[Samba] samba3 to samba4 // logon hours // server role secrets.tdb, secrets.ldb

Andrew Bartlett abartlet at samba.org
Tue Oct 16 01:00:14 MDT 2012


On Tue, 2012-10-16 at 08:45 +0200, Johannes Paechnatz wrote:
> >> fyi - samba3 tdbsam backend. I removed/edited several user accounts
> >> with Umlauts in Fullname/Displayname. (tdbdump/text editor/tdbrestore)
> >> until all user accounts got migrated.
> >
> > What was your 'unix charset' (we may need to add a conversion here, as
> > we assume UTF8 at the ldb layer).
> 
> old samba3 server:
> LANG="de_DE"
> LC_ALL="de_DE"
> 
> smb.conf:
> display charset = ISO8859-1
> unix charset = ISO8859-1
> I remember the reason for this was a software that couldn't handle
> UTF-8 (which is fixed meanwhile) - and I know that we need to convert
> the whole content of the filesystem when we migrate...

OK, that's certainly the issue here.  Can you please file a bug, so we
can try and handle or at least detect it more clearly at classicupgrade
time?

> >> 1. machine accounts: some machine accounts don't have Logon hours
> >> FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, which seems to be a problem.
> >> Could I manually change fields (which fields?) in the tdbsam dump? I
> >> tried pdbedit  -Z of the specific account, but that seems to change it
> >> to an epoch style timestamp and migration fails again - so I removed
> >> them in the tdbsam dump to get the migration working, after that
> >> additional steps all user and machine accounts get migrated.
> >
> > Can you give me some more detail about what is wrong here?  We generally
> > do want to convert any valid samba3 account.
> 
> old samba3 server:
> add machine script = /usr/sbin/useradd -c Machine -d /dev/null -g 1000
> -s /bin/false %u
> 
> all machine accounts are added via this entry - so I thought they are the same.

Well, that doesn't control the samba passdb.tdb record, which is where
the failure is.

> example:
> 
> Failed to modify account record
> CN=w-2000-007,CN=Computers,DC=SAMBA4SRV to set user attributes:
> objectclass_attrs: attribute 'logonHours' on entry
> 'CN=w-2000-007,CN=Computers,DC=SAMBA4SRV' contains at least one
> invalid value!
> ERROR(<class 'passdb.error'>): uncaught exception - Unable to add sam
> account 'w-2000-007$', (-1073741811,Unexpected information received)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
> 1321, in run
>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 883,
> in upgrade_from_samba3
>     s4_passdb.add_sam_account(userdata[username])
> 
> on samba3
> pdbedit -Lv
> 
> Unix username:        w-2000-007$
> NT username:
> Account Flags:        [W          ]
> User SID:             S-1-5-21-2800255703-2035631742-3861056042-3132
> Primary Group SID:    S-1-5-21-2800255703-2035631742-3861056042-513
> Full Name:            W-2000-007$
> Home Directory:       \\filesrv\w-2000-007_
> HomeDir Drive:        L:
> Logon Script:         logon-users.bat
> Profile Path:         ""
> Domain:               BFE
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          9223372036854775807 seconds since the Epoch
> Kickoff time:         9223372036854775807 seconds since the Epoch
> Password last set:    Mon, 19 Sep 2011 08:25:53 CEST
> Password can change:  Mon, 19 Sep 2011 08:25:53 CEST
> Password must change: Sun, 18 Dec 2011 07:25:53 CET
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : 0000000000000000000000000000000030ACC81063

That looks like an un-initialised value to me...

> other successful migrated account:
> 
> Unix username:        W-4000-026$
> NT username:
> Account Flags:        [W          ]
> User SID:             S-1-5-21-2800255703-2035631742-3861056042-2219
> Primary Group SID:    S-1-5-21-2800255703-2035631742-3861056042-513
> Full Name:            W-4000-026$
> Home Directory:       \\filesrv\w-4000-026_
> HomeDir Drive:        L:
> Logon Script:         logon-joh.bat
> Profile Path:         ""
> Domain:               BFE
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          9223372036854775807 seconds since the Epoch
> Kickoff time:         9223372036854775807 seconds since the Epoch
> Password last set:    Mon, 14 Mar 2011 08:54:54 CET
> Password can change:  Mon, 14 Mar 2011 08:54:54 CET
> Password must change: Sun, 12 Jun 2011 09:54:54 CEST
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> 
> tdbdump of both (made on the samba4 machine, if tdbtools version matters?):
> 
> {
> key(17) = "USER_w-2000-007$\00"
> data(199) = "\00\00\00\00\FF\FF\FF\7F\FF\FF\FF\7F\00\00\00\00q\E0vN\8F\19zFq\87\EDN\0C\00\00\00w-2000-007$\00\04\00\00\00BFE\00\01\00\00\00\00\0C\00\00\00W-2000-007$\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00<\0C\00\00\01\02\00\00\00\00\00\00\10\00\00\00\8C\9A\F1\16\AA@\90\1Ef\0E\95\B2\CAW\7F\97\00\00\00\00\80\00\00\00\00\00\00\00\00\00
> \00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\000\AC\C8\10c\7F\00\00\00\80\00\10\00\00\00\00\00\00\00\00\00\00\00\00"
> }
> 
> {
> key(13) = "RID_00000c3c\00"
> data(12) = "w-2000-007$\00"
> }
> 
> 
> {
> key(17) = "USER_w-4000-026$\00"
> data(199) = "\00\00\00\00\FF\FF\FF\7F\FF\FF\FF\7F\00\00\00\00\CE\C9}M\00\00\00\00\CEp\F4M\0C\00\00\00W-4000-026$\00\04\00\00\00BFE\00\01\00\00\00\00\0C\00\00\00W-4000-026$\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\AB\08\00\00\01\02\00\00\00\00\00\00\10\00\00\00\90\13\ADS\0FBn\F8j\99
> \03\C5Dy\E1\00\00\00\00\80\00\00\00\A8\00\15\00\00\00
> \00\00\00\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\EC\04\00\00"
> }
> 
> 
> {
> key(13) = "RID_000008ab\00"
> data(12) = "w-4000-026$\00"
> }

Please make sure you change the password on those accounts (rejoin) them
as you probably just exposed the machine account passwords there. 

One thing we have found out with the classicupgrade script is that it is
the first consistency checker samba3 passdb backends have had, and so
the first time we really notice stuff like this. 

> >> 2. The server role of samba3 is ROLE_DOMAIN_PDC after migration the
> >> samba4 server is stand alone and starting of smbd works without error.
> >> BUT if I change the server role to active directory domain controller
> >> and try samba instead of smbd, I get an error: Failed to find record
> >> for MYDOMAIN-HERE in /var/lib/samba/private/secrets.ldb: No such
> >> object: Have you provisioned the MYDOMAIN-HERE domain? Provisioning an
> >> a new and empty ADS from scratch does work - but I need the migration
> >> ;-)
> >> I tried to modify the secrets.tdb before I start the classicupgrade
> >> without success.
> >>
> >> This is a show-stopper ;-)
> >
> > Exactly what command did you run?
> 
> samba-tool domain classicupgrade --dbdir=/root/daten --use-xattrs=yes
> --realm=BFETV.BFE-SYSTEMHAUS.DE /root/daten/smb.conf
> 
> 
> > We should upgrade a ROLE_DOMAIN_PDC into an 'server role = active
> > directory domain controller'.  Are you sure you are using the smb.conf
> > produced by the upgrade?
> 
> yes. I made a small script that removes all old data before I try a
> new migration run:
> 
> rm /etc/samba/smb.conf
> rm /var/lib/samba/private/*.ldb
> rm /var/lib/samba/private/*.tdb
> rm /var/lib/samba/private/sam.ldb.d/*
> samba-tool domain classicupgrade --dbdir=/root/daten --use-xattrs=yes
> --realm=BFETV.BFE-SYSTEMHAUS.DE /root/daten/smb.conf
> 
> Please let me know if you need more data/information.

Please show me the input and output smb.conf files. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
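An added pre-migration check, not Samba code and not part of this thread, that scans `pdbedit -Lv` output for the two defects discussed above: text fields that are not valid UTF-8 (as produced by `unix charset = ISO8859-1`) and `Logon hours` values that are not a 21-byte bitmap or that restrict an account to fewer than all 168 hours of the week. The sample records are constructed; their hex values mirror the two accounts quoted in the thread.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "account field problem")

# logonHours is a 168-bit (21-byte) week bitmap, printed as 42 hex digits.
HOURS_RE = re.compile(r"^[0-9A-Fa-f]{42}$")

# Constructed sample in the shape of `pdbedit -Lv` output, as the old server
# would emit it with ISO8859-1: the umlaut in the last record is one 0xFC byte.
SAMPLE = (
    b"Unix username:        w-2000-007$\n"
    b"Account Flags:        [W          ]\n"
    b"Full Name:            W-2000-007$\n"
    b"Logon hours         : " + b"0" * 32 + b"30ACC81063\n"
    b"\n"
    b"Unix username:        hmueller\n"
    b"Account Flags:        [U          ]\n"
    b"Full Name:            Hans M\xfcller\n"
    b"Logon hours         : " + b"F" * 42 + b"\n"
)

def parse_records(raw: bytes):
    """Split pdbedit -Lv output on blank lines into {field: raw value} dicts."""
    records, current = [], {}
    for line in raw.split(b"\n"):
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(b":")  # values may contain ':' (times)
        current[key.strip().decode("ascii")] = value.strip()
    if current:
        records.append(current)
    return records

def check_record(rec):
    findings = []
    name = rec.get("Unix username", b"?").decode("latin-1")
    # classicupgrade assumes UTF-8 at the ldb layer, so catch legacy bytes first.
    try:
        rec.get("Full Name", b"").decode("utf-8")
    except UnicodeDecodeError:
        findings.append(Finding(name, "Full Name", "not valid UTF-8; convert from unix charset"))
    hours = rec.get("Logon hours", b"").decode("ascii", "replace")
    if not HOURS_RE.match(hours):
        findings.append(Finding(name, "Logon hours", "not a 21-byte hex bitmap"))
    elif (allowed := bin(int(hours, 16)).count("1")) != 168:
        findings.append(Finding(name, "Logon hours", f"only {allowed}/168 hours allowed; review"))
    return findings

def check_all(raw: bytes):
    return [f for rec in parse_records(raw) for f in check_record(rec)]
```

Run it on the real dump with `check_all(open("pdbedit.txt", "rb").read())`; the w-2000-007$ record is reported because its bitmap allows only 14 of 168 hours, which a workstation account would not normally have.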



