We should upgrade a ROLE_DOMAIN_PDC into a 'server role = active
> directory domain controller'.  Are you sure you are using the smb.conf
> produced by the upgrade?

yes. I made a small script that removes all old data before I try a
new migration run:

rm /etc/samba/smb.conf
rm /var/lib/samba/private/*.ldb
rm /var/lib/samba/private/*.tdb
rm /var/lib/samba/private/sam.ldb.d/*
samba-tool domain classicupgrade --dbdir=/root/daten --use-xattrs=yes --realm=BFETV.BFE-SYSTEMHAUS.DE /root/daten/smb.conf

Please let me know if you need more data/information.

cu Joh.Paechnatz


-- 
Johannes Paechnatz
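
A pre-migration check for the logon-hours difference shown in the two `pdbedit -Lv` records above, as an added example that is not part of the original post and not Samba's own code: it parses `pdbedit -Lv` text and lists accounts whose Logon hours value is not the 21-byte all-FF mask seen on the account that migrated. The function names and the sample records are constructed for illustration; the third account is invented to exercise the length check.

```python
import re

HOURS_BYTES = 21                    # 7 days x 24 hours, one bit per hour
ALL_HOURS = "FF" * HOURS_BYTES      # value on the account that migrated

# Constructed sample in `pdbedit -Lv` layout: a value shaped like the failing
# account's, the all-FF value, and a short value to exercise the length check.
SAMPLE = "\n".join([
    "Unix username:        w-2000-007$",
    "Logon hours         : " + "00" * 16 + "30ACC81063",
    "",
    "Unix username:        W-4000-026$",
    "Logon hours         : " + ALL_HOURS,
    "",
    "Unix username:        w-0000-000$",
    "Logon hours         : FFFF",
])

FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")

def parse_records(text):
    """Split pdbedit -Lv output into one dict per account."""
    records = []
    for m in filter(None, map(FIELD.match, text.splitlines())):
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Unix username":      # first field of every record
            records.append({})
        if records:
            records[-1][key] = value
    return records

def check_logon_hours(value):
    """Return None for the all-hours mask, otherwise the reason to review."""
    if len(value) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", value):
        return "not a hex string"
    if len(value) != 2 * HOURS_BYTES:
        return "%d bytes, expected %d" % (len(value) // 2, HOURS_BYTES)
    if value.upper() != ALL_HOURS:
        return "not the all-hours mask"
    return None

def audit(text):
    """Map account name -> reason for every account that needs a look."""
    out = {}
    for rec in parse_records(text):
        reason = check_logon_hours(rec.get("Logon hours", ""))
        if reason:
            out[rec.get("Unix username", "?")] = reason
    return out
```

Capture `pdbedit -Lv` on the Samba 3 host and pass the text to `audit()`; accounts it returns are the ones to inspect before running `samba-tool domain classicupgrade`.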
