[Samba] samba-tool classicupgrade throws uncaught exception

Mon Aug 19 17:57:08 MDT 2013

Update: I realized shortly after I sent the email that because I don't use
winbind, I can (and should) delete the file winbindd_idmap.tdb.
So, the second error is now the stopper.  In essence, it's complaining that
it can't find the user or group with sid ending in 1057.

Adding users to groups
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: Could not add member 'S-1-5-21-XXXXXXXXXXXXXXXXXXX-1002'
to group 'S-1-5-21-XXXXXXXXXXXXXXXXXXX-1057' as either group or user record
doesn't exist: Base-DN '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXXX-1057>' not found
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
line 913, in upgrade_from_samba3
    add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
line 316, in add_users_to_group
    raise ProvisioningError("Could not add member '%s' to group '%s' as
either group or user record doesn't exist: %s" % (member_sid, group.sid,
emsg))

*Scott Goodwin*
IT Lead
Mimic Technologies, Inc
811 First Avenue, Suite 408  |  Seattle, WA 98104
phone: 1.800.918.1670  |  direct: 206.456.9180
fax: 206.623.3491  |  cell: 206.355.7767

On Mon, Aug 19, 2013 at 3:01 PM, Scott Goodwin <scott at mimicsimulation.com>wrote:

> I have a new server running CentOS 6.4 x64, which will serve as our new
> Samba4 server. It is set up in a test environment, and I've copied over the
> tdb files and the smb.conf file from our samba3 server (Same OS and
> version).
> I'm trying to do an in-place upgrade on the copied files, but keep hitting
> an assert / uncaught exception during the upgrade:
>
> # /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/root/smb3
> --use-xattrs=yes --realm=MYDOMAIN.COM --verbose /root/smb3/smb.conf
>
> Reading smb.conf
> Provisioning
> Exporting account policy
> Exporting groups
> Exporting users
> Ignoring group memberships of 'testuser' S-1-5-21-XXXXXXXXXXXXXXXXXX-1065:
> Unable to enumerate group memberships, (-1073741724,No such user)
>   Skipping wellknown rid=501 (for username=nobody)
> Ignoring group memberships of 'TEST-PC$' S-1-5-21-XXXXXXXXXXXXXXXXXX-1097:
> Unable to enumerate group memberships, (-1073741724,No such user)
> Ignoring group memberships of 'testuser2' S-1-5-21-XXXXXXXXXXXXXXXXXX-1075:
> Unable to enumerate group memberships, (-1073741724,No such user)
> Next rid = 9001
> Exporting posix attributes
> Reading WINS database
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Adding DomainDN: DC=mydomain,DC=com
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> Setting up self join
> Setting acl on sysvol skipped
> Adding DNS accounts
> Creating CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com
> Creating DomainDnsZones and ForestDnsZones partitions
> Populating DomainDnsZones and ForestDnsZones partitions
> Setting up sam.ldb rootDSE marking as synchronized
> Fixing provision GUIDs
> A Kerberos configuration suitable for Samba 4 has been generated at
> /usr/local/samba/private/krb5.conf
> Setting up fake yp server settings
> Once the above files are installed, your Samba4 server will be ready to use
> Server Role:           active directory domain controller
> Hostname:              myserver
> NetBIOS Domain:        MYDOMAIN
> DNS Domain:            mydomain.com
> DOMAIN SID:            S-1-5-21-XXXXXXXXXXXXXXXXXX
> Importing WINS database
> Importing Account policy
> Importing idmap database
> ERROR(assert): uncaught exception
>   File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
> line 1318, in run
>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> line 868, in upgrade_from_samba3
>     import_idmap(result.idmap, samba3, logger)
>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> line 214, in import_idmap
>     samba3_idmap = samba3.get_idmap_db()
>   File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py",
> line 402, in get_idmap_db
>     return IdmapDatabase(self.statedir_path("winbindd_idmap.tdb"))
>   File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py",
> line 59, in __init__
>     self._check_version()
>   File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py",
> line 142, in _check_version
>     assert fetch_int32(self.tdb, "IDMAP_VERSION\0") == IDMAP_VERSION_V2
>
>
> The error indicates an idmap problem, so on advise of another poster, I
> renamed my winbindd_idmap.tdb file, then tried again (after deleting the
> generated tdb files and smb.conf).  This, however, caused another error:
>
> ...
> ...
> Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
> Importing groups
> Could not add group name=Domain Admins ((68, "samldb: Account name
> (sAMAccountName) 'Domain Admins' already in use!"))
> Could not modify AD idmap entry for sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057,
> id=502, type=ID_TYPE_GID ((32, "Base-DN
> '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057>' not found"))
> Could not add posix attrs for AD entry for
> sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057, ((32, "Base-DN
> '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057>' not found"))
> Could not add group name=Domain Users ((68, "samldb: Account name
> (sAMAccountName) 'Domain Users' already in use!"))
> Could not modify AD idmap entry for sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066,
> id=100, type=ID_TYPE_GID ((32, "Base-DN
> '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066>' not found"))
> Could not add posix attrs for AD entry for
> sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066, ((32, "Base-DN
> '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066>' not found"))
> Importing users
> User root has been kept in the directory, it should be removed in favour
> of the Administrator user
> Adding users to groups
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: Could not add member 'S-1-5-21-XXXXXXXXXXXXXXXXXX-1002'
> to group 'S-1-5-21-XXXXXXXXXXXXXXXXXX-1057' as either group or user record
> doesn't exist: Base-DN '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057>' not found
>   File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
> line 1318, in run
>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> line 913, in upgrade_from_samba3
>     add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> line 316, in add_users_to_group
>     raise ProvisioningError("Could not add member '%s' to group '%s' as
> either group or user record doesn't exist: %s" % (member_sid, group.sid,
> emsg))
>
>
> I'm wondering if my winbindd_idmap.tdb is invalid, as ldbdump
> winbindd_idmap.tdb returns nothing, and the tdb file is only 696 bytes.  If
> this is the issue, can I "rebuild it" on the samba3 server?
>
> Here's the global section of my smb.conf:
>
>           workgroup = MYDOMAIN
>         netbios name = MYSERVER
>         server string = "Samba4 AD"
>         interfaces = 192.168.0.0/24
>         bind interfaces only = Yes
>         passdb backend = tdbsam
>         username map = /etc/samba/smbusers
>         admin users = scott
>         wins support = Yes
>         smb ports = 139
>         time server = Yes
>         client ntlmv2 auth = Yes
>         log file = /var/log/samba/log.%m
>         max log size = 1000
>         debug uid = Yes
>         deadtime = 15
>         socket options = TCP_NODELAY IPTOS_LOWDELAY
>         show add printer wizard = No
>         load printers = no
>         printing = bsd
>         disable spoolss = yes
>         printcap name = /dev/null
>         printcap cache time = 0
>         add user script = /usr/sbin/useradd -m -g users %u
>         logon script = logon.bat
>         logon path =
>         logon drive = H:
>         domain logons = Yes
>         os level = 65
>         preferred master = Yes
>         domain master = Yes
>         unix password sync = Yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
>         pam password change = Yes
>
> Thanks ahead of time for any assistance, and if you need additional info,
> let me know.
>  --scott
>