[Samba] SAMBA4: pdbedit not changing SID

Gémes Géza geza at kzsdabas.hu
Mon Apr 1 23:06:26 MDT 2013


On 2013-04-02 05:35, simon+samba at matthews.eu wrote:
>
>
> On Mon, 1 Apr 2013, simon+samba at matthews.eu wrote:
>
>>
>> On Tue, 2 Apr 2013, Andrew Bartlett wrote:
>>
>>>   On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote:
>>> >   On 2013-04-01 02:36, simon+samba at matthews.eu wrote:
>>> > >   Since I don't seem to be having any luck with the classicupgrade, I
>>> > >   decided to try starting from scratch and then adding users.
>>> > >
>>> > >   I ran the command:
>>> > >   /usr/local/samba/bin/samba-tool domain provision --realm=<my realm> \
>>> > >   --domain=<mydomain> --adminpass 'mypass' --server-role=dc  \
>>> > >   --dns-backend=BIND9_DLZ
>>> > >
>>> > >   Then I tried both adding and changing users. In neither case can I
>>> > >   change the SID with pdbedit. It seems to be added with a
>>> > >   system-defined SID, irrespective of what I specify. pdbedit -v is
>>> > >   able to list the user's parameters, including the SID.
>>> > >
>>> > >   Any suggestions? I am pretty much stuck here trying to figure out how
>>> > >   to migrate from an existing SAMBA3 domain to SAMBA4.
>>> > >
>>> >   Hi,
>>> >
>>> >   Trying to add users one by one (preserving SID) is IMHO a lot harder
>>> >   (you would probably need to ldbmodify the user record of each one) to
>>> >   do, than fixing your samba3 install to have it classicupgraded.
>>>
>>>   Indeed.  The only way to safely import a list of users who already have
>>>   SIDs is to migrate them to Samba 4.0's AD DC using one of the supported
>>>   migration tools.
>>>
>>>   These are 'samba-tool domain join dc' and 'samba-tool domain
>>>   classicupgrade'.
>>
>> Perhaps I need to address why the "classicupgrade" did not work. I 
>> see now that I did not pass the --dbdir option when running it 
>> before. I'll try again.
>>
>
> I went back to trying to get the classicupgrade to work:
> /usr/local/samba/bin/samba-tool domain classicupgrade  \
> --dbdir=/var/lib/samba/ --dbdir=/var/lib/samba/ --realm=a.b  \
> /etc/samba/smb.conf --use-xattrs=yes
>
> For the realm, I used a subdomain of one of the two existing dns 
> domains in the LAN. It appears to be processing the information from 
> the old domain tdb files, although I see some errors:
> Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
> Importing groups
> Could not add group name=Remote Desktop Users ((68, "samldb: Account 
> name (sAMAccountName) 'Remote Desktop Users' already in use!"))
> Could not modify AD idmap entry for 
> sid=S-1-5-21-4254857281-3346836279-4152649156-555, id=5077, 
> type=ID_TYPE_GID ((32, "Base-DN 
> '<SID=S-1-5-21-4254857281-3346836279-4152649156-555>' not found"))
> Could not add posix attrs for AD entry for 
> sid=S-1-5-21-4254857281-3346836279-4152649156-555, ((32, "Base-DN 
> '<SID=S-1-5-21-4254857281-3346836279-4152649156-555>' not found"))
> Group already exists 
> sid=S-1-5-21-4254857281-3346836279-4152649156-512, groupname=Domain 
> Admins existing_groupname=Domain Admins, Ignoring.
>
> However, after this, all I get from pdbedit -L is:
> # pdbedit -L
> RAIDSERVER$:4294967295:
> Administrator:4294967295:
> [root at samba ~]# pdbedit -L
> RAIDSERVER$:4294967295:
> Administrator:4294967295:
> krbtgt:4294967295:--dbdir=/var/lib/samba/ --realm=a.b
> /etc/samba/smb.confnobody:99:Nobody
>
> Any ideas? What information might help debug this?
>
> Simon
>
>
Could this happen because pdbedit is from the samba3 install?

I recommend doing the upgrade on a new box/virtual machine where no samba3 
is installed, and copying the tdb files to the new box.

Regards

Geza Gemes
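
One way to test the question raised in this reply, as an added example that is not part of the original message or of Samba: list every `pdbedit` on the search path and report whether the one the shell runs first lives under the Samba 4 prefix. The function names `find_on_path` and `check_tool` are hypothetical; the prefix `/usr/local/samba` is taken from the commands quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print every executable called $1 found on the PATH-style string $2,
# in the order the shell would search. The body runs in a subshell so
# the IFS and globbing changes do not leak into the caller.
find_on_path() (
    name=$1
    set -f              # do not glob-expand directory names
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.      # an empty PATH entry means the cwd
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
)

# Classify the first match for tool $1 against install prefix $2 on
# path $3. Prints "samba4 <path>", "other <path>" or "missing".
check_tool() (
    first=$(find_on_path "$1" "$3" | head -n 1)
    if [ -z "$first" ]; then
        echo "missing"
    else
        case $first in
            "$2"/*) echo "samba4 $first" ;;
            *)      echo "other $first" ;;
        esac
    fi
)

# Assumption: Samba 4 was built into /usr/local/samba, as in the thread.
SAMBA4_PREFIX=/usr/local/samba

echo "pdbedit candidates, in lookup order:"
find_on_path pdbedit "$PATH"
echo "first match: $(check_tool pdbedit "$SAMBA4_PREFIX" "$PATH")"
```

A result of `other /usr/bin/pdbedit` (or similar) means the command typed as plain `pdbedit` is not the binary installed with the Samba 4 build.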