[Samba] classicupgrade from LDAP - failed to find Unix account for machine account
Andrew Bartlett
abartlet at samba.org
Thu Apr 4 02:08:41 MDT 2013
On Thu, 2013-04-04 at 15:30 +0800, David Adam wrote:
> Hi all,
>
> We have a somewhat crufty Samba 3 PDC NT-style domain backed on to an
> OpenLDAP server that we use for both Linux and Windows 7 authentication,
> thanks to the magic of ldapsam and smbk5pwd.
>
> I am investigating the feasibility of moving to Samba 4 and have tried
> upgrading with the classicupgrade tool in both the Samba 4.0.0 packages in
> Debian unstable and also with GIT v4-0-stable (b341371).
>
> The current roadblock is that a machine account produces an error in the
> migration:
>
> init_sam_from_ldap: Failed to find Unix account for CICHLID$
> ldapsam_getsampwnam: init_sam_from_ldap failed for user 'CICHLID$'!
> ERROR(<class 'passdb.error'>): uncaught exception - Unable to get user
> information for 'CICHLID$', (-1073741724,No such user)
>
> Notably all of our Linux machines joined to the domain have posixAccount
> credentials, but the Windows machines do not.
>
> The LDAP entry for this machine is:
> dn: uid=CICHLID$,ou=Computers,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
> objectClass: sambaSamAccount
> objectClass: account
> displayName: CICHLID$
> sambaAcctFlags: [W ]
> sambaNTPassword: {elided}
> sambaPwdLastSet: 1364267120
> sambaSID: S-1-5-21-3342141748-1574249315-1264630062-1075
> uid: CICHLID$
>
> The entries for all our Windows 7 machines look similar.
>
> The Linux machines all also have a posixAccount objectClass with the
> appropriate attributes.
>
> Importantly, we have ldapsam:trusted set in our Samba 3 config, and with
> the add machine script set to:
> "/usr/sbin/cpu -C /etc/cpu/cpu-samba.conf useradd -d /dev/null -o %u"
> (where cpu-samba.conf sets the default container to the Computers OU,
> disables the home directory and shell, and sets the GID to the computers
> group).
>
> Any suggestions? I am particularly curious as to why the add machine
> script doesn't appear to be doing anything for Windows machines joined to
> the domain, and why the classicupgrade script is trying to look for user
> account details for machine accounts.
So, what has happened is that I've forced on the 'ldapsam:trusted' in
our classicupgrade script, as it makes it much, much easier to set up a
migration, as you don't have to set up nss_ldap and then tear it down
again.
I had assumed that almost all installations of Samba as a DC on LDAP
would store the unix account with the Samba account.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
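A pre-flight check for the situation described in this thread, written as an added example for this archive page (it is not code from the original posts or from Samba). Since classicupgrade forces ldapsam:trusted, every sambaSamAccount entry, machine accounts included, has to carry its Unix account in the same LDAP entry. The script below reads an LDIF dump of the Samba 3 directory (slapcat or ldapsearch output), lists the entries that have no posixAccount/uidNumber/gidNumber, and generates LDIF modify records that add them before the migration is attempted. The sample LDIF is constructed (CICHLID$ mirrors the entry quoted in the post, the other two entries are invented); the uidNumber counter, the gidNumber values, the home directory and the shell are assumptions chosen for the example, not values from the thread.

```python
"""Pre-flight check before 'samba-tool domain classicupgrade' on ldapsam.
Added example, not part of the original post or of Samba.  Finds
sambaSamAccount entries with no Unix account in the same LDAP entry (the
'Failed to find Unix account' case under ldapsam:trusted) and emits LDIF
modifications that add posixAccount to them.  ID values are assumptions."""
import base64

# Constructed sample: CICHLID$ mirrors the entry in the post; tux$ and bob
# are invented (tux$ already passes the check, bob is a user who does not).
SAMPLE_LDIF = """\
dn: uid=CICHLID$,ou=Computers,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
objectClass: sambaSamAccount
objectClass: account
displayName: CICHLID$
sambaAcctFlags: [W ]
sambaNTPassword: {elided}
sambaPwdLastSet: 1364267120
sambaSID: S-1-5-21-3342141748-1574249315-1264630062-1075
uid: CICHLID$

dn: uid=tux$,ou=Computers,dc=example,dc=org
objectClass: sambaSamAccount
objectClass: posixAccount
cn: tux$
uid: tux$
uidNumber: 5001
gidNumber: 515
homeDirectory: /dev/null
sambaAcctFlags: [W ]
sambaSID: S-1-5-21-3342141748-1574249315-1264630062-1077

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
objectClass: account
uid: bob
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-3342141748-1574249315-1264630062-3000
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values and lowercases attribute names (LDAP names are case-insensitive)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def missing_unix_accounts(entries):
    """DNs of sambaSamAccount entries with no Unix identity alongside them."""
    missing = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "sambasamaccount" not in classes:
            continue
        if "posixaccount" not in classes or "uidnumber" not in e or "gidnumber" not in e:
            missing.append(e["dn"][0])
    return missing


def is_machine_account(entry):
    """Machine accounts carry the W flag in sambaAcctFlags and a trailing $."""
    flags = entry.get("sambaacctflags", [""])[0]
    return "W" in flags or entry.get("uid", [""])[0].endswith("$")


def posix_fixup_ldif(entries, next_uid=20000, machine_gid=515, user_gid=100):
    """LDIF 'changetype: modify' records adding posixAccount where missing.
    uidNumber is a plain counter from next_uid (hypothetical; a real run must
    allocate from the site's ID pool).  cn is added when absent because
    posixAccount requires it (RFC 2307).  Existing attributes are kept."""
    wanted = set(missing_unix_accounts(entries))
    records = []
    for e in entries:
        dn = e["dn"][0]
        if dn not in wanted:
            continue
        uid, machine = e["uid"][0], is_machine_account(e)
        classes = {c.lower() for c in e.get("objectclass", [])}
        mods = [] if "posixaccount" in classes else [("objectClass", "posixAccount")]
        attrs = [("cn", uid), ("uidNumber", str(next_uid)),
                 ("gidNumber", str(machine_gid if machine else user_gid)),
                 ("homeDirectory", "/dev/null" if machine else "/home/" + uid),
                 ("loginShell", "/bin/false" if machine else "/bin/sh")]
        mods += [(a, v) for a, v in attrs if a.lower() not in e]
        next_uid += 1
        body = "\n-\n".join(f"add: {a}\n{a}: {v}" for a, v in mods)
        records.append(f"dn: {dn}\nchangetype: modify\n{body}\n")
    return "\n".join(records)


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for dn in missing_unix_accounts(parsed):
        print("no Unix account:", dn)
    print(posix_fixup_ldif(parsed))
```

Run it against a real `slapcat -b <suffix>` dump, review the generated records (in particular the uidNumber and gidNumber choices), and apply them with `ldapmodify` before re-running classicupgrade; entries that already carry posixAccount but lack one of the attributes only get the missing attributes added.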